- Linux-stable-mirror - lists.linaro.org

Re: Patch "smb: client: make use of common smbdirect_socket_parameters" has been added to the 6.12-stable tree

by Stefan Metzmacher

Hi, any reason why this is only backported to 6.12, but not 6.15? I'm looking at v6.15.5 and v6.12.36 and the following are missing from 6.15: bced02aca343 David Howells Wed Apr 2 20:27:26 2025 +0100 cifs: Fix reading into an ITER_FOLIOQ from the smbdirect code 87dcc7e33fc3 David Howells Wed Jun 25 14:15:04 2025 +0100 cifs: Fix the smbd_response slab to allow usercopy b8ddcca4391e Stefan Metzmacher Wed May 28 18:01:40 2025 +0200 smb: client: make use of common smbdirect_socket_parameters 69cafc413c2d Stefan Metzmacher Wed May 28 18:01:39 2025 +0200 smb: smbdirect: introduce smbdirect_socket_parameters c39639bc7723 Stefan Metzmacher Wed May 28 18:01:37 2025 +0200 smb: client: make use of common smbdirect_socket f4b05342c293 Stefan Metzmacher Wed May 28 18:01:36 2025 +0200 smb: smbdirect: add smbdirect_socket.h a6ec1fcafd41 Stefan Metzmacher Wed May 28 18:01:33 2025 +0200 smb: smbdirect: add smbdirect.h with public structures 6509de31b1b6 Stefan Metzmacher Wed May 28 18:01:31 2025 +0200 smb: client: make use of common smbdirect_pdu.h a9bb4006c4f3 Stefan Metzmacher Wed May 28 18:01:30 2025 +0200 smb: smbdirect: add smbdirect_pdu.h with protocol definitions With these being backported to 6.15 too, the following is missing in both: commit 1944f6ab4967db7ad8d4db527dceae8c77de76e9 Author: Stefan Metzmacher <metze(a)samba.org> AuthorDate: Wed Jun 25 10:16:38 2025 +0200 Commit: Steve French <stfrench(a)microsoft.com> CommitDate: Wed Jun 25 11:12:54 2025 -0500 smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data As it was marked as Cc: <stable+noautosel(a)kernel.org> # sp->max_send_size should be info->max_send_size in backports But now that the patches up to b8ddcca4391e are backported it can be cherry-picked just fine to both branches. Thanks! metze Am 29.06.25 um 16:56 schrieb Steve French: >> Steve: Do you agree? > > Yes > > Thanks, > > Steve > > On Sun, Jun 29, 2025, 9:48 AM Stefan Metzmacher <metze(a)samba.org> wrote: > >> Hi, >> >> if these patches are backported to stable then >> 1944f6ab4967db7ad8d4db527dceae8c77de76e9 >> "smb: client: let smbd_post_send_iter() respect the peers max_send_size >> and transmit all data" >> can also be backported as is. >> >> I just added the >> "Cc: <stable+noautosel(a)kernel.org> # sp->max_send_size should be >> info->max_send_size in backports" >> because I thought they would not be backported. >> >> I'm fine with backporting the header changes... >> >> @Steve: Do you agree? >> >> Thanks! >> metze >> >> Am 29.06.25 um 16:28 schrieb Sasha Levin: >>> This is a note to let you know that I've just added the patch titled >>> >>> smb: client: make use of common smbdirect_socket_parameters >>> >>> to the 6.12-stable tree which can be found at: >>> >> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… >>> >>> The filename of the patch is: >>> smb-client-make-use-of-common-smbdirect_socket_param.patch >>> and it can be found in the queue-6.12 subdirectory. >>> >>> If you, or anyone else, feels it should not be added to the stable tree, >>> please let <stable(a)vger.kernel.org> know about it. >>> >>> >>> >>> commit a1fa1698297356797d7a0379b7e056744fd133ac >>> Author: Stefan Metzmacher <metze(a)samba.org> >>> Date: Wed May 28 18:01:40 2025 +0200 >>> >>> smb: client: make use of common smbdirect_socket_parameters >>> >>> [ Upstream commit cc55f65dd352bdb7bdf8db1c36fb348c294c3b66 ] >>> >>> Cc: Steve French <smfrench(a)gmail.com> >>> Cc: Tom Talpey <tom(a)talpey.com> >>> Cc: Long Li <longli(a)microsoft.com> >>> Cc: Namjae Jeon <linkinjeon(a)kernel.org> >>> Cc: Hyunchul Lee <hyc.lee(a)gmail.com> >>> Cc: Meetakshi Setiya <meetakshisetiyaoss(a)gmail.com> >>> Cc: linux-cifs(a)vger.kernel.org >>> Cc: samba-technical(a)lists.samba.org >>> Signed-off-by: Stefan Metzmacher <metze(a)samba.org> >>> Signed-off-by: Steve French <stfrench(a)microsoft.com> >>> Stable-dep-of: 43e7e284fc77 ("cifs: Fix the smbd_response slab to >> allow usercopy") >>> Signed-off-by: Sasha Levin <sashal(a)kernel.org> >>> >>> diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c >>> index 56b0b5c82dd19..c0196be0e65fc 100644 >>> --- a/fs/smb/client/cifs_debug.c >>> +++ b/fs/smb/client/cifs_debug.c >>> @@ -362,6 +362,10 @@ static int cifs_debug_data_proc_show(struct >> seq_file *m, void *v) >>> c = 0; >>> spin_lock(&cifs_tcp_ses_lock); >>> list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) { >>> +#ifdef CONFIG_CIFS_SMB_DIRECT >>> + struct smbdirect_socket_parameters *sp; >>> +#endif >>> + >>> /* channel info will be printed as a part of sessions >> below */ >>> if (SERVER_IS_CHAN(server)) >>> continue; >>> @@ -383,6 +387,7 @@ static int cifs_debug_data_proc_show(struct seq_file >> *m, void *v) >>> seq_printf(m, "\nSMBDirect transport not >> available"); >>> goto skip_rdma; >>> } >>> + sp = &server->smbd_conn->socket.parameters; >>> >>> seq_printf(m, "\nSMBDirect (in hex) protocol version: %x " >>> "transport status: %x", >>> @@ -390,18 +395,18 @@ static int cifs_debug_data_proc_show(struct >> seq_file *m, void *v) >>> server->smbd_conn->socket.status); >>> seq_printf(m, "\nConn receive_credit_max: %x " >>> "send_credit_target: %x max_send_size: %x", >>> - server->smbd_conn->receive_credit_max, >>> - server->smbd_conn->send_credit_target, >>> - server->smbd_conn->max_send_size); >>> + sp->recv_credit_max, >>> + sp->send_credit_target, >>> + sp->max_send_size); >>> seq_printf(m, "\nConn max_fragmented_recv_size: %x " >>> "max_fragmented_send_size: %x max_receive_size:%x", >>> - server->smbd_conn->max_fragmented_recv_size, >>> - server->smbd_conn->max_fragmented_send_size, >>> - server->smbd_conn->max_receive_size); >>> + sp->max_fragmented_recv_size, >>> + sp->max_fragmented_send_size, >>> + sp->max_recv_size); >>> seq_printf(m, "\nConn keep_alive_interval: %x " >>> "max_readwrite_size: %x rdma_readwrite_threshold: >> %x", >>> - server->smbd_conn->keep_alive_interval, >>> - server->smbd_conn->max_readwrite_size, >>> + sp->keepalive_interval_msec * 1000, >>> + sp->max_read_write_size, >>> server->smbd_conn->rdma_readwrite_threshold); >>> seq_printf(m, "\nDebug count_get_receive_buffer: %x " >>> "count_put_receive_buffer: %x count_send_empty: >> %x", >>> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c >>> index 74bcc51ccd32f..e596bc4837b68 100644 >>> --- a/fs/smb/client/smb2ops.c >>> +++ b/fs/smb/client/smb2ops.c >>> @@ -504,6 +504,9 @@ smb3_negotiate_wsize(struct cifs_tcon *tcon, struct >> smb3_fs_context *ctx) >>> wsize = min_t(unsigned int, wsize, server->max_write); >>> #ifdef CONFIG_CIFS_SMB_DIRECT >>> if (server->rdma) { >>> + struct smbdirect_socket_parameters *sp = >>> + &server->smbd_conn->socket.parameters; >>> + >>> if (server->sign) >>> /* >>> * Account for SMB2 data transfer packet header and >>> @@ -511,12 +514,12 @@ smb3_negotiate_wsize(struct cifs_tcon *tcon, >> struct smb3_fs_context *ctx) >>> */ >>> wsize = min_t(unsigned int, >>> wsize, >>> - >> server->smbd_conn->max_fragmented_send_size - >>> + sp->max_fragmented_send_size - >>> SMB2_READWRITE_PDU_HEADER_SIZE - >>> sizeof(struct smb2_transform_hdr)); >>> else >>> wsize = min_t(unsigned int, >>> - wsize, >> server->smbd_conn->max_readwrite_size); >>> + wsize, sp->max_read_write_size); >>> } >>> #endif >>> if (!(server->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU)) >>> @@ -552,6 +555,9 @@ smb3_negotiate_rsize(struct cifs_tcon *tcon, struct >> smb3_fs_context *ctx) >>> rsize = min_t(unsigned int, rsize, server->max_read); >>> #ifdef CONFIG_CIFS_SMB_DIRECT >>> if (server->rdma) { >>> + struct smbdirect_socket_parameters *sp = >>> + &server->smbd_conn->socket.parameters; >>> + >>> if (server->sign) >>> /* >>> * Account for SMB2 data transfer packet header and >>> @@ -559,12 +565,12 @@ smb3_negotiate_rsize(struct cifs_tcon *tcon, >> struct smb3_fs_context *ctx) >>> */ >>> rsize = min_t(unsigned int, >>> rsize, >>> - >> server->smbd_conn->max_fragmented_recv_size - >>> + sp->max_fragmented_recv_size - >>> SMB2_READWRITE_PDU_HEADER_SIZE - >>> sizeof(struct smb2_transform_hdr)); >>> else >>> rsize = min_t(unsigned int, >>> - rsize, >> server->smbd_conn->max_readwrite_size); >>> + rsize, sp->max_read_write_size); >>> } >>> #endif >>> >>> diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c >>> index ac489df8151a1..cbc85bca006f7 100644 >>> --- a/fs/smb/client/smbdirect.c >>> +++ b/fs/smb/client/smbdirect.c >>> @@ -320,6 +320,8 @@ static bool process_negotiation_response( >>> struct smbd_response *response, int packet_length) >>> { >>> struct smbd_connection *info = response->info; >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct smbdirect_negotiate_resp *packet = >> smbd_response_payload(response); >>> >>> if (packet_length < sizeof(struct smbdirect_negotiate_resp)) { >>> @@ -349,20 +351,20 @@ static bool process_negotiation_response( >>> >>> atomic_set(&info->receive_credits, 0); >>> >>> - if (le32_to_cpu(packet->preferred_send_size) > >> info->max_receive_size) { >>> + if (le32_to_cpu(packet->preferred_send_size) > sp->max_recv_size) { >>> log_rdma_event(ERR, "error: preferred_send_size=%d\n", >>> le32_to_cpu(packet->preferred_send_size)); >>> return false; >>> } >>> - info->max_receive_size = le32_to_cpu(packet->preferred_send_size); >>> + sp->max_recv_size = le32_to_cpu(packet->preferred_send_size); >>> >>> if (le32_to_cpu(packet->max_receive_size) < SMBD_MIN_RECEIVE_SIZE) >> { >>> log_rdma_event(ERR, "error: max_receive_size=%d\n", >>> le32_to_cpu(packet->max_receive_size)); >>> return false; >>> } >>> - info->max_send_size = min_t(int, info->max_send_size, >>> - >> le32_to_cpu(packet->max_receive_size)); >>> + sp->max_send_size = min_t(u32, sp->max_send_size, >>> + le32_to_cpu(packet->max_receive_size)); >>> >>> if (le32_to_cpu(packet->max_fragmented_size) < >>> SMBD_MIN_FRAGMENTED_SIZE) { >>> @@ -370,18 +372,18 @@ static bool process_negotiation_response( >>> le32_to_cpu(packet->max_fragmented_size)); >>> return false; >>> } >>> - info->max_fragmented_send_size = >>> + sp->max_fragmented_send_size = >>> le32_to_cpu(packet->max_fragmented_size); >>> info->rdma_readwrite_threshold = >>> - rdma_readwrite_threshold > info->max_fragmented_send_size ? >>> - info->max_fragmented_send_size : >>> + rdma_readwrite_threshold > sp->max_fragmented_send_size ? >>> + sp->max_fragmented_send_size : >>> rdma_readwrite_threshold; >>> >>> >>> - info->max_readwrite_size = min_t(u32, >>> + sp->max_read_write_size = min_t(u32, >>> le32_to_cpu(packet->max_readwrite_size), >>> info->max_frmr_depth * PAGE_SIZE); >>> - info->max_frmr_depth = info->max_readwrite_size / PAGE_SIZE; >>> + info->max_frmr_depth = sp->max_read_write_size / PAGE_SIZE; >>> >>> return true; >>> } >>> @@ -689,6 +691,7 @@ static int smbd_ia_open( >>> static int smbd_post_send_negotiate_req(struct smbd_connection *info) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_send_wr send_wr; >>> int rc = -ENOMEM; >>> struct smbd_request *request; >>> @@ -704,11 +707,11 @@ static int smbd_post_send_negotiate_req(struct >> smbd_connection *info) >>> packet->min_version = cpu_to_le16(SMBDIRECT_V1); >>> packet->max_version = cpu_to_le16(SMBDIRECT_V1); >>> packet->reserved = 0; >>> - packet->credits_requested = cpu_to_le16(info->send_credit_target); >>> - packet->preferred_send_size = cpu_to_le32(info->max_send_size); >>> - packet->max_receive_size = cpu_to_le32(info->max_receive_size); >>> + packet->credits_requested = cpu_to_le16(sp->send_credit_target); >>> + packet->preferred_send_size = cpu_to_le32(sp->max_send_size); >>> + packet->max_receive_size = cpu_to_le32(sp->max_recv_size); >>> packet->max_fragmented_size = >>> - cpu_to_le32(info->max_fragmented_recv_size); >>> + cpu_to_le32(sp->max_fragmented_recv_size); >>> >>> request->num_sge = 1; >>> request->sge[0].addr = ib_dma_map_single( >>> @@ -800,6 +803,7 @@ static int smbd_post_send(struct smbd_connection >> *info, >>> struct smbd_request *request) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_send_wr send_wr; >>> int rc, i; >>> >>> @@ -831,7 +835,7 @@ static int smbd_post_send(struct smbd_connection >> *info, >>> } else >>> /* Reset timer for idle connection after packet is sent */ >>> mod_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> >>> return rc; >>> } >>> @@ -841,6 +845,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> int *_remaining_data_length) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> int i, rc; >>> int header_length; >>> int data_length; >>> @@ -868,7 +873,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> >>> wait_send_queue: >>> wait_event(info->wait_post_send, >>> - atomic_read(&info->send_pending) < >> info->send_credit_target || >>> + atomic_read(&info->send_pending) < sp->send_credit_target >> || >>> sc->status != SMBDIRECT_SOCKET_CONNECTED); >>> >>> if (sc->status != SMBDIRECT_SOCKET_CONNECTED) { >>> @@ -878,7 +883,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> } >>> >>> if (unlikely(atomic_inc_return(&info->send_pending) > >>> - info->send_credit_target)) { >>> + sp->send_credit_target)) { >>> atomic_dec(&info->send_pending); >>> goto wait_send_queue; >>> } >>> @@ -917,7 +922,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> >>> /* Fill in the packet header */ >>> packet = smbd_request_payload(request); >>> - packet->credits_requested = cpu_to_le16(info->send_credit_target); >>> + packet->credits_requested = cpu_to_le16(sp->send_credit_target); >>> >>> new_credits = manage_credits_prior_sending(info); >>> atomic_add(new_credits, &info->receive_credits); >>> @@ -1017,16 +1022,17 @@ static int smbd_post_recv( >>> struct smbd_connection *info, struct smbd_response >> *response) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_recv_wr recv_wr; >>> int rc = -EIO; >>> >>> response->sge.addr = ib_dma_map_single( >>> sc->ib.dev, response->packet, >>> - info->max_receive_size, DMA_FROM_DEVICE); >>> + sp->max_recv_size, DMA_FROM_DEVICE); >>> if (ib_dma_mapping_error(sc->ib.dev, response->sge.addr)) >>> return rc; >>> >>> - response->sge.length = info->max_receive_size; >>> + response->sge.length = sp->max_recv_size; >>> response->sge.lkey = sc->ib.pd->local_dma_lkey; >>> >>> response->cqe.done = recv_done; >>> @@ -1274,6 +1280,8 @@ static void idle_connection_timer(struct >> work_struct *work) >>> struct smbd_connection *info = container_of( >>> work, struct smbd_connection, >>> idle_timer_work.work); >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> >>> if (info->keep_alive_requested != KEEP_ALIVE_NONE) { >>> log_keep_alive(ERR, >>> @@ -1288,7 +1296,7 @@ static void idle_connection_timer(struct >> work_struct *work) >>> >>> /* Setup the next idle timeout work */ >>> queue_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> } >>> >>> /* >>> @@ -1300,6 +1308,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> { >>> struct smbd_connection *info = server->smbd_conn; >>> struct smbdirect_socket *sc; >>> + struct smbdirect_socket_parameters *sp; >>> struct smbd_response *response; >>> unsigned long flags; >>> >>> @@ -1308,6 +1317,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> return; >>> } >>> sc = &info->socket; >>> + sp = &sc->parameters; >>> >>> log_rdma_event(INFO, "destroying rdma session\n"); >>> if (sc->status != SMBDIRECT_SOCKET_DISCONNECTED) { >>> @@ -1349,7 +1359,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> log_rdma_event(INFO, "free receive buffers\n"); >>> wait_event(info->wait_receive_queues, >>> info->count_receive_queue + info->count_empty_packet_queue >>> - == info->receive_credit_max); >>> + == sp->recv_credit_max); >>> destroy_receive_buffers(info); >>> >>> /* >>> @@ -1437,6 +1447,8 @@ static void destroy_caches_and_workqueue(struct >> smbd_connection *info) >>> #define MAX_NAME_LEN 80 >>> static int allocate_caches_and_workqueue(struct smbd_connection *info) >>> { >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> char name[MAX_NAME_LEN]; >>> int rc; >>> >>> @@ -1451,7 +1463,7 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> return -ENOMEM; >>> >>> info->request_mempool = >>> - mempool_create(info->send_credit_target, >> mempool_alloc_slab, >>> + mempool_create(sp->send_credit_target, mempool_alloc_slab, >>> mempool_free_slab, info->request_cache); >>> if (!info->request_mempool) >>> goto out1; >>> @@ -1461,13 +1473,13 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> kmem_cache_create( >>> name, >>> sizeof(struct smbd_response) + >>> - info->max_receive_size, >>> + sp->max_recv_size, >>> 0, SLAB_HWCACHE_ALIGN, NULL); >>> if (!info->response_cache) >>> goto out2; >>> >>> info->response_mempool = >>> - mempool_create(info->receive_credit_max, >> mempool_alloc_slab, >>> + mempool_create(sp->recv_credit_max, mempool_alloc_slab, >>> mempool_free_slab, info->response_cache); >>> if (!info->response_mempool) >>> goto out3; >>> @@ -1477,7 +1489,7 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> if (!info->workqueue) >>> goto out4; >>> >>> - rc = allocate_receive_buffers(info, info->receive_credit_max); >>> + rc = allocate_receive_buffers(info, sp->recv_credit_max); >>> if (rc) { >>> log_rdma_event(ERR, "failed to allocate receive >> buffers\n"); >>> goto out5; >>> @@ -1505,6 +1517,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> int rc; >>> struct smbd_connection *info; >>> struct smbdirect_socket *sc; >>> + struct smbdirect_socket_parameters *sp; >>> struct rdma_conn_param conn_param; >>> struct ib_qp_init_attr qp_attr; >>> struct sockaddr_in *addr_in = (struct sockaddr_in *) dstaddr; >>> @@ -1515,6 +1528,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> if (!info) >>> return NULL; >>> sc = &info->socket; >>> + sp = &sc->parameters; >>> >>> sc->status = SMBDIRECT_SOCKET_CONNECTING; >>> rc = smbd_ia_open(info, dstaddr, port); >>> @@ -1541,12 +1555,12 @@ static struct smbd_connection >> *_smbd_get_connection( >>> goto config_failed; >>> } >>> >>> - info->receive_credit_max = smbd_receive_credit_max; >>> - info->send_credit_target = smbd_send_credit_target; >>> - info->max_send_size = smbd_max_send_size; >>> - info->max_fragmented_recv_size = smbd_max_fragmented_recv_size; >>> - info->max_receive_size = smbd_max_receive_size; >>> - info->keep_alive_interval = smbd_keep_alive_interval; >>> + sp->recv_credit_max = smbd_receive_credit_max; >>> + sp->send_credit_target = smbd_send_credit_target; >>> + sp->max_send_size = smbd_max_send_size; >>> + sp->max_fragmented_recv_size = smbd_max_fragmented_recv_size; >>> + sp->max_recv_size = smbd_max_receive_size; >>> + sp->keepalive_interval_msec = smbd_keep_alive_interval * 1000; >>> >>> if (sc->ib.dev->attrs.max_send_sge < SMBDIRECT_MAX_SEND_SGE || >>> sc->ib.dev->attrs.max_recv_sge < SMBDIRECT_MAX_RECV_SGE) { >>> @@ -1561,7 +1575,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> >>> sc->ib.send_cq = >>> ib_alloc_cq_any(sc->ib.dev, info, >>> - info->send_credit_target, IB_POLL_SOFTIRQ); >>> + sp->send_credit_target, IB_POLL_SOFTIRQ); >>> if (IS_ERR(sc->ib.send_cq)) { >>> sc->ib.send_cq = NULL; >>> goto alloc_cq_failed; >>> @@ -1569,7 +1583,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> >>> sc->ib.recv_cq = >>> ib_alloc_cq_any(sc->ib.dev, info, >>> - info->receive_credit_max, IB_POLL_SOFTIRQ); >>> + sp->recv_credit_max, IB_POLL_SOFTIRQ); >>> if (IS_ERR(sc->ib.recv_cq)) { >>> sc->ib.recv_cq = NULL; >>> goto alloc_cq_failed; >>> @@ -1578,8 +1592,8 @@ static struct smbd_connection >> *_smbd_get_connection( >>> memset(&qp_attr, 0, sizeof(qp_attr)); >>> qp_attr.event_handler = smbd_qp_async_error_upcall; >>> qp_attr.qp_context = info; >>> - qp_attr.cap.max_send_wr = info->send_credit_target; >>> - qp_attr.cap.max_recv_wr = info->receive_credit_max; >>> + qp_attr.cap.max_send_wr = sp->send_credit_target; >>> + qp_attr.cap.max_recv_wr = sp->recv_credit_max; >>> qp_attr.cap.max_send_sge = SMBDIRECT_MAX_SEND_SGE; >>> qp_attr.cap.max_recv_sge = SMBDIRECT_MAX_RECV_SGE; >>> qp_attr.cap.max_inline_data = 0; >>> @@ -1654,7 +1668,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> init_waitqueue_head(&info->wait_send_queue); >>> INIT_DELAYED_WORK(&info->idle_timer_work, idle_connection_timer); >>> queue_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> >>> init_waitqueue_head(&info->wait_send_pending); >>> atomic_set(&info->send_pending, 0); >>> @@ -1971,6 +1985,7 @@ int smbd_send(struct TCP_Server_Info *server, >>> { >>> struct smbd_connection *info = server->smbd_conn; >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct smb_rqst *rqst; >>> struct iov_iter iter; >>> unsigned int remaining_data_length, klen; >>> @@ -1988,10 +2003,10 @@ int smbd_send(struct TCP_Server_Info *server, >>> for (i = 0; i < num_rqst; i++) >>> remaining_data_length += smb_rqst_len(server, >> &rqst_array[i]); >>> >>> - if (unlikely(remaining_data_length > >> info->max_fragmented_send_size)) { >>> + if (unlikely(remaining_data_length > >> sp->max_fragmented_send_size)) { >>> /* assertion: payload never exceeds negotiated maximum */ >>> log_write(ERR, "payload size %d > max size %d\n", >>> - remaining_data_length, >> info->max_fragmented_send_size); >>> + remaining_data_length, >> sp->max_fragmented_send_size); >>> return -EINVAL; >>> } >>> >>> diff --git a/fs/smb/client/smbdirect.h b/fs/smb/client/smbdirect.h >>> index 4b559a4147af1..3d552ab27e0f3 100644 >>> --- a/fs/smb/client/smbdirect.h >>> +++ b/fs/smb/client/smbdirect.h >>> @@ -69,15 +69,7 @@ struct smbd_connection { >>> spinlock_t lock_new_credits_offered; >>> int new_credits_offered; >>> >>> - /* Connection parameters defined in [MS-SMBD] 3.1.1.1 */ >>> - int receive_credit_max; >>> - int send_credit_target; >>> - int max_send_size; >>> - int max_fragmented_recv_size; >>> - int max_fragmented_send_size; >>> - int max_receive_size; >>> - int keep_alive_interval; >>> - int max_readwrite_size; >>> + /* dynamic connection parameters defined in [MS-SMBD] 3.1.1.1 */ >>> enum keep_alive_status keep_alive_requested; >>> int protocol; >>> atomic_t send_credits; >> >> >

3 days, 21 hours

2
1
0 0

[PATCH v3] drm/framebuffer: Acquire internal references on GEM handles

by Thomas Zimmermann

Acquire GEM handles in drm_framebuffer_init() and release them in the corresponding drm_framebuffer_cleanup(). Ties the handle's lifetime to the framebuffer. Not all GEM buffer objects have GEM handles. If not set, no refcounting takes place. This is the case for some fbdev emulation. This is not a problem as these GEM objects do not use dma-bufs and drivers will not release them while fbdev emulation is running. Framebuffer flags keep a bit per color plane of which the framebuffer holds a GEM handle reference. As all drivers use drm_framebuffer_init(), they will now all hold dma-buf references as fixed in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers"). In the GEM framebuffer helpers, restore the original ref counting on buffer objects. As the helpers for handle refcounting are now no longer called from outside the DRM core, unexport the symbols. v3: - don't mix internal flags with mode flags (Christian) v2: - track framebuffer handle refs by flag - drop gma500 cleanup (Christian) Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") Reported-by: Bert Karwatzki <spasswolf(a)web.de> Closes: https://lore.kernel.org/dri-devel/20250703115915.3096-1-spasswolf@web.de/ Tested-by: Bert Karwatzki <spasswolf(a)web.de> Tested-by: Mario Limonciello <superm1(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Anusha Srivatsa <asrivats(a)redhat.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: "Christian König" <christian.koenig(a)amd.com> Cc: linux-media(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: linaro-mm-sig(a)lists.linaro.org Cc: <stable(a)vger.kernel.org> --- drivers/gpu/drm/drm_framebuffer.c | 31 ++++++++++++++-- drivers/gpu/drm/drm_gem.c | 38 ++++++++++++-------- drivers/gpu/drm/drm_gem_framebuffer_helper.c | 16 ++++----- drivers/gpu/drm/drm_internal.h | 2 +- include/drm/drm_framebuffer.h | 7 ++++ 5 files changed, 68 insertions(+), 26 deletions(-) diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c index b781601946db..63a70f285cce 100644 --- a/drivers/gpu/drm/drm_framebuffer.c +++ b/drivers/gpu/drm/drm_framebuffer.c @@ -862,11 +862,23 @@ EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_framebuffer_free); int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, const struct drm_framebuffer_funcs *funcs) { + unsigned int i; int ret; + bool exists; if (WARN_ON_ONCE(fb->dev != dev || !fb->format)) return -EINVAL; + for (i = 0; i < fb->format->num_planes; i++) { + if (drm_WARN_ON_ONCE(dev, fb->internal_flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i))) + fb->internal_flags &= ~DRM_FRAMEBUFFER_HAS_HANDLE_REF(i); + if (fb->obj[i]) { + exists = drm_gem_object_handle_get_if_exists_unlocked(fb->obj[i]); + if (exists) + fb->internal_flags |= DRM_FRAMEBUFFER_HAS_HANDLE_REF(i); + } + } + INIT_LIST_HEAD(&fb->filp_head); fb->funcs = funcs; @@ -875,7 +887,7 @@ int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB, false, drm_framebuffer_free); if (ret) - goto out; + goto err; mutex_lock(&dev->mode_config.fb_lock); dev->mode_config.num_fb++; @@ -883,7 +895,16 @@ int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, mutex_unlock(&dev->mode_config.fb_lock); drm_mode_object_register(dev, &fb->base); -out: + + return 0; + +err: + for (i = 0; i < fb->format->num_planes; i++) { + if (fb->internal_flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i)) { + drm_gem_object_handle_put_unlocked(fb->obj[i]); + fb->internal_flags &= ~DRM_FRAMEBUFFER_HAS_HANDLE_REF(i); + } + } return ret; } EXPORT_SYMBOL(drm_framebuffer_init); @@ -960,6 +981,12 @@ EXPORT_SYMBOL(drm_framebuffer_unregister_private); void drm_framebuffer_cleanup(struct drm_framebuffer *fb) { struct drm_device *dev = fb->dev; + unsigned int i; + + for (i = 0; i < fb->format->num_planes; i++) { + if (fb->internal_flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i)) + drm_gem_object_handle_put_unlocked(fb->obj[i]); + } mutex_lock(&dev->mode_config.fb_lock); list_del(&fb->head); diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index bc505d938b3e..41cdab6088ae 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -224,23 +224,34 @@ static void drm_gem_object_handle_get(struct drm_gem_object *obj) } /** - * drm_gem_object_handle_get_unlocked - acquire reference on user-space handles + * drm_gem_object_handle_get_if_exists_unlocked - acquire reference on user-space handle, if any * @obj: GEM object * - * Acquires a reference on the GEM buffer object's handle. Required - * to keep the GEM object alive. Call drm_gem_object_handle_put_unlocked() - * to release the reference. + * Acquires a reference on the GEM buffer object's handle. Required to keep + * the GEM object alive. Call drm_gem_object_handle_put_if_exists_unlocked() + * to release the reference. Does nothing if the buffer object has no handle. + * + * Returns: + * True if a handle exists, or false otherwise */ -void drm_gem_object_handle_get_unlocked(struct drm_gem_object *obj) +bool drm_gem_object_handle_get_if_exists_unlocked(struct drm_gem_object *obj) { struct drm_device *dev = obj->dev; guard(mutex)(&dev->object_name_lock); - drm_WARN_ON(dev, !obj->handle_count); /* first ref taken in create-tail helper */ + /* + * First ref taken during GEM object creation, if any. Some + * drivers set up internal framebuffers with GEM objects that + * do not have a GEM handle. Hence, this counter can be zero. + */ + if (!obj->handle_count) + return false; + drm_gem_object_handle_get(obj); + + return true; } -EXPORT_SYMBOL(drm_gem_object_handle_get_unlocked); /** * drm_gem_object_handle_free - release resources bound to userspace handles @@ -273,7 +284,7 @@ static void drm_gem_object_exported_dma_buf_free(struct drm_gem_object *obj) } /** - * drm_gem_object_handle_put_unlocked - releases reference on user-space handles + * drm_gem_object_handle_put_unlocked - releases reference on user-space handle * @obj: GEM object * * Releases a reference on the GEM buffer object's handle. Possibly releases @@ -284,14 +295,14 @@ void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) struct drm_device *dev = obj->dev; bool final = false; - if (WARN_ON(READ_ONCE(obj->handle_count) == 0)) + if (drm_WARN_ON(dev, READ_ONCE(obj->handle_count) == 0)) return; /* - * Must bump handle count first as this may be the last - * ref, in which case the object would disappear before we - * checked for a name - */ + * Must bump handle count first as this may be the last + * ref, in which case the object would disappear before + * we checked for a name. + */ mutex_lock(&dev->object_name_lock); if (--obj->handle_count == 0) { @@ -304,7 +315,6 @@ void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) if (final) drm_gem_object_put(obj); } -EXPORT_SYMBOL(drm_gem_object_handle_put_unlocked); /* * Called at device or object close to release the file's diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c index c60d0044d036..618ce725cd75 100644 --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c +++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c @@ -100,7 +100,7 @@ void drm_gem_fb_destroy(struct drm_framebuffer *fb) unsigned int i; for (i = 0; i < fb->format->num_planes; i++) - drm_gem_object_handle_put_unlocked(fb->obj[i]); + drm_gem_object_put(fb->obj[i]); drm_framebuffer_cleanup(fb); kfree(fb); @@ -183,10 +183,8 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, if (!objs[i]) { drm_dbg_kms(dev, "Failed to lookup GEM object\n"); ret = -ENOENT; - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; } - drm_gem_object_handle_get_unlocked(objs[i]); - drm_gem_object_put(objs[i]); min_size = (height - 1) * mode_cmd->pitches[i] + drm_format_info_min_pitch(info, i, width) @@ -196,22 +194,22 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, drm_dbg_kms(dev, "GEM object size (%zu) smaller than minimum size (%u) for plane %d\n", objs[i]->size, min_size, i); - drm_gem_object_handle_put_unlocked(objs[i]); + drm_gem_object_put(objs[i]); ret = -EINVAL; - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; } } ret = drm_gem_fb_init(dev, fb, mode_cmd, objs, i, funcs); if (ret) - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; return 0; -err_gem_object_handle_put_unlocked: +err_gem_object_put: while (i > 0) { --i; - drm_gem_object_handle_put_unlocked(objs[i]); + drm_gem_object_put(objs[i]); } return ret; } diff --git a/drivers/gpu/drm/drm_internal.h b/drivers/gpu/drm/drm_internal.h index f921cc73f8b8..e79c3c623c9a 100644 --- a/drivers/gpu/drm/drm_internal.h +++ b/drivers/gpu/drm/drm_internal.h @@ -161,7 +161,7 @@ void drm_sysfs_lease_event(struct drm_device *dev); /* drm_gem.c */ int drm_gem_init(struct drm_device *dev); -void drm_gem_object_handle_get_unlocked(struct drm_gem_object *obj); +bool drm_gem_object_handle_get_if_exists_unlocked(struct drm_gem_object *obj); void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj); int drm_gem_handle_create_tail(struct drm_file *file_priv, struct drm_gem_object *obj, diff --git a/include/drm/drm_framebuffer.h b/include/drm/drm_framebuffer.h index 668077009fce..38b24fc8978d 100644 --- a/include/drm/drm_framebuffer.h +++ b/include/drm/drm_framebuffer.h @@ -23,6 +23,7 @@ #ifndef __DRM_FRAMEBUFFER_H__ #define __DRM_FRAMEBUFFER_H__ +#include <linux/bits.h> #include <linux/ctype.h> #include <linux/list.h> #include <linux/sched.h> @@ -100,6 +101,8 @@ struct drm_framebuffer_funcs { unsigned num_clips); }; +#define DRM_FRAMEBUFFER_HAS_HANDLE_REF(_i) BIT(0u + (_i)) + /** * struct drm_framebuffer - frame buffer object * @@ -188,6 +191,10 @@ struct drm_framebuffer { * DRM_MODE_FB_MODIFIERS. */ int flags; + /** + * @internal_flags: Framebuffer flags like DRM_FRAMEBUFFER_HAS_HANDLE_REF. + */ + unsigned int internal_flags; /** * @filp_head: Placed on &drm_file.fbs, protected by &drm_file.fbs_lock. */ -- 2.50.0

3 days, 21 hours

3
3
0 0

[PATCH] mtd: spinand: propagate spinand_wait() errors from spinand_write_page()

by Gabor Juhos

Since commit 3d1f08b032dc ("mtd: spinand: Use the external ECC engine logic") the spinand_write_page() function ignores the errors returned by spinand_wait(). Change the code to propagate those up to the stack as it was done before the offending change. Cc: stable(a)vger.kernel.org Fixes: 3d1f08b032dc ("mtd: spinand: Use the external ECC engine logic") Signed-off-by: Gabor Juhos <j4g8y7(a)gmail.com> --- drivers/mtd/nand/spi/core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c index 7099db7a62be61f563380b724ac849057a834211..8cce63aef1b5ad7cda2f6ab28d29565aa979498f 100644 --- a/drivers/mtd/nand/spi/core.c +++ b/drivers/mtd/nand/spi/core.c @@ -688,7 +688,10 @@ int spinand_write_page(struct spinand_device *spinand, SPINAND_WRITE_INITIAL_DELAY_US, SPINAND_WRITE_POLL_DELAY_US, &status); - if (!ret && (status & STATUS_PROG_FAILED)) + if (ret) + return ret; + + if (status & STATUS_PROG_FAILED) return -EIO; return nand_ecc_finish_io_req(nand, (struct nand_page_io_req *)req); --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250708-spinand-propagate-wait-timeout-a0220ea7c322 Best regards, -- Gabor Juhos <j4g8y7(a)gmail.com>

3 days, 22 hours

1
0
0 0

[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers

by Ian Abbott

In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: <stable(a)vger.kernel.org> # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch fails to apply to kernels before 6.15, requiring backports. --- drivers/comedi/drivers/comedi_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); } -- 2.47.2

3 days, 22 hours

1
0
0 0

[PATCH 5.10/5.15] mm/hugetlb: fix assertion splat in hugetlb_split()

by Fedor Pchelkin

No upstream commit exists for this patch. The following assertion is firing on 5.10 to 6.1 stable kernels after backport of upstream commit 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split, not before"): WARNING: CPU: 0 PID: 11489 at include/linux/fs.h:503 i_mmap_assert_write_locked include/linux/fs.h:503 [inline] WARNING: CPU: 0 PID: 11489 at include/linux/fs.h:503 hugetlb_split+0x267/0x300 mm/hugetlb.c:4917 Modules linked in: CPU: 0 PID: 11489 Comm: syz-executor.4 Not tainted 6.1.142-syzkaller-00296-gfd0df5221577 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:i_mmap_assert_write_locked include/linux/fs.h:503 [inline] RIP: 0010:hugetlb_split+0x267/0x300 mm/hugetlb.c:4917 Call Trace: <TASK> __vma_adjust+0xd73/0x1c10 mm/mmap.c:736 vma_adjust include/linux/mm.h:2745 [inline] __split_vma+0x459/0x540 mm/mmap.c:2385 do_mas_align_munmap+0x5f2/0xf10 mm/mmap.c:2497 do_mas_munmap+0x26c/0x2c0 mm/mmap.c:2646 __mmap_region mm/mmap.c:2694 [inline] mmap_region+0x19f/0x1770 mm/mmap.c:2912 do_mmap+0x84b/0xf20 mm/mmap.c:1432 vm_mmap_pgoff+0x1af/0x280 mm/util.c:520 ksys_mmap_pgoff+0x41f/0x5a0 mm/mmap.c:1478 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x46a269 </TASK> Those branches lack commit ccf1d78d8b86 ("mm/mmap: move vma_prepare before vma_adjust_trans_huge") so the needed locks are taken just after the newly added hugetlb_split(). Adjust the position of vma_adjust_trans_huge() blocks with the lock-taking code. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split, not before") Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- Tested with testcases/kernel/mem/hugetlb/hugemmap suite provided by LTP. For the report see: https://lore.kernel.org/stable/CAG48ez3LqUwXxhRY56tqQCpfGJsJ-GeXFG9FCcTZEBo… mm/mmap.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index 8c188ed3738a..13669a33a515 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -832,16 +832,6 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, } } again: - /* - * Get rid of huge pages and shared page tables straddling the split - * boundary. - */ - vma_adjust_trans_huge(orig_vma, start, end, adjust_next); - if (is_vm_hugetlb_page(orig_vma)) { - hugetlb_split(orig_vma, start); - hugetlb_split(orig_vma, end); - } - if (file) { mapping = file->f_mapping; root = &mapping->i_mmap; @@ -881,6 +871,16 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, vma_interval_tree_remove(next, root); } + /* + * Get rid of huge pages and shared page tables straddling the split + * boundary. + */ + vma_adjust_trans_huge(orig_vma, start, end, adjust_next); + if (is_vm_hugetlb_page(orig_vma)) { + hugetlb_split(orig_vma, start); + hugetlb_split(orig_vma, end); + } + if (start != vma->vm_start) { vma->vm_start = start; start_changed = true; -- 2.50.0

3 days, 23 hours

1
0
0 0

[PATCH 6.1] mm/hugetlb: fix assertion splat in hugetlb_split()

by Fedor Pchelkin

No upstream commit exists for this patch. The following assertion is firing on 5.10 to 6.1 stable kernels after backport of upstream commit 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split, not before"): WARNING: CPU: 0 PID: 11489 at include/linux/fs.h:503 i_mmap_assert_write_locked include/linux/fs.h:503 [inline] WARNING: CPU: 0 PID: 11489 at include/linux/fs.h:503 hugetlb_split+0x267/0x300 mm/hugetlb.c:4917 Modules linked in: CPU: 0 PID: 11489 Comm: syz-executor.4 Not tainted 6.1.142-syzkaller-00296-gfd0df5221577 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:i_mmap_assert_write_locked include/linux/fs.h:503 [inline] RIP: 0010:hugetlb_split+0x267/0x300 mm/hugetlb.c:4917 Call Trace: <TASK> __vma_adjust+0xd73/0x1c10 mm/mmap.c:736 vma_adjust include/linux/mm.h:2745 [inline] __split_vma+0x459/0x540 mm/mmap.c:2385 do_mas_align_munmap+0x5f2/0xf10 mm/mmap.c:2497 do_mas_munmap+0x26c/0x2c0 mm/mmap.c:2646 __mmap_region mm/mmap.c:2694 [inline] mmap_region+0x19f/0x1770 mm/mmap.c:2912 do_mmap+0x84b/0xf20 mm/mmap.c:1432 vm_mmap_pgoff+0x1af/0x280 mm/util.c:520 ksys_mmap_pgoff+0x41f/0x5a0 mm/mmap.c:1478 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x46a269 </TASK> Those branches lack commit ccf1d78d8b86 ("mm/mmap: move vma_prepare before vma_adjust_trans_huge") so the needed locks are taken just after the newly added hugetlb_split(). Adjust the position of vma_adjust_trans_huge() blocks with the lock-taking code. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split, not before") Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- Tested with testcases/kernel/mem/hugetlb/hugemmap suite provided by LTP. For the report see: https://lore.kernel.org/stable/CAG48ez3LqUwXxhRY56tqQCpfGJsJ-GeXFG9FCcTZEBo… mm/mmap.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index 0f303dc8425a..941880ed62d7 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -543,8 +543,6 @@ inline int vma_expand(struct ma_state *mas, struct vm_area_struct *vma, if (mas_preallocate(mas, vma, GFP_KERNEL)) goto nomem; - vma_adjust_trans_huge(vma, start, end, 0); - if (file) { mapping = file->f_mapping; root = &mapping->i_mmap; @@ -562,6 +560,8 @@ inline int vma_expand(struct ma_state *mas, struct vm_area_struct *vma, vma_interval_tree_remove(vma, root); } + vma_adjust_trans_huge(vma, start, end, 0); + vma->vm_start = start; vma->vm_end = end; vma->vm_pgoff = pgoff; @@ -727,15 +727,6 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, return -ENOMEM; } - /* - * Get rid of huge pages and shared page tables straddling the split - * boundary. - */ - vma_adjust_trans_huge(orig_vma, start, end, adjust_next); - if (is_vm_hugetlb_page(orig_vma)) { - hugetlb_split(orig_vma, start); - hugetlb_split(orig_vma, end); - } if (file) { mapping = file->f_mapping; root = &mapping->i_mmap; @@ -775,6 +766,16 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, vma_interval_tree_remove(next, root); } + /* + * Get rid of huge pages and shared page tables straddling the split + * boundary. + */ + vma_adjust_trans_huge(orig_vma, start, end, adjust_next); + if (is_vm_hugetlb_page(orig_vma)) { + hugetlb_split(orig_vma, start); + hugetlb_split(orig_vma, end); + } + if (start != vma->vm_start) { if ((vma->vm_start < start) && (!insert || (insert->vm_end != start))) { -- 2.50.0

3 days, 23 hours

1
0
0 0

[PATCH v3] wifi: wilc1000: Add error handling for wilc_sdio_cmd52()

by Wentao Liang

The wilc_sdio_read_size() calls wilc_sdio_cmd52() but does not check the return value. This could lead to execution with potentially invalid data if wilc_sdio_cmd52() fails. A proper implementation can be found in wilc_sdio_read_reg(). Add error handling for wilc_sdio_cmd52(). If wilc_sdio_cmd52() fails, log an error message via dev_err(). Fixes: ea5779b4fbc7 ("staging: wilc1000: wilc_sdio_cmd52: pass struct wilc") Cc: stable(a)vger.kernel.org # v4.5 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- v3: Remove redundant error log. Fix code error. Fix fixes flag error. v2: Fix code error. drivers/net/wireless/microchip/wilc1000/sdio.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/microchip/wilc1000/sdio.c b/drivers/net/wireless/microchip/wilc1000/sdio.c index 5262c8846c13..d77f88996250 100644 --- a/drivers/net/wireless/microchip/wilc1000/sdio.c +++ b/drivers/net/wireless/microchip/wilc1000/sdio.c @@ -771,6 +771,7 @@ static int wilc_sdio_read_size(struct wilc *wilc, u32 *size) { u32 tmp; struct sdio_cmd52 cmd; + int ret; /** * Read DMA count in words @@ -780,12 +781,16 @@ static int wilc_sdio_read_size(struct wilc *wilc, u32 *size) cmd.raw = 0; cmd.address = WILC_SDIO_INTERRUPT_DATA_SZ_REG; cmd.data = 0; - wilc_sdio_cmd52(wilc, &cmd); + ret = wilc_sdio_cmd52(wilc, &cmd); + if (ret) + return ret; tmp = cmd.data; cmd.address = WILC_SDIO_INTERRUPT_DATA_SZ_REG + 1; cmd.data = 0; - wilc_sdio_cmd52(wilc, &cmd); + ret = wilc_sdio_cmd52(wilc, &cmd); + if (ret) + return ret; tmp |= (cmd.data << 8); *size = tmp; -- 2.42.0.windows.2

4 days

2
1
0 0

FAILED: patch "[PATCH] usb: dwc3: Abort suspend on soft disconnect failure" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 630a1dec3b0eba2a695b9063f1c205d585cbfec9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070816-untoasted-wooing-3f93@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 630a1dec3b0eba2a695b9063f1c205d585cbfec9 Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai <khtsai(a)google.com> Date: Wed, 28 May 2025 18:03:11 +0800 Subject: [PATCH] usb: dwc3: Abort suspend on soft disconnect failure When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") Cc: stable <stable(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://lore.kernel.org/r/20250528100315.2162699-1-khtsai@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 2bc775a747f2..8002c23a5a02 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2422,6 +2422,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; int i; + int ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2440,7 +2441,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2475,7 +2478,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 321361288935..b6b63b530148 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4821,8 +4821,15 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; + /* + * Attempt to reset the controller's state. Likely no + * communication can be established until the host + * performs a port reset. + */ + if (ret && dwc->softconnect) { + dwc3_gadget_soft_connect(dwc); + return -EAGAIN; + } spin_lock_irqsave(&dwc->lock, flags); if (dwc->gadget_driver) @@ -4830,17 +4837,6 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) spin_unlock_irqrestore(&dwc->lock, flags); return 0; - -err: - /* - * Attempt to reset the controller's state. Likely no - * communication can be established until the host - * performs a port reset. - */ - if (dwc->softconnect) - dwc3_gadget_soft_connect(dwc); - - return ret; } int dwc3_gadget_resume(struct dwc3 *dwc)

4 days, 1 hour

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: Abort suspend on soft disconnect failure" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 630a1dec3b0eba2a695b9063f1c205d585cbfec9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070814-edginess-essence-e135@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 630a1dec3b0eba2a695b9063f1c205d585cbfec9 Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai <khtsai(a)google.com> Date: Wed, 28 May 2025 18:03:11 +0800 Subject: [PATCH] usb: dwc3: Abort suspend on soft disconnect failure When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") Cc: stable <stable(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://lore.kernel.org/r/20250528100315.2162699-1-khtsai@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 2bc775a747f2..8002c23a5a02 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2422,6 +2422,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; int i; + int ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2440,7 +2441,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2475,7 +2478,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 321361288935..b6b63b530148 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4821,8 +4821,15 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; + /* + * Attempt to reset the controller's state. Likely no + * communication can be established until the host + * performs a port reset. + */ + if (ret && dwc->softconnect) { + dwc3_gadget_soft_connect(dwc); + return -EAGAIN; + } spin_lock_irqsave(&dwc->lock, flags); if (dwc->gadget_driver) @@ -4830,17 +4837,6 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) spin_unlock_irqrestore(&dwc->lock, flags); return 0; - -err: - /* - * Attempt to reset the controller's state. Likely no - * communication can be established until the host - * performs a port reset. - */ - if (dwc->softconnect) - dwc3_gadget_soft_connect(dwc); - - return ret; } int dwc3_gadget_resume(struct dwc3 *dwc)

4 days, 1 hour

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: Abort suspend on soft disconnect failure" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 630a1dec3b0eba2a695b9063f1c205d585cbfec9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070843-mammal-recapture-b529@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 630a1dec3b0eba2a695b9063f1c205d585cbfec9 Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai <khtsai(a)google.com> Date: Wed, 28 May 2025 18:03:11 +0800 Subject: [PATCH] usb: dwc3: Abort suspend on soft disconnect failure When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") Cc: stable <stable(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://lore.kernel.org/r/20250528100315.2162699-1-khtsai@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 2bc775a747f2..8002c23a5a02 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2422,6 +2422,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; int i; + int ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2440,7 +2441,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2475,7 +2478,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 321361288935..b6b63b530148 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4821,8 +4821,15 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; + /* + * Attempt to reset the controller's state. Likely no + * communication can be established until the host + * performs a port reset. + */ + if (ret && dwc->softconnect) { + dwc3_gadget_soft_connect(dwc); + return -EAGAIN; + } spin_lock_irqsave(&dwc->lock, flags); if (dwc->gadget_driver) @@ -4830,17 +4837,6 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) spin_unlock_irqrestore(&dwc->lock, flags); return 0; - -err: - /* - * Attempt to reset the controller's state. Likely no - * communication can be established until the host - * performs a port reset. - */ - if (dwc->softconnect) - dwc3_gadget_soft_connect(dwc); - - return ret; } int dwc3_gadget_resume(struct dwc3 *dwc)

4 days, 1 hour

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror