- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] ALSA: wavefront: Fix integer overflow in sample size" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 0c4a13ba88594fd4a27292853e736c6b4349823d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025121615-subplot-parachute-73bb@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0c4a13ba88594fd4a27292853e736c6b4349823d Mon Sep 17 00:00:00 2001 From: Junrui Luo <moonafterrain(a)outlook.com> Date: Thu, 6 Nov 2025 10:49:46 +0800 Subject: [PATCH] ALSA: wavefront: Fix integer overflow in sample size validation The wavefront_send_sample() function has an integer overflow issue when validating sample size. The header->size field is u32 but gets cast to int for comparison with dev->freemem Fix by using unsigned comparison to avoid integer overflow. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Junrui Luo <moonafterrain(a)outlook.com> Link: https://patch.msgid.link/SYBPR01MB7881B47789D1B060CE8BF4C3AFC2A@SYBPR01MB78… Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c index cd5c177943aa..0d78533e1cfd 100644 --- a/sound/isa/wavefront/wavefront_synth.c +++ b/sound/isa/wavefront/wavefront_synth.c @@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t *dev, if (header->size) { dev->freemem = wavefront_freemem (dev); - if (dev->freemem < (int)header->size) { + if (dev->freemem < 0 || dev->freemem < header->size) { dev_err(dev->card->dev, - "insufficient memory to load %d byte sample.\n", + "insufficient memory to load %u byte sample.\n", header->size); return -ENOMEM; }

3 days, 15 hours

2
2
0 0

FAILED: patch "[PATCH] ALSA: wavefront: Clear substream pointers on close" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x e11c5c13ce0ab2325d38fe63500be1dd88b81e38 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025121659-feline-king-9be3@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e11c5c13ce0ab2325d38fe63500be1dd88b81e38 Mon Sep 17 00:00:00 2001 From: Junrui Luo <moonafterrain(a)outlook.com> Date: Thu, 6 Nov 2025 10:24:57 +0800 Subject: [PATCH] ALSA: wavefront: Clear substream pointers on close Clear substream pointers in close functions to avoid leaving dangling pointers, helping to improve code safety and prevents potential issues. Reported-by: Yuhao Jiang <danisjiang(a)gmail.com> Reported-by: Junrui Luo <moonafterrain(a)outlook.com> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Junrui Luo <moonafterrain(a)outlook.com> Link: https://patch.msgid.link/SYBPR01MB7881DF762CAB45EE42F6D812AFC2A@SYBPR01MB78… Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/isa/wavefront/wavefront_midi.c b/sound/isa/wavefront/wavefront_midi.c index 1250ecba659a..69d87c4cafae 100644 --- a/sound/isa/wavefront/wavefront_midi.c +++ b/sound/isa/wavefront/wavefront_midi.c @@ -278,6 +278,7 @@ static int snd_wavefront_midi_input_close(struct snd_rawmidi_substream *substrea return -EIO; guard(spinlock_irqsave)(&midi->open); + midi->substream_input[mpu] = NULL; midi->mode[mpu] &= ~MPU401_MODE_INPUT; return 0; @@ -300,6 +301,7 @@ static int snd_wavefront_midi_output_close(struct snd_rawmidi_substream *substre return -EIO; guard(spinlock_irqsave)(&midi->open); + midi->substream_output[mpu] = NULL; midi->mode[mpu] &= ~MPU401_MODE_OUTPUT; return 0; }

3 days, 15 hours

2
2
0 0

[PATCH] wifi: mac80211: restore non-chanctx injection behaviour

by Johannes Berg

From: Johannes Berg <johannes.berg(a)intel.com> During the transition to use channel contexts throughout, the ability to do injection while in monitor mode concurrent with another interface was lost, since the (virtual) monitor won't have a chanctx assigned in this scenario. It's harder to fix drivers that actually transitioned to using channel contexts themselves, such as mt76, but it's easy to do those that are (still) just using the emulation. Do that. Cc: stable(a)vger.kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=218763 Reported-and-tested-by: Oscar Alfonso Diaz <oscar.alfonso.diaz(a)gmail.com> Fixes: 0a44dfc07074 ("wifi: mac80211: simplify non-chanctx drivers") Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> --- net/mac80211/tx.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index 9d8b0a25f73c..1b55e8340413 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -2397,6 +2397,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb, if (chanctx_conf) chandef = &chanctx_conf->def; + else if (local->emulate_chanctx) + chandef = &local->hw.conf.chandef; else goto fail_rcu; -- 2.52.0

3 days, 15 hours

1
0
0 0

Re: Patch "media: ov02c10: Fix default vertical flip" has been added to the 6.18-stable tree

by Hans de Goede

Hi Sasha, On 13-Dec-25 10:35, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > media: ov02c10: Fix default vertical flip This fix is incomplete, leading to wrong colors and it causes the image to be upside down on some Dell XPS models where it currently is the right way up. There is a series of fixes which applies on top of this to fix both issues: https://lore.kernel.org/linux-media/20251210112436.167212-1-johannes.goede@… For now (without the fixes on top) we are better of not adding this patch to the stable series. Can you drop this patch please? Same for 6.17 and other stable series. Regards, Hans > > to the 6.18-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > media-ov02c10-fix-default-vertical-flip.patch > and it can be found in the queue-6.18 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 14cc4474799a595caeccdb8fdf2ca4b867cef972 > Author: Sebastian Reichel <sre(a)kernel.org> > Date: Wed Aug 20 02:13:19 2025 +0200 > > media: ov02c10: Fix default vertical flip > > [ Upstream commit d5ebe3f7d13d4cee3ff7e718de23564915aaf163 ] > > The driver right now defaults to setting the vertical flip bit. This > conflicts with proper handling of the rotation property defined in > ACPI or device tree, so drop the VFLIP bit. It should be handled via > V4L2_CID_VFLIP instead. > > Reported-by: Frederic Stuyk <fstuyk(a)runbox.com> > Closes: https://lore.kernel.org/all/b6df9ae7-ea9f-4e5a-8065-5b130f534f37@runbox.com/ > Fixes: 44f89010dae0 ("media: i2c: Add Omnivision OV02C10 sensor driver") > Signed-off-by: Sebastian Reichel <sre(a)kernel.org> > Reviewed-by: Bryan O'Donoghue <bod(a)kernel.org> > Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> > Signed-off-by: Hans Verkuil <hverkuil+cisco(a)kernel.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/media/i2c/ov02c10.c b/drivers/media/i2c/ov02c10.c > index 8c4d85dc7922e..8e22ff446b0c4 100644 > --- a/drivers/media/i2c/ov02c10.c > +++ b/drivers/media/i2c/ov02c10.c > @@ -174,7 +174,7 @@ static const struct reg_sequence sensor_1928x1092_30fps_setting[] = { > {0x3816, 0x01}, > {0x3817, 0x01}, > > - {0x3820, 0xb0}, > + {0x3820, 0xa0}, > {0x3821, 0x00}, > {0x3822, 0x80}, > {0x3823, 0x08},

3 days, 16 hours

2
1
0 0

[PATCH 6.12 00/49] 6.12.62-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.62 release. There are 49 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 12 Dec 2025 07:29:38 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.62-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.62-rc1 Daniele Palmas <dnlplm(a)gmail.com> bus: mhi: host: pci_generic: Add Telit FN990B40 modem support Daniele Palmas <dnlplm(a)gmail.com> bus: mhi: host: pci_generic: Add Telit FN920C04 modem support Navaneeth K <knavaneeth786(a)gmail.com> staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing Navaneeth K <knavaneeth786(a)gmail.com> staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Navaneeth K <knavaneeth786(a)gmail.com> staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> comedi: check device's attached status in compat ioctls Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> comedi: multiq3: sanitize config options in multiq3_attach() Ian Abbott <abbotti(a)mev.co.uk> comedi: c6xdigio: Fix invalid PNP driver unregistration Zenm Chen <zenmchen(a)gmail.com> wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1 Zenm Chen <zenmchen(a)gmail.com> wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 Linus Torvalds <torvalds(a)linux-foundation.org> samples: work around glibc redefining some of our defines wrong Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Mask all interrupts during kexec/kdump Naoki Ueki <naoki25519(a)gmail.com> HID: elecom: Add support for ELECOM M-XT3URBK (018F) Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list Jia Ston <ston.jia(a)outlook.com> platform/x86: huawei-wmi: add keys for HONOR models April Grimoire <april(a)aprilg.moe> HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Armin Wolf <W_Armin(a)gmx.de> platform/x86: acer-wmi: Ignore backlight event Praveen Talari <praveen.talari(a)oss.qualcomm.com> pinctrl: qcom: msm: Fix deadlock in pinmux configuration Keith Busch <kbusch(a)kernel.org> nvme: fix admin request_queue lifetime Mario Limonciello (AMD) <superm1(a)kernel.org> HID: hid-input: Extend Elan ignore battery quirk to USB Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> bfs: Reconstruct file type when loading from disk Lushih Hsieh <bruce(a)mail.kh.edu.tw> ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Harish Kasiviswanathan <Harish.Kasiviswanathan(a)amd.com> drm/amdkfd: Fix GPU mappings for APU after prefetch Yiqi Sun <sunyiqixm(a)gmail.com> smb: fix invalid username check in smb3_fs_context_parse_param() Max Chou <max.chou(a)realtek.com> Bluetooth: btrtl: Avoid loading the config file on security chips Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Use kref in vmw_bo_dirty Robin Gong <yibin.gong(a)nxp.com> spi: imx: keep dma request disabled before dma transfer setup Alvaro Gamez Machado <alvaro.gamez(a)hazent.com> spi: xilinx: increase number of retries before declaring stall Song Liu <song(a)kernel.org> ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Johan Hovold <johan(a)kernel.org> USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC Johan Hovold <johan(a)kernel.org> USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Magne Bruno <magne.bruno(a)addi-data.com> serial: add support of CPCI cards Johan Hovold <johan(a)kernel.org> USB: serial: ftdi_sio: match on interface number for jtag Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: move Telit 0x10c7 composition in the right place Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE910C04 new compositions Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add Foxconn T99W760 Omar Sandoval <osandov(a)fb.com> KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Alexey Nepomnyashih <sdl(a)nppct.ru> ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Alexander Sverdlin <alexander.sverdlin(a)siemens.com> locking/spinlock/debug: Fix data-race in do_raw_write_lock Qianchang Zhao <pioooooooooip(a)gmail.com> ksmbd: ipc: fix use-after-free in ipc_msg_send_request Deepanshu Kartikey <kartikey406(a)gmail.com> ext4: refresh inline data size before write operations Ye Bin <yebin10(a)huawei.com> jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Bagas Sanjaya <bagasdotme(a)gmail.com> Documentation: process: Also mention Sasha Levin as stable tree maintainer Sabrina Dubroca <sd(a)queasysnail.net> xfrm: flush all states in xfrm_state_fini Sabrina Dubroca <sd(a)queasysnail.net> xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added Sabrina Dubroca <sd(a)queasysnail.net> Revert "xfrm: destroy xfrm_state synchronously on net exit path" Sabrina Dubroca <sd(a)queasysnail.net> xfrm: delete x->tunnel as we delete x ------------- Diffstat: Documentation/process/2.Process.rst | 6 ++- Makefile | 4 +- arch/loongarch/kernel/machine_kexec.c | 2 + arch/x86/include/asm/kvm_host.h | 9 ++++ arch/x86/kvm/svm/svm.c | 24 +++++---- arch/x86/kvm/x86.c | 21 ++++++++ drivers/bluetooth/btrtl.c | 24 +++++---- drivers/bus/mhi/host/pci_generic.c | 52 +++++++++++++++++++ drivers/comedi/comedi_fops.c | 42 ++++++++++++--- drivers/comedi/drivers/c6xdigio.c | 46 ++++++++++++---- drivers/comedi/drivers/multiq3.c | 9 ++++ drivers/comedi/drivers/pcl818.c | 5 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 + drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 12 ++--- drivers/hid/hid-apple.c | 1 + drivers/hid/hid-elecom.c | 6 ++- drivers/hid/hid-ids.h | 3 +- drivers/hid/hid-input.c | 5 +- drivers/hid/hid-quirks.c | 3 +- drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 ++ drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 + drivers/nvme/host/core.c | 3 +- drivers/pinctrl/qcom/pinctrl-msm.c | 2 +- drivers/platform/x86/acer-wmi.c | 4 ++ drivers/platform/x86/amd/pmc/pmc-quirks.c | 25 +++++++++ drivers/platform/x86/huawei-wmi.c | 4 ++ drivers/spi/spi-imx.c | 15 ++++-- drivers/spi/spi-xilinx.c | 2 +- drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 ++--- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 +++-- drivers/tty/serial/8250/8250_pci.c | 37 +++++++++++++ drivers/usb/serial/belkin_sa.c | 28 ++++++---- drivers/usb/serial/ftdi_sio.c | 72 +++++++++----------------- drivers/usb/serial/kobil_sct.c | 18 +++---- drivers/usb/serial/option.c | 22 ++++++-- fs/bfs/inode.c | 19 ++++++- fs/ext4/inline.c | 14 ++++- fs/jbd2/transaction.c | 19 +++++-- fs/smb/client/fs_context.c | 2 +- fs/smb/server/transport_ipc.c | 7 ++- include/net/xfrm.h | 13 ++--- kernel/locking/spinlock_debug.c | 4 +- kernel/trace/ftrace.c | 40 ++++++++++---- net/ipv4/ipcomp.c | 2 + net/ipv6/ipcomp6.c | 2 + net/ipv6/xfrm6_tunnel.c | 2 +- net/key/af_key.c | 2 +- net/xfrm/xfrm_ipcomp.c | 1 - net/xfrm/xfrm_state.c | 41 ++++++--------- net/xfrm/xfrm_user.c | 2 +- samples/vfs/test-statx.c | 6 +++ samples/watch_queue/watch_test.c | 6 +++ sound/usb/quirks.c | 6 +++ 53 files changed, 521 insertions(+), 207 deletions(-)

3 days, 16 hours

14
63
0 0

[PATCH] [STABLE ONLY] firmware: arm_scmi: Fix unused notifier-block in unregister

by Amitai Gottlieb

In function `scmi_devm_notifier_unregister` the notifier-block parameter was unused and therefore never passed to `devres_release`. This causes the function to always return -ENOENT and fail to unregister the notifier. In drivers that rely on this function for cleanup this causes unexpected failures including kernel-panic. This is not needed upstream becaues the bug was fixed in a refactor by commit 264a2c520628 ("firmware: arm_scmi: Simplify scmi_devm_notifier_unregister"). It is needed for the 5.15, 6.1 and 6.6 kernels. Cc: <stable(a)vger.kernel.org> # 5.15.x, 6.1.x, and 6.6.x Fixes: 5ad3d1cf7d34 ("firmware: arm_scmi: Introduce new devres notification ops") Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Cristian Marussi <cristian.marussi(a)arm.com> Signed-off-by: Amitai Gottlieb <amitaig(a)hailo.ai> --- drivers/firmware/arm_scmi/notify.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/firmware/arm_scmi/notify.c b/drivers/firmware/arm_scmi/notify.c index 0efd20cd9d69..4782b115e6ec 100644 --- a/drivers/firmware/arm_scmi/notify.c +++ b/drivers/firmware/arm_scmi/notify.c @@ -1539,6 +1539,7 @@ static int scmi_devm_notifier_unregister(struct scmi_device *sdev, dres.handle = sdev->handle; dres.proto_id = proto_id; dres.evt_id = evt_id; + dres.nb = nb; if (src_id) { dres.__src_id = *src_id; dres.src_id = &dres.__src_id; -- 2.34.1

3 days, 17 hours

2
1
0 0

[PATCH 2/2 RESEND] mailbox: Make mbox_send_message() return error code when tx fails

by Joonwon Kang

Previously, when the mailbox controller failed transmitting message, the error code was only passed to the client's tx done handler and not to mbox_send_message(). For this reason, the function could return a false success. This commit resolves the issue by introducing the tx status and checking it before mbox_send_message() returns. Cc: stable(a)vger.kernel.org Signed-off-by: Joonwon Kang <joonwonkang(a)google.com> --- drivers/mailbox/mailbox.c | 17 +++++++++++++---- include/linux/mailbox_controller.h | 2 ++ 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c index 0afe3ae3bfdc..05808ecff774 100644 --- a/drivers/mailbox/mailbox.c +++ b/drivers/mailbox/mailbox.c @@ -23,7 +23,8 @@ static LIST_HEAD(mbox_cons); static DEFINE_MUTEX(con_mutex); -static int add_to_rbuf(struct mbox_chan *chan, void *mssg, struct completion *tx_complete) +static int add_to_rbuf(struct mbox_chan *chan, void *mssg, struct completion *tx_complete, + int *tx_status) { int idx; @@ -36,6 +37,7 @@ static int add_to_rbuf(struct mbox_chan *chan, void *mssg, struct completion *tx idx = chan->msg_free; chan->msg_data[idx].data = mssg; chan->msg_data[idx].tx_complete = tx_complete; + chan->msg_data[idx].tx_status = tx_status; chan->msg_count++; if (idx == MBOX_TX_QUEUE_LEN - 1) @@ -87,12 +89,14 @@ static void tx_tick(struct mbox_chan *chan, int r) int idx; void *mssg = NULL; struct completion *tx_complete = NULL; + int *tx_status = NULL; scoped_guard(spinlock_irqsave, &chan->lock) { idx = chan->active_req; if (idx >= 0) { mssg = chan->msg_data[idx].data; tx_complete = chan->msg_data[idx].tx_complete; + tx_status = chan->msg_data[idx].tx_status; chan->active_req = -1; } } @@ -107,8 +111,10 @@ static void tx_tick(struct mbox_chan *chan, int r) if (chan->cl->tx_done) chan->cl->tx_done(chan->cl, mssg, r); - if (r != -ETIME && chan->cl->tx_block) + if (r != -ETIME && chan->cl->tx_block) { + *tx_status = r; complete(tx_complete); + } } static enum hrtimer_restart txdone_hrtimer(struct hrtimer *hrtimer) @@ -253,15 +259,16 @@ int mbox_send_message(struct mbox_chan *chan, void *mssg) { int t; struct completion tx_complete; + int tx_status = 0; if (!chan || !chan->cl) return -EINVAL; if (chan->cl->tx_block) { init_completion(&tx_complete); - t = add_to_rbuf(chan, mssg, &tx_complete); + t = add_to_rbuf(chan, mssg, &tx_complete, &tx_status); } else { - t = add_to_rbuf(chan, mssg, NULL); + t = add_to_rbuf(chan, mssg, NULL, NULL); } if (t < 0) { @@ -284,6 +291,8 @@ int mbox_send_message(struct mbox_chan *chan, void *mssg) if (ret == 0) { t = -ETIME; tx_tick(chan, t); + } else if (tx_status < 0) { + t = tx_status; } } diff --git a/include/linux/mailbox_controller.h b/include/linux/mailbox_controller.h index 67e08a440f5f..6929774d3129 100644 --- a/include/linux/mailbox_controller.h +++ b/include/linux/mailbox_controller.h @@ -109,10 +109,12 @@ struct mbox_controller { * struct mbox_message - Internal representation of a mailbox message * @data: Data packet * @tx_complete: Pointer to the transmission completion + * @tx_status: Pointer to the transmission status */ struct mbox_message { void *data; struct completion *tx_complete; + int *tx_status; }; /** -- 2.52.0.239.gd5f0c6e74e-goog

3 days, 18 hours

1
0
0 0

[PATCH 1/2 RESEND] mailbox: Use per-thread completion to fix wrong completion order

by Joonwon Kang

Previously, a sender thread in mbox_send_message() could be woken up at a wrong time in blocking mode. It is because there was only a single completion for a channel whereas messages from multiple threads could be sent on the same channel in any order; since the shared completion could be signalled in any order, it could wake up a wrong sender thread. This commit resolves the false wake-up issue with the following changes: - Completions are created just as many as the number of concurrent sender threads - A completion is created on a sender thread's stack - Each slot of the message queue, i.e. `msg_data`, contains a pointer to its target completion - tx_tick() signals the completion of the currently active slot of the message queue Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/1490809381-28869-1-git-send-email-jaswinder.sin… Signed-off-by: Joonwon Kang <joonwonkang(a)google.com> --- Link -> v1: The previous solution in the Link tries to have per-message completion: `tx_cmpl[MBOX_TX_QUEUE_LEN]`; each completion belongs to each slot of the message queue: `msg_data[i]`. Those completions take up additional memory even when they are not used. Instead, this patch tries to have per-"thread" completion; each completion belongs to each sender thread and each slot of the message queue has a pointer to that completion; `struct mbox_message` has the "pointer" field `struct completion *tx_complete` which points to the completion which is created on the stack of the sender, instead of owning the completion by `struct completion tx_complete`. This way, we could avoid additional memory use since a completion will be allocated only when necessary. Plus, more importantly, we could avoid the window where the same completion is reused by different sender threads which the previous solution still has. drivers/mailbox/mailbox.c | 43 +++++++++++++++++++----------- drivers/mailbox/tegra-hsp.c | 2 +- include/linux/mailbox_controller.h | 20 +++++++++----- 3 files changed, 43 insertions(+), 22 deletions(-) diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c index 617ba505691d..0afe3ae3bfdc 100644 --- a/drivers/mailbox/mailbox.c +++ b/drivers/mailbox/mailbox.c @@ -23,7 +23,7 @@ static LIST_HEAD(mbox_cons); static DEFINE_MUTEX(con_mutex); -static int add_to_rbuf(struct mbox_chan *chan, void *mssg) +static int add_to_rbuf(struct mbox_chan *chan, void *mssg, struct completion *tx_complete) { int idx; @@ -34,7 +34,8 @@ static int add_to_rbuf(struct mbox_chan *chan, void *mssg) return -ENOBUFS; idx = chan->msg_free; - chan->msg_data[idx] = mssg; + chan->msg_data[idx].data = mssg; + chan->msg_data[idx].tx_complete = tx_complete; chan->msg_count++; if (idx == MBOX_TX_QUEUE_LEN - 1) @@ -52,7 +53,7 @@ static void msg_submit(struct mbox_chan *chan) int err = -EBUSY; scoped_guard(spinlock_irqsave, &chan->lock) { - if (!chan->msg_count || chan->active_req) + if (!chan->msg_count || chan->active_req >= 0) break; count = chan->msg_count; @@ -62,14 +63,14 @@ static void msg_submit(struct mbox_chan *chan) else idx += MBOX_TX_QUEUE_LEN - count; - data = chan->msg_data[idx]; + data = chan->msg_data[idx].data; if (chan->cl->tx_prepare) chan->cl->tx_prepare(chan->cl, data); /* Try to submit a message to the MBOX controller */ err = chan->mbox->ops->send_data(chan, data); if (!err) { - chan->active_req = data; + chan->active_req = idx; chan->msg_count--; } } @@ -83,11 +84,17 @@ static void msg_submit(struct mbox_chan *chan) static void tx_tick(struct mbox_chan *chan, int r) { - void *mssg; + int idx; + void *mssg = NULL; + struct completion *tx_complete = NULL; scoped_guard(spinlock_irqsave, &chan->lock) { - mssg = chan->active_req; - chan->active_req = NULL; + idx = chan->active_req; + if (idx >= 0) { + mssg = chan->msg_data[idx].data; + tx_complete = chan->msg_data[idx].tx_complete; + chan->active_req = -1; + } } /* Submit next message */ @@ -101,7 +108,7 @@ static void tx_tick(struct mbox_chan *chan, int r) chan->cl->tx_done(chan->cl, mssg, r); if (r != -ETIME && chan->cl->tx_block) - complete(&chan->tx_complete); + complete(tx_complete); } static enum hrtimer_restart txdone_hrtimer(struct hrtimer *hrtimer) @@ -114,7 +121,7 @@ static enum hrtimer_restart txdone_hrtimer(struct hrtimer *hrtimer) for (i = 0; i < mbox->num_chans; i++) { struct mbox_chan *chan = &mbox->chans[i]; - if (chan->active_req && chan->cl) { + if (chan->active_req >= 0 && chan->cl) { txdone = chan->mbox->ops->last_tx_done(chan); if (txdone) tx_tick(chan, 0); @@ -245,11 +252,18 @@ EXPORT_SYMBOL_GPL(mbox_client_peek_data); int mbox_send_message(struct mbox_chan *chan, void *mssg) { int t; + struct completion tx_complete; if (!chan || !chan->cl) return -EINVAL; - t = add_to_rbuf(chan, mssg); + if (chan->cl->tx_block) { + init_completion(&tx_complete); + t = add_to_rbuf(chan, mssg, &tx_complete); + } else { + t = add_to_rbuf(chan, mssg, NULL); + } + if (t < 0) { dev_err(chan->mbox->dev, "Try increasing MBOX_TX_QUEUE_LEN\n"); return t; @@ -266,7 +280,7 @@ int mbox_send_message(struct mbox_chan *chan, void *mssg) else wait = msecs_to_jiffies(chan->cl->tx_tout); - ret = wait_for_completion_timeout(&chan->tx_complete, wait); + ret = wait_for_completion_timeout(&tx_complete, wait); if (ret == 0) { t = -ETIME; tx_tick(chan, t); @@ -319,9 +333,8 @@ static int __mbox_bind_client(struct mbox_chan *chan, struct mbox_client *cl) scoped_guard(spinlock_irqsave, &chan->lock) { chan->msg_free = 0; chan->msg_count = 0; - chan->active_req = NULL; + chan->active_req = -1; chan->cl = cl; - init_completion(&chan->tx_complete); if (chan->txdone_method == TXDONE_BY_POLL && cl->knows_txdone) chan->txdone_method = TXDONE_BY_ACK; @@ -477,7 +490,7 @@ void mbox_free_channel(struct mbox_chan *chan) /* The queued TX requests are simply aborted, no callbacks are made */ scoped_guard(spinlock_irqsave, &chan->lock) { chan->cl = NULL; - chan->active_req = NULL; + chan->active_req = -1; if (chan->txdone_method == TXDONE_BY_ACK) chan->txdone_method = TXDONE_BY_POLL; } diff --git a/drivers/mailbox/tegra-hsp.c b/drivers/mailbox/tegra-hsp.c index ed9a0bb2bcd8..de7494ce0a9f 100644 --- a/drivers/mailbox/tegra-hsp.c +++ b/drivers/mailbox/tegra-hsp.c @@ -497,7 +497,7 @@ static int tegra_hsp_mailbox_flush(struct mbox_chan *chan, mbox_chan_txdone(chan, 0); /* Wait until channel is empty */ - if (chan->active_req != NULL) + if (chan->active_req >= 0) continue; return 0; diff --git a/include/linux/mailbox_controller.h b/include/linux/mailbox_controller.h index 80a427c7ca29..67e08a440f5f 100644 --- a/include/linux/mailbox_controller.h +++ b/include/linux/mailbox_controller.h @@ -105,16 +105,25 @@ struct mbox_controller { */ #define MBOX_TX_QUEUE_LEN 20 +/** + * struct mbox_message - Internal representation of a mailbox message + * @data: Data packet + * @tx_complete: Pointer to the transmission completion + */ +struct mbox_message { + void *data; + struct completion *tx_complete; +}; + /** * struct mbox_chan - s/w representation of a communication chan * @mbox: Pointer to the parent/provider of this channel * @txdone_method: Way to detect TXDone chosen by the API * @cl: Pointer to the current owner of this channel - * @tx_complete: Transmission completion - * @active_req: Currently active request hook + * @active_req: Index of the currently active slot in the queue * @msg_count: No. of mssg currently queued * @msg_free: Index of next available mssg slot - * @msg_data: Hook for data packet + * @msg_data: Queue of data packets * @lock: Serialise access to the channel * @con_priv: Hook for controller driver to attach private data */ @@ -122,10 +131,9 @@ struct mbox_chan { struct mbox_controller *mbox; unsigned txdone_method; struct mbox_client *cl; - struct completion tx_complete; - void *active_req; + int active_req; unsigned msg_count, msg_free; - void *msg_data[MBOX_TX_QUEUE_LEN]; + struct mbox_message msg_data[MBOX_TX_QUEUE_LEN]; spinlock_t lock; /* Serialise access to the channel */ void *con_priv; }; -- 2.52.0.239.gd5f0c6e74e-goog

3 days, 18 hours

1
0
0 0

[PATCH 5.10.y 0/2] Backport 2 commits to fix a KASAN ext4 splat

by David Nyström

Backport commit:5701875f9609 ("ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()" to linux 5.10 branch. The fix depends on commit:69f3a3039b0d ("ext4: introduce ITAIL helper") In order to make a clean backport on stable kernel, backport 2 commits. It has a single merge conflict where static inline int, which changed to static int. To: stable(a)vger.kernel.org Cc: Theodore Ts'o <tytso(a)mit.edu> Cc: Ye Bin <yebin10(a)huawei.com> Cc: Sasha Levin <sashal(a)kernel.org> Signed-off-by: David Nyström <david.nystrom(a)est.tech> --- Ye Bin (2): ext4: introduce ITAIL helper ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() fs/ext4/inode.c | 5 +++++ fs/ext4/xattr.c | 32 ++++---------------------------- fs/ext4/xattr.h | 10 ++++++++++ 3 files changed, 19 insertions(+), 28 deletions(-) --- base-commit: f964b940099f9982d723d4c77988d4b0dda9c165 change-id: 20251215-ext4_splat-f59c1acd9e88 Best regards, -- David Nyström <david.nystrom(a)est.tech>

3 days, 18 hours

1
2
0 0

[PATCH] crypto: arm64/ghash - Fix incorrect output from ghash-neon

by Eric Biggers

Commit 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") made ghash_finup() pass the wrong buffer to ghash_do_simd_update(). As a result, ghash-neon now produces incorrect outputs when the message length isn't divisible by 16 bytes. Fix this. (I didn't notice this earlier because this code is reached only on CPUs that support NEON but not PMULL. I haven't yet found a way to get qemu-system-aarch64 to emulate that configuration.) Fixes: 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") Cc: stable(a)vger.kernel.org Reported-by: Diederik de Haas <diederik(a)cknow-tech.com> Closes: https://lore.kernel.org/linux-crypto/DETXT7QI62KE.F3CGH2VWX1SC@cknow-tech.c… Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- If it's okay, I'd like to just take this via libcrypto-fixes. arch/arm64/crypto/ghash-ce-glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c index 7951557a285a..ef249d06c92c 100644 --- a/arch/arm64/crypto/ghash-ce-glue.c +++ b/arch/arm64/crypto/ghash-ce-glue.c @@ -131,11 +131,11 @@ static int ghash_finup(struct shash_desc *desc, const u8 *src, if (len) { u8 buf[GHASH_BLOCK_SIZE] = {}; memcpy(buf, src, len); - ghash_do_simd_update(1, ctx->digest, src, key, NULL, + ghash_do_simd_update(1, ctx->digest, buf, key, NULL, pmull_ghash_update_p8); memzero_explicit(buf, sizeof(buf)); } return ghash_export(desc, dst); } base-commit: 7a3984bbd69055898add0fe22445f99435f33450 -- 2.52.0

3 days, 18 hours

4
8
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror