- Linux-stable-mirror - lists.linaro.org

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.191 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/powerpc/kernel/kvm.c | 8 arch/x86/kvm/lapic.c | 2 arch/x86/kvm/x86.c | 7 drivers/atm/atmtcp.c | 17 + drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 4 drivers/gpu/drm/drm_dp_helper.c | 2 drivers/gpu/drm/nouveau/dispnv50/wndw.c | 4 drivers/hid/hid-asus.c | 8 drivers/hid/hid-mcp2221.c | 71 +++++-- drivers/hid/hid-multitouch.c | 8 drivers/hid/hid-ntrig.c | 3 drivers/hid/wacom_wac.c | 1 drivers/net/ethernet/dlink/dl2k.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h | 12 + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 19 +- drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 4 drivers/net/phy/mscc/mscc.h | 4 drivers/net/phy/mscc/mscc_main.c | 4 drivers/net/phy/mscc/mscc_ptp.c | 34 ++- drivers/net/usb/qmi_wwan.c | 3 drivers/pinctrl/Kconfig | 1 drivers/scsi/scsi_sysfs.c | 4 drivers/vhost/net.c | 9 fs/efivarfs/super.c | 4 fs/nfs/pagelist.c | 86 --------- fs/nfs/write.c | 140 +++++++++------ fs/udf/directory.c | 2 fs/xfs/libxfs/xfs_attr_remote.c | 7 fs/xfs/libxfs/xfs_da_btree.c | 6 include/linux/atmdev.h | 1 include/linux/nfs_page.h | 2 kernel/dma/pool.c | 4 kernel/trace/trace.c | 4 net/atm/common.c | 15 + net/bluetooth/hci_event.c | 12 + net/ipv4/route.c | 10 - net/sctp/ipv6.c | 2 sound/soc/codecs/lpass-tx-macro.c | 2 40 files changed, 326 insertions(+), 207 deletions(-) Alex Deucher (1): Revert "drm/amdgpu: fix incorrect vm flags to map bo" Alexei Lazar (3): net/mlx5e: Update and set Xon/Xoff upon MTU set net/mlx5e: Update and set Xon/Xoff upon port speed set net/mlx5e: Set local Xoff after FW update Alexey Klimov (1): ASoC: codecs: tx-macro: correct tx_macro_component_drv name Christoph Hellwig (1): nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests Damien Le Moal (1): scsi: core: sysfs: Correct sysfs attributes access rights Eric Dumazet (1): sctp: initialize more fields in sctp_v6_from_sk() Eric Sandeen (1): xfs: do not propagate ENODATA disk errors into xattr code Fabio Porcedda (1): net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman (1): Linux 5.15.191 Hamish Martin (2): HID: mcp2221: Don't set bus speed on every transfer HID: mcp2221: Handle reads greater than 60 bytes Horatiu Vultur (1): phy: mscc: Fix when PTP clock is register and unregister Imre Deak (1): Revert "drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS" James Jones (1): drm/nouveau/disp: Always accept linear modifier Jan Kara (1): udf: Fix directory iteration for longer tail extents Kuniyuki Iwashima (1): atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). Li Nan (1): efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Luiz Augusto von Dentz (1): Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced Madhavan Srinivasan (1): powerpc/kvm: Fix ifdef to remove build warning Minjong Kim (1): HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() Nikolay Kuratov (1): vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put() Oscar Maes (1): net: ipv4: fix regression in local-broadcast routes Ping Cheng (1): HID: wacom: Add a new Art Pen 2 Qasim Ijaz (2): HID: asus: fix UAF via HID_CLAIMED_INPUT validation HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() Randy Dunlap (1): pinctrl: STMFX: add missing HAS_IOMEM dependency Rohan G Thomas (1): net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts Shanker Donthineni (1): dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted Tengda Wu (1): ftrace: Fix potential warning in trace_printk_seq during ftrace_dump Thijs Raymakers (1): KVM: x86: use array_index_nospec with indices that come from guest Trond Myklebust (1): NFS: Fix a race when updating an existing write Yeounsu Moon (1): net: dlink: fix multicast stats being counted incorrectly

6 days, 15 hours

1
1
0 0

Linux 5.10.242

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.242 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/powerpc/kernel/kvm.c | 8 arch/x86/kernel/cpu/hygon.c | 3 arch/x86/kvm/lapic.c | 2 arch/x86/kvm/x86.c | 7 drivers/atm/atmtcp.c | 17 + drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 4 drivers/gpu/drm/drm_dp_helper.c | 2 drivers/gpu/drm/nouveau/dispnv50/wndw.c | 4 drivers/hid/hid-asus.c | 8 drivers/hid/hid-mcp2221.c | 71 +++++-- drivers/hid/hid-ntrig.c | 3 drivers/hid/wacom_wac.c | 1 drivers/net/ethernet/dlink/dl2k.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h | 12 + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 19 +- drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 4 drivers/net/usb/qmi_wwan.c | 3 drivers/pinctrl/Kconfig | 1 drivers/scsi/scsi_sysfs.c | 4 drivers/vhost/net.c | 9 fs/efivarfs/super.c | 4 fs/nfs/pagelist.c | 86 --------- fs/nfs/write.c | 140 +++++++++------ fs/xfs/libxfs/xfs_attr_remote.c | 7 fs/xfs/libxfs/xfs_da_btree.c | 6 include/linux/atmdev.h | 1 include/linux/nfs_page.h | 2 kernel/dma/pool.c | 4 kernel/trace/trace.c | 4 net/atm/common.c | 15 + net/bluetooth/hci_event.c | 12 + net/ipv4/route.c | 10 - net/sctp/ipv6.c | 2 sound/soc/intel/boards/bxt_da7219_max98357a.c | 12 - sound/soc/intel/boards/glk_rt5682_max98357a.c | 4 sound/soc/intel/boards/sof_da7219_max98373.c | 10 - sound/soc/intel/boards/sof_rt5682.c | 12 - sound/soc/intel/common/soc-acpi-intel-bxt-match.c | 2 sound/soc/intel/common/soc-acpi-intel-cml-match.c | 2 sound/soc/intel/common/soc-acpi-intel-glk-match.c | 4 sound/soc/intel/common/soc-acpi-intel-jsl-match.c | 6 sound/soc/intel/common/soc-acpi-intel-tgl-match.c | 4 44 files changed, 321 insertions(+), 217 deletions(-) Alex Deucher (1): Revert "drm/amdgpu: fix incorrect vm flags to map bo" Alexei Lazar (3): net/mlx5e: Update and set Xon/Xoff upon MTU set net/mlx5e: Update and set Xon/Xoff upon port speed set net/mlx5e: Set local Xoff after FW update Brent Lu (1): ASoC: Intel: sof_da7219_mx98360a: fail to initialize soundcard Christoph Hellwig (1): nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests Damien Le Moal (1): scsi: core: sysfs: Correct sysfs attributes access rights Eric Dumazet (1): sctp: initialize more fields in sctp_v6_from_sk() Eric Sandeen (1): xfs: do not propagate ENODATA disk errors into xattr code Fabio Porcedda (1): net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman (1): Linux 5.10.242 Hamish Martin (2): HID: mcp2221: Don't set bus speed on every transfer HID: mcp2221: Handle reads greater than 60 bytes Imre Deak (1): Revert "drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS" James Jones (1): drm/nouveau/disp: Always accept linear modifier Kuniyuki Iwashima (1): atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). Li Nan (1): efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Luiz Augusto von Dentz (1): Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced Madhavan Srinivasan (1): powerpc/kvm: Fix ifdef to remove build warning Minjong Kim (1): HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() Nikolay Kuratov (1): vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put() Oscar Maes (1): net: ipv4: fix regression in local-broadcast routes Pierre-Louis Bossart (4): ASoC: Intel: bxt_da7219_max98357a: shrink platform_id below 20 characters ASoC: Intel: sof_rt5682: shrink platform_id names below 20 characters ASoC: Intel: glk_rt5682_max98357a: shrink platform_id below 20 characters ASoC: Intel: sof_da7219_max98373: shrink platform_id below 20 characters Ping Cheng (1): HID: wacom: Add a new Art Pen 2 Qasim Ijaz (1): HID: asus: fix UAF via HID_CLAIMED_INPUT validation Randy Dunlap (1): pinctrl: STMFX: add missing HAS_IOMEM dependency Rohan G Thomas (1): net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts Shanker Donthineni (1): dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted Tengda Wu (1): ftrace: Fix potential warning in trace_printk_seq during ftrace_dump Thijs Raymakers (1): KVM: x86: use array_index_nospec with indices that come from guest Tianxiang Peng (1): x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Trond Myklebust (1): NFS: Fix a race when updating an existing write Yeounsu Moon (1): net: dlink: fix multicast stats being counted incorrectly

6 days, 15 hours

1
1
0 0

Linux 5.4.298

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.298 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/powerpc/kernel/kvm.c | 8 +-- arch/x86/kvm/lapic.c | 3 + arch/x86/kvm/x86.c | 7 +- drivers/atm/atmtcp.c | 17 +++++- drivers/atm/eni.c | 17 ------ drivers/atm/firestream.c | 2 drivers/atm/fore200e.c | 27 ---------- drivers/atm/horizon.c | 40 --------------- drivers/atm/iphase.c | 16 ------ drivers/atm/lanai.c | 2 drivers/atm/solos-pci.c | 2 drivers/atm/zatm.c | 16 ------ drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 4 - drivers/gpu/drm/drm_dp_helper.c | 2 drivers/hid/hid-asus.c | 8 ++- drivers/hid/hid-ntrig.c | 3 + drivers/hid/wacom_wac.c | 1 drivers/net/ethernet/dlink/dl2k.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c | 3 - drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h | 12 ++++ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 19 ++++++- drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 4 - drivers/net/usb/qmi_wwan.c | 3 + drivers/pinctrl/Kconfig | 1 drivers/scsi/scsi_sysfs.c | 4 - drivers/vhost/net.c | 9 ++- fs/efivarfs/super.c | 4 + include/linux/atmdev.h | 10 --- kernel/trace/trace.c | 4 - net/atm/common.c | 29 +++++----- net/bluetooth/hci_event.c | 12 ++++ net/ipv4/route.c | 10 ++- net/sctp/ipv6.c | 2 34 files changed, 128 insertions(+), 177 deletions(-) Alex Deucher (1): Revert "drm/amdgpu: fix incorrect vm flags to map bo" Alexei Lazar (3): net/mlx5e: Update and set Xon/Xoff upon MTU set net/mlx5e: Update and set Xon/Xoff upon port speed set net/mlx5e: Set local Xoff after FW update Christoph Hellwig (1): net/atm: remove the atmdev_ops {get, set}sockopt methods Damien Le Moal (1): scsi: core: sysfs: Correct sysfs attributes access rights Eric Dumazet (1): sctp: initialize more fields in sctp_v6_from_sk() Fabio Porcedda (1): net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman (1): Linux 5.4.298 Imre Deak (1): Revert "drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS" Kuniyuki Iwashima (1): atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). Li Nan (1): efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Luiz Augusto von Dentz (1): Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced Madhavan Srinivasan (1): powerpc/kvm: Fix ifdef to remove build warning Minjong Kim (1): HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() Nikolay Kuratov (1): vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put() Oscar Maes (1): net: ipv4: fix regression in local-broadcast routes Ping Cheng (1): HID: wacom: Add a new Art Pen 2 Qasim Ijaz (1): HID: asus: fix UAF via HID_CLAIMED_INPUT validation Randy Dunlap (1): pinctrl: STMFX: add missing HAS_IOMEM dependency Rohan G Thomas (1): net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts Tengda Wu (1): ftrace: Fix potential warning in trace_printk_seq during ftrace_dump Thijs Raymakers (1): KVM: x86: use array_index_nospec with indices that come from guest Yeounsu Moon (1): net: dlink: fix multicast stats being counted incorrectly

6 days, 15 hours

1
1
0 0

[PATCH 5.4] mm/khugepaged: fix ->anon_vma race

by Bjoern Doebel

From: Jann Horn <jannh(a)google.com> [Upstream commit 023f47a8250c6bdb4aebe744db4bf7f73414028b] If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires it to be locked. Page table traversal is allowed under any one of the mmap lock, the anon_vma lock (if the VMA is associated with an anon_vma), and the mapping lock (if the VMA is associated with a mapping); and so to be able to remove page tables, we must hold all three of them. retract_page_tables() bails out if an ->anon_vma is attached, but does this check before holding the mmap lock (as the comment above the check explains). If we racily merged an existing ->anon_vma (shared with a child process) from a neighboring VMA, subsequent rmap traversals on pages belonging to the child will be able to see the page tables that we are concurrently removing while assuming that nothing else can access them. Repeat the ->anon_vma check once we hold the mmap lock to ensure that there really is no concurrent page table access. Hitting this bug causes a lockdep warning in collapse_and_free_pmd(), in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". It can also lead to use-after-free access. Link: https://lore.kernel.org/linux-mm/CAG48ez3434wZBKFFbdx4M9j6eUwSUVPd4dxhzW_k_… Link: https://lkml.kernel.org/r/20230111133351.807024-1-jannh@google.com Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") Signed-off-by: Jann Horn <jannh(a)google.com> Reported-by: Zach O'Keefe <zokeefe(a)google.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)intel.linux.com> Reviewed-by: Yang Shi <shy828301(a)gmail.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [doebel(a)amazon.de: Kernel 5.4 uses different control flow and locking mechanism. Context adjustments.] Signed-off-by: Bjoern Doebel <doebel(a)amazon.de> --- Testing - passed the Amazon Linux kernel release tests - already shipped in Amazon Linux 2 - compile-tested against v5.4.298 --- mm/khugepaged.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index f1f98305433e..d6da1fcbef6f 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -1476,7 +1476,7 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) * has higher cost too. It would also probably require locking * the anon_vma. */ - if (vma->anon_vma) + if (READ_ONCE(vma->anon_vma)) continue; addr = vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT); if (addr & ~HPAGE_PMD_MASK) @@ -1498,6 +1498,18 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) if (!khugepaged_test_exit(mm)) { struct mmu_notifier_range range; + /* + * Re-check whether we have an ->anon_vma, because + * collapse_and_free_pmd() requires that either no + * ->anon_vma exists or the anon_vma is locked. + * We already checked ->anon_vma above, but that check + * is racy because ->anon_vma can be populated under the + * mmap_sem in read mode. + */ + if (vma->anon_vma) { + up_write(&mm->mmap_sem); + continue; + } mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, NULL, mm, addr, -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

6 days, 15 hours

1
0
0 0

[PATCH 5.10] mm/khugepaged: fix ->anon_vma race

by Bjoern Doebel

From: Jann Horn <jannh(a)google.com> [Upstream commit 023f47a8250c6bdb4aebe744db4bf7f73414028b] If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires it to be locked. Page table traversal is allowed under any one of the mmap lock, the anon_vma lock (if the VMA is associated with an anon_vma), and the mapping lock (if the VMA is associated with a mapping); and so to be able to remove page tables, we must hold all three of them. retract_page_tables() bails out if an ->anon_vma is attached, but does this check before holding the mmap lock (as the comment above the check explains). If we racily merged an existing ->anon_vma (shared with a child process) from a neighboring VMA, subsequent rmap traversals on pages belonging to the child will be able to see the page tables that we are concurrently removing while assuming that nothing else can access them. Repeat the ->anon_vma check once we hold the mmap lock to ensure that there really is no concurrent page table access. Hitting this bug causes a lockdep warning in collapse_and_free_pmd(), in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". It can also lead to use-after-free access. Link: https://lore.kernel.org/linux-mm/CAG48ez3434wZBKFFbdx4M9j6eUwSUVPd4dxhzW_k_… Link: https://lkml.kernel.org/r/20230111133351.807024-1-jannh@google.com Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") Signed-off-by: Jann Horn <jannh(a)google.com> Reported-by: Zach O'Keefe <zokeefe(a)google.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)intel.linux.com> Reviewed-by: Yang Shi <shy828301(a)gmail.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [doebel(a)amazon.de: Kernel 5.10 uses different control flow pattern, context adjustments] Signed-off-by: Bjoern Doebel <doebel(a)amazon.de> --- Testing - passed the Amazon Linux kernel release tests - already shipped in Amazon Linux 2 - compile-tested against v5.10.142 --- mm/khugepaged.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index 28e18777ec51..511499e8e29a 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -1611,7 +1611,7 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) * has higher cost too. It would also probably require locking * the anon_vma. */ - if (vma->anon_vma) + if (READ_ONCE(vma->anon_vma)) continue; addr = vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT); if (addr & ~HPAGE_PMD_MASK) @@ -1633,6 +1633,19 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) if (!khugepaged_test_exit(mm)) { struct mmu_notifier_range range; + /* + * Re-check whether we have an ->anon_vma, because + * collapse_and_free_pmd() requires that either no + * ->anon_vma exists or the anon_vma is locked. + * We already checked ->anon_vma above, but that check + * is racy because ->anon_vma can be populated under the + * mmap lock in read mode. + */ + if (vma->anon_vma) { + mmap_write_unlock(mm); + continue; + } + mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, NULL, mm, addr, -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

6 days, 15 hours

1
0
0 0

RE: Patch "drm/amdgpu: Add more checks to PSP mailbox" has been added to the 6.16-stable tree

by Deucher, Alexander

[Public] > -----Original Message----- > From: Sasha Levin <sashal(a)kernel.org> > Sent: Sunday, August 17, 2025 9:38 AM > To: stable-commits(a)vger.kernel.org; Lazar, Lijo <Lijo.Lazar(a)amd.com> > Cc: Deucher, Alexander <Alexander.Deucher(a)amd.com>; Koenig, Christian > <Christian.Koenig(a)amd.com>; David Airlie <airlied(a)gmail.com>; Simona Vetter > <simona(a)ffwll.ch> > Subject: Patch "drm/amdgpu: Add more checks to PSP mailbox" has been added to > the 6.16-stable tree > > This is a note to let you know that I've just added the patch titled > > drm/amdgpu: Add more checks to PSP mailbox > > to the 6.16-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > drm-amdgpu-add-more-checks-to-psp-mailbox.patch > and it can be found in the queue-6.16 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, please let > <stable(a)vger.kernel.org> know about it. > Please drop this patch for 6.16. It's not for stable and causes regressions on 6.16. Alex > > > commit eb1b9227a503b05c0afd067598c7bcef1e8801cf > Author: Lijo Lazar <lijo.lazar(a)amd.com> > Date: Mon Jun 2 12:55:14 2025 +0530 > > drm/amdgpu: Add more checks to PSP mailbox > > [ Upstream commit 8345a71fc54b28e4d13a759c45ce2664d8540d28 ] > > Instead of checking the response flag, use status mask also to check > against any unexpected failures like a device drop. Also, log error if > waiting on a psp response fails/times out. > > Signed-off-by: Lijo Lazar <lijo.lazar(a)amd.com> > Reviewed-by: Hawking Zhang <Hawking.Zhang(a)amd.com> > Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c > b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c > index c14f63cefe67..7d8b98aa5271 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c > @@ -596,6 +596,10 @@ int psp_wait_for(struct psp_context *psp, uint32_t > reg_index, > udelay(1); > } > > + dev_err(adev->dev, > + "psp reg (0x%x) wait timed out, mask: %x, read: %x exp: %x", > + reg_index, mask, val, reg_val); > + > return -ETIME; > } > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h > b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h > index 428adc7f741d..a4a00855d0b2 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h > @@ -51,6 +51,17 @@ > #define C2PMSG_CMD_SPI_GET_ROM_IMAGE_ADDR_HI 0x10 #define > C2PMSG_CMD_SPI_GET_FLASH_IMAGE 0x11 > > +/* Command register bit 31 set to indicate readiness */ #define > +MBOX_TOS_READY_FLAG (GFX_FLAG_RESPONSE) #define > MBOX_TOS_READY_MASK > +(GFX_CMD_RESPONSE_MASK | GFX_CMD_STATUS_MASK) > + > +/* Values to check for a successful GFX_CMD response wait. Check > +against > + * both status bits and response state - helps to detect a command > +failure > + * or other unexpected cases like a device drop reading all 0xFFs */ > +#define MBOX_TOS_RESP_FLAG (GFX_FLAG_RESPONSE) #define > +MBOX_TOS_RESP_MASK (GFX_CMD_RESPONSE_MASK | > GFX_CMD_STATUS_MASK) > + > extern const struct attribute_group amdgpu_flash_attr_group; > > enum psp_shared_mem_size { > diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v10_0.c > b/drivers/gpu/drm/amd/amdgpu/psp_v10_0.c > index 145186a1e48f..2c4ebd98927f 100644 > --- a/drivers/gpu/drm/amd/amdgpu/psp_v10_0.c > +++ b/drivers/gpu/drm/amd/amdgpu/psp_v10_0.c > @@ -94,7 +94,7 @@ static int psp_v10_0_ring_create(struct psp_context *psp, > > /* Wait for response flag (bit 31) in C2PMSG_64 */ > ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > - 0x80000000, 0x8000FFFF, false); > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > > return ret; > } > @@ -115,7 +115,7 @@ static int psp_v10_0_ring_stop(struct psp_context *psp, > > /* Wait for response flag (bit 31) in C2PMSG_64 */ > ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > > return ret; > } > diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c > b/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c > index 215543575f47..1a4a26e6ffd2 100644 > --- a/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c > +++ b/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c > @@ -277,11 +277,13 @@ static int psp_v11_0_ring_stop(struct psp_context *psp, > > /* Wait for response flag (bit 31) */ > if (amdgpu_sriov_vf(adev)) > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_101), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_101), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > else > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > > return ret; > } > @@ -317,13 +319,15 @@ static int psp_v11_0_ring_create(struct psp_context > *psp, > mdelay(20); > > /* Wait for response flag (bit 31) in C2PMSG_101 */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_101), > - 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_101), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > > } else { > /* Wait for sOS ready for ring creation */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > + MBOX_TOS_READY_FLAG, MBOX_TOS_READY_MASK, > false); > if (ret) { > DRM_ERROR("Failed to wait for sOS ready for ring > creation\n"); > return ret; > @@ -347,8 +351,9 @@ static int psp_v11_0_ring_create(struct psp_context *psp, > mdelay(20); > > /* Wait for response flag (bit 31) in C2PMSG_64 */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > - 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } > > return ret; > @@ -381,7 +386,8 @@ static int psp_v11_0_mode1_reset(struct psp_context > *psp) > > offset = SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64); > > - ret = psp_wait_for(psp, offset, 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for(psp, offset, MBOX_TOS_READY_FLAG, > + MBOX_TOS_READY_MASK, false); > > if (ret) { > DRM_INFO("psp is not working correctly before mode1 reset!\n"); > @@ -395,7 +401,8 @@ static int psp_v11_0_mode1_reset(struct psp_context > *psp) > > offset = SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_33); > > - ret = psp_wait_for(psp, offset, 0x80000000, 0x80000000, false); > + ret = psp_wait_for(psp, offset, MBOX_TOS_RESP_FLAG, > MBOX_TOS_RESP_MASK, > + false); > > if (ret) { > DRM_INFO("psp mode 1 reset failed!\n"); diff --git > a/drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c > b/drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c > index 5697760a819b..338d015c0f2e 100644 > --- a/drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c > +++ b/drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c > @@ -41,8 +41,9 @@ static int psp_v11_0_8_ring_stop(struct psp_context *psp, > /* there might be handshake issue with hardware which needs delay > */ > mdelay(20); > /* Wait for response flag (bit 31) */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_101), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_101), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } else { > /* Write the ring destroy command*/ > WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_64, @@ -50,8 > +51,9 @@ static int psp_v11_0_8_ring_stop(struct psp_context *psp, > /* there might be handshake issue with hardware which needs delay > */ > mdelay(20); > /* Wait for response flag (bit 31) */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } > > return ret; > @@ -87,13 +89,15 @@ static int psp_v11_0_8_ring_create(struct psp_context > *psp, > mdelay(20); > > /* Wait for response flag (bit 31) in C2PMSG_101 */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_101), > - 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_101), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > > } else { > /* Wait for sOS ready for ring creation */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > + MBOX_TOS_READY_FLAG, MBOX_TOS_READY_MASK, > false); > if (ret) { > DRM_ERROR("Failed to wait for trust OS ready for ring > creation\n"); > return ret; > @@ -117,8 +121,9 @@ static int psp_v11_0_8_ring_create(struct psp_context > *psp, > mdelay(20); > > /* Wait for response flag (bit 31) in C2PMSG_64 */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > - 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } > > return ret; > diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c > b/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c > index 80153f837470..d54b3e0fabaf 100644 > --- a/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c > +++ b/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c > @@ -163,7 +163,7 @@ static int psp_v12_0_ring_create(struct psp_context *psp, > > /* Wait for response flag (bit 31) in C2PMSG_64 */ > ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > - 0x80000000, 0x8000FFFF, false); > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > > return ret; > } > @@ -184,11 +184,13 @@ static int psp_v12_0_ring_stop(struct psp_context *psp, > > /* Wait for response flag (bit 31) */ > if (amdgpu_sriov_vf(adev)) > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_101), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_101), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > else > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > mmMP0_SMN_C2PMSG_64), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > > return ret; > } > @@ -219,7 +221,8 @@ static int psp_v12_0_mode1_reset(struct psp_context > *psp) > > offset = SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64); > > - ret = psp_wait_for(psp, offset, 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for(psp, offset, MBOX_TOS_READY_FLAG, > + MBOX_TOS_READY_MASK, false); > > if (ret) { > DRM_INFO("psp is not working correctly before mode1 reset!\n"); > @@ -233,7 +236,8 @@ static int psp_v12_0_mode1_reset(struct psp_context > *psp) > > offset = SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_33); > > - ret = psp_wait_for(psp, offset, 0x80000000, 0x80000000, false); > + ret = psp_wait_for(psp, offset, MBOX_TOS_RESP_FLAG, > MBOX_TOS_RESP_MASK, > + false); > > if (ret) { > DRM_INFO("psp mode 1 reset failed!\n"); diff --git > a/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c > b/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c > index ead616c11705..58b6b64dcd68 100644 > --- a/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c > +++ b/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c > @@ -384,8 +384,9 @@ static int psp_v13_0_ring_stop(struct psp_context *psp, > /* there might be handshake issue with hardware which needs delay > */ > mdelay(20); > /* Wait for response flag (bit 31) */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_101), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_101), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } else { > /* Write the ring destroy command*/ > WREG32_SOC15(MP0, 0, regMP0_SMN_C2PMSG_64, @@ - > 393,8 +394,9 @@ static int psp_v13_0_ring_stop(struct psp_context *psp, > /* there might be handshake issue with hardware which needs delay > */ > mdelay(20); > /* Wait for response flag (bit 31) */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } > > return ret; > @@ -430,13 +432,15 @@ static int psp_v13_0_ring_create(struct psp_context > *psp, > mdelay(20); > > /* Wait for response flag (bit 31) in C2PMSG_101 */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_101), > - 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_101), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > > } else { > /* Wait for sOS ready for ring creation */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > + MBOX_TOS_READY_FLAG, MBOX_TOS_READY_MASK, > false); > if (ret) { > DRM_ERROR("Failed to wait for trust OS ready for ring > creation\n"); > return ret; > @@ -460,8 +464,9 @@ static int psp_v13_0_ring_create(struct psp_context *psp, > mdelay(20); > > /* Wait for response flag (bit 31) in C2PMSG_64 */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > - 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } > > return ret; > diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c > b/drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c > index eaa5512a21da..f65af52c1c19 100644 > --- a/drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c > +++ b/drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c > @@ -204,8 +204,9 @@ static int psp_v13_0_4_ring_stop(struct psp_context *psp, > /* there might be handshake issue with hardware which needs delay > */ > mdelay(20); > /* Wait for response flag (bit 31) */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_101), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_101), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } else { > /* Write the ring destroy command*/ > WREG32_SOC15(MP0, 0, regMP0_SMN_C2PMSG_64, @@ - > 213,8 +214,9 @@ static int psp_v13_0_4_ring_stop(struct psp_context *psp, > /* there might be handshake issue with hardware which needs delay > */ > mdelay(20); > /* Wait for response flag (bit 31) */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } > > return ret; > @@ -250,13 +252,15 @@ static int psp_v13_0_4_ring_create(struct psp_context > *psp, > mdelay(20); > > /* Wait for response flag (bit 31) in C2PMSG_101 */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_101), > - 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_101), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > > } else { > /* Wait for sOS ready for ring creation */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > + MBOX_TOS_READY_FLAG, MBOX_TOS_READY_MASK, > false); > if (ret) { > DRM_ERROR("Failed to wait for trust OS ready for ring > creation\n"); > return ret; > @@ -280,8 +284,9 @@ static int psp_v13_0_4_ring_create(struct psp_context > *psp, > mdelay(20); > > /* Wait for response flag (bit 31) in C2PMSG_64 */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > - 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMP0_SMN_C2PMSG_64), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } > > return ret; > diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c > b/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c > index 256288c6cd78..ffa47c7d24c9 100644 > --- a/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c > +++ b/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c > @@ -248,8 +248,9 @@ static int psp_v14_0_ring_stop(struct psp_context *psp, > /* there might be handshake issue with hardware which needs delay > */ > mdelay(20); > /* Wait for response flag (bit 31) */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMPASP_SMN_C2PMSG_101), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMPASP_SMN_C2PMSG_101), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } else { > /* Write the ring destroy command*/ > WREG32_SOC15(MP0, 0, regMPASP_SMN_C2PMSG_64, @@ - > 257,8 +258,9 @@ static int psp_v14_0_ring_stop(struct psp_context *psp, > /* there might be handshake issue with hardware which needs delay > */ > mdelay(20); > /* Wait for response flag (bit 31) */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMPASP_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMPASP_SMN_C2PMSG_64), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } > > return ret; > @@ -294,13 +296,15 @@ static int psp_v14_0_ring_create(struct psp_context > *psp, > mdelay(20); > > /* Wait for response flag (bit 31) in C2PMSG_101 */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMPASP_SMN_C2PMSG_101), > - 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMPASP_SMN_C2PMSG_101), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > > } else { > /* Wait for sOS ready for ring creation */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMPASP_SMN_C2PMSG_64), > - 0x80000000, 0x80000000, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMPASP_SMN_C2PMSG_64), > + MBOX_TOS_READY_FLAG, MBOX_TOS_READY_MASK, > false); > if (ret) { > DRM_ERROR("Failed to wait for trust OS ready for ring > creation\n"); > return ret; > @@ -324,8 +328,9 @@ static int psp_v14_0_ring_create(struct psp_context *psp, > mdelay(20); > > /* Wait for response flag (bit 31) in C2PMSG_64 */ > - ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, > regMPASP_SMN_C2PMSG_64), > - 0x80000000, 0x8000FFFF, false); > + ret = psp_wait_for( > + psp, SOC15_REG_OFFSET(MP0, 0, > regMPASP_SMN_C2PMSG_64), > + MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, > false); > } > > return ret;

6 days, 15 hours

2
1
0 0

[PATCH 5.15] mm/khugepaged: fix ->anon_vma race

by Bjoern Doebel

From: Jann Horn <jannh(a)google.com> commit 023f47a8250c6bdb4aebe744db4bf7f73414028b upstream. If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires it to be locked. Page table traversal is allowed under any one of the mmap lock, the anon_vma lock (if the VMA is associated with an anon_vma), and the mapping lock (if the VMA is associated with a mapping); and so to be able to remove page tables, we must hold all three of them. retract_page_tables() bails out if an ->anon_vma is attached, but does this check before holding the mmap lock (as the comment above the check explains). If we racily merged an existing ->anon_vma (shared with a child process) from a neighboring VMA, subsequent rmap traversals on pages belonging to the child will be able to see the page tables that we are concurrently removing while assuming that nothing else can access them. Repeat the ->anon_vma check once we hold the mmap lock to ensure that there really is no concurrent page table access. Hitting this bug causes a lockdep warning in collapse_and_free_pmd(), in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". It can also lead to use-after-free access. Link: https://lore.kernel.org/linux-mm/CAG48ez3434wZBKFFbdx4M9j6eUwSUVPd4dxhzW_k_… Link: https://lkml.kernel.org/r/20230111133351.807024-1-jannh@google.com Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") Signed-off-by: Jann Horn <jannh(a)google.com> Reported-by: Zach O'Keefe <zokeefe(a)google.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)intel.linux.com> Reviewed-by: Yang Shi <shy828301(a)gmail.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [doebel(a)amazon.de: Kernel 5.15 uses a different control flow pattern, context adjustments.] Signed-off-by: Bjoern Doebel <doebel(a)amazon.de> --- mm/khugepaged.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index 203792e70ac1..e318c1abc81f 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -1609,7 +1609,7 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) * has higher cost too. It would also probably require locking * the anon_vma. */ - if (vma->anon_vma) + if (READ_ONCE(vma->anon_vma)) continue; addr = vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT); if (addr & ~HPAGE_PMD_MASK) @@ -1631,6 +1631,19 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) if (!khugepaged_test_exit(mm)) { struct mmu_notifier_range range; + /* + * Re-check whether we have an ->anon_vma, because + * collapse_and_free_pmd() requires that either no + * ->anon_vma exists or the anon_vma is locked. + * We already checked ->anon_vma above, but that check + * is racy because ->anon_vma can be populated under the + * mmap lock in read mode. + */ + if (vma->anon_vma) { + mmap_write_unlock(mm); + continue; + } + mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, NULL, mm, addr, -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

6 days, 15 hours

1
0
0 0

[PATCH net v3] net: xilinx: axienet: Add error handling for RX metadata pointer retrieval

by Abin Joseph

Add proper error checking for dmaengine_desc_get_metadata_ptr() which can return an error pointer and lead to potential crashes or undefined behaviour if the pointer retrieval fails. Properly handle the error by unmapping DMA buffer, freeing the skb and returning early to prevent further processing with invalid data. Fixes: 6a91b846af85 ("net: axienet: Introduce dmaengine support") Signed-off-by: Abin Joseph <abin.joseph(a)amd.com> Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey(a)amd.com> --- Changes in v2: Fix the alias to net Changes in v3: Remove unwanted space Add reviewed by tag --- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c index 0d8a05fe541a..ec6d47dc984a 100644 --- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c @@ -1168,6 +1168,15 @@ static void axienet_dma_rx_cb(void *data, const struct dmaengine_result *result) &meta_max_len); dma_unmap_single(lp->dev, skbuf_dma->dma_address, lp->max_frm_size, DMA_FROM_DEVICE); + + if (IS_ERR(app_metadata)) { + if (net_ratelimit()) + netdev_err(lp->ndev, "Failed to get RX metadata pointer\n"); + dev_kfree_skb_any(skb); + lp->ndev->stats.rx_dropped++; + goto rx_submit; + } + /* TODO: Derive app word index programmatically */ rx_len = (app_metadata[LEN_APP] & 0xFFFF); skb_put(skb, rx_len); @@ -1180,6 +1189,7 @@ static void axienet_dma_rx_cb(void *data, const struct dmaengine_result *result) u64_stats_add(&lp->rx_bytes, rx_len); u64_stats_update_end(&lp->rx_stat_sync); +rx_submit: for (i = 0; i < CIRC_SPACE(lp->rx_ring_head, lp->rx_ring_tail, RX_BUF_NUM_DEFAULT); i++) axienet_rx_submit_desc(lp->ndev); -- 2.34.1

6 days, 15 hours

3
2
0 0

[PATCH 2/4] spi: cadence-quadspi: Flush posted register writes before DAC access

by Santhosh Kumar K

From: Pratyush Yadav <pratyush(a)kernel.org> cqspi_read_setup() and cqspi_write_setup() program the address width as the last step in the setup. This is likely to be immediately followed by a DAC region read/write. On TI K3 SoCs the DAC region is on a different endpoint from the register region. This means that the order of the two operations is not guaranteed, and they might be reordered at the interconnect level. It is possible that the DAC read/write goes through before the address width update goes through. In this situation if the previous command used a different address width the OSPI command is sent with the wrong number of address bytes, resulting in an invalid command and undefined behavior. Read back the size register to make sure the write gets flushed before accessing the DAC region. Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller") CC: stable(a)vger.kernel.org Signed-off-by: Pratyush Yadav <pratyush(a)kernel.org> Signed-off-by: Santhosh Kumar K <s-k6(a)ti.com> --- drivers/spi/spi-cadence-quadspi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c index eaf9a0f522d5..447a32a08a93 100644 --- a/drivers/spi/spi-cadence-quadspi.c +++ b/drivers/spi/spi-cadence-quadspi.c @@ -719,6 +719,7 @@ static int cqspi_read_setup(struct cqspi_flash_pdata *f_pdata, reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK; reg |= (op->addr.nbytes - 1); writel(reg, reg_base + CQSPI_REG_SIZE); + readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */ return 0; } @@ -1063,6 +1064,7 @@ static int cqspi_write_setup(struct cqspi_flash_pdata *f_pdata, reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK; reg |= (op->addr.nbytes - 1); writel(reg, reg_base + CQSPI_REG_SIZE); + readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */ return 0; } -- 2.34.1

6 days, 16 hours

2
1
0 0

[PATCH 1/4] spi: cadence-quadspi: Flush posted register writes before INDAC access

by Santhosh Kumar K

From: Pratyush Yadav <pratyush(a)kernel.org> cqspi_indirect_read_execute() and cqspi_indirect_write_execute() first set the enable bit on APB region and then start reading/writing to the AHB region. On TI K3 SoCs these regions lie on different endpoints. This means that the order of the two operations is not guaranteed, and they might be reordered at the interconnect level. It is possible for the AHB write to be executed before the APB write to enable the indirect controller, causing the transaction to be invalid and the write erroring out. Read back the APB region write before accessing the AHB region to make sure the write got flushed and the race condition is eliminated. Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller") CC: stable(a)vger.kernel.org Signed-off-by: Pratyush Yadav <pratyush(a)kernel.org> Signed-off-by: Santhosh Kumar K <s-k6(a)ti.com> --- drivers/spi/spi-cadence-quadspi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c index 9bf823348cd3..eaf9a0f522d5 100644 --- a/drivers/spi/spi-cadence-quadspi.c +++ b/drivers/spi/spi-cadence-quadspi.c @@ -764,6 +764,7 @@ static int cqspi_indirect_read_execute(struct cqspi_flash_pdata *f_pdata, reinit_completion(&cqspi->transfer_complete); writel(CQSPI_REG_INDIRECTRD_START_MASK, reg_base + CQSPI_REG_INDIRECTRD); + readl(reg_base + CQSPI_REG_INDIRECTRD); /* Flush posted write. */ while (remaining > 0) { if (use_irq && @@ -1090,6 +1091,8 @@ static int cqspi_indirect_write_execute(struct cqspi_flash_pdata *f_pdata, reinit_completion(&cqspi->transfer_complete); writel(CQSPI_REG_INDIRECTWR_START_MASK, reg_base + CQSPI_REG_INDIRECTWR); + readl(reg_base + CQSPI_REG_INDIRECTWR); /* Flush posted write. */ + /* * As per 66AK2G02 TRM SPRUHY8F section 11.15.5.3 Indirect Access * Controller programming sequence, couple of cycles of -- 2.34.1

6 days, 16 hours

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror