* [PATCH 5.10 000/462] 5.10.235-rc1 review
@ 2025-03-11 14:54 Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 001/462] afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY Greg Kroah-Hartman
` (465 more replies)
0 siblings, 466 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie
This is the start of the stable review cycle for the 5.10.235 release.
There are 462 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 13 Mar 2025 14:56:39 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.235-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 5.10.235-rc1
Jakub Kicinski <kuba@kernel.org>
net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels
Ben Hutchings <benh@debian.org>
udf: Fix use of check_add_overflow() with mixed type arguments
Ben Hutchings <benh@debian.org>
perf cs-etm: Add missing variable in cs_etm__process_queues()
Michal Pecio <michal.pecio@gmail.com>
usb: xhci: Enable the TRB overfetch quirk on VIA VL805
Filipe Manana <fdmanana@suse.com>
btrfs: bring back the incorrectly removed extent buffer lock recursion support
Weili Qian <qianweili@huawei.com>
crypto: hisilicon/qm - inject error before stopping queue
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
kbuild: userprogs: use correct lld when linking through clang
Toke Høiland-Jørgensen <toke@redhat.com>
sched: sch_cake: add bounds checks to host bulk flow fairness counts
Michal Luczaj <mhal@rbox.co>
vsock: Orphan socket after transport release
Michal Luczaj <mhal@rbox.co>
vsock: Keep the binding until socket destruction
Michal Luczaj <mhal@rbox.co>
bpf, vsock: Invoke proto::close on close()
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Revert "media: uvcvideo: Require entities to have a non-zero unique ID"
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Remove dangling pointers
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Only save async fh if success
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: handle errors that nilfs_prepare_chunk() may return
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: eliminate staggered calls to kunmap in nilfs_rename
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: move page release outside of nilfs_delete_entry and nilfs_set_link
Ralf Schlatterbeck <rsc@runtux.com>
spi-mxs: Fix chipselect glitch
Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
mtd: rawnand: cadence: fix unchecked dereference
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
eeprom: digsy_mtc: Make GPIO lookup table match the device
Visweswara Tanuku <quic_vtanuku@quicinc.com>
slimbus: messaging: Free transaction ID in delayed interrupt scenario
Alexander Shishkin <alexander.shishkin@linux.intel.com>
intel_th: pci: Add Panther Lake-P/U support
Alexander Shishkin <alexander.shishkin@linux.intel.com>
intel_th: pci: Add Panther Lake-H support
Pawel Chmielewski <pawel.chmielewski@intel.com>
intel_th: pci: Add Arrow Lake support
Alexander Usyskin <alexander.usyskin@intel.com>
mei: me: add panther lake P DID
Phillip Lougher <phillip@squashfs.org.uk>
Squashfs: check the inode number is not the invalid value of zero
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
xhci: pci: Fix indentation in the PCI device ID definitions
Prashanth K <prashanth.k@oss.qualcomm.com>
usb: gadget: Check bmAttributes only if configuration is valid
Marek Szyprowski <m.szyprowski@samsung.com>
usb: gadget: Fix setting self-powered state on suspend
Prashanth K <prashanth.k@oss.qualcomm.com>
usb: gadget: Set self-powered based on MaxPower and bmAttributes
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality
Fedor Pchelkin <boddah8794@gmail.com>
usb: typec: ucsi: increase timeout for PPM reset operations
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
usb: atm: cxacru: fix a flaw in existing endpoint checks
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
usb: renesas_usbhs: Flush the notify_hotplug_work
Miao Li <limiao@kylinos.cn>
usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
usb: renesas_usbhs: Use devm_usb_get_phy()
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
usb: renesas_usbhs: Call clk_put()
Christian Heusel <christian@heusel.eu>
Revert "drivers/card_reader/rtsx_usb: Restore interrupt based detection"
Fabrizio Castro <fabrizio.castro.jz@renesas.com>
gpio: rcar: Fix missing of_node_put() call
Justin Iurman <justin.iurman@uliege.be>
net: ipv6: fix missing dst ref drop in ila lwtunnel
Justin Iurman <justin.iurman@uliege.be>
net: ipv6: fix dst ref loop in ila lwtunnel
Jason Xing <kerneljasonxing@gmail.com>
net-timestamp: support TCP GSO case for a few missing flags
Oscar Maes <oscmaes92@gmail.com>
vlan: enforce underlying device type
Jiayuan Chen <jiayuan.chen@linux.dev>
ppp: Fix KMSAN uninit-value warning with bpf
Nikolay Aleksandrov <razor@blackwall.org>
be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink
Philipp Stanner <phasta@kernel.org>
drm/sched: Fix preprocessor guard
Xinghuo Chen <xinghuo.chen@foxmail.com>
hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe()
Eric Dumazet <edumazet@google.com>
llc: do not use skb_get() before dev_queue_xmit()
Murad Masimov <m.masimov@mt-integration.ru>
ALSA: usx2y: validate nrpacks module parameter on probe
Erik Schumacher <erik.schumacher@iris-sensing.com>
hwmon: (ad7314) Validate leading zero bits and return error
Maud Spierings <maudspierings@gocontroll.com>
hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table
Titus Rwantare <titusr@google.com>
hwmon: (pmbus) Initialise page count in pmbus_identify()
Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
caif_virtio: fix wrong pointer check in cfv_probe()
Antoine Tenart <atenart@kernel.org>
net: gso: fix ownership in __udp_gso_segment
Meir Elisha <meir.elisha@volumez.com>
nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch
Zhang Lixu <lixu.zhang@intel.com>
HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()
Yu-Chun Lin <eleanor15x@gmail.com>
HID: google: fix unused variable warning under !CONFIG_ACPI
Johannes Berg <johannes.berg@intel.com>
wifi: iwlwifi: limit printed string from FW file
Hao Zhang <zhanghao1@kylinos.cn>
mm/page_alloc: fix uninitialized variable
Olivier Gayot <olivier.gayot@canonical.com>
block: fix conversion of GPT partition name to 7-bit
Heiko Carstens <hca@linux.ibm.com>
s390/traps: Fix test_monitor_call() inline assembly
Haoxiang Li <haoxiang_li2024@163.com>
rapidio: fix an API misues when rio_add_net() fails
Haoxiang Li <haoxiang_li2024@163.com>
rapidio: add check for rio_add_net() in rio_scan_alloc_net()
Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
wifi: nl80211: reject cooked mode if it is set along with other flags
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
wifi: cfg80211: regulatory: improve invalid hints checking
Ahmed S. Darwish <darwi@linutronix.de>
x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63
Ahmed S. Darwish <darwi@linutronix.de>
x86/cpu: Validate CPUID leaf 0x2 EDX output
Ahmed S. Darwish <darwi@linutronix.de>
x86/cacheinfo: Validate CPUID leaf 0x2 EDX output
Mingcong Bai <jeffbai@aosc.io>
platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e
Richard Thier <u9vata@gmail.com>
drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M
Kailang Yang <kailang@realtek.com>
ALSA: hda/realtek: update ALC222 depop optimize
Hoku Ishibe <me@hokuishi.be>
ALSA: hda: intel: Add Dell ALC3271 to power_save denylist
Koichiro Den <koichiro.den@canonical.com>
gpio: aggregator: protect driver attr handlers against module unload
Daniil Dulov <d.dulov@aladdin.ru>
HID: appleir: Fix potential NULL dereference at raw event handle
Rob Herring (Arm) <robh@kernel.org>
Revert "of: reserved-memory: Fix using wrong number of cells to get property 'alignment'"
Peter Jones <pjones@redhat.com>
efi: Don't map the entire mokvar table to determine its size
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: disable BAR resize on Dell G5 SE
Ma Jun <Jun.Ma2@amd.com>
drm/amdgpu: Check extended configuration space register when system uses large bar
Haoxiang Li <haoxiang_li2024@163.com>
smb: client: Add check for next_buffer in receive_encrypted_standard()
Christian Brauner <brauner@kernel.org>
acct: perform last write from workqueue
Yang Yang <yang.yang29@zte.com.cn>
kernel/acct.c: use dedicated helper to access rlimit values
Hui Su <sh_def@163.com>
kernel/acct.c: use #elif instead of #end and #elif
Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
drop_monitor: fix incorrect initialization order
Quang Le <quanglex97@gmail.com>
pfifo_tail_enqueue: Drop new packet when sch->limit == 0
Thomas Gleixner <tglx@linutronix.de>
intel_idle: Handle older CPUs, which stop the TSC in deeper C states, correctly
Thomas Gleixner <tglx@linutronix.de>
sched/core: Prevent rescheduling when interrupts are disabled
Ard Biesheuvel <ardb@kernel.org>
vmlinux.lds: Ensure that const vars with relocations are mapped R/O
Paolo Abeni <pabeni@redhat.com>
mptcp: always handle address removal under msk socket lock
Kaustabh Chakraborty <kauschluss@disroot.org>
phy: exynos5-usbdrd: fix MPLL_MULTIPLIER and SSC_REFCLKSEL masks in refclk
BH Hsieh <bhsieh@nvidia.com>
phy: tegra: xusb: reset VBUS & ID OVERRIDE
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
usbnet: gl620a: fix endpoint checking in genelink_bind()
Tyrone Ting <kfting@nuvoton.com>
i2c: npcm: disable interrupt enable bit before devm_request_irq
Kan Liang <kan.liang@linux.intel.com>
perf/core: Fix low freq setting via IOC_PERIOD
Nikolay Kuratov <kniv@yandex-team.ru>
ftrace: Avoid potential division by zero in function_stat_show()
Russell Senior <russell@personaltelco.net>
x86/CPU: Fix warm boot hang regression on AMD SC1100 SoC systems
Justin Iurman <justin.iurman@uliege.be>
net: ipv6: fix dst ref loop on input in rpl lwt
Justin Iurman <justin.iurman@uliege.be>
net: ipv6: rpl_iptunnel: mitigate 2-realloc issue
Justin Iurman <justin.iurman@uliege.be>
include: net: add static inline dst_dev_overhead() to dst.h
Brian Vazquez <brianvv@google.com>
net: use indirect call helpers for dst_output
Brian Vazquez <brianvv@google.com>
net: use indirect call helpers for dst_input
Zheng Yongjun <zhengyongjun3@huawei.com>
net: ipv6: rpl_iptunnel: simplify the return expression of rpl_do_srh()
Harshal Chaudhari <hchaudhari@marvell.com>
net: mvpp2: cls: Fixed Non IP flow, with vlan tag flow defination.
Wang Hai <wanghai38@huawei.com>
tcp: Defer ts_recent changes until req is owned
Philo Lu <lulie@linux.alibaba.com>
ipvs: Always clear ipvs_property flag in skb_scrub_packet()
Nicolas Frattaroli <nicolas.frattaroli@collabora.com>
ASoC: es8328: fix route from DAC to output
Sean Anderson <sean.anderson@linux.dev>
net: cadence: macb: Synchronize stats calculations
Ido Schimmel <idosch@nvidia.com>
net: loopback: Avoid sending IP packets without an Ethernet header
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix L2CAP_ECRED_CONN_RSP response
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Avoid dropping MIDI events at closing multiple ports
Arnd Bergmann <arnd@arndb.de>
sunrpc: suppress warnings for unused procfs functions
Patrisious Haddad <phaddad@nvidia.com>
RDMA/mlx5: Fix bind QP error cleanup flow
Mark Zhang <markzhang@nvidia.com>
IB/mlx5: Set and get correct qp_num for a DCT QP
Patrick Bellasi <derkling@google.com>
x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit
Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
mtd: rawnand: cadence: fix incorrect device in dma_unmap_single
Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
mtd: rawnand: cadence: use dma_map_resource for sdma address
Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
mtd: rawnand: cadence: fix error code in cadence_nand_init()
Christian Brauner <brauner@kernel.org>
acct: block access to kernel internal filesystems
John Veness <john-linux@pelago.org.uk>
ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED
Haoxiang Li <haoxiang_li2024@163.com>
nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()
Sumit Garg <sumit.garg@linaro.org>
tee: optee: Fix supplicant wait loop
Yan Zhai <yan@cloudflare.com>
bpf: skip non exist keys in generic_map_lookup_batch
Andrey Vatoropin <a.vatoropin@crpt.ru>
power: supply: da9150-fg: fix potential overflow
Cong Wang <xiyou.wangcong@gmail.com>
flow_dissector: Fix port range key handling in BPF conversion
Cong Wang <xiyou.wangcong@gmail.com>
flow_dissector: Fix handling of mixed port and port-range keys
Maksym Glubokiy <maksym.glubokiy@plvision.eu>
net: extract port range fields from fl_flow_key
Kuniyuki Iwashima <kuniyu@amazon.com>
geneve: Suppress list corruption splat in geneve_destroy_tunnels().
Kuniyuki Iwashima <kuniyu@amazon.com>
gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().
Kuniyuki Iwashima <kuniyu@amazon.com>
geneve: Fix use-after-free in geneve_find_dev().
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC
Kailang Yang <kailang@realtek.com>
ALSA: hda/realtek: Fixup ALC225 depop procedure
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline
Michael Ellerman <mpe@ellerman.id.au>
powerpc/64s/mm: Move __real_pte stubs into hash-4k.h
Jill Donahue <jilliandonahue58@gmail.com>
USB: gadget: f_midi: f_midi_complete to call queue_work
Davidlohr Bueso <dave@stgolabs.net>
usb/gadget: f_midi: Replace tasklet with work
Selvarasu Ganesan <selvarasu.g@samsung.com>
usb: dwc3: Fix timeout issue during controller enter/exit from halt state
Wesley Cheng <quic_wcheng@quicinc.com>
usb: dwc3: Increase DWC3 controller halt timeout
Sven Eckelmann <sven@narfation.org>
batman-adv: Drop unmanaged ELP metric worker
Sven Eckelmann <sven@narfation.org>
batman-adv: Drop initialization of flexible ethtool_link_ksettings
Sven Eckelmann <sven@narfation.org>
batman-adv: Add new include for min/max helpers
Jarkko Sakkinen <jarkko@kernel.org>
tpm: Change to kvalloc() in eventlog/acpi.c
Eddie James <eajames@linux.ibm.com>
tpm: Use managed allocation for bios event log
Thomas Zimmermann <tzimmermann@suse.de>
drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event()
Maxime Ripard <maxime@cerno.tech>
drm/probe-helper: Create a HPD IRQ event helper for a single connector
Chen Ridong <chenridong@huawei.com>
memcg: fix soft lockup in the OOM process
Carlos Galo <carlosgalo@google.com>
mm: update mark_victim tracepoints fields
Ignat Korchagin <ignat@cloudflare.com>
crypto: testmgr - some more fixes to RSA test vectors
Ignat Korchagin <ignat@cloudflare.com>
crypto: testmgr - populate RSA CRT parameters in RSA test vectors
lei he <helei.sig11@bytedance.com>
crypto: testmgr - fix version number of RSA tests
Lei He <helei.sig11@bytedance.com>
crypto: testmgr - Fix wrong test case of RSA
Lei He <helei.sig11@bytedance.com>
crypto: testmgr - fix wrong key length for pkcs1pad
Catalin Marinas <catalin.marinas@arm.com>
arm64: mte: Do not allow PROT_MTE on MAP_HUGETLB user mappings
Casey Chen <cachen@purestorage.com>
nvme-pci: fix multiple races in nvme_setup_io_queues
Xin Long <lucien.xin@gmail.com>
vlan: move dev_put into vlan_dev_uninit
Xin Long <lucien.xin@gmail.com>
vlan: introduce vlan_dev_free_egress_priority
Stefan Berger <stefanb@linux.ibm.com>
ima: Fix use-after-free on a dentry's dname.name
Calvin Owens <calvin@wbinvd.org>
pps: Fix a use-after-free
Filipe Manana <fdmanana@suse.com>
btrfs: avoid monopolizing a core when activating a swap file
Koichiro Den <koichiro.den@canonical.com>
Revert "btrfs: avoid monopolizing a core when activating a swap file"
David Woodhouse <dwmw@amazon.co.uk>
x86/i8253: Disable PIT timer 0 when not in use
Chao Yu <chao@kernel.org>
f2fs: fix to wait dio completion
Hangbin Liu <liuhangbin@gmail.com>
selftests: rtnetlink: update netdevsim ipsec output format
Hangbin Liu <liuhangbin@gmail.com>
netdevsim: print human readable IP address
Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
parport_pc: add support for ASIX AX99100
Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
serial: 8250_pci: add support for ASIX AX99100
Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
can: ems_pci: move ASIX AX99100 ids to pci_ids.h
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: protect access to buffers with no active references
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: do not force clear folio if buffer is referenced
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: do not output warnings when clearing dirty buffers
Ivan Kokshaysky <ink@unseen.parts>
alpha: replace hardcoded stack offsets with autogenerated ones
Andrew Cooper <andrew.cooper3@citrix.com>
x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0
John Ogness <john.ogness@linutronix.de>
kdb: Do not assume write() callback available
Devarsh Thakkar <devarsht@ti.com>
drm/tidss: Clear the interrupt status for interrupts being disabled
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
drm/tidss: Fix issue in irq handling causing irq-flood issue
Eric Dumazet <edumazet@google.com>
ndisc: extend RCU protection in ndisc_send_skb()
Eric Dumazet <edumazet@google.com>
openvswitch: use RCU protection in ovs_vport_cmd_fill_info()
Eric Dumazet <edumazet@google.com>
arp: use RCU protection in arp_xmit()
Eric Dumazet <edumazet@google.com>
neighbour: use RCU protection in __neigh_notify()
Li Zetao <lizetao1@huawei.com>
neighbour: delete redundant judgment statements
Eric Dumazet <edumazet@google.com>
ndisc: use RCU protection in ndisc_alloc_skb()
Eric Dumazet <edumazet@google.com>
ipv6: use RCU protection in ip6_default_advmss()
Eric Dumazet <edumazet@google.com>
ipv4: use RCU protection in inet_select_addr()
Eric Dumazet <edumazet@google.com>
ipv4: use RCU protection in rt_is_expired()
Eric Dumazet <edumazet@google.com>
net: add dev_net_rcu() helper
Jiri Pirko <jiri@nvidia.com>
net: treat possible_net_t net pointer as an RCU one and add read_pnet_rcu()
Waiman Long <longman@redhat.com>
clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context
Waiman Long <longman@redhat.com>
clocksource: Use pr_info() for "Checking clocksource synchronization" message
Yury Norov <yury.norov@gmail.com>
clocksource: Replace cpumask_weight() with cpumask_empty()
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
clocksource: Replace deprecated CPU-hotplug functions.
Paul E. McKenney <paulmck@kernel.org>
clocksource: Limit number of CPUs checked for clock synchronization
Wentao Liang <vulab@iscas.ac.cn>
mlxsw: Add return value check for mlxsw_sp_port_get_stats_raw()
Nathan Chancellor <nathan@kernel.org>
arm64: Handle .ARM.attributes section in linker scripts
Jiasheng Jiang <jiashengjiangcool@gmail.com>
regmap-irq: Add missing kfree()
Jann Horn <jannh@google.com>
partitions: mac: fix handling of bogus partition table
Wentao Liang <vulab@iscas.ac.cn>
gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock
Ivan Kokshaysky <ink@unseen.parts>
alpha: align stack for page fault and user unaligned trap handlers
John Keeping <jkeeping@inmusicbrands.com>
serial: 8250: Fix fifo underflow on flush
Ard Biesheuvel <ardb@kernel.org>
efi: Avoid cold plugged memory for placing the kernel
Ivan Kokshaysky <ink@unseen.parts>
alpha: make stack 16-byte aligned (most cases)
Alexander Hölzl <alexander.hoelzl@gmx.net>
can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
can: c_can: fix unbalanced runtime PM disable in error path
Johan Hovold <johan@kernel.org>
USB: serial: option: drop MeiG Smart defines
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: fix Telit Cinterion FN990A name
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: add Telit Cinterion FN990B compositions
Chester A. Unal <chester.a.unal@arinc9.com>
USB: serial: option: add MeiG Smart SLM828
Jann Horn <jannh@google.com>
usb: cdc-acm: Fix handling of oversized fragments
Jann Horn <jannh@google.com>
usb: cdc-acm: Check control transfer buffer size before access
Marek Vasut <marek.vasut+renesas@mailbox.org>
USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk
Alan Stern <stern@rowland.harvard.edu>
USB: hub: Ignore non-compliant devices with too many configs or interfaces
John Keeping <jkeeping@inmusicbrands.com>
usb: gadget: f_midi: fix MIDI Streaming descriptor lengths
Mathias Nyman <mathias.nyman@linux.intel.com>
USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone
Lei Huang <huanglei@kylinos.cn>
USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist
Stefan Eichenberger <stefan.eichenberger@toradex.com>
usb: core: fix pipe creation for get_bMaxPacketSize0
Huacai Chen <chenhuacai@loongson.cn>
USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI
Fabrice Gasnier <fabrice.gasnier@foss.st.com>
usb: dwc2: gadget: remove of_node reference upon udc_stop
Guo Ren <guoren@linux.alibaba.com>
usb: gadget: udc: renesas_usb3: Fix compiler warning
Elson Roy Serrao <quic_eserrao@quicinc.com>
usb: roles: set switch registered flag early on
Sean Christopherson <seanjc@google.com>
perf/x86/intel: Ensure LBRs are disabled when a CPU is starting
Sven Eckelmann <sven@narfation.org>
batman-adv: Ignore neighbor throughput metrics in error case
Andy Strohman <andrew@andrewstrohman.com>
batman-adv: fix panic during interface removal
Hans de Goede <hdegoede@redhat.com>
ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V
Mike Marshall <hubcap@omnibond.com>
orangefs: fix a oob in orangefs_debug_write
Maksym Planeta <maksym@exostellar.io>
Grab mm lock before grabbing pt lock
Ramesh Thomas <ramesh.thomas@intel.com>
vfio/pci: Enable iowrite64 and ioread64 for vfio pci
Takashi Iwai <tiwai@suse.de>
PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P
Edward Adam Davis <eadavis@qq.com>
media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread
Arnd Bergmann <arnd@arndb.de>
media: cxd2841er: fix 64-bit division on gcc-9
Juergen Gross <jgross@suse.com>
x86/xen: allow larger contiguous memory regions in PV guests
Petr Tesarik <petr.tesarik.ext@huawei.com>
xen: remove a confusing comment on auto-translated guest I/O
Artur Weber <aweber.kernel@gmail.com>
gpio: bcm-kona: Add missing newline to dev_err format string
Artur Weber <aweber.kernel@gmail.com>
gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ
Artur Weber <aweber.kernel@gmail.com>
gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0
Radu Rendec <rrendec@redhat.com>
arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
Eric Dumazet <edumazet@google.com>
team: better TEAM_OPTION_TYPE_STRING validation
Eric Dumazet <edumazet@google.com>
vrf: use RCU protection in l3mdev_l3_out()
Eric Dumazet <edumazet@google.com>
ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu()
Charles Han <hanchunchao@inspur.com>
HID: multitouch: Add NULL check in mt_input_configured
Dai Ngo <dai.ngo@oracle.com>
NFSD: fix hang in nfsd4_shutdown_callback
Li Lingfeng <lilingfeng3@huawei.com>
nfsd: clear acl_access/acl_default after releasing them
Paolo Abeni <pabeni@redhat.com>
mptcp: prevent excessive coalescing on receive
Su Yue <glass.su@suse.com>
ocfs2: check dir i_size in ocfs2_find_entry
WangYuli <wangyuli@uniontech.com>
MIPS: ftrace: Declare ftrace_get_parent_ra_addr() as static
Thomas Weißschuh <linux@weissschuh.net>
ptp: Ensure info->enable callback is always set
Paul Fertser <fercerpav@gmail.com>
net/ncsi: wait for the last response to Deselect Package before configuring channel
Ekansh Gupta <quic_ekangupt@quicinc.com>
misc: fastrpc: Fix registered buffer page address
Ivan Stepchenko <sid@itb.spb.ru>
mtd: onenand: Fix uninitialized retlen in do_otp_read()
Dan Carpenter <dan.carpenter@linaro.org>
NFC: nci: Add bounds checking in nci_hci_create_pipe()
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
nilfs2: fix possible int overflows in nilfs_fiemap()
Matthew Wilcox (Oracle) <willy@infradead.org>
ocfs2: handle a symlink read error correctly
Heming Zhao <heming.zhao@suse.com>
ocfs2: fix incorrect CPU endianness conversion causing mount failure
Mike Snitzer <snitzer@kernel.org>
pnfs/flexfiles: retry getting layout segment for reads
Alex Williamson <alex.williamson@redhat.com>
vfio/platform: check the bounds of read/write syscalls
Jennifer Berringer <jberring@redhat.com>
nvmem: core: improve range check for nvmem_cell_write()
Luca Weiss <luca.weiss@fairphone.com>
nvmem: qcom-spmi-sdam: Set size in struct nvmem_config
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
crypto: qce - unregister previously registered algos in error path
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
crypto: qce - fix goto jump in error path
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Remove redundant NULL assignment
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Fix event flags in uvc_ctrl_send_events
Sam Bobrowicz <sam@elite-embedded.com>
media: ov5640: fix get_light_freq on auto
Cosmin Tanislav <demonsingur@gmail.com>
media: mc: fix endpoint iteration
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
soc: qcom: smem_state: fix missing of_node_put in error path
Javier Carrasco <javier.carrasco.cruz@gmail.com>
iio: light: as73211: fix channel handling in only-color triggered buffer
Nathan Chancellor <nathan@kernel.org>
x86/boot: Use '-std=gnu11' to fix build with GCC 15
Nathan Chancellor <nathan@kernel.org>
kbuild: Move -Wenum-enum-conversion to W=2
Long Li <longli@microsoft.com>
scsi: storvsc: Set correct data length for sending SCSI command without payload
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Move FCE Trace buffer allocation to user control
Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
ALSA: hda/realtek: Enable headset mic on Positivo C6400
Hou Tao <houtao1@huawei.com>
dm-crypt: track tag_offset in convert_context
Hou Tao <houtao1@huawei.com>
dm-crypt: don't update io->sector after kcryptd_crypt_write_io_submit()
Narayana Murty N <nnmlinux@linux.ibm.com>
powerpc/pseries/eeh: Fix get PE state translation
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
serial: sh-sci: Drop __initdata macro for port_cfg
Stephan Gerhold <stephan.gerhold@linaro.org>
soc: qcom: socinfo: Avoid out of bounds read of serial number
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: gadget: f_tcm: Don't prepare BOT write request twice
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: gadget: f_tcm: Decrement command ref count on cleanup
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: gadget: f_tcm: Translate error to sense
Marcel Hamer <marcel.hamer@windriver.com>
wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtlwifi: rtl8821ae: Fix media status report
Heiko Stuebner <heiko@sntech.de>
HID: hid-sensor-hub: don't use stale platform-data on remove
Zijun Hu <quic_zijuhu@quicinc.com>
of: reserved-memory: Fix using wrong number of cells to get property 'alignment'
Zijun Hu <quic_zijuhu@quicinc.com>
of: Fix of_find_node_opts_by_path() handling of alias+path+options
Zijun Hu <quic_zijuhu@quicinc.com>
of: Correct child specifier used as input of the 2nd nexus node
Kuan-Wei Chiu <visitorckw@gmail.com>
perf bench: Fix undefined behavior in cmpworker()
Nathan Chancellor <nathan@kernel.org>
efi: libstub: Use '-std=gnu11' to fix build with GCC 15
Zijun Hu <quic_zijuhu@quicinc.com>
blk-cgroup: Fix class @block_class's subsystem refcount leakage
Anastasia Belova <abelova@astralinux.ru>
clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate
Gabor Juhos <j4g8y7@gmail.com>
clk: qcom: clk-alpha-pll: fix alpha mode configuration
Cody Eksal <masterr3c0rd@epochal.quest>
clk: sunxi-ng: a100: enable MMC clock reparenting
Fedor Pchelkin <pchelkin@ispras.ru>
Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection
Fedor Pchelkin <pchelkin@ispras.ru>
Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc
Haoxiang Li <haoxiang_li2024@163.com>
drm/komeda: Add check for komeda_get_layer_fourcc_list()
David Hildenbrand <david@redhat.com>
KVM: s390: vsie: fix some corner-cases when grabbing vsie pages
Sean Christopherson <seanjc@google.com>
KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()
Jakob Unterwurzacher <jakobunt@gmail.com>
arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma
Dan Carpenter <dan.carpenter@linaro.org>
binfmt_flat: Fix integer overflow bug on 32 bit systems
Thomas Zimmermann <tzimmermann@suse.de>
m68k: vga: Fix I/O defines
Heiko Carstens <hca@linux.ibm.com>
s390/futex: Fix FUTEX_OP_ANDN implementation
Maarten Lankhorst <dev@lankhorst.se>
drm/modeset: Handle tiled displays in pan_display_atomic.
Alexander Sverdlin <alexander.sverdlin@siemens.com>
leds: lp8860: Write full EEPROM, not only half of it
Viresh Kumar <viresh.kumar@linaro.org>
cpufreq: s3c64xx: Fix compilation warning
Willem de Bruijn <willemb@google.com>
tun: revert fix group permission check
Cong Wang <cong.wang@bytedance.com>
netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
Juergen Gross <jgross@suse.com>
x86/xen: add FRAME_END to xen_hypercall_hvm()
Juergen Gross <jgross@suse.com>
x86/xen: fix xen_hypercall_hvm() to not clobber %rbx
Eric Dumazet <edumazet@google.com>
net: rose: lock the socket in rose_bind()
Jacob Moroni <mail@jakemoroni.com>
net: atlantic: fix warning during hot unplug
Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
gpio: pca953x: Improve interrupt support
Yan Zhai <yan@cloudflare.com>
udp: gso: do not drop small packets when PMTU reduces
Lenny Szubowicz <lszubowi@redhat.com>
tg3: Disable tg3 PCIe AER on system reboot
Hans Verkuil <hverkuil@xs4all.nl>
gpu: drm_dp_cec: fix broken CEC adapter properties check
Prasad Pandit <pjp@fedoraproject.org>
firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry
Daniel Wagner <wagi@kernel.org>
nvme: handle connectivity loss in nvme_set_queue_count
Michal Pecio <michal.pecio@gmail.com>
usb: xhci: Fix NULL pointer dereference on certain command aborts
Hardik Gajjar <hgajjar@de.adit-jv.com>
usb: xhci: Add timeout argument in address_device USB HCD callback
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
net: usb: rtl8150: enable basic endpoint checking
Emil Renner Berthing <kernel@esmil.dk>
net: usb: rtl8150: use new tasklet API
Xi Ruoyao <xry111@xry111.site>
x86/mm: Don't disable PCID when INVLPG has been fixed by microcode
Illia Ostapyshyn <illia@yshyn.com>
Input: allocate keycode for phone linking
Liu Ye <liuye@kylinos.cn>
selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack()
Dan Carpenter <dan.carpenter@linaro.org>
tipc: re-order conditions in tipc_crypto_key_rcv()
Yuanjie Yang <quic_yuanjiey@quicinc.com>
mmc: sdhci-msm: Correctly set the load for the regulator
Borislav Petkov <bp@alien8.de>
APEI: GHES: Have GHES honor the panic= setting
Randolph Ha <rha051117@gmail.com>
i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz
Vadim Fedorenko <vadfed@meta.com>
net/mlx5: use do_aux_work for PHC overflow checks
Even Xu <even.xu@intel.com>
HID: Wacom: Add PCI Wacom device support
Hans de Goede <hdegoede@redhat.com>
mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
tomoyo: don't emit warning in tomoyo_write_control()
Dmitry Antipov <dmantipov@yandex.ru>
wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()
Shawn Lin <shawn.lin@rock-chips.com>
mmc: core: Respect quirk_max_rate for non-UHS SDIO card
Stas Sergeev <stsp2@yandex.ru>
tun: fix group permission check
Leo Stone <leocstone@gmail.com>
safesetid: check size of policy writes
Kuan-Wei Chiu <visitorckw@gmail.com>
printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX
Yazen Ghannam <yazen.ghannam@amd.com>
x86/amd_nb: Restrict init function to AMD-based systems
Carlos Llamas <cmllamas@google.com>
lockdep: Fix upper limit for LOCKDEP_*_BITS configs
Suleiman Souhlal <suleiman@google.com>
sched: Don't try to catch up excess steal time.
Josef Bacik <josef@toxicpanda.com>
btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling
Filipe Manana <fdmanana@suse.com>
btrfs: fix use-after-free when attempting to join an aborted transaction
Qu Wenruo <wqu@suse.com>
btrfs: output the reason for open_ctree() failure
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: gadget: f_tcm: Don't free command immediately
Laurent Pinchart <laurent.pinchart@ideasonboard.com>
media: uvcvideo: Fix double free in error path
Alan Stern <stern@rowland.harvard.edu>
HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections
Jos Wang <joswang@lenovo.com>
usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to PD_T_SENDER_RESPONSE
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: gadget: f_tcm: Fix Get/SetInterface return value
Sean Rhodes <sean@starlabs.systems>
drivers/card_reader/rtsx_usb: Restore interrupt based detection
Ricardo B. Marliere <rbm@suse.com>
ktest.pl: Check kernelrelease return in get_version
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: reject mismatching sum of field_len with set key length
Chuck Lever <chuck.lever@oracle.com>
NFSD: Reset cb_seq_status after NFS4ERR_DELAY
Lin Yujun <linyujun809@huawei.com>
hexagon: Fix unbalanced spinlock in die()
Willem de Bruijn <willemb@google.com>
hexagon: fix using plain integer as NULL pointer warning in cmpxchg
Masahiro Yamada <masahiroy@kernel.org>
genksyms: fix memory leak when the same symbol is read from *.symref file
Masahiro Yamada <masahiroy@kernel.org>
genksyms: fix memory leak when the same symbol is added from source
Eric Dumazet <edumazet@google.com>
net: hsr: fix fill_frame_info() regression vs VLAN packets
Kory Maincent <kory.maincent@bootlin.com>
net: sh_eth: Fix missing rtnl lock in suspend/resume path
Rafał Miłecki <rafal@milecki.pl>
bgmac: reduce max frame size to support just MTU 1500
Michal Luczaj <mhal@rbox.co>
vsock: Allow retrying on connect() failure
Howard Chu <howardchu95@gmail.com>
perf trace: Fix runtime error of index out of bounds
Chenyuan Yang <chenyuan0y@gmail.com>
net: davicom: fix UAF in dm9000_drv_remove
Jakub Kicinski <kuba@kernel.org>
net: netdevsim: try to close UDP port harness races
Eric Dumazet <edumazet@google.com>
net: rose: fix timer races against user threads
Wentao Liang <vulab@iscas.ac.cn>
PM: hibernate: Add error handling for syscore_suspend()
Eric Dumazet <edumazet@google.com>
ipmr: do not call mr_mfc_uses_dev() for unres entries
Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
net: fec: implement TSO descriptor cleanup
Jian Shen <shenjian15@huawei.com>
net: hns3: fix oops when unload drivers paralleling
pangliyuan <pangliyuan1@huawei.com>
ubifs: skip dumping tnc tree when zroot is null
Oleksij Rempel <linux@rempel-privat.de>
rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
dmaengine: ti: edma: fix OF node reference leaks in edma_driver
Jianbo Liu <jianbol@nvidia.com>
xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO
Luo Yifan <luoyifan@cmss.chinamobile.com>
tools/bootconfig: Fix the wrong format specifier
Olga Kornievskaia <okorniev@redhat.com>
NFSv4.2: fix COPY_NOTIFY xdr buf size calculation
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
module: Extend the preempt disabled section in dereference_symbol_descriptor().
Su Yue <glass.su@suse.com>
ocfs2: mark dquot as inactive if failed to start trans while releasing dquot
Guixin Liu <kanie@linux.alibaba.com>
scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails
Paul Menzel <pmenzel@molgen.mpg.de>
scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1
King Dix <kingdix10@qq.com>
PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
staging: media: imx: fix OF node leak in imx_media_add_of_subdevs()
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
mtd: hyperbus: hbmc-am654: fix an OF node reference leak
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Propagate buf->error to userspace
Jiasheng Jiang <jiashengjiangcool@gmail.com>
media: camif-core: Add check for clk_enable()
Jiasheng Jiang <jiashengjiangcool@gmail.com>
media: mipi-csis: Add check for clk_enable()
Jiasheng Jiang <jiashengjiangcool@gmail.com>
media: marvell: Add check for clk_enable()
Zijun Hu <quic_zijuhu@quicinc.com>
PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy()
Chen Ni <nichen@iscas.ac.cn>
media: lmedm04: Handle errors for lme2510_int_read
Malcolm Priestley <tvboxspy@gmail.com>
media: lmedm04: Use GFP_KERNEL for URB allocation/submission.
Oliver Neukum <oneukum@suse.com>
media: rc: iguanair: handle timeouts
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device()
Rafał Miłecki <rafal@milecki.pl>
ARM: dts: mediatek: mt7623: fix IR nodename
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
arm64: dts: qcom: sm8250: correct sleep clock frequency
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
arm64: dts: qcom: msm8994: correct sleep clock frequency
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
arm64: dts: qcom: msm8916: correct sleep clock frequency
Chen-Yu Tsai <wenst@chromium.org>
arm64: dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names
Chen-Yu Tsai <wenst@chromium.org>
arm64: dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names
Chen-Yu Tsai <wenst@chromium.org>
arm64: dts: mediatek: mt8173-elm: Drop regulator-compatible property
Chen-Yu Tsai <wenst@chromium.org>
arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property
Dan Carpenter <dan.carpenter@linaro.org>
rdma/cxgb4: Prevent potential integer overflow on 32bit
Leon Romanovsky <leon@kernel.org>
RDMA/mlx4: Avoid false error about access to uninitialized gids array
Val Packett <val@packett.cool>
arm64: dts: mediatek: mt8516: reserve 192 KiB for TF-A
Val Packett <val@packett.cool>
arm64: dts: mediatek: mt8516: add i2c clock-div property
Fabien Parent <fparent@baylibre.com>
arm64: dts: mediatek: mt8516: remove 2 invalid i2c clocks
Val Packett <val@packett.cool>
arm64: dts: mediatek: mt8516: fix wdt irq type
Val Packett <val@packett.cool>
arm64: dts: mediatek: mt8516: fix GICv2 range
Chen Ridong <chenridong@huawei.com>
padata: avoid UAF for reorder_work
Chen Ridong <chenridong@huawei.com>
padata: add pd get/put refcnt helper
Chen Ridong <chenridong@huawei.com>
padata: fix UAF in padata_reorder
Puranjay Mohan <puranjay@kernel.org>
bpf: Send signals asynchronously if !preemptible
Jiachen Zhang <me@jcix.top>
perf report: Fix misleading help message about --demangle
Arnaldo Carvalho de Melo <acme@redhat.com>
perf top: Don't complain about lack of vmlinux when not resolving some kernel samples
Thomas Weißschuh <linux@weissschuh.net>
padata: fix sysfs store callback check
Ba Jing <bajing@cmss.chinamobile.com>
ktest.pl: Remove unused declarations in run_bisect_test function
Zhongqiu Han <quic_zhonhan@quicinc.com>
perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info()
Arnaldo Carvalho de Melo <acme@redhat.com>
perf env: Conditionally compile BPF support code on having HAVE_LIBBPF_SUPPORT
Zhongqiu Han <quic_zhonhan@quicinc.com>
perf header: Fix one memory leakage in process_bpf_prog_info()
Zhongqiu Han <quic_zhonhan@quicinc.com>
perf header: Fix one memory leakage in process_bpf_btf()
George Lander <lander@jagmn.com>
ASoC: sun4i-spdif: Add clock multiplier settings
Marco Leogrande <leogrande@google.com>
tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
net/rose: prevent integer overflows in rose_setsockopt()
Roger Quadros <rogerq@kernel.org>
net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()
Jamal Hadi Salim <jhs@mojatatu.com>
net: sched: Disallow replacing of child qdisc from one parent to another
Maher Sanalla <msanalla@nvidia.com>
net/mlxfw: Drop hard coded max FW flash image size
Liu Jian <liujian56@huawei.com>
net: let net.core.dev_weight always be non-zero
Mingwei Zheng <zmw12306@gmail.com>
pwm: stm32: Add check for clk_enable()
Bo Gan <ganboing@gmail.com>
clk: analogbits: Fix incorrect calculation of vco rate delta
Dmitry Antipov <dmantipov@yandex.ru>
wifi: cfg80211: adjust allocation of colocated AP data
Ilan Peer <ilan.peer@intel.com>
wifi: cfg80211: Handle specific BSSID in 6GHz scanning
Dmitry V. Levin <ldv@strace.io>
selftests: harness: fix printing of mismatch values in __EXPECT()
Gautham R. Shenoy <gautham.shenoy@amd.com>
cpufreq: ACPI: Fix max-frequency computation
WangYuli <wangyuli@uniontech.com>
wifi: mt76: mt76u_vendor_request: Do not print error messages when -EPROTO
Guangguan Wang <guangguan.wang@linux.alibaba.com>
net/smc: fix data error when recvmsg with MSG_PEEK flag
Andreas Kemnade <andreas@kemnade.info>
wifi: wlcore: fix unbalanced pm_runtime calls
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
regulator: of: Implement the unwind path of of_regulator_match()
Octavian Purdila <tavip@google.com>
team: prevent adding a device which is already a team device lower
Marek Vasut <marex@denx.de>
clk: imx8mp: Fix clkout1/2 support
Sultan Alsawaf (unemployed) <sultan@kerneltoast.com>
cpufreq: schedutil: Fix superfluous updates caused by need_freq_update
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: schedutil: Simplify sugov_update_next_freq()
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
leds: netxbig: Fix an OF node reference leak in netxbig_leds_get_of_pdata()
He Rongguang <herongguang@linux.alibaba.com>
cpupower: fix TSC MHz calculation
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
ACPI: fan: cleanup resources in the error path of .probe()
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
wifi: rtlwifi: pci: wait for firmware loading before releasing memory
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
wifi: rtlwifi: fix memory leaks and invalid access at probe error path
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
wifi: rtlwifi: destroy workqueue at rtl_deinit_core
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
wifi: rtlwifi: remove unused check_buddy_priv
Dmitry Antipov <dmantipov@yandex.ru>
wifi: rtlwifi: remove unused dualmac control leftovers
Dmitry Antipov <dmantipov@yandex.ru>
wifi: rtlwifi: remove unused timer and related code
Jakob Koschel <jakobkoschel@gmail.com>
rtlwifi: replace usage of found with dedicated list iterator variable
Neil Armstrong <neil.armstrong@linaro.org>
dt-bindings: mmc: controller: clarify the address-cells description
Mingwei Zheng <zmw12306@gmail.com>
spi: zynq-qspi: Add check for clk_enable()
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
wifi: rtlwifi: usb: fix workqueue leak when probe fails
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
wifi: rtlwifi: fix init_sw_vars leak when probe fails
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
wifi: rtlwifi: wait for firmware loading before releasing memory
Colin Ian King <colin.king@canonical.com>
rtlwifi: remove redundant assignment to variable err
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
wifi: rtlwifi: do not complete firmware loading needlessly
Charles Han <hanchunchao@inspur.com>
ipmi: ipmb: Add check devm_kasprintf() returned value
Thomas Gleixner <tglx@linutronix.de>
genirq: Make handle_enforce_irqctx() unconditionally available
Ivan Stepchenko <sid@itb.spb.ru>
drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table
Sui Jingfeng <sui.jingfeng@linux.dev>
drm/etnaviv: Fix page property being used for non writecombine buffers
David Howells <dhowells@redhat.com>
afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call
Christophe Leroy <christophe.leroy@csgroup.eu>
select: Fix unbalanced user_access_end()
Randy Dunlap <rdunlap@infradead.org>
partitions: ldm: remove the initial kernel-doc notation
Keisuke Nishimura <keisuke.nishimura@inria.fr>
nvme: Add error check for xa_store in nvme_get_effects_log
Yu Kuai <yukuai3@huawei.com>
nbd: don't allow reconnect after disconnect
David Howells <dhowells@redhat.com>
afs: Fix directory format encoding struct
David Howells <dhowells@redhat.com>
afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY
-------------
Diffstat:
Documentation/admin-guide/kernel-parameters.txt | 10 +
.../devicetree/bindings/mmc/mmc-controller.yaml | 2 +-
Makefile | 9 +-
arch/alpha/include/uapi/asm/ptrace.h | 2 +
arch/alpha/kernel/asm-offsets.c | 2 +
arch/alpha/kernel/entry.S | 24 +--
arch/alpha/kernel/traps.c | 2 +-
arch/alpha/mm/fault.c | 4 +-
arch/arm/boot/dts/mt7623.dtsi | 2 +-
arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi | 29 +--
arch/arm64/boot/dts/mediatek/mt8173-evb.dts | 25 +--
arch/arm64/boot/dts/mediatek/mt8516.dtsi | 38 ++--
arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi | 2 -
arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +-
arch/arm64/boot/dts/qcom/msm8994.dtsi | 2 +-
arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +-
arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 2 +-
arch/arm64/include/asm/mman.h | 9 +-
arch/arm64/kernel/cacheinfo.c | 12 +-
arch/arm64/kernel/vdso/vdso.lds.S | 1 +
arch/arm64/kernel/vmlinux.lds.S | 1 +
arch/hexagon/include/asm/cmpxchg.h | 2 +-
arch/hexagon/kernel/traps.c | 4 +-
arch/m68k/include/asm/vga.h | 8 +-
arch/mips/kernel/ftrace.c | 2 +-
arch/powerpc/include/asm/book3s/64/hash-4k.h | 28 +++
arch/powerpc/include/asm/book3s/64/pgtable.h | 26 ---
arch/powerpc/lib/code-patching.c | 2 +-
arch/powerpc/platforms/pseries/eeh_pseries.c | 6 +-
arch/s390/include/asm/futex.h | 2 +-
arch/s390/kernel/traps.c | 6 +-
arch/s390/kvm/vsie.c | 25 ++-
arch/x86/Kconfig | 3 +-
arch/x86/boot/compressed/Makefile | 1 +
arch/x86/events/intel/core.c | 5 +-
arch/x86/include/asm/msr-index.h | 3 +-
arch/x86/kernel/amd_nb.c | 4 +
arch/x86/kernel/cpu/bugs.c | 20 +-
arch/x86/kernel/cpu/cacheinfo.c | 2 +-
arch/x86/kernel/cpu/cyrix.c | 4 +-
arch/x86/kernel/cpu/intel.c | 52 +++--
arch/x86/kernel/i8253.c | 11 +-
arch/x86/kernel/static_call.c | 1 -
arch/x86/mm/init.c | 23 ++-
arch/x86/xen/mmu_pv.c | 79 +++++--
arch/x86/xen/xen-head.S | 5 +-
block/blk-cgroup.c | 1 +
block/partitions/efi.c | 2 +-
block/partitions/ldm.h | 2 +-
block/partitions/mac.c | 18 +-
crypto/testmgr.h | 227 +++++++++++++++------
drivers/acpi/apei/ghes.c | 10 +-
drivers/acpi/fan.c | 10 +-
drivers/base/regmap/regmap-irq.c | 2 +
drivers/block/nbd.c | 1 +
drivers/char/ipmi/ipmb_dev_int.c | 3 +
drivers/char/tpm/eventlog/acpi.c | 16 +-
drivers/char/tpm/eventlog/efi.c | 13 +-
drivers/char/tpm/eventlog/of.c | 3 +-
drivers/char/tpm/tpm-chip.c | 1 -
drivers/clk/analogbits/wrpll-cln28hpc.c | 2 +-
drivers/clk/imx/clk-imx8mp.c | 5 +-
drivers/clk/qcom/clk-alpha-pll.c | 2 +
drivers/clk/qcom/clk-rpmh.c | 2 +-
drivers/clk/sunxi-ng/ccu-sun50i-a100.c | 6 +-
drivers/clocksource/i8253.c | 13 +-
drivers/cpufreq/acpi-cpufreq.c | 36 +++-
drivers/cpufreq/s3c64xx-cpufreq.c | 11 +-
drivers/crypto/hisilicon/qm.c | 46 ++---
drivers/crypto/qce/core.c | 13 +-
drivers/dma/ti/edma.c | 3 +-
drivers/firmware/Kconfig | 2 +-
drivers/firmware/efi/efi.c | 6 +-
drivers/firmware/efi/libstub/Makefile | 2 +-
drivers/firmware/efi/libstub/randomalloc.c | 3 +
drivers/firmware/efi/libstub/relocate.c | 3 +
drivers/firmware/efi/mokvar-table.c | 41 ++--
drivers/gpio/gpio-aggregator.c | 20 +-
drivers/gpio/gpio-bcm-kona.c | 71 +++++--
drivers/gpio/gpio-pca953x.c | 19 --
drivers/gpio/gpio-rcar.c | 7 +-
drivers/gpio/gpio-stmpe.c | 15 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 11 +
.../gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 2 +
.../drm/arm/display/komeda/komeda_wb_connector.c | 4 +
drivers/gpu/drm/drm_dp_cec.c | 14 +-
drivers/gpu/drm/drm_fb_helper.c | 14 +-
drivers/gpu/drm/drm_probe_helper.c | 116 ++++++++---
drivers/gpu/drm/etnaviv/etnaviv_gem.c | 16 +-
drivers/gpu/drm/radeon/r300.c | 3 +-
drivers/gpu/drm/radeon/radeon_asic.h | 1 +
drivers/gpu/drm/radeon/rs400.c | 18 +-
drivers/gpu/drm/rockchip/cdn-dp-core.c | 9 +-
drivers/gpu/drm/scheduler/gpu_scheduler_trace.h | 4 +-
drivers/gpu/drm/tidss/tidss_dispc.c | 22 +-
drivers/hid/hid-appleir.c | 2 +-
drivers/hid/hid-core.c | 2 +
drivers/hid/hid-google-hammer.c | 2 +
drivers/hid/hid-multitouch.c | 5 +-
drivers/hid/hid-sensor-hub.c | 21 +-
drivers/hid/intel-ish-hid/ishtp-hid.c | 4 +-
drivers/hid/wacom_wac.c | 5 +
drivers/hwmon/ad7314.c | 10 +
drivers/hwmon/ntc_thermistor.c | 66 +++---
drivers/hwmon/pmbus/pmbus.c | 2 +
drivers/hwmon/xgene-hwmon.c | 2 +-
drivers/hwtracing/intel_th/pci.c | 15 ++
drivers/i2c/busses/i2c-npcm7xx.c | 7 +
drivers/i2c/i2c-core-acpi.c | 22 ++
drivers/idle/intel_idle.c | 4 +
drivers/iio/light/as73211.c | 24 ++-
drivers/infiniband/hw/cxgb4/device.c | 6 +-
drivers/infiniband/hw/mlx4/main.c | 6 +-
drivers/infiniband/hw/mlx5/counters.c | 8 +-
drivers/infiniband/hw/mlx5/qp.c | 4 +-
drivers/leds/leds-lp8860.c | 2 +-
drivers/leds/leds-netxbig.c | 1 +
drivers/md/dm-crypt.c | 27 +--
drivers/media/dvb-frontends/cxd2841er.c | 8 +-
drivers/media/i2c/ov5640.c | 1 +
drivers/media/platform/exynos4-is/mipi-csis.c | 10 +-
drivers/media/platform/marvell-ccic/mcam-core.c | 7 +-
drivers/media/platform/s3c-camif/camif-core.c | 13 +-
drivers/media/rc/iguanair.c | 4 +-
drivers/media/test-drivers/vidtv/vidtv_bridge.c | 8 +-
drivers/media/usb/dvb-usb-v2/lmedm04.c | 14 +-
drivers/media/usb/uvc/uvc_ctrl.c | 85 ++++++--
drivers/media/usb/uvc/uvc_driver.c | 63 +++---
drivers/media/usb/uvc/uvc_queue.c | 3 +-
drivers/media/usb/uvc/uvc_status.c | 1 +
drivers/media/usb/uvc/uvc_v4l2.c | 2 +
drivers/media/usb/uvc/uvcvideo.h | 9 +-
drivers/media/v4l2-core/v4l2-mc.c | 2 +-
drivers/mfd/lpc_ich.c | 3 +-
drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +-
drivers/misc/fastrpc.c | 2 +-
drivers/misc/mei/hw-me-regs.h | 2 +
drivers/misc/mei/pci-me.c | 2 +
drivers/mmc/core/sdio.c | 2 +
drivers/mmc/host/sdhci-msm.c | 53 ++++-
drivers/mtd/hyperbus/hbmc-am654.c | 19 +-
drivers/mtd/nand/onenand/onenand_base.c | 1 +
drivers/mtd/nand/raw/cadence-nand-controller.c | 44 +++-
drivers/net/caif/caif_virtio.c | 2 +-
drivers/net/can/c_can/c_can_platform.c | 5 +-
drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 +-
drivers/net/ethernet/broadcom/bgmac.h | 3 +-
drivers/net/ethernet/broadcom/tg3.c | 58 ++++++
drivers/net/ethernet/cadence/macb.h | 2 +
drivers/net/ethernet/cadence/macb_main.c | 12 +-
drivers/net/ethernet/davicom/dm9000.c | 3 +-
drivers/net/ethernet/emulex/benet/be.h | 2 +-
drivers/net/ethernet/emulex/benet/be_cmds.c | 197 +++++++++---------
drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
drivers/net/ethernet/freescale/fec_main.c | 31 ++-
drivers/net/ethernet/hisilicon/hns3/hnae3.c | 15 ++
drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 +
drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +
.../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +
.../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 +
drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
.../net/ethernet/mellanox/mlx5/core/lib/clock.c | 24 ++-
drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c | 2 -
.../net/ethernet/mellanox/mlxsw/spectrum_ethtool.c | 4 +-
drivers/net/ethernet/netronome/nfp/bpf/cmsg.c | 2 +
drivers/net/ethernet/renesas/sh_eth.c | 4 +
drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
drivers/net/geneve.c | 16 +-
drivers/net/gtp.c | 5 -
drivers/net/loopback.c | 14 ++
drivers/net/netdevsim/ipsec.c | 12 +-
drivers/net/netdevsim/netdevsim.h | 1 +
drivers/net/netdevsim/udp_tunnels.c | 23 ++-
drivers/net/ppp/ppp_generic.c | 28 ++-
drivers/net/team/team.c | 11 +-
drivers/net/tun.c | 2 +-
drivers/net/usb/gl620a.c | 4 +-
drivers/net/usb/rtl8150.c | 28 ++-
.../wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +
.../broadcom/brcm80211/brcmsmac/phy/phy_n.c | 3 +
drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +-
drivers/net/wireless/mediatek/mt76/usb.c | 4 +-
drivers/net/wireless/realtek/rtlwifi/base.c | 42 ++--
drivers/net/wireless/realtek/rtlwifi/base.h | 2 -
drivers/net/wireless/realtek/rtlwifi/pci.c | 67 +-----
.../net/wireless/realtek/rtlwifi/rtl8192se/sw.c | 7 +-
.../net/wireless/realtek/rtlwifi/rtl8821ae/fw.h | 4 +-
drivers/net/wireless/realtek/rtlwifi/usb.c | 13 +-
drivers/net/wireless/realtek/rtlwifi/wifi.h | 23 ---
drivers/net/wireless/ti/wlcore/main.c | 10 +-
drivers/nvme/host/core.c | 16 +-
drivers/nvme/host/pci.c | 66 +++++-
drivers/nvme/target/tcp.c | 15 +-
drivers/nvmem/core.c | 2 +
drivers/nvmem/qcom-spmi-sdam.c | 1 +
drivers/of/base.c | 8 +-
drivers/parport/parport_pc.c | 5 +
drivers/pci/controller/pcie-rcar-ep.c | 2 +-
drivers/pci/endpoint/pci-epc-core.c | 2 +-
drivers/pci/quirks.c | 1 +
drivers/phy/samsung/phy-exynos5-usbdrd.c | 12 +-
drivers/phy/tegra/xusb-tegra186.c | 11 +
drivers/platform/x86/thinkpad_acpi.c | 1 +
drivers/power/supply/da9150-fg.c | 4 +-
drivers/pps/clients/pps-gpio.c | 4 +-
drivers/pps/clients/pps-ktimer.c | 4 +-
drivers/pps/clients/pps-ldisc.c | 6 +-
drivers/pps/clients/pps_parport.c | 4 +-
drivers/pps/kapi.c | 10 +-
drivers/pps/kc.c | 10 +-
drivers/pps/pps.c | 127 ++++++------
drivers/ptp/ptp_clock.c | 8 +
drivers/pwm/pwm-stm32.c | 7 +-
drivers/rapidio/devices/rio_mport_cdev.c | 3 +-
drivers/rapidio/rio-scan.c | 5 +-
drivers/regulator/of_regulator.c | 14 +-
drivers/rtc/rtc-pcf85063.c | 11 +-
drivers/scsi/mpt3sas/mpt3sas_base.c | 3 +-
drivers/scsi/qla2xxx/qla_def.h | 2 +
drivers/scsi/qla2xxx/qla_dfs.c | 122 +++++++++--
drivers/scsi/qla2xxx/qla_gbl.h | 3 +
drivers/scsi/qla2xxx/qla_init.c | 28 ++-
drivers/scsi/storvsc_drv.c | 1 +
drivers/scsi/ufs/ufs_bsg.c | 1 +
drivers/slimbus/messaging.c | 5 +-
drivers/soc/qcom/smem_state.c | 3 +-
drivers/soc/qcom/socinfo.c | 2 +-
drivers/spi/spi-mxs.c | 3 +-
drivers/spi/spi-zynq-qspi.c | 13 +-
drivers/staging/media/imx/imx-media-of.c | 8 +-
drivers/tee/optee/supp.c | 35 +---
drivers/tty/serial/8250/8250.h | 2 +
drivers/tty/serial/8250/8250_dma.c | 16 ++
drivers/tty/serial/8250/8250_pci.c | 10 +
drivers/tty/serial/8250/8250_port.c | 9 +
drivers/tty/serial/sh-sci.c | 25 ++-
drivers/usb/atm/cxacru.c | 13 +-
drivers/usb/class/cdc-acm.c | 28 ++-
drivers/usb/core/hub.c | 16 +-
drivers/usb/core/quirks.c | 10 +
drivers/usb/dwc2/gadget.c | 1 +
drivers/usb/dwc3/gadget.c | 37 +++-
drivers/usb/gadget/composite.c | 17 +-
drivers/usb/gadget/function/f_midi.c | 22 +-
drivers/usb/gadget/function/f_tcm.c | 66 +++---
drivers/usb/gadget/udc/renesas_usb3.c | 2 +-
drivers/usb/host/pci-quirks.c | 9 +
drivers/usb/host/xhci-mem.c | 5 +-
drivers/usb/host/xhci-pci.c | 17 +-
drivers/usb/host/xhci-ring.c | 12 +-
drivers/usb/host/xhci.c | 23 ++-
drivers/usb/host/xhci.h | 11 +-
drivers/usb/renesas_usbhs/common.c | 6 +-
drivers/usb/renesas_usbhs/mod_gadget.c | 2 +-
drivers/usb/roles/class.c | 5 +-
drivers/usb/serial/option.c | 49 +++--
drivers/usb/typec/tcpm/tcpci_rt1711h.c | 11 +
drivers/usb/typec/tcpm/tcpm.c | 2 +-
drivers/usb/typec/ucsi/ucsi.c | 2 +-
drivers/vfio/pci/vfio_pci_rdwr.c | 1 +
drivers/vfio/platform/vfio_platform_common.c | 10 +
drivers/video/fbdev/omap2/omapfb/dss/dss-of.c | 1 +
fs/afs/dir.c | 7 +-
fs/afs/xdr_fs.h | 2 +-
fs/afs/yfsclient.c | 5 +-
fs/binfmt_flat.c | 2 +-
fs/btrfs/inode.c | 4 +-
fs/btrfs/locking.c | 68 +++++-
fs/btrfs/relocation.c | 14 +-
fs/btrfs/super.c | 2 +-
fs/btrfs/transaction.c | 4 +-
fs/cifs/smb2ops.c | 4 +
fs/f2fs/file.c | 13 ++
fs/nfs/flexfilelayout/flexfilelayout.c | 27 ++-
fs/nfs/nfs42xdr.c | 2 +
fs/nfsd/nfs2acl.c | 2 +
fs/nfsd/nfs3acl.c | 2 +
fs/nfsd/nfs4callback.c | 8 +-
fs/nilfs2/dir.c | 24 +--
fs/nilfs2/inode.c | 10 +-
fs/nilfs2/mdt.c | 6 +-
fs/nilfs2/namei.c | 37 ++--
fs/nilfs2/nilfs.h | 10 +-
fs/nilfs2/page.c | 55 ++---
fs/nilfs2/page.h | 4 +-
fs/nilfs2/segment.c | 4 +-
fs/ocfs2/dir.c | 25 ++-
fs/ocfs2/quota_global.c | 5 +
fs/ocfs2/super.c | 2 +-
fs/ocfs2/symlink.c | 5 +-
fs/orangefs/orangefs-debugfs.c | 4 +-
fs/select.c | 4 +-
fs/squashfs/inode.c | 5 +-
fs/ubifs/debug.c | 22 +-
fs/udf/super.c | 2 +-
include/asm-generic/vmlinux.lds.h | 2 +-
include/drm/drm_probe_helper.h | 1 +
include/linux/efi.h | 1 +
include/linux/i8253.h | 1 +
include/linux/kallsyms.h | 2 +-
include/linux/kvm_host.h | 9 +
include/linux/mlx5/driver.h | 1 -
include/linux/netdevice.h | 6 +
include/linux/pci_ids.h | 4 +
include/linux/pps_kernel.h | 3 +-
include/linux/usb/hcd.h | 5 +-
include/net/dst.h | 23 ++-
include/net/flow_dissector.h | 16 ++
include/net/flow_offload.h | 6 +
include/net/l3mdev.h | 2 +
include/net/net_namespace.h | 15 +-
include/trace/events/oom.h | 36 +++-
include/uapi/linux/input-event-codes.h | 1 +
kernel/acct.c | 141 ++++++++-----
kernel/bpf/syscall.c | 18 +-
kernel/debug/kdb/kdb_io.c | 2 +
kernel/events/core.c | 17 +-
kernel/irq/internals.h | 9 +-
kernel/padata.c | 45 +++-
kernel/power/hibernate.c | 7 +-
kernel/printk/printk.c | 2 +-
kernel/sched/core.c | 8 +-
kernel/sched/cpufreq_schedutil.c | 12 +-
kernel/time/clocksource.c | 79 ++++++-
kernel/trace/bpf_trace.c | 2 +-
kernel/trace/ftrace.c | 27 ++-
lib/Kconfig.debug | 8 +-
mm/memcontrol.c | 7 +-
mm/oom_kill.c | 14 +-
mm/page_alloc.c | 1 +
net/8021q/vlan.c | 3 +-
net/8021q/vlan.h | 2 +-
net/8021q/vlan_dev.c | 15 +-
net/8021q/vlan_netlink.c | 7 +-
net/batman-adv/bat_v.c | 3 +-
net/batman-adv/bat_v_elp.c | 124 +++++++----
net/batman-adv/bat_v_elp.h | 2 -
net/batman-adv/bat_v_ogm.c | 1 +
net/batman-adv/fragmentation.c | 2 +-
net/batman-adv/hard-interface.c | 1 +
net/batman-adv/icmp_socket.c | 1 +
net/batman-adv/main.c | 1 +
net/batman-adv/netlink.c | 1 +
net/batman-adv/tp_meter.c | 1 +
net/batman-adv/types.h | 3 -
net/bluetooth/l2cap_core.c | 9 +-
net/bluetooth/l2cap_sock.c | 7 +-
net/can/j1939/socket.c | 4 +-
net/can/j1939/transport.c | 5 +-
net/core/drop_monitor.c | 39 ++--
net/core/flow_dissector.c | 49 +++--
net/core/flow_offload.c | 7 +
net/core/neighbour.c | 11 +-
net/core/skbuff.c | 2 +-
net/core/sysctl_net_core.c | 5 +-
net/hsr/hsr_forward.c | 7 +-
net/ipv4/arp.c | 4 +-
net/ipv4/devinet.c | 3 +-
net/ipv4/ip_input.c | 1 +
net/ipv4/ip_output.c | 1 +
net/ipv4/ipmr_base.c | 3 -
net/ipv4/route.c | 8 +-
net/ipv4/tcp_minisocks.c | 10 +-
net/ipv4/tcp_offload.c | 11 +-
net/ipv4/udp.c | 4 +-
net/ipv4/udp_offload.c | 8 +-
net/ipv6/ila/ila_lwt.c | 4 +-
net/ipv6/ip6_output.c | 1 +
net/ipv6/ndisc.c | 28 +--
net/ipv6/route.c | 7 +-
net/ipv6/rpl_iptunnel.c | 67 +++---
net/ipv6/seg6_iptunnel.c | 2 +-
net/ipv6/udp.c | 4 +-
net/llc/llc_s_ac.c | 49 +++--
net/mptcp/pm_netlink.c | 6 -
net/mptcp/protocol.c | 1 +
net/ncsi/ncsi-manage.c | 13 +-
net/netfilter/nf_tables_api.c | 8 +-
net/nfc/nci/hci.c | 2 +
net/openvswitch/datapath.c | 12 +-
net/rose/af_rose.c | 40 ++--
net/rose/rose_timer.c | 15 ++
net/sched/cls_flower.c | 8 +-
net/sched/sch_api.c | 4 +
net/sched/sch_cake.c | 140 +++++++------
net/sched/sch_fifo.c | 3 +
net/sched/sch_netem.c | 2 +-
net/smc/af_smc.c | 2 +-
net/smc/smc_rx.c | 37 ++--
net/smc/smc_rx.h | 8 +-
net/sunrpc/cache.c | 10 +-
net/tipc/crypto.c | 4 +-
net/vmw_vsock/af_vsock.c | 82 +++++---
net/wireless/nl80211.c | 5 +
net/wireless/reg.c | 3 +-
net/wireless/scan.c | 35 ++++
net/xfrm/xfrm_replay.c | 10 +-
scripts/Makefile.extrawarn | 5 +-
scripts/genksyms/genksyms.c | 11 +-
scripts/genksyms/genksyms.h | 2 +-
scripts/genksyms/parse.y | 18 +-
security/integrity/ima/ima_api.c | 16 +-
security/integrity/ima/ima_template_lib.c | 17 +-
security/safesetid/securityfs.c | 3 +
security/tomoyo/common.c | 2 +-
sound/pci/hda/hda_intel.c | 2 +
sound/pci/hda/patch_conexant.c | 1 +
sound/pci/hda/patch_realtek.c | 78 +++++++
sound/soc/codecs/es8328.c | 15 +-
sound/soc/intel/boards/bytcr_rt5640.c | 17 +-
sound/soc/sunxi/sun4i-spdif.c | 7 +
sound/usb/midi.c | 2 +-
sound/usb/usx2y/usbusx2y.c | 11 +
sound/usb/usx2y/usbusx2y.h | 26 +++
sound/usb/usx2y/usbusx2yaudio.c | 27 ---
tools/bootconfig/main.c | 4 +-
tools/perf/bench/epoll-wait.c | 7 +-
tools/perf/builtin-report.c | 2 +-
tools/perf/builtin-top.c | 2 +-
tools/perf/builtin-trace.c | 6 +-
tools/perf/util/bpf-event.c | 10 +-
tools/perf/util/cs-etm.c | 2 +-
tools/perf/util/dso.c | 14 +-
tools/perf/util/env.c | 28 ++-
tools/perf/util/env.h | 8 +-
tools/perf/util/header.c | 29 ++-
.../cpupower/utils/idle_monitor/mperf_monitor.c | 15 +-
tools/testing/ktest/ktest.pl | 7 +-
tools/testing/selftests/bpf/test_tc_tunnel.sh | 1 +
.../drivers/net/netdevsim/udp_tunnel_nic.sh | 16 +-
tools/testing/selftests/kselftest_harness.h | 24 +--
tools/testing/selftests/net/ipsec.c | 3 +-
tools/testing/selftests/net/rtnetlink.sh | 4 +-
tools/testing/selftests/net/udpgso.c | 26 +++
434 files changed, 4060 insertions(+), 2030 deletions(-)
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 001/462] afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 002/462] afs: Fix directory format encoding struct Greg Kroah-Hartman
` (464 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
linux-afs, Christian Brauner, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit b49194da2aff2c879dec9c59ef8dec0f2b0809ef ]
AFS servers pass back a code indicating EEXIST when they're asked to remove
a directory that is not empty rather than ENOTEMPTY because not all the
systems that an AFS server can run on have the latter error available and
AFS preexisted the addition of that error in general.
Fix afs_rmdir() to translate EEXIST to ENOTEMPTY.
Fixes: 260a980317da ("[AFS]: Add "directory write" support.")
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://lore.kernel.org/r/20241216204124.3752367-13-dhowells@redhat.com
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/dir.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/afs/dir.c b/fs/afs/dir.c
index a59d6293a32b2..c3c870416f1b7 100644
--- a/fs/afs/dir.c
+++ b/fs/afs/dir.c
@@ -1412,7 +1412,12 @@ static int afs_rmdir(struct inode *dir, struct dentry *dentry)
op->file[1].vnode = vnode;
}
- return afs_do_sync_operation(op);
+ ret = afs_do_sync_operation(op);
+
+ /* Not all systems that can host afs servers have ENOTEMPTY. */
+ if (ret == -EEXIST)
+ ret = -ENOTEMPTY;
+ return ret;
error:
return afs_put_operation(op);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 002/462] afs: Fix directory format encoding struct
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 001/462] afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 003/462] nbd: dont allow reconnect after disconnect Greg Kroah-Hartman
` (463 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
linux-afs, Christian Brauner, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 07a10767853adcbdbf436dc91393b729b52c4e81 ]
The AFS directory format structure, union afs_xdr_dir_block::meta, has too
many alloc counter slots declared and so pushes the hash table along and
over the data. This doesn't cause a problem at the moment because I'm
currently ignoring the hash table and only using the correct number of
alloc_ctrs in the code anyway. In future, however, I should start using
the hash table to try and speed up afs_lookup().
Fix this by using the correct constant to declare the counter array.
Fixes: 4ea219a839bf ("afs: Split the directory content defs into a header")
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://lore.kernel.org/r/20241216204124.3752367-14-dhowells@redhat.com
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/xdr_fs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/afs/xdr_fs.h b/fs/afs/xdr_fs.h
index 94f1f398eefad..cccc8e74f49b0 100644
--- a/fs/afs/xdr_fs.h
+++ b/fs/afs/xdr_fs.h
@@ -82,7 +82,7 @@ union afs_xdr_dir_block {
struct {
struct afs_xdr_dir_hdr hdr;
- u8 alloc_ctrs[AFS_DIR_MAX_BLOCKS];
+ u8 alloc_ctrs[AFS_DIR_BLOCKS_WITH_CTR];
__be16 hashtable[AFS_DIR_HASHTBL_SIZE];
} meta;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 003/462] nbd: dont allow reconnect after disconnect
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 001/462] afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 002/462] afs: Fix directory format encoding struct Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 004/462] nvme: Add error check for xa_store in nvme_get_effects_log Greg Kroah-Hartman
` (462 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6b0df248918b92c33e6a, Yu Kuai,
Christoph Hellwig, Jens Axboe, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
[ Upstream commit 844b8cdc681612ff24df62cdefddeab5772fadf1 ]
Following process can cause nbd_config UAF:
1) grab nbd_config temporarily;
2) nbd_genl_disconnect() flush all recv_work() and release the
initial reference:
nbd_genl_disconnect
nbd_disconnect_and_put
nbd_disconnect
flush_workqueue(nbd->recv_workq)
if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
nbd_config_put
-> due to step 1), reference is still not zero
3) nbd_genl_reconfigure() queue recv_work() again;
nbd_genl_reconfigure
config = nbd_get_config_unlocked(nbd)
if (!config)
-> succeed
if (!test_bit(NBD_RT_BOUND, ...))
-> succeed
nbd_reconnect_socket
queue_work(nbd->recv_workq, &args->work)
4) step 1) release the reference;
5) Finially, recv_work() will trigger UAF:
recv_work
nbd_config_put(nbd)
-> nbd_config is freed
atomic_dec(&config->recv_threads)
-> UAF
Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so
that nbd_genl_reconfigure() will fail.
Fixes: b7aa3d39385d ("nbd: add a reconfigure netlink command")
Reported-by: syzbot+6b0df248918b92c33e6a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/675bfb65.050a0220.1a2d0d.0006.GAE@google.com/
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250103092859.3574648-1-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/nbd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index d6e3edb404748..4776009587190 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -2065,6 +2065,7 @@ static void nbd_disconnect_and_put(struct nbd_device *nbd)
flush_workqueue(nbd->recv_workq);
nbd_clear_que(nbd);
nbd->task_setup = NULL;
+ clear_bit(NBD_RT_BOUND, &nbd->config->runtime_flags);
mutex_unlock(&nbd->config_lock);
if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF,
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 004/462] nvme: Add error check for xa_store in nvme_get_effects_log
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 003/462] nbd: dont allow reconnect after disconnect Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 005/462] partitions: ldm: remove the initial kernel-doc notation Greg Kroah-Hartman
` (461 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Keisuke Nishimura, Christoph Hellwig,
Sagi Grimberg, Keith Busch, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keisuke Nishimura <keisuke.nishimura@inria.fr>
[ Upstream commit ac32057acc7f3d7a238dafaa9b2aa2bc9750080e ]
The xa_store() may fail due to memory allocation failure because there
is no guarantee that the index csi is already used. This fix adds an
error check of the return value of xa_store() in nvme_get_effects_log().
Fixes: 1cf7a12e09aa ("nvme: use an xarray to lookup the Commands Supported and Effects log")
Signed-off-by: Keisuke Nishimura <keisuke.nishimura@inria.fr>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index c739ac1761ba6..f988a5e3f0e15 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -3043,7 +3043,7 @@ int nvme_get_log(struct nvme_ctrl *ctrl, u32 nsid, u8 log_page, u8 lsp, u8 csi,
static int nvme_get_effects_log(struct nvme_ctrl *ctrl, u8 csi,
struct nvme_effects_log **log)
{
- struct nvme_effects_log *cel = xa_load(&ctrl->cels, csi);
+ struct nvme_effects_log *old, *cel = xa_load(&ctrl->cels, csi);
int ret;
if (cel)
@@ -3060,7 +3060,11 @@ static int nvme_get_effects_log(struct nvme_ctrl *ctrl, u8 csi,
return ret;
}
- xa_store(&ctrl->cels, csi, cel, GFP_KERNEL);
+ old = xa_store(&ctrl->cels, csi, cel, GFP_KERNEL);
+ if (xa_is_err(old)) {
+ kfree(cel);
+ return xa_err(old);
+ }
out:
*log = cel;
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 005/462] partitions: ldm: remove the initial kernel-doc notation
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 004/462] nvme: Add error check for xa_store in nvme_get_effects_log Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 006/462] select: Fix unbalanced user_access_end() Greg Kroah-Hartman
` (460 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap,
Richard Russon (FlatCap), linux-ntfs-dev, Jens Axboe, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit e494e451611a3de6ae95f99e8339210c157d70fb ]
Remove the file's first comment describing what the file is.
This comment is not in kernel-doc format so it causes a kernel-doc
warning.
ldm.h:13: warning: expecting prototype for ldm(). Prototype was for _FS_PT_LDM_H_() instead
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Richard Russon (FlatCap) <ldm@flatcap.org>
Cc: linux-ntfs-dev@lists.sourceforge.net
Cc: Jens Axboe <axboe@kernel.dk>
Link: https://lore.kernel.org/r/20250111062758.910458-1-rdunlap@infradead.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/partitions/ldm.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/partitions/ldm.h b/block/partitions/ldm.h
index 8693704dcf5e9..84a66b51cd2ab 100644
--- a/block/partitions/ldm.h
+++ b/block/partitions/ldm.h
@@ -1,5 +1,5 @@
// SPDX-License-Identifier: GPL-2.0-or-later
-/**
+/*
* ldm - Part of the Linux-NTFS project.
*
* Copyright (C) 2001,2002 Richard Russon <ldm@flatcap.org>
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 006/462] select: Fix unbalanced user_access_end()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 005/462] partitions: ldm: remove the initial kernel-doc notation Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 007/462] afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call Greg Kroah-Hartman
` (459 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Christian Brauner,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit 344af27715ddbf357cf76978d674428b88f8e92d ]
While working on implementing user access validation on powerpc
I got the following warnings on a pmac32_defconfig build:
CC fs/select.o
fs/select.o: warning: objtool: sys_pselect6+0x1bc: redundant UACCESS disable
fs/select.o: warning: objtool: sys_pselect6_time32+0x1bc: redundant UACCESS disable
On powerpc/32s, user_read_access_begin/end() are no-ops, but the
failure path has a user_access_end() instead of user_read_access_end()
which means an access end without any prior access begin.
Replace that user_access_end() by user_read_access_end().
Fixes: 7e71609f64ec ("pselect6() and friends: take handling the combined 6th/7th args into helper")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Link: https://lore.kernel.org/r/a7139e28d767a13e667ee3c79599a8047222ef36.1736751221.git.christophe.leroy@csgroup.eu
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/select.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/select.c b/fs/select.c
index 668a5200503ae..7ce67428582e6 100644
--- a/fs/select.c
+++ b/fs/select.c
@@ -787,7 +787,7 @@ static inline int get_sigset_argpack(struct sigset_argpack *to,
}
return 0;
Efault:
- user_access_end();
+ user_read_access_end();
return -EFAULT;
}
@@ -1360,7 +1360,7 @@ static inline int get_compat_sigset_argpack(struct compat_sigset_argpack *to,
}
return 0;
Efault:
- user_access_end();
+ user_read_access_end();
return -EFAULT;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 007/462] afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 006/462] select: Fix unbalanced user_access_end() Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 008/462] drm/etnaviv: Fix page property being used for non writecombine buffers Greg Kroah-Hartman
` (458 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
linux-afs, Christian Brauner, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit e30458d690f35abb01de8b3cbc09285deb725d00 ]
Fix a pair of bugs in the fallback handling for the YFS.RemoveFile2 RPC
call:
(1) Fix the abort code check to also look for RXGEN_OPCODE. The lack of
this masks the second bug.
(2) call->server is now not used for ordinary filesystem RPC calls that
have an operation descriptor. Fix to use call->op->server instead.
Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept")
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://lore.kernel.org/r/109541.1736865963@warthog.procyon.org.uk
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/yfsclient.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/afs/yfsclient.c b/fs/afs/yfsclient.c
index 5b2ef5ffd716f..171de355a7e58 100644
--- a/fs/afs/yfsclient.c
+++ b/fs/afs/yfsclient.c
@@ -689,8 +689,9 @@ static int yfs_deliver_fs_remove_file2(struct afs_call *call)
static void yfs_done_fs_remove_file2(struct afs_call *call)
{
if (call->error == -ECONNABORTED &&
- call->abort_code == RX_INVALID_OPERATION) {
- set_bit(AFS_SERVER_FL_NO_RM2, &call->server->flags);
+ (call->abort_code == RX_INVALID_OPERATION ||
+ call->abort_code == RXGEN_OPCODE)) {
+ set_bit(AFS_SERVER_FL_NO_RM2, &call->op->server->flags);
call->op->flags |= AFS_OPERATION_DOWNGRADE;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 008/462] drm/etnaviv: Fix page property being used for non writecombine buffers
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 007/462] afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 009/462] drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table Greg Kroah-Hartman
` (457 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sui Jingfeng, Lucas Stach,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sui Jingfeng <sui.jingfeng@linux.dev>
[ Upstream commit 834f304192834d6f0941954f3277ae0ba11a9a86 ]
In the etnaviv_gem_vmap_impl() function, the driver vmap whatever buffers
with write combine(WC) page property, this is incorrect. Cached buffers
should be mapped with the cached page property and uncached buffers should
be mapped with the uncached page property.
Fixes: a0a5ab3e99b8 ("drm/etnaviv: call correct function when trying to vmap a DMABUF")
Signed-off-by: Sui Jingfeng <sui.jingfeng@linux.dev>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/etnaviv/etnaviv_gem.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gem.c b/drivers/gpu/drm/etnaviv/etnaviv_gem.c
index aa372982335e9..bdd3564634e79 100644
--- a/drivers/gpu/drm/etnaviv/etnaviv_gem.c
+++ b/drivers/gpu/drm/etnaviv/etnaviv_gem.c
@@ -351,6 +351,7 @@ void *etnaviv_gem_vmap(struct drm_gem_object *obj)
static void *etnaviv_gem_vmap_impl(struct etnaviv_gem_object *obj)
{
struct page **pages;
+ pgprot_t prot;
lockdep_assert_held(&obj->lock);
@@ -358,8 +359,19 @@ static void *etnaviv_gem_vmap_impl(struct etnaviv_gem_object *obj)
if (IS_ERR(pages))
return NULL;
- return vmap(pages, obj->base.size >> PAGE_SHIFT,
- VM_MAP, pgprot_writecombine(PAGE_KERNEL));
+ switch (obj->flags & ETNA_BO_CACHE_MASK) {
+ case ETNA_BO_CACHED:
+ prot = PAGE_KERNEL;
+ break;
+ case ETNA_BO_UNCACHED:
+ prot = pgprot_noncached(PAGE_KERNEL);
+ break;
+ case ETNA_BO_WC:
+ default:
+ prot = pgprot_writecombine(PAGE_KERNEL);
+ }
+
+ return vmap(pages, obj->base.size >> PAGE_SHIFT, VM_MAP, prot);
}
static inline enum dma_data_direction etnaviv_op_to_dma_dir(u32 op)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 009/462] drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 008/462] drm/etnaviv: Fix page property being used for non writecombine buffers Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 010/462] genirq: Make handle_enforce_irqctx() unconditionally available Greg Kroah-Hartman
` (456 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Stepchenko, Alex Deucher,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Stepchenko <sid@itb.spb.ru>
[ Upstream commit 357445e28ff004d7f10967aa93ddb4bffa5c3688 ]
The function atomctrl_get_smc_sclk_range_table() does not check the return
value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to
retrieve SMU_Info table, it returns NULL which is later dereferenced.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
In practice this should never happen as this code only gets called
on polaris chips and the vbios data table will always be present on
those chips.
Fixes: a23eefa2f461 ("drm/amd/powerplay: enable dpm for baffin.")
Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
index 165af862d0542..04dbd9f89a45d 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
@@ -1370,6 +1370,8 @@ int atomctrl_get_smc_sclk_range_table(struct pp_hwmgr *hwmgr, struct pp_atom_ctr
GetIndexIntoMasterTable(DATA, SMU_Info),
&size, &frev, &crev);
+ if (!psmu_info)
+ return -EINVAL;
for (i = 0; i < psmu_info->ucSclkEntryNum; i++) {
table->entry[i].ucVco_setting = psmu_info->asSclkFcwRangeEntry[i].ucVco_setting;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 010/462] genirq: Make handle_enforce_irqctx() unconditionally available
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 009/462] drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 011/462] ipmi: ipmb: Add check devm_kasprintf() returned value Greg Kroah-Hartman
` (455 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 8d187a77f04c14fb459a5301d69f733a5a1396bc ]
Commit 1b57d91b969c ("irqchip/gic-v2, v3: Prevent SW resends entirely")
sett the flag which enforces interrupt handling in interrupt context and
prevents software base resends for ARM GIC v2/v3.
But it missed that the helper function which checks the flag was hidden
behind CONFIG_GENERIC_PENDING_IRQ, which is not set by ARM[64].
Make the helper unconditionally available so that the enforcement actually
works.
Fixes: 1b57d91b969c ("irqchip/gic-v2, v3: Prevent SW resends entirely")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/20241210101811.497716609@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/irq/internals.h | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h
index f1d83a8b44171..da1f282d5a1d1 100644
--- a/kernel/irq/internals.h
+++ b/kernel/irq/internals.h
@@ -429,10 +429,6 @@ static inline struct cpumask *irq_desc_get_pending_mask(struct irq_desc *desc)
{
return desc->pending_mask;
}
-static inline bool handle_enforce_irqctx(struct irq_data *data)
-{
- return irqd_is_handle_enforce_irqctx(data);
-}
bool irq_fixup_move_pending(struct irq_desc *desc, bool force_clear);
#else /* CONFIG_GENERIC_PENDING_IRQ */
static inline bool irq_can_move_pcntxt(struct irq_data *data)
@@ -459,11 +455,12 @@ static inline bool irq_fixup_move_pending(struct irq_desc *desc, bool fclear)
{
return false;
}
+#endif /* !CONFIG_GENERIC_PENDING_IRQ */
+
static inline bool handle_enforce_irqctx(struct irq_data *data)
{
- return false;
+ return irqd_is_handle_enforce_irqctx(data);
}
-#endif /* !CONFIG_GENERIC_PENDING_IRQ */
#if !defined(CONFIG_IRQ_DOMAIN) || !defined(CONFIG_IRQ_DOMAIN_HIERARCHY)
static inline int irq_domain_activate_irq(struct irq_data *data, bool reserve)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 011/462] ipmi: ipmb: Add check devm_kasprintf() returned value
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 010/462] genirq: Make handle_enforce_irqctx() unconditionally available Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 012/462] wifi: rtlwifi: do not complete firmware loading needlessly Greg Kroah-Hartman
` (454 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Charles Han, Corey Minyard,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Han <hanchunchao@inspur.com>
[ Upstream commit 2378bd0b264ad3a1f76bd957caf33ee0c7945351 ]
devm_kasprintf() can return a NULL pointer on failure but this
returned value is not checked.
Fixes: 51bd6f291583 ("Add support for IPMB driver")
Signed-off-by: Charles Han <hanchunchao@inspur.com>
Message-ID: <20240926094419.25900-1-hanchunchao@inspur.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmb_dev_int.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c
index 382b28f1cf2f6..8800f2998d590 100644
--- a/drivers/char/ipmi/ipmb_dev_int.c
+++ b/drivers/char/ipmi/ipmb_dev_int.c
@@ -322,6 +322,9 @@ static int ipmb_probe(struct i2c_client *client,
ipmb_dev->miscdev.name = devm_kasprintf(&client->dev, GFP_KERNEL,
"%s%d", "ipmb-",
client->adapter->nr);
+ if (!ipmb_dev->miscdev.name)
+ return -ENOMEM;
+
ipmb_dev->miscdev.fops = &ipmb_fops;
ipmb_dev->miscdev.parent = &client->dev;
ret = misc_register(&ipmb_dev->miscdev);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 012/462] wifi: rtlwifi: do not complete firmware loading needlessly
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 011/462] ipmi: ipmb: Add check devm_kasprintf() returned value Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 013/462] wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step Greg Kroah-Hartman
` (453 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Ping-Ke Shih, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
[ Upstream commit e73e11d303940119e41850a0452a0deda2cc4eb5 ]
The only code waiting for completion is driver removal, which will not be
called when probe returns a failure. So this completion is unnecessary.
Fixes: b0302aba812b ("rtlwifi: Convert to asynchronous firmware load")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20241107133322.855112-2-cascardo@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 1 -
drivers/net/wireless/realtek/rtlwifi/usb.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index 6d9f2a6233a21..70f1cc906502b 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -2274,7 +2274,6 @@ int rtl_pci_probe(struct pci_dev *pdev,
pci_iounmap(pdev, (void __iomem *)rtlpriv->io.pci_mem_start);
pci_release_regions(pdev);
- complete(&rtlpriv->firmware_loading_complete);
fail1:
if (hw)
diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
index c6e4fda7e431f..7e4655de30237 100644
--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
+++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
@@ -1085,7 +1085,6 @@ int rtl_usb_probe(struct usb_interface *intf,
error_out2:
_rtl_usb_io_handler_release(hw);
usb_put_dev(udev);
- complete(&rtlpriv->firmware_loading_complete);
kfree(rtlpriv->usb_data);
ieee80211_free_hw(hw);
return -ENODEV;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 013/462] wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 012/462] wifi: rtlwifi: do not complete firmware loading needlessly Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 014/462] rtlwifi: remove redundant assignment to variable err Greg Kroah-Hartman
` (452 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Ping-Ke Shih, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
[ Upstream commit 8559a9e0c457729fe3edb3176bbf7c7874f482b0 ]
Just like in commit 4dfde294b979 ("rtlwifi: rise completion at the last
step of firmware callback"), only signal completion once the function is
finished. Otherwise, the module removal waiting for the completion could
free the memory that the callback will still use before returning.
Fixes: b0302aba812b ("rtlwifi: Convert to asynchronous firmware load")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20241107133322.855112-3-cascardo@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
index 6d352a3161b8f..60d97e73ca28e 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
@@ -67,22 +67,23 @@ static void rtl92se_fw_cb(const struct firmware *firmware, void *context)
rtl_dbg(rtlpriv, COMP_ERR, DBG_LOUD,
"Firmware callback routine entered!\n");
- complete(&rtlpriv->firmware_loading_complete);
if (!firmware) {
pr_err("Firmware %s not available\n", fw_name);
rtlpriv->max_fw_size = 0;
- return;
+ goto exit;
}
if (firmware->size > rtlpriv->max_fw_size) {
pr_err("Firmware is too big!\n");
rtlpriv->max_fw_size = 0;
release_firmware(firmware);
- return;
+ goto exit;
}
pfirmware = (struct rt_firmware *)rtlpriv->rtlhal.pfirmware;
memcpy(pfirmware->sz_fw_tmpbuffer, firmware->data, firmware->size);
pfirmware->sz_fw_tmpbufferlen = firmware->size;
release_firmware(firmware);
+exit:
+ complete(&rtlpriv->firmware_loading_complete);
}
static int rtl92s_init_sw_vars(struct ieee80211_hw *hw)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 014/462] rtlwifi: remove redundant assignment to variable err
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 013/462] wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 015/462] wifi: rtlwifi: wait for firmware loading before releasing memory Greg Kroah-Hartman
` (451 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Colin Ian King, Kalle Valo,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.king@canonical.com>
[ Upstream commit 87431bc1f0f67aa2d23ca1b9682fe54f68549d42 ]
Variable err is assigned -ENODEV followed by an error return path
via label error_out that does not access the variable and returns
with the -ENODEV error return code. The assignment to err is
redundant and can be removed.
Addresses-Coverity: ("Unused value")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210327230014.25554-1-colin.king@canonical.com
Stable-dep-of: b4b26642b31e ("wifi: rtlwifi: wait for firmware loading before releasing memory")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/usb.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
index 7e4655de30237..add6da1ce3602 100644
--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
+++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
@@ -1072,7 +1072,6 @@ int rtl_usb_probe(struct usb_interface *intf,
err = ieee80211_register_hw(hw);
if (err) {
pr_err("Can't register mac80211 hw.\n");
- err = -ENODEV;
goto error_out;
}
rtlpriv->mac80211.mac80211_registered = 1;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 015/462] wifi: rtlwifi: wait for firmware loading before releasing memory
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 014/462] rtlwifi: remove redundant assignment to variable err Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 016/462] wifi: rtlwifi: fix init_sw_vars leak when probe fails Greg Kroah-Hartman
` (450 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Ping-Ke Shih, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
[ Upstream commit b4b26642b31ef282df6ff7ea8531985edfdef12a ]
At probe error path, the firmware loading work may have already been
queued. In such a case, it will try to access memory allocated by the probe
function, which is about to be released. In such paths, wait for the
firmware worker to finish before releasing memory.
Fixes: a7f7c15e945a ("rtlwifi: rtl8192cu: Free ieee80211_hw if probing fails")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20241107133322.855112-4-cascardo@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/usb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
index add6da1ce3602..087e398da36d9 100644
--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
+++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
@@ -1072,13 +1072,15 @@ int rtl_usb_probe(struct usb_interface *intf,
err = ieee80211_register_hw(hw);
if (err) {
pr_err("Can't register mac80211 hw.\n");
- goto error_out;
+ goto error_init_vars;
}
rtlpriv->mac80211.mac80211_registered = 1;
set_bit(RTL_STATUS_INTERFACE_START, &rtlpriv->status);
return 0;
+error_init_vars:
+ wait_for_completion(&rtlpriv->firmware_loading_complete);
error_out:
rtl_deinit_core(hw);
error_out2:
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 016/462] wifi: rtlwifi: fix init_sw_vars leak when probe fails
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 015/462] wifi: rtlwifi: wait for firmware loading before releasing memory Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 017/462] wifi: rtlwifi: usb: fix workqueue " Greg Kroah-Hartman
` (449 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Ping-Ke Shih, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
[ Upstream commit 00260350aed80c002df270c805ca443ec9a719a6 ]
If ieee80211_register_hw fails, the memory allocated for the firmware will
not be released. Call deinit_sw_vars as the function that undoes the
allocationes done by init_sw_vars.
Fixes: cefe3dfdb9f5 ("rtl8192cu: Call ieee80211_register_hw from rtl_usb_probe")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20241107133322.855112-5-cascardo@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
index 087e398da36d9..66af56a79dbe5 100644
--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
+++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
@@ -1081,6 +1081,7 @@ int rtl_usb_probe(struct usb_interface *intf,
error_init_vars:
wait_for_completion(&rtlpriv->firmware_loading_complete);
+ rtlpriv->cfg->ops->deinit_sw_vars(hw);
error_out:
rtl_deinit_core(hw);
error_out2:
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 017/462] wifi: rtlwifi: usb: fix workqueue leak when probe fails
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 016/462] wifi: rtlwifi: fix init_sw_vars leak when probe fails Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 018/462] spi: zynq-qspi: Add check for clk_enable() Greg Kroah-Hartman
` (448 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Ping-Ke Shih, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
[ Upstream commit f79bc5c67867c19ce2762e7934c20dbb835ed82c ]
rtl_init_core creates a workqueue that is then assigned to rtl_wq.
rtl_deinit_core does not destroy it. It is left to rtl_usb_deinit, which
must be called in the probe error path.
Fixes: 2ca20f79e0d8 ("rtlwifi: Add usb driver")
Fixes: 851639fdaeac ("rtlwifi: Modify some USB de-initialize code.")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20241107133322.855112-6-cascardo@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
index 66af56a79dbe5..08ab2482c00cc 100644
--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
+++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
@@ -1083,6 +1083,7 @@ int rtl_usb_probe(struct usb_interface *intf,
wait_for_completion(&rtlpriv->firmware_loading_complete);
rtlpriv->cfg->ops->deinit_sw_vars(hw);
error_out:
+ rtl_usb_deinit(hw);
rtl_deinit_core(hw);
error_out2:
_rtl_usb_io_handler_release(hw);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 018/462] spi: zynq-qspi: Add check for clk_enable()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 017/462] wifi: rtlwifi: usb: fix workqueue " Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 019/462] dt-bindings: mmc: controller: clarify the address-cells description Greg Kroah-Hartman
` (447 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mingwei Zheng, Jiasheng Jiang,
Mark Brown, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingwei Zheng <zmw12306@gmail.com>
[ Upstream commit 8332e667099712e05ec87ba2058af394b51ebdc9 ]
Add check for the return value of clk_enable() to catch the potential
error.
Fixes: c618a90dcaf3 ("spi: zynq-qspi: Drop GPIO header")
Signed-off-by: Mingwei Zheng <zmw12306@gmail.com>
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Link: https://patch.msgid.link/20241207015206.3689364-1-zmw12306@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-zynq-qspi.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c
index 13c0b15fe1764..2be764d5460d3 100644
--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -379,12 +379,21 @@ static int zynq_qspi_setup_op(struct spi_device *spi)
{
struct spi_controller *ctlr = spi->master;
struct zynq_qspi *qspi = spi_controller_get_devdata(ctlr);
+ int ret;
if (ctlr->busy)
return -EBUSY;
- clk_enable(qspi->refclk);
- clk_enable(qspi->pclk);
+ ret = clk_enable(qspi->refclk);
+ if (ret)
+ return ret;
+
+ ret = clk_enable(qspi->pclk);
+ if (ret) {
+ clk_disable(qspi->refclk);
+ return ret;
+ }
+
zynq_qspi_write(qspi, ZYNQ_QSPI_ENABLE_OFFSET,
ZYNQ_QSPI_ENABLE_ENABLE_MASK);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 019/462] dt-bindings: mmc: controller: clarify the address-cells description
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 018/462] spi: zynq-qspi: Add check for clk_enable() Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 020/462] rtlwifi: replace usage of found with dedicated list iterator variable Greg Kroah-Hartman
` (446 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Rob Herring (Arm),
Ulf Hansson, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neil Armstrong <neil.armstrong@linaro.org>
[ Upstream commit b2b8e93ec00b8110cb37cbde5400d5abfdaed6a7 ]
The term "slot ID" has nothing to do with the SDIO function number
which is specified in the reg property of the subnodes, rephrase
the description to be more accurate.
Fixes: f9b7989859dd ("dt-bindings: mmc: Add YAML schemas for the generic MMC options")
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Acked-by: Rob Herring (Arm) <robh@kernel.org>
Message-ID: <20241128-topic-amlogic-arm32-upstream-bindings-fixes-convert-meson-mx-sdio-v4-1-11d9f9200a59@linaro.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/devicetree/bindings/mmc/mmc-controller.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/devicetree/bindings/mmc/mmc-controller.yaml b/Documentation/devicetree/bindings/mmc/mmc-controller.yaml
index 186f04ba93579..b7976809d8f68 100644
--- a/Documentation/devicetree/bindings/mmc/mmc-controller.yaml
+++ b/Documentation/devicetree/bindings/mmc/mmc-controller.yaml
@@ -25,7 +25,7 @@ properties:
"#address-cells":
const: 1
description: |
- The cell is the slot ID if a function subnode is used.
+ The cell is the SDIO function number if a function subnode is used.
"#size-cells":
const: 0
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 020/462] rtlwifi: replace usage of found with dedicated list iterator variable
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 019/462] dt-bindings: mmc: controller: clarify the address-cells description Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 021/462] wifi: rtlwifi: remove unused timer and related code Greg Kroah-Hartman
` (445 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakob Koschel, Ping-Ke Shih,
Kalle Valo, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakob Koschel <jakobkoschel@gmail.com>
[ Upstream commit a0ff2a87194a968b9547fd4d824a09092171d1ea ]
To move the list iterator variable into the list_for_each_entry_*()
macro in the future it should be avoided to use the list iterator
variable after the loop body.
To *never* use the list iterator variable after the loop it was
concluded to use a separate iterator variable instead of a
found boolean [1].
This removes the need to use a found variable and simply checking if
the variable was set, can determine if the break/goto was hit.
Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/
Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220324072124.62458-1-jakobkoschel@gmail.com
Stable-dep-of: 2fdac64c3c35 ("wifi: rtlwifi: remove unused check_buddy_priv")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/base.c | 13 ++++++-------
drivers/net/wireless/realtek/rtlwifi/pci.c | 15 +++++++--------
2 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
index 1866f6c2acab1..7ec876c6c663e 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -1995,8 +1995,7 @@ void rtl_collect_scan_list(struct ieee80211_hw *hw, struct sk_buff *skb)
struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
unsigned long flags;
- struct rtl_bssid_entry *entry;
- bool entry_found = false;
+ struct rtl_bssid_entry *entry = NULL, *iter;
/* check if it is scanning */
if (!mac->act_scanning)
@@ -2009,10 +2008,10 @@ void rtl_collect_scan_list(struct ieee80211_hw *hw, struct sk_buff *skb)
spin_lock_irqsave(&rtlpriv->locks.scan_list_lock, flags);
- list_for_each_entry(entry, &rtlpriv->scan_list.list, list) {
- if (memcmp(entry->bssid, hdr->addr3, ETH_ALEN) == 0) {
- list_del_init(&entry->list);
- entry_found = true;
+ list_for_each_entry(iter, &rtlpriv->scan_list.list, list) {
+ if (memcmp(iter->bssid, hdr->addr3, ETH_ALEN) == 0) {
+ list_del_init(&iter->list);
+ entry = iter;
rtl_dbg(rtlpriv, COMP_SCAN, DBG_LOUD,
"Update BSSID=%pM to scan list (total=%d)\n",
hdr->addr3, rtlpriv->scan_list.num);
@@ -2020,7 +2019,7 @@ void rtl_collect_scan_list(struct ieee80211_hw *hw, struct sk_buff *skb)
}
}
- if (!entry_found) {
+ if (!entry) {
entry = kmalloc(sizeof(*entry), GFP_ATOMIC);
if (!entry)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index 70f1cc906502b..f17a365fba070 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -300,14 +300,13 @@ static bool rtl_pci_check_buddy_priv(struct ieee80211_hw *hw,
{
struct rtl_priv *rtlpriv = rtl_priv(hw);
struct rtl_pci_priv *pcipriv = rtl_pcipriv(hw);
- bool find_buddy_priv = false;
- struct rtl_priv *tpriv;
+ struct rtl_priv *tpriv = NULL, *iter;
struct rtl_pci_priv *tpcipriv = NULL;
if (!list_empty(&rtlpriv->glb_var->glb_priv_list)) {
- list_for_each_entry(tpriv, &rtlpriv->glb_var->glb_priv_list,
+ list_for_each_entry(iter, &rtlpriv->glb_var->glb_priv_list,
list) {
- tpcipriv = (struct rtl_pci_priv *)tpriv->priv;
+ tpcipriv = (struct rtl_pci_priv *)iter->priv;
rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD,
"pcipriv->ndis_adapter.funcnumber %x\n",
pcipriv->ndis_adapter.funcnumber);
@@ -321,19 +320,19 @@ static bool rtl_pci_check_buddy_priv(struct ieee80211_hw *hw,
tpcipriv->ndis_adapter.devnumber &&
pcipriv->ndis_adapter.funcnumber !=
tpcipriv->ndis_adapter.funcnumber) {
- find_buddy_priv = true;
+ tpriv = iter;
break;
}
}
}
rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD,
- "find_buddy_priv %d\n", find_buddy_priv);
+ "find_buddy_priv %d\n", tpriv != NULL);
- if (find_buddy_priv)
+ if (tpriv)
*buddy_priv = tpriv;
- return find_buddy_priv;
+ return tpriv != NULL;
}
static void rtl_pci_parse_configuration(struct pci_dev *pdev,
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 021/462] wifi: rtlwifi: remove unused timer and related code
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 020/462] rtlwifi: replace usage of found with dedicated list iterator variable Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 022/462] wifi: rtlwifi: remove unused dualmac control leftovers Greg Kroah-Hartman
` (444 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov, Ping-Ke Shih,
Kalle Valo, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 358b94f0a7cadd2ec7824531d54dadaa8b71de04 ]
Drop unused 'dualmac_easyconcurrent_retrytimer' of 'struct rtl_works',
corresponding 'rtl_easy_concurrent_retrytimer_callback()' handler,
'dualmac_easy_concurrent' function pointer of 'struct rtl_hal_ops'
and related call to 'timer_setup()' in '_rtl_init_deferred_work()'.
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230602065940.149198-1-dmantipov@yandex.ru
Stable-dep-of: 2fdac64c3c35 ("wifi: rtlwifi: remove unused check_buddy_priv")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/base.c | 16 +---------------
drivers/net/wireless/realtek/rtlwifi/base.h | 1 -
drivers/net/wireless/realtek/rtlwifi/wifi.h | 2 --
3 files changed, 1 insertion(+), 18 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
index 7ec876c6c663e..3c2bdfb56fb4f 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -452,8 +452,7 @@ static int _rtl_init_deferred_work(struct ieee80211_hw *hw)
/* <1> timer */
timer_setup(&rtlpriv->works.watchdog_timer,
rtl_watch_dog_timer_callback, 0);
- timer_setup(&rtlpriv->works.dualmac_easyconcurrent_retrytimer,
- rtl_easy_concurrent_retrytimer_callback, 0);
+
/* <2> work queue */
rtlpriv->works.hw = hw;
rtlpriv->works.rtl_wq = wq;
@@ -2376,19 +2375,6 @@ static void rtl_c2hcmd_wq_callback(struct work_struct *work)
rtl_c2hcmd_launcher(hw, 1);
}
-void rtl_easy_concurrent_retrytimer_callback(struct timer_list *t)
-{
- struct rtl_priv *rtlpriv =
- from_timer(rtlpriv, t, works.dualmac_easyconcurrent_retrytimer);
- struct ieee80211_hw *hw = rtlpriv->hw;
- struct rtl_priv *buddy_priv = rtlpriv->buddy_priv;
-
- if (buddy_priv == NULL)
- return;
-
- rtlpriv->cfg->ops->dualmac_easy_concurrent(hw);
-}
-
/*********************************************************
*
* frame process functions
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.h b/drivers/net/wireless/realtek/rtlwifi/base.h
index 0e4f8a8ae3a5f..f081a9a90563f 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.h
+++ b/drivers/net/wireless/realtek/rtlwifi/base.h
@@ -124,7 +124,6 @@ int rtl_send_smps_action(struct ieee80211_hw *hw,
u8 *rtl_find_ie(u8 *data, unsigned int len, u8 ie);
void rtl_recognize_peer(struct ieee80211_hw *hw, u8 *data, unsigned int len);
u8 rtl_tid_to_ac(u8 tid);
-void rtl_easy_concurrent_retrytimer_callback(struct timer_list *t);
extern struct rtl_global_var rtl_global_var;
void rtl_phy_scan_operation_backup(struct ieee80211_hw *hw, u8 operation);
diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
index c997d8bfda975..d1b36760c8948 100644
--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
@@ -2300,7 +2300,6 @@ struct rtl_hal_ops {
u32 regaddr, u32 bitmask, u32 data);
void (*linked_set_reg)(struct ieee80211_hw *hw);
void (*chk_switch_dmdp)(struct ieee80211_hw *hw);
- void (*dualmac_easy_concurrent)(struct ieee80211_hw *hw);
void (*dualmac_switch_to_dmdp)(struct ieee80211_hw *hw);
bool (*phy_rf6052_config)(struct ieee80211_hw *hw);
void (*phy_rf6052_set_cck_txpower)(struct ieee80211_hw *hw,
@@ -2466,7 +2465,6 @@ struct rtl_works {
/*timer */
struct timer_list watchdog_timer;
- struct timer_list dualmac_easyconcurrent_retrytimer;
struct timer_list fw_clockoff_timer;
struct timer_list fast_antenna_training_timer;
/*task */
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 022/462] wifi: rtlwifi: remove unused dualmac control leftovers
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 021/462] wifi: rtlwifi: remove unused timer and related code Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 023/462] wifi: rtlwifi: remove unused check_buddy_priv Greg Kroah-Hartman
` (443 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov, Ping-Ke Shih,
Kalle Valo, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 557123259200b30863e1b6a8f24a8c8060b6fc1d ]
Remove 'struct rtl_dualmac_easy_concurrent_ctl' of 'struct rtl_priv'
and related code in '_rtl_pci_tx_chk_waitq()'.
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230602065940.149198-2-dmantipov@yandex.ru
Stable-dep-of: 2fdac64c3c35 ("wifi: rtlwifi: remove unused check_buddy_priv")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 5 -----
drivers/net/wireless/realtek/rtlwifi/wifi.h | 9 ---------
2 files changed, 14 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index f17a365fba070..0dcf5350e0885 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -443,11 +443,6 @@ static void _rtl_pci_tx_chk_waitq(struct ieee80211_hw *hw)
if (!rtlpriv->rtlhal.earlymode_enable)
return;
- if (rtlpriv->dm.supp_phymode_switch &&
- (rtlpriv->easy_concurrent_ctl.switch_in_process ||
- (rtlpriv->buddy_priv &&
- rtlpriv->buddy_priv->easy_concurrent_ctl.switch_in_process)))
- return;
/* we just use em for BE/BK/VI/VO */
for (tid = 7; tid >= 0; tid--) {
u8 hw_queue = ac_to_hwq[rtl_tid_to_ac(tid)];
diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
index d1b36760c8948..f22891c73ade1 100644
--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
@@ -2496,14 +2496,6 @@ struct rtl_debug {
#define MIMO_PS_DYNAMIC 1
#define MIMO_PS_NOLIMIT 3
-struct rtl_dualmac_easy_concurrent_ctl {
- enum band_type currentbandtype_backfordmdp;
- bool close_bbandrf_for_dmsp;
- bool change_to_dmdp;
- bool change_to_dmsp;
- bool switch_in_process;
-};
-
struct rtl_dmsp_ctl {
bool activescan_for_slaveofdmsp;
bool scan_for_anothermac_fordmsp;
@@ -2744,7 +2736,6 @@ struct rtl_priv {
struct list_head list;
struct rtl_priv *buddy_priv;
struct rtl_global_var *glb_var;
- struct rtl_dualmac_easy_concurrent_ctl easy_concurrent_ctl;
struct rtl_dmsp_ctl dmsp_ctl;
struct rtl_locks locks;
struct rtl_works works;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 023/462] wifi: rtlwifi: remove unused check_buddy_priv
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 022/462] wifi: rtlwifi: remove unused dualmac control leftovers Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 024/462] wifi: rtlwifi: destroy workqueue at rtl_deinit_core Greg Kroah-Hartman
` (442 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Ping-Ke Shih, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
[ Upstream commit 2fdac64c3c35858aa8ac5caa70b232e03456e120 ]
Commit 2461c7d60f9f ("rtlwifi: Update header file") introduced a global
list of private data structures.
Later on, commit 26634c4b1868 ("rtlwifi Modify existing bits to match
vendor version 2013.02.07") started adding the private data to that list at
probe time and added a hook, check_buddy_priv to find the private data from
a similar device.
However, that function was never used.
Besides, though there is a lock for that list, it is never used. And when
the probe fails, the private data is never removed from the list. This
would cause a second probe to access freed memory.
Remove the unused hook, structures and members, which will prevent the
potential race condition on the list and its corruption during a second
probe when probe fails.
Fixes: 26634c4b1868 ("rtlwifi Modify existing bits to match vendor version 2013.02.07")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20241206173713.3222187-2-cascardo@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/base.c | 7 ----
drivers/net/wireless/realtek/rtlwifi/base.h | 1 -
drivers/net/wireless/realtek/rtlwifi/pci.c | 44 ---------------------
drivers/net/wireless/realtek/rtlwifi/wifi.h | 12 ------
4 files changed, 64 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
index 3c2bdfb56fb4f..c14d7cbaa6472 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -2720,9 +2720,6 @@ MODULE_AUTHOR("Larry Finger <Larry.FInger@lwfinger.net>");
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Realtek 802.11n PCI wireless core");
-struct rtl_global_var rtl_global_var = {};
-EXPORT_SYMBOL_GPL(rtl_global_var);
-
static int __init rtl_core_module_init(void)
{
BUILD_BUG_ON(TX_PWR_BY_RATE_NUM_RATE < TX_PWR_BY_RATE_NUM_SECTION);
@@ -2736,10 +2733,6 @@ static int __init rtl_core_module_init(void)
/* add debugfs */
rtl_debugfs_add_topdir();
- /* init some global vars */
- INIT_LIST_HEAD(&rtl_global_var.glb_priv_list);
- spin_lock_init(&rtl_global_var.glb_list_lock);
-
return 0;
}
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.h b/drivers/net/wireless/realtek/rtlwifi/base.h
index f081a9a90563f..f3a6a43a42eca 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.h
+++ b/drivers/net/wireless/realtek/rtlwifi/base.h
@@ -124,7 +124,6 @@ int rtl_send_smps_action(struct ieee80211_hw *hw,
u8 *rtl_find_ie(u8 *data, unsigned int len, u8 ie);
void rtl_recognize_peer(struct ieee80211_hw *hw, u8 *data, unsigned int len);
u8 rtl_tid_to_ac(u8 tid);
-extern struct rtl_global_var rtl_global_var;
void rtl_phy_scan_operation_backup(struct ieee80211_hw *hw, u8 operation);
#endif
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index 0dcf5350e0885..c0a201f1b74e5 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -295,46 +295,6 @@ static bool rtl_pci_get_amd_l1_patch(struct ieee80211_hw *hw)
return status;
}
-static bool rtl_pci_check_buddy_priv(struct ieee80211_hw *hw,
- struct rtl_priv **buddy_priv)
-{
- struct rtl_priv *rtlpriv = rtl_priv(hw);
- struct rtl_pci_priv *pcipriv = rtl_pcipriv(hw);
- struct rtl_priv *tpriv = NULL, *iter;
- struct rtl_pci_priv *tpcipriv = NULL;
-
- if (!list_empty(&rtlpriv->glb_var->glb_priv_list)) {
- list_for_each_entry(iter, &rtlpriv->glb_var->glb_priv_list,
- list) {
- tpcipriv = (struct rtl_pci_priv *)iter->priv;
- rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD,
- "pcipriv->ndis_adapter.funcnumber %x\n",
- pcipriv->ndis_adapter.funcnumber);
- rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD,
- "tpcipriv->ndis_adapter.funcnumber %x\n",
- tpcipriv->ndis_adapter.funcnumber);
-
- if (pcipriv->ndis_adapter.busnumber ==
- tpcipriv->ndis_adapter.busnumber &&
- pcipriv->ndis_adapter.devnumber ==
- tpcipriv->ndis_adapter.devnumber &&
- pcipriv->ndis_adapter.funcnumber !=
- tpcipriv->ndis_adapter.funcnumber) {
- tpriv = iter;
- break;
- }
- }
- }
-
- rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD,
- "find_buddy_priv %d\n", tpriv != NULL);
-
- if (tpriv)
- *buddy_priv = tpriv;
-
- return tpriv != NULL;
-}
-
static void rtl_pci_parse_configuration(struct pci_dev *pdev,
struct ieee80211_hw *hw)
{
@@ -2013,7 +1973,6 @@ static bool _rtl_pci_find_adapter(struct pci_dev *pdev,
pcipriv->ndis_adapter.amd_l1_patch);
rtl_pci_parse_configuration(pdev, hw);
- list_add_tail(&rtlpriv->list, &rtlpriv->glb_var->glb_priv_list);
return true;
}
@@ -2160,7 +2119,6 @@ int rtl_pci_probe(struct pci_dev *pdev,
rtlpriv->rtlhal.interface = INTF_PCI;
rtlpriv->cfg = (struct rtl_hal_cfg *)(id->driver_data);
rtlpriv->intf_ops = &rtl_pci_ops;
- rtlpriv->glb_var = &rtl_global_var;
rtl_efuse_ops_init(hw);
/* MEM map */
@@ -2318,7 +2276,6 @@ void rtl_pci_disconnect(struct pci_dev *pdev)
if (rtlpci->using_msi)
pci_disable_msi(rtlpci->pdev);
- list_del(&rtlpriv->list);
if (rtlpriv->io.pci_mem_start != 0) {
pci_iounmap(pdev, (void __iomem *)rtlpriv->io.pci_mem_start);
pci_release_regions(pdev);
@@ -2378,7 +2335,6 @@ const struct rtl_intf_ops rtl_pci_ops = {
.read_efuse_byte = read_efuse_byte,
.adapter_start = rtl_pci_start,
.adapter_stop = rtl_pci_stop,
- .check_buddy_priv = rtl_pci_check_buddy_priv,
.adapter_tx = rtl_pci_tx,
.flush = rtl_pci_flush,
.reset_trx_ring = rtl_pci_reset_trx_ring,
diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
index f22891c73ade1..359ee313a0d2b 100644
--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
@@ -2335,8 +2335,6 @@ struct rtl_intf_ops {
void (*read_efuse_byte)(struct ieee80211_hw *hw, u16 _offset, u8 *pbuf);
int (*adapter_start)(struct ieee80211_hw *hw);
void (*adapter_stop)(struct ieee80211_hw *hw);
- bool (*check_buddy_priv)(struct ieee80211_hw *hw,
- struct rtl_priv **buddy_priv);
int (*adapter_tx)(struct ieee80211_hw *hw,
struct ieee80211_sta *sta,
@@ -2580,14 +2578,6 @@ struct dig_t {
u32 rssi_max;
};
-struct rtl_global_var {
- /* from this list we can get
- * other adapter's rtl_priv
- */
- struct list_head glb_priv_list;
- spinlock_t glb_list_lock;
-};
-
#define IN_4WAY_TIMEOUT_TIME (30 * MSEC_PER_SEC) /* 30 seconds */
struct rtl_btc_info {
@@ -2733,9 +2723,7 @@ struct rtl_scan_list {
struct rtl_priv {
struct ieee80211_hw *hw;
struct completion firmware_loading_complete;
- struct list_head list;
struct rtl_priv *buddy_priv;
- struct rtl_global_var *glb_var;
struct rtl_dmsp_ctl dmsp_ctl;
struct rtl_locks locks;
struct rtl_works works;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 024/462] wifi: rtlwifi: destroy workqueue at rtl_deinit_core
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 023/462] wifi: rtlwifi: remove unused check_buddy_priv Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 025/462] wifi: rtlwifi: fix memory leaks and invalid access at probe error path Greg Kroah-Hartman
` (441 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Ping-Ke Shih, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
[ Upstream commit d8ece6fc3694657e4886191b32ca1690af11adda ]
rtl_wq is allocated at rtl_init_core, so it makes more sense to destroy it
at rtl_deinit_core. In the case of USB, where _rtl_usb_init does not
require anything to be undone, that is fine. But for PCI, rtl_pci_init,
which is called after rtl_init_core, needs to deallocate data, but only if
it has been called.
That means that destroying the workqueue needs to be done whether
rtl_pci_init has been called or not. And since rtl_pci_deinit was doing it,
it has to be moved out of there.
It makes more sense to move it to rtl_deinit_core and have it done in both
cases, USB and PCI.
Since this is a requirement for a followup memory leak fix, mark this as
fixing such memory leak.
Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20241206173713.3222187-3-cascardo@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/base.c | 6 ++++++
drivers/net/wireless/realtek/rtlwifi/pci.c | 2 --
drivers/net/wireless/realtek/rtlwifi/usb.c | 5 -----
3 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
index c14d7cbaa6472..775f0c181fece 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -576,9 +576,15 @@ static void rtl_free_entries_from_ack_queue(struct ieee80211_hw *hw,
void rtl_deinit_core(struct ieee80211_hw *hw)
{
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+
rtl_c2hcmd_launcher(hw, 0);
rtl_free_entries_from_scan_list(hw);
rtl_free_entries_from_ack_queue(hw, false);
+ if (rtlpriv->works.rtl_wq) {
+ destroy_workqueue(rtlpriv->works.rtl_wq);
+ rtlpriv->works.rtl_wq = NULL;
+ }
}
EXPORT_SYMBOL_GPL(rtl_deinit_core);
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index c0a201f1b74e5..84f2669f201ab 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -1657,8 +1657,6 @@ static void rtl_pci_deinit(struct ieee80211_hw *hw)
synchronize_irq(rtlpci->pdev->irq);
tasklet_kill(&rtlpriv->works.irq_tasklet);
cancel_work_sync(&rtlpriv->works.lps_change_work);
-
- destroy_workqueue(rtlpriv->works.rtl_wq);
}
static int rtl_pci_init(struct ieee80211_hw *hw, struct pci_dev *pdev)
diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
index 08ab2482c00cc..be17498b5515f 100644
--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
+++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
@@ -680,11 +680,6 @@ static void _rtl_usb_cleanup_rx(struct ieee80211_hw *hw)
tasklet_kill(&rtlusb->rx_work_tasklet);
cancel_work_sync(&rtlpriv->works.lps_change_work);
- if (rtlpriv->works.rtl_wq) {
- destroy_workqueue(rtlpriv->works.rtl_wq);
- rtlpriv->works.rtl_wq = NULL;
- }
-
skb_queue_purge(&rtlusb->rx_queue);
while ((urb = usb_get_from_anchor(&rtlusb->rx_cleanup_urbs))) {
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 025/462] wifi: rtlwifi: fix memory leaks and invalid access at probe error path
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 024/462] wifi: rtlwifi: destroy workqueue at rtl_deinit_core Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 026/462] wifi: rtlwifi: pci: wait for firmware loading before releasing memory Greg Kroah-Hartman
` (440 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Ping-Ke Shih, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
[ Upstream commit e7ceefbfd8d447abc8aca8ab993a942803522c06 ]
Deinitialize at reverse order when probe fails.
When init_sw_vars fails, rtl_deinit_core should not be called, specially
now that it destroys the rtl_wq workqueue.
And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be
leaked.
Remove pci_set_drvdata call as it will already be cleaned up by the core
driver code and could lead to memory leaks too. cf. commit 8d450935ae7f
("wireless: rtlwifi: remove unnecessary pci_set_drvdata()") and
commit 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory").
Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20241206173713.3222187-4-cascardo@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index 84f2669f201ab..5b0a5a22d06d2 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -2167,7 +2167,7 @@ int rtl_pci_probe(struct pci_dev *pdev,
if (rtlpriv->cfg->ops->init_sw_vars(hw)) {
pr_err("Can't init_sw_vars\n");
err = -ENODEV;
- goto fail3;
+ goto fail2;
}
rtlpriv->cfg->ops->init_sw_leds(hw);
@@ -2185,14 +2185,14 @@ int rtl_pci_probe(struct pci_dev *pdev,
err = rtl_pci_init(hw, pdev);
if (err) {
pr_err("Failed to init PCI\n");
- goto fail3;
+ goto fail4;
}
err = ieee80211_register_hw(hw);
if (err) {
pr_err("Can't register mac80211 hw.\n");
err = -ENODEV;
- goto fail3;
+ goto fail5;
}
rtlpriv->mac80211.mac80211_registered = 1;
@@ -2215,9 +2215,12 @@ int rtl_pci_probe(struct pci_dev *pdev,
set_bit(RTL_STATUS_INTERFACE_START, &rtlpriv->status);
return 0;
-fail3:
- pci_set_drvdata(pdev, NULL);
+fail5:
+ rtl_pci_deinit(hw);
+fail4:
rtl_deinit_core(hw);
+fail3:
+ rtlpriv->cfg->ops->deinit_sw_vars(hw);
fail2:
if (rtlpriv->io.pci_mem_start != 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 026/462] wifi: rtlwifi: pci: wait for firmware loading before releasing memory
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 025/462] wifi: rtlwifi: fix memory leaks and invalid access at probe error path Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 027/462] ACPI: fan: cleanup resources in the error path of .probe() Greg Kroah-Hartman
` (439 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Ping-Ke Shih, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
[ Upstream commit b59b86c5d08be7d761c04affcbcec8184738c200 ]
At probe error path, the firmware loading work may have already been
queued. In such a case, it will try to access memory allocated by the probe
function, which is about to be released. In such paths, wait for the
firmware worker to finish before releasing memory.
Fixes: 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20241206173713.3222187-5-cascardo@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index 5b0a5a22d06d2..925e4f807eb9f 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -2220,6 +2220,7 @@ int rtl_pci_probe(struct pci_dev *pdev,
fail4:
rtl_deinit_core(hw);
fail3:
+ wait_for_completion(&rtlpriv->firmware_loading_complete);
rtlpriv->cfg->ops->deinit_sw_vars(hw);
fail2:
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 027/462] ACPI: fan: cleanup resources in the error path of .probe()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 026/462] wifi: rtlwifi: pci: wait for firmware loading before releasing memory Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 028/462] cpupower: fix TSC MHz calculation Greg Kroah-Hartman
` (438 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Hattori, Rafael J. Wysocki,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit c759bc8e9046f9812238f506d70f07d3ea4206d4 ]
Call thermal_cooling_device_unregister() and sysfs_remove_link() in the
error path of acpi_fan_probe() to fix possible memory leak.
This bug was found by an experimental static analysis tool that I am
developing.
Fixes: 05a83d972293 ("ACPI: register ACPI Fan as generic thermal cooling device")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Link: https://patch.msgid.link/20241211032812.210164-1-joe@pf.is.s.u-tokyo.ac.jp
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/fan.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/fan.c b/drivers/acpi/fan.c
index 5cd0ceb50bc8a..936429e81d8c8 100644
--- a/drivers/acpi/fan.c
+++ b/drivers/acpi/fan.c
@@ -423,19 +423,25 @@ static int acpi_fan_probe(struct platform_device *pdev)
result = sysfs_create_link(&pdev->dev.kobj,
&cdev->device.kobj,
"thermal_cooling");
- if (result)
+ if (result) {
dev_err(&pdev->dev, "Failed to create sysfs link 'thermal_cooling'\n");
+ goto err_unregister;
+ }
result = sysfs_create_link(&cdev->device.kobj,
&pdev->dev.kobj,
"device");
if (result) {
dev_err(&pdev->dev, "Failed to create sysfs link 'device'\n");
- goto err_end;
+ goto err_remove_link;
}
return 0;
+err_remove_link:
+ sysfs_remove_link(&pdev->dev.kobj, "thermal_cooling");
+err_unregister:
+ thermal_cooling_device_unregister(cdev);
err_end:
if (fan->acpi4) {
int i;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 028/462] cpupower: fix TSC MHz calculation
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 027/462] ACPI: fan: cleanup resources in the error path of .probe() Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 029/462] leds: netxbig: Fix an OF node reference leak in netxbig_leds_get_of_pdata() Greg Kroah-Hartman
` (437 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, He Rongguang, Shuah Khan,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: He Rongguang <herongguang@linux.alibaba.com>
[ Upstream commit 9d6c0e58514f8b57cd9c2c755e41623d6a966025 ]
Commit 'cpupower: Make TSC read per CPU for Mperf monitor' (c2adb1877b7)
changes TSC counter reads per cpu, but left time diff global (from start
of all cpus to end of all cpus), thus diff(time) is too large for a
cpu's tsc counting, resulting in far less than acutal TSC_Mhz and thus
`cpupower monitor` showing far less than actual cpu realtime frequency.
/proc/cpuinfo shows frequency:
cat /proc/cpuinfo | egrep -e 'processor' -e 'MHz'
...
processor : 171
cpu MHz : 4108.498
...
before fix (System 100% busy):
| Mperf || Idle_Stats
CPU| C0 | Cx | Freq || POLL | C1 | C2
171| 0.77| 99.23| 2279|| 0.00| 0.00| 0.00
after fix (System 100% busy):
| Mperf || Idle_Stats
CPU| C0 | Cx | Freq || POLL | C1 | C2
171| 0.46| 99.54| 4095|| 0.00| 0.00| 0.00
Fixes: c2adb1877b76 ("cpupower: Make TSC read per CPU for Mperf monitor")
Signed-off-by: He Rongguang <herongguang@linux.alibaba.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../cpupower/utils/idle_monitor/mperf_monitor.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
index ae6af354a81db..08a399b0be286 100644
--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
@@ -33,7 +33,7 @@ static int mperf_get_count_percent(unsigned int self_id, double *percent,
unsigned int cpu);
static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
unsigned int cpu);
-static struct timespec time_start, time_end;
+static struct timespec *time_start, *time_end;
static cstate_t mperf_cstates[MPERF_CSTATE_COUNT] = {
{
@@ -174,7 +174,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent,
dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n",
mperf_cstates[id].name, mperf_diff, tsc_diff);
} else if (max_freq_mode == MAX_FREQ_SYSFS) {
- timediff = max_frequency * timespec_diff_us(time_start, time_end);
+ timediff = max_frequency * timespec_diff_us(time_start[cpu], time_end[cpu]);
*percent = 100.0 * mperf_diff / timediff;
dprint("%s: MAXFREQ - mperf_diff: %llu, time_diff: %llu\n",
mperf_cstates[id].name, mperf_diff, timediff);
@@ -207,7 +207,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
if (max_freq_mode == MAX_FREQ_TSC_REF) {
/* Calculate max_freq from TSC count */
tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu];
- time_diff = timespec_diff_us(time_start, time_end);
+ time_diff = timespec_diff_us(time_start[cpu], time_end[cpu]);
max_frequency = tsc_diff / time_diff;
}
@@ -226,9 +226,8 @@ static int mperf_start(void)
{
int cpu;
- clock_gettime(CLOCK_REALTIME, &time_start);
-
for (cpu = 0; cpu < cpu_count; cpu++) {
+ clock_gettime(CLOCK_REALTIME, &time_start[cpu]);
mperf_get_tsc(&tsc_at_measure_start[cpu]);
mperf_init_stats(cpu);
}
@@ -243,9 +242,9 @@ static int mperf_stop(void)
for (cpu = 0; cpu < cpu_count; cpu++) {
mperf_measure_stats(cpu);
mperf_get_tsc(&tsc_at_measure_end[cpu]);
+ clock_gettime(CLOCK_REALTIME, &time_end[cpu]);
}
- clock_gettime(CLOCK_REALTIME, &time_end);
return 0;
}
@@ -349,6 +348,8 @@ struct cpuidle_monitor *mperf_register(void)
aperf_current_count = calloc(cpu_count, sizeof(unsigned long long));
tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long));
tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long));
+ time_start = calloc(cpu_count, sizeof(struct timespec));
+ time_end = calloc(cpu_count, sizeof(struct timespec));
mperf_monitor.name_len = strlen(mperf_monitor.name);
return &mperf_monitor;
}
@@ -361,6 +362,8 @@ void mperf_unregister(void)
free(aperf_current_count);
free(tsc_at_measure_start);
free(tsc_at_measure_end);
+ free(time_start);
+ free(time_end);
free(is_valid);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 029/462] leds: netxbig: Fix an OF node reference leak in netxbig_leds_get_of_pdata()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 028/462] cpupower: fix TSC MHz calculation Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 030/462] cpufreq: schedutil: Simplify sugov_update_next_freq() Greg Kroah-Hartman
` (436 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joe Hattori, Lee Jones, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit 0508316be63bb735f59bdc8fe4527cadb62210ca ]
netxbig_leds_get_of_pdata() does not release the OF node obtained by
of_parse_phandle() when of_find_device_by_node() fails. Add an
of_node_put() call to fix the leak.
This bug was found by an experimental static analysis tool that I am
developing.
Fixes: 9af512e81964 ("leds: netxbig: Convert to use GPIO descriptors")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Link: https://lore.kernel.org/r/20241216074923.628509-1-joe@pf.is.s.u-tokyo.ac.jp
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/leds-netxbig.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/leds/leds-netxbig.c b/drivers/leds/leds-netxbig.c
index 68fbf0b66fadd..c2cc45e19c4b2 100644
--- a/drivers/leds/leds-netxbig.c
+++ b/drivers/leds/leds-netxbig.c
@@ -440,6 +440,7 @@ static int netxbig_leds_get_of_pdata(struct device *dev,
}
gpio_ext_pdev = of_find_device_by_node(gpio_ext_np);
if (!gpio_ext_pdev) {
+ of_node_put(gpio_ext_np);
dev_err(dev, "Failed to find platform device for gpio-ext\n");
return -ENODEV;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 030/462] cpufreq: schedutil: Simplify sugov_update_next_freq()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 029/462] leds: netxbig: Fix an OF node reference leak in netxbig_leds_get_of_pdata() Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 031/462] cpufreq: schedutil: Fix superfluous updates caused by need_freq_update Greg Kroah-Hartman
` (435 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Viresh Kumar,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 90ac908a418b836427d6eaf84fbc5062881747fd ]
Rearrange a conditional to make it more straightforward.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Stable-dep-of: 8e461a1cb43d ("cpufreq: schedutil: Fix superfluous updates caused by need_freq_update")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/cpufreq_schedutil.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
index 5e39da0ae0868..04295212ab500 100644
--- a/kernel/sched/cpufreq_schedutil.c
+++ b/kernel/sched/cpufreq_schedutil.c
@@ -102,12 +102,10 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
static bool sugov_update_next_freq(struct sugov_policy *sg_policy, u64 time,
unsigned int next_freq)
{
- if (!sg_policy->need_freq_update) {
- if (sg_policy->next_freq == next_freq)
- return false;
- } else {
+ if (sg_policy->need_freq_update)
sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS);
- }
+ else if (sg_policy->next_freq == next_freq)
+ return false;
sg_policy->next_freq = next_freq;
sg_policy->last_freq_update_time = time;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 031/462] cpufreq: schedutil: Fix superfluous updates caused by need_freq_update
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 030/462] cpufreq: schedutil: Simplify sugov_update_next_freq() Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 032/462] clk: imx8mp: Fix clkout1/2 support Greg Kroah-Hartman
` (434 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sultan Alsawaf (unemployed),
Christian Loehle, Rafael J. Wysocki, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sultan Alsawaf (unemployed) <sultan@kerneltoast.com>
[ Upstream commit 8e461a1cb43d69d2fc8a97e61916dce571e6bb31 ]
A redundant frequency update is only truly needed when there is a policy
limits change with a driver that specifies CPUFREQ_NEED_UPDATE_LIMITS.
In spite of that, drivers specifying CPUFREQ_NEED_UPDATE_LIMITS receive a
frequency update _all the time_, not just for a policy limits change,
because need_freq_update is never cleared.
Furthermore, ignore_dl_rate_limit()'s usage of need_freq_update also leads
to a redundant frequency update, regardless of whether or not the driver
specifies CPUFREQ_NEED_UPDATE_LIMITS, when the next chosen frequency is the
same as the current one.
Fix the superfluous updates by only honoring CPUFREQ_NEED_UPDATE_LIMITS
when there's a policy limits change, and clearing need_freq_update when a
requisite redundant update occurs.
This is neatly achieved by moving up the CPUFREQ_NEED_UPDATE_LIMITS test
and instead setting need_freq_update to false in sugov_update_next_freq().
Fixes: 600f5badb78c ("cpufreq: schedutil: Don't skip freq update when limits change")
Signed-off-by: Sultan Alsawaf (unemployed) <sultan@kerneltoast.com>
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Link: https://patch.msgid.link/20241212015734.41241-2-sultan@kerneltoast.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/cpufreq_schedutil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
index 04295212ab500..d8b9e1d25200f 100644
--- a/kernel/sched/cpufreq_schedutil.c
+++ b/kernel/sched/cpufreq_schedutil.c
@@ -90,7 +90,7 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
if (unlikely(sg_policy->limits_changed)) {
sg_policy->limits_changed = false;
- sg_policy->need_freq_update = true;
+ sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS);
return true;
}
@@ -103,7 +103,7 @@ static bool sugov_update_next_freq(struct sugov_policy *sg_policy, u64 time,
unsigned int next_freq)
{
if (sg_policy->need_freq_update)
- sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS);
+ sg_policy->need_freq_update = false;
else if (sg_policy->next_freq == next_freq)
return false;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 032/462] clk: imx8mp: Fix clkout1/2 support
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 031/462] cpufreq: schedutil: Fix superfluous updates caused by need_freq_update Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:54 ` [PATCH 5.10 033/462] team: prevent adding a device which is already a team device lower Greg Kroah-Hartman
` (433 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Peng Fan, Abel Vesa,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marex@denx.de>
[ Upstream commit a9b7c84d22fb1687d63ca2a386773015cf59436b ]
The CLKOUTn may be fed from PLL1/2/3, but the PLL1/2/3 has to be enabled
first by setting PLL_CLKE bit 11 in CCM_ANALOG_SYS_PLLn_GEN_CTRL register.
The CCM_ANALOG_SYS_PLLn_GEN_CTRL bit 11 is modeled by plln_out clock. Fix
the clock tree and place the clkout1/2 under plln_sel instead of plain plln
to let the clock subsystem correctly control the bit 11 and enable the PLL
in case the CLKOUTn is supplied by PLL1/2/3.
Fixes: 43896f56b59e ("clk: imx8mp: add clkout1/2 support")
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://lore.kernel.org/r/20241112013718.333771-1-marex@denx.de
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx8mp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c
index 56d45caa603f8..385653fe39660 100644
--- a/drivers/clk/imx/clk-imx8mp.c
+++ b/drivers/clk/imx/clk-imx8mp.c
@@ -410,8 +410,9 @@ static const char * const imx8mp_dram_core_sels[] = {"dram_pll_out", "dram_alt_r
static const char * const imx8mp_clkout_sels[] = {"audio_pll1_out", "audio_pll2_out", "video_pll1_out",
"dummy", "dummy", "gpu_pll_out", "vpu_pll_out",
- "arm_pll_out", "sys_pll1", "sys_pll2", "sys_pll3",
- "dummy", "dummy", "osc_24m", "dummy", "osc_32k"};
+ "arm_pll_out", "sys_pll1_out", "sys_pll2_out",
+ "sys_pll3_out", "dummy", "dummy", "osc_24m",
+ "dummy", "osc_32k"};
static struct clk_hw **hws;
static struct clk_hw_onecell_data *clk_hw_data;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 033/462] team: prevent adding a device which is already a team device lower
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 032/462] clk: imx8mp: Fix clkout1/2 support Greg Kroah-Hartman
@ 2025-03-11 14:54 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 034/462] regulator: of: Implement the unwind path of of_regulator_match() Greg Kroah-Hartman
` (432 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3c47b5843403a45aef57,
Octavian Purdila, Hangbin Liu, David S. Miller, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Octavian Purdila <tavip@google.com>
[ Upstream commit 3fff5da4ca2164bb4d0f1e6cd33f6eb8a0e73e50 ]
Prevent adding a device which is already a team device lower,
e.g. adding veth0 if vlan1 was already added and veth0 is a lower of
vlan1.
This is not useful in practice and can lead to recursive locking:
$ ip link add veth0 type veth peer name veth1
$ ip link set veth0 up
$ ip link set veth1 up
$ ip link add link veth0 name veth0.1 type vlan protocol 802.1Q id 1
$ ip link add team0 type team
$ ip link set veth0.1 down
$ ip link set veth0.1 master team0
team0: Port device veth0.1 added
$ ip link set veth0 down
$ ip link set veth0 master team0
============================================
WARNING: possible recursive locking detected
6.13.0-rc2-virtme-00441-ga14a429069bb #46 Not tainted
--------------------------------------------
ip/7684 is trying to acquire lock:
ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
but task is already holding lock:
ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_add_slave (drivers/net/team/team_core.c:1147 drivers/net/team/team_core.c:1977)
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(team->team_lock_key);
lock(team->team_lock_key);
*** DEADLOCK ***
May be due to missing lock nesting notation
2 locks held by ip/7684:
stack backtrace:
CPU: 3 UID: 0 PID: 7684 Comm: ip Not tainted 6.13.0-rc2-virtme-00441-ga14a429069bb #46
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:122)
print_deadlock_bug.cold (kernel/locking/lockdep.c:3040)
__lock_acquire (kernel/locking/lockdep.c:3893 kernel/locking/lockdep.c:5226)
? netlink_broadcast_filtered (net/netlink/af_netlink.c:1548)
lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851)
? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 2))
? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
? lock_acquire (kernel/locking/lockdep.c:5822)
? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
__mutex_lock (kernel/locking/mutex.c:587 kernel/locking/mutex.c:735)
? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
? fib_sync_up (net/ipv4/fib_semantics.c:2167)
? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
notifier_call_chain (kernel/notifier.c:85)
call_netdevice_notifiers_info (net/core/dev.c:1996)
__dev_notify_flags (net/core/dev.c:8993)
? __dev_change_flags (net/core/dev.c:8975)
dev_change_flags (net/core/dev.c:9027)
vlan_device_event (net/8021q/vlan.c:85 net/8021q/vlan.c:470)
? br_device_event (net/bridge/br.c:143)
notifier_call_chain (kernel/notifier.c:85)
call_netdevice_notifiers_info (net/core/dev.c:1996)
dev_open (net/core/dev.c:1519 net/core/dev.c:1505)
team_add_slave (drivers/net/team/team_core.c:1219 drivers/net/team/team_core.c:1977)
? __pfx_team_add_slave (drivers/net/team/team_core.c:1972)
do_set_master (net/core/rtnetlink.c:2917)
do_setlink.isra.0 (net/core/rtnetlink.c:3117)
Reported-by: syzbot+3c47b5843403a45aef57@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3c47b5843403a45aef57
Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
Signed-off-by: Octavian Purdila <tavip@google.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/team/team.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index bc52f9e24ff34..699076fbfb4d6 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -1165,6 +1165,13 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
return -EBUSY;
}
+ if (netdev_has_upper_dev(port_dev, dev)) {
+ NL_SET_ERR_MSG(extack, "Device is already a lower device of the team interface");
+ netdev_err(dev, "Device %s is already a lower device of the team interface\n",
+ portname);
+ return -EBUSY;
+ }
+
if (port_dev->features & NETIF_F_VLAN_CHALLENGED &&
vlan_uses_dev(dev)) {
NL_SET_ERR_MSG(extack, "Device is VLAN challenged and team device has VLAN set up");
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 034/462] regulator: of: Implement the unwind path of of_regulator_match()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2025-03-11 14:54 ` [PATCH 5.10 033/462] team: prevent adding a device which is already a team device lower Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 035/462] wifi: wlcore: fix unbalanced pm_runtime calls Greg Kroah-Hartman
` (431 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joe Hattori, Mark Brown, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit dddca3b2fc676113c58b04aaefe84bfb958ac83e ]
of_regulator_match() does not release the OF node reference in the error
path, resulting in an OF node leak. Therefore, call of_node_put() on the
obtained nodes before returning the EINVAL error.
Since it is possible that some drivers call this function and do not
exit on failure, such as s2mps11_pmic_driver, clear the init_data and
of_node in the error path.
This was reported by an experimental verification tool that I am
developing. As I do not have access to actual devices nor the QEMU board
configuration to test drivers that call this function, no runtime test
was able to be performed.
Fixes: 1c8fa58f4750 ("regulator: Add generic DT parsing for regulators")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Link: https://patch.msgid.link/20250104080453.2153592-1-joe@pf.is.s.u-tokyo.ac.jp
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/of_regulator.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c
index 5d844697c7b68..d1e69470137cf 100644
--- a/drivers/regulator/of_regulator.c
+++ b/drivers/regulator/of_regulator.c
@@ -377,7 +377,7 @@ int of_regulator_match(struct device *dev, struct device_node *node,
"failed to parse DT for regulator %pOFn\n",
child);
of_node_put(child);
- return -EINVAL;
+ goto err_put;
}
match->of_node = of_node_get(child);
count++;
@@ -386,6 +386,18 @@ int of_regulator_match(struct device *dev, struct device_node *node,
}
return count;
+
+err_put:
+ for (i = 0; i < num_matches; i++) {
+ struct of_regulator_match *match = &matches[i];
+
+ match->init_data = NULL;
+ if (match->of_node) {
+ of_node_put(match->of_node);
+ match->of_node = NULL;
+ }
+ }
+ return -EINVAL;
}
EXPORT_SYMBOL_GPL(of_regulator_match);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 035/462] wifi: wlcore: fix unbalanced pm_runtime calls
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 034/462] regulator: of: Implement the unwind path of of_regulator_match() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 036/462] net/smc: fix data error when recvmsg with MSG_PEEK flag Greg Kroah-Hartman
` (430 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreas Kemnade, Michael Nemanov,
Kalle Valo, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Kemnade <andreas@kemnade.info>
[ Upstream commit 996c934c8c196144af386c4385f61fcd5349af28 ]
If firmware boot failes, runtime pm is put too often:
[12092.708099] wlcore: ERROR firmware boot failed despite 3 retries
[12092.708099] wl18xx_driver wl18xx.1.auto: Runtime PM usage count underflow!
Fix that by redirecting all error gotos before runtime_get so that runtime is
not put.
Fixes: c40aad28a3cf ("wlcore: Make sure firmware is initialized in wl1271_op_add_interface()")
Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
Reviewed-by: Michael Nemanov <michael.nemanov@ti.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20250104195507.402673-1-akemnade@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ti/wlcore/main.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c
index 6e402d62dbe4a..109c51e497926 100644
--- a/drivers/net/wireless/ti/wlcore/main.c
+++ b/drivers/net/wireless/ti/wlcore/main.c
@@ -2552,24 +2552,24 @@ static int wl1271_op_add_interface(struct ieee80211_hw *hw,
if (test_bit(WL1271_FLAG_RECOVERY_IN_PROGRESS, &wl->flags) ||
test_bit(WLVIF_FLAG_INITIALIZED, &wlvif->flags)) {
ret = -EBUSY;
- goto out;
+ goto out_unlock;
}
ret = wl12xx_init_vif_data(wl, vif);
if (ret < 0)
- goto out;
+ goto out_unlock;
wlvif->wl = wl;
role_type = wl12xx_get_role_type(wl, wlvif);
if (role_type == WL12XX_INVALID_ROLE_TYPE) {
ret = -EINVAL;
- goto out;
+ goto out_unlock;
}
ret = wlcore_allocate_hw_queue_base(wl, wlvif);
if (ret < 0)
- goto out;
+ goto out_unlock;
/*
* TODO: after the nvs issue will be solved, move this block
@@ -2584,7 +2584,7 @@ static int wl1271_op_add_interface(struct ieee80211_hw *hw,
ret = wl12xx_init_fw(wl);
if (ret < 0)
- goto out;
+ goto out_unlock;
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 036/462] net/smc: fix data error when recvmsg with MSG_PEEK flag
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 035/462] wifi: wlcore: fix unbalanced pm_runtime calls Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 037/462] wifi: mt76: mt76u_vendor_request: Do not print error messages when -EPROTO Greg Kroah-Hartman
` (429 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, D. Wythe, Guangguan Wang,
Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
[ Upstream commit a4b6539038c1aa1ae871aacf6e41b566c3613993 ]
When recvmsg with MSG_PEEK flag, the data will be copied to
user's buffer without advancing consume cursor and without
reducing the length of rx available data. Once the expected
peek length is larger than the value of bytes_to_rcv, in the
loop of do while in smc_rx_recvmsg, the first loop will copy
bytes_to_rcv bytes of data from the position local_tx_ctrl.cons,
the second loop will copy the min(bytes_to_rcv, read_remaining)
bytes from the position local_tx_ctrl.cons again because of the
lacking of process with advancing consume cursor and reducing
the length of available data. So do the subsequent loops. The
data copied in the second loop and the subsequent loops will
result in data error, as it should not be copied if no more data
arrives and it should be copied from the position advancing
bytes_to_rcv bytes from the local_tx_ctrl.cons if more data arrives.
This issue can be reproduce by the following python script:
server.py:
import socket
import time
server_ip = '0.0.0.0'
server_port = 12346
server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_socket.bind((server_ip, server_port))
server_socket.listen(1)
print('Server is running and listening for connections...')
conn, addr = server_socket.accept()
print('Connected by', addr)
while True:
data = conn.recv(1024)
if not data:
break
print('Received request:', data.decode())
conn.sendall(b'Hello, client!\n')
time.sleep(5)
conn.sendall(b'Hello, again!\n')
conn.close()
client.py:
import socket
server_ip = '<server ip>'
server_port = 12346
resp=b'Hello, client!\nHello, again!\n'
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((server_ip, server_port))
request = 'Hello, server!'
client_socket.sendall(request.encode())
peek_data = client_socket.recv(len(resp),
socket.MSG_PEEK | socket.MSG_WAITALL)
print('Peeked data:', peek_data.decode())
client_socket.close()
Fixes: 952310ccf2d8 ("smc: receive data from RMBE")
Reported-by: D. Wythe <alibuda@linux.alibaba.com>
Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Link: https://patch.msgid.link/20250104143201.35529-1-guangguan.wang@linux.alibaba.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/af_smc.c | 2 +-
net/smc/smc_rx.c | 37 +++++++++++++++++++++----------------
net/smc/smc_rx.h | 8 ++++----
3 files changed, 26 insertions(+), 21 deletions(-)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 0e0a12f4bb61f..d64cfd651c7a1 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1968,7 +1968,7 @@ static int smc_accept(struct socket *sock, struct socket *new_sock,
release_sock(clcsk);
} else if (!atomic_read(&smc_sk(nsk)->conn.bytes_to_rcv)) {
lock_sock(nsk);
- smc_rx_wait(smc_sk(nsk), &timeo, smc_rx_data_available);
+ smc_rx_wait(smc_sk(nsk), &timeo, 0, smc_rx_data_available);
release_sock(nsk);
}
}
diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c
index 3757aff6c2f00..5f20538cbf990 100644
--- a/net/smc/smc_rx.c
+++ b/net/smc/smc_rx.c
@@ -174,22 +174,23 @@ static int smc_rx_splice(struct pipe_inode_info *pipe, char *src, size_t len,
return bytes;
}
-static int smc_rx_data_available_and_no_splice_pend(struct smc_connection *conn)
+static int smc_rx_data_available_and_no_splice_pend(struct smc_connection *conn, size_t peeked)
{
- return atomic_read(&conn->bytes_to_rcv) &&
+ return smc_rx_data_available(conn, peeked) &&
!atomic_read(&conn->splice_pending);
}
/* blocks rcvbuf consumer until >=len bytes available or timeout or interrupted
* @smc smc socket
* @timeo pointer to max seconds to wait, pointer to value 0 for no timeout
+ * @peeked number of bytes already peeked
* @fcrit add'l criterion to evaluate as function pointer
* Returns:
* 1 if at least 1 byte available in rcvbuf or if socket error/shutdown.
* 0 otherwise (nothing in rcvbuf nor timeout, e.g. interrupted).
*/
-int smc_rx_wait(struct smc_sock *smc, long *timeo,
- int (*fcrit)(struct smc_connection *conn))
+int smc_rx_wait(struct smc_sock *smc, long *timeo, size_t peeked,
+ int (*fcrit)(struct smc_connection *conn, size_t baseline))
{
DEFINE_WAIT_FUNC(wait, woken_wake_function);
struct smc_connection *conn = &smc->conn;
@@ -198,7 +199,7 @@ int smc_rx_wait(struct smc_sock *smc, long *timeo,
struct sock *sk = &smc->sk;
int rc;
- if (fcrit(conn))
+ if (fcrit(conn, peeked))
return 1;
sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
add_wait_queue(sk_sleep(sk), &wait);
@@ -207,7 +208,7 @@ int smc_rx_wait(struct smc_sock *smc, long *timeo,
cflags->peer_conn_abort ||
READ_ONCE(sk->sk_shutdown) & RCV_SHUTDOWN ||
conn->killed ||
- fcrit(conn),
+ fcrit(conn, peeked),
&wait);
remove_wait_queue(sk_sleep(sk), &wait);
sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk);
@@ -257,11 +258,11 @@ static int smc_rx_recv_urg(struct smc_sock *smc, struct msghdr *msg, int len,
return -EAGAIN;
}
-static bool smc_rx_recvmsg_data_available(struct smc_sock *smc)
+static bool smc_rx_recvmsg_data_available(struct smc_sock *smc, size_t peeked)
{
struct smc_connection *conn = &smc->conn;
- if (smc_rx_data_available(conn))
+ if (smc_rx_data_available(conn, peeked))
return true;
else if (conn->urg_state == SMC_URG_VALID)
/* we received a single urgent Byte - skip */
@@ -279,10 +280,10 @@ static bool smc_rx_recvmsg_data_available(struct smc_sock *smc)
int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
struct pipe_inode_info *pipe, size_t len, int flags)
{
- size_t copylen, read_done = 0, read_remaining = len;
+ size_t copylen, read_done = 0, read_remaining = len, peeked_bytes = 0;
size_t chunk_len, chunk_off, chunk_len_sum;
struct smc_connection *conn = &smc->conn;
- int (*func)(struct smc_connection *conn);
+ int (*func)(struct smc_connection *conn, size_t baseline);
union smc_host_cursor cons;
int readable, chunk;
char *rcvbuf_base;
@@ -313,14 +314,14 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
if (conn->killed)
break;
- if (smc_rx_recvmsg_data_available(smc))
+ if (smc_rx_recvmsg_data_available(smc, peeked_bytes))
goto copy;
if (sk->sk_shutdown & RCV_SHUTDOWN) {
/* smc_cdc_msg_recv_action() could have run after
* above smc_rx_recvmsg_data_available()
*/
- if (smc_rx_recvmsg_data_available(smc))
+ if (smc_rx_recvmsg_data_available(smc, peeked_bytes))
goto copy;
break;
}
@@ -354,26 +355,28 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
}
}
- if (!smc_rx_data_available(conn)) {
- smc_rx_wait(smc, &timeo, smc_rx_data_available);
+ if (!smc_rx_data_available(conn, peeked_bytes)) {
+ smc_rx_wait(smc, &timeo, peeked_bytes, smc_rx_data_available);
continue;
}
copy:
/* initialize variables for 1st iteration of subsequent loop */
/* could be just 1 byte, even after waiting on data above */
- readable = atomic_read(&conn->bytes_to_rcv);
+ readable = smc_rx_data_available(conn, peeked_bytes);
splbytes = atomic_read(&conn->splice_pending);
if (!readable || (msg && splbytes)) {
if (splbytes)
func = smc_rx_data_available_and_no_splice_pend;
else
func = smc_rx_data_available;
- smc_rx_wait(smc, &timeo, func);
+ smc_rx_wait(smc, &timeo, peeked_bytes, func);
continue;
}
smc_curs_copy(&cons, &conn->local_tx_ctrl.cons, conn);
+ if ((flags & MSG_PEEK) && peeked_bytes)
+ smc_curs_add(conn->rmb_desc->len, &cons, peeked_bytes);
/* subsequent splice() calls pick up where previous left */
if (splbytes)
smc_curs_add(conn->rmb_desc->len, &cons, splbytes);
@@ -410,6 +413,8 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
}
read_remaining -= chunk_len;
read_done += chunk_len;
+ if (flags & MSG_PEEK)
+ peeked_bytes += chunk_len;
if (chunk_len_sum == copylen)
break; /* either on 1st or 2nd iteration */
diff --git a/net/smc/smc_rx.h b/net/smc/smc_rx.h
index db823c97d824e..994f5e42d1ba2 100644
--- a/net/smc/smc_rx.h
+++ b/net/smc/smc_rx.h
@@ -21,11 +21,11 @@ void smc_rx_init(struct smc_sock *smc);
int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
struct pipe_inode_info *pipe, size_t len, int flags);
-int smc_rx_wait(struct smc_sock *smc, long *timeo,
- int (*fcrit)(struct smc_connection *conn));
-static inline int smc_rx_data_available(struct smc_connection *conn)
+int smc_rx_wait(struct smc_sock *smc, long *timeo, size_t peeked,
+ int (*fcrit)(struct smc_connection *conn, size_t baseline));
+static inline int smc_rx_data_available(struct smc_connection *conn, size_t peeked)
{
- return atomic_read(&conn->bytes_to_rcv);
+ return atomic_read(&conn->bytes_to_rcv) - peeked;
}
#endif /* SMC_RX_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 037/462] wifi: mt76: mt76u_vendor_request: Do not print error messages when -EPROTO
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 036/462] net/smc: fix data error when recvmsg with MSG_PEEK flag Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 038/462] cpufreq: ACPI: Fix max-frequency computation Greg Kroah-Hartman
` (428 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xu Rao, WangYuli, Felix Fietkau,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
[ Upstream commit f1b1e133a770fcdbd89551651232b034d2f7a27a ]
When initializing the network card, unplugging the device will
trigger an -EPROTO error, resulting in a flood of error messages
being printed frantically.
The exception is printed as follows:
mt76x2u 2-2.4:1.0: vendor request req:47 off:9018 failed:-71
mt76x2u 2-2.4:1.0: vendor request req:47 off:9018 failed:-71
...
It will continue to print more than 2000 times for about 5 minutes,
causing the usb device to be unable to be disconnected. During this
period, the usb port cannot recognize the new device because the old
device has not disconnected.
There may be other operating methods that cause -EPROTO, but -EPROTO is
a low-level hardware error. It is unwise to repeat vendor requests
expecting to read correct data. It is a better choice to treat -EPROTO
and -ENODEV the same way.
Similar to commit 9b0f100c1970 ("mt76: usb: process URBs with status
EPROTO properly") do no schedule rx_worker for urb marked with status
set -EPROTO. I also reproduced this situation when plugging and
unplugging the device, and this patch is effective.
Just do not vendor request again for urb marked with status set -EPROTO.
Link: https://lore.kernel.org/all/531681bd-30f5-4a70-a156-bf8754b8e072@intel.com/
Link: https://lore.kernel.org/all/D4B9CC1FFC0CBAC3+20250105040607.154706-1-wangyuli@uniontech.com/
Fixes: b40b15e1521f ("mt76: add usb support to mt76 layer")
Co-developed-by: Xu Rao <raoxu@uniontech.com>
Signed-off-by: Xu Rao <raoxu@uniontech.com>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Link: https://patch.msgid.link/9DD7DE7AAB497CB7+20250113070241.63590-1-wangyuli@uniontech.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/usb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c
index f1ae9ff835b23..07a563df6d6d3 100644
--- a/drivers/net/wireless/mediatek/mt76/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/usb.c
@@ -34,9 +34,9 @@ static int __mt76u_vendor_request(struct mt76_dev *dev, u8 req,
ret = usb_control_msg(udev, pipe, req, req_type, val,
offset, buf, len, MT_VEND_REQ_TOUT_MS);
- if (ret == -ENODEV)
+ if (ret == -ENODEV || ret == -EPROTO)
set_bit(MT76_REMOVED, &dev->phy.state);
- if (ret >= 0 || ret == -ENODEV)
+ if (ret >= 0 || ret == -ENODEV || ret == -EPROTO)
return ret;
usleep_range(5000, 10000);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 038/462] cpufreq: ACPI: Fix max-frequency computation
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 037/462] wifi: mt76: mt76u_vendor_request: Do not print error messages when -EPROTO Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 039/462] selftests: harness: fix printing of mismatch values in __EXPECT() Greg Kroah-Hartman
` (427 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dhananjay Ugwekar, Gautham R. Shenoy,
Mario Limonciello, Rafael J. Wysocki, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gautham R. Shenoy <gautham.shenoy@amd.com>
[ Upstream commit 0834667545962ef1c5e8684ed32b45d9c574acd3 ]
Commit 3c55e94c0ade ("cpufreq: ACPI: Extend frequency tables to cover
boost frequencies") introduced an assumption in acpi_cpufreq_cpu_init()
that the first entry in the P-state table was the nominal frequency.
This assumption is incorrect. The frequency corresponding to the P0
P-State need not be the same as the nominal frequency advertised via
CPPC.
Since the driver is using the CPPC.highest_perf and CPPC.nominal_perf
to compute the boost-ratio, it makes sense to use CPPC.nominal_freq to
compute the max-frequency. CPPC.nominal_freq is advertised on
platforms supporting CPPC revisions 3 or higher.
Hence, fallback to using the first entry in the P-State table only on
platforms that do not advertise CPPC.nominal_freq.
Fixes: 3c55e94c0ade ("cpufreq: ACPI: Extend frequency tables to cover boost frequencies")
Tested-by: Dhananjay Ugwekar <Dhananjay.Ugwekar@amd.com>
Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://patch.msgid.link/20250113044107.566-1-gautham.shenoy@amd.com
[ rjw: Retain reverse X-mas tree ordering of local variable declarations ]
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/acpi-cpufreq.c | 36 +++++++++++++++++++++++++---------
1 file changed, 27 insertions(+), 9 deletions(-)
diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
index d1bbc16fba4b4..4109dda5e36d0 100644
--- a/drivers/cpufreq/acpi-cpufreq.c
+++ b/drivers/cpufreq/acpi-cpufreq.c
@@ -630,7 +630,14 @@ static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
#endif
#ifdef CONFIG_ACPI_CPPC_LIB
-static u64 get_max_boost_ratio(unsigned int cpu)
+/*
+ * get_max_boost_ratio: Computes the max_boost_ratio as the ratio
+ * between the highest_perf and the nominal_perf.
+ *
+ * Returns the max_boost_ratio for @cpu. Returns the CPPC nominal
+ * frequency via @nominal_freq if it is non-NULL pointer.
+ */
+static u64 get_max_boost_ratio(unsigned int cpu, u64 *nominal_freq)
{
struct cppc_perf_caps perf_caps;
u64 highest_perf, nominal_perf;
@@ -649,6 +656,9 @@ static u64 get_max_boost_ratio(unsigned int cpu)
highest_perf = perf_caps.highest_perf;
nominal_perf = perf_caps.nominal_perf;
+ if (nominal_freq)
+ *nominal_freq = perf_caps.nominal_freq;
+
if (!highest_perf || !nominal_perf) {
pr_debug("CPU%d: highest or nominal performance missing\n", cpu);
return 0;
@@ -661,8 +671,12 @@ static u64 get_max_boost_ratio(unsigned int cpu)
return div_u64(highest_perf << SCHED_CAPACITY_SHIFT, nominal_perf);
}
+
#else
-static inline u64 get_max_boost_ratio(unsigned int cpu) { return 0; }
+static inline u64 get_max_boost_ratio(unsigned int cpu, u64 *nominal_freq)
+{
+ return 0;
+}
#endif
static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
@@ -672,9 +686,9 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
struct acpi_cpufreq_data *data;
unsigned int cpu = policy->cpu;
struct cpuinfo_x86 *c = &cpu_data(cpu);
+ u64 max_boost_ratio, nominal_freq = 0;
unsigned int valid_states = 0;
unsigned int result = 0;
- u64 max_boost_ratio;
unsigned int i;
#ifdef CONFIG_SMP
static int blacklisted;
@@ -824,16 +838,20 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
}
freq_table[valid_states].frequency = CPUFREQ_TABLE_END;
- max_boost_ratio = get_max_boost_ratio(cpu);
+ max_boost_ratio = get_max_boost_ratio(cpu, &nominal_freq);
if (max_boost_ratio) {
- unsigned int freq = freq_table[0].frequency;
+ unsigned int freq = nominal_freq;
/*
- * Because the loop above sorts the freq_table entries in the
- * descending order, freq is the maximum frequency in the table.
- * Assume that it corresponds to the CPPC nominal frequency and
- * use it to set cpuinfo.max_freq.
+ * The loop above sorts the freq_table entries in the
+ * descending order. If ACPI CPPC has not advertised
+ * the nominal frequency (this is possible in CPPC
+ * revisions prior to 3), then use the first entry in
+ * the pstate table as a proxy for nominal frequency.
*/
+ if (!freq)
+ freq = freq_table[0].frequency;
+
policy->cpuinfo.max_freq = freq * max_boost_ratio >> SCHED_CAPACITY_SHIFT;
} else {
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 039/462] selftests: harness: fix printing of mismatch values in __EXPECT()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 038/462] cpufreq: ACPI: Fix max-frequency computation Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 040/462] wifi: cfg80211: Handle specific BSSID in 6GHz scanning Greg Kroah-Hartman
` (426 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry V. Levin, Kees Cook,
Shuah Khan, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry V. Levin <ldv@strace.io>
[ Upstream commit 02bc220dc6dc7c56edc4859bc5dd2c08b95d5fb5 ]
intptr_t and uintptr_t are not big enough types on 32-bit architectures
when printing 64-bit values, resulting to the following incorrect
diagnostic output:
# get_syscall_info.c:209:get_syscall_info:Expected exp_args[2] (3134324433) == info.entry.args[1] (3134324433)
Replace intptr_t and uintptr_t with intmax_t and uintmax_t, respectively.
With this fix, the same test produces more usable diagnostic output:
# get_syscall_info.c:209:get_syscall_info:Expected exp_args[2] (3134324433) == info.entry.args[1] (18446744072548908753)
Link: https://lore.kernel.org/r/20250108170757.GA6723@strace.io
Fixes: b5bb6d3068ea ("selftests/seccomp: fix 32-bit build warnings")
Signed-off-by: Dmitry V. Levin <ldv@strace.io>
Reviewed-by: Kees Cook <kees@kernel.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/kselftest_harness.h | 24 ++++++++++-----------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h
index 2fadc99d93619..8baf4789d9372 100644
--- a/tools/testing/selftests/kselftest_harness.h
+++ b/tools/testing/selftests/kselftest_harness.h
@@ -695,33 +695,33 @@
/* Report with actual signedness to avoid weird output. */ \
switch (is_signed_type(__exp) * 2 + is_signed_type(__seen)) { \
case 0: { \
- unsigned long long __exp_print = (uintptr_t)__exp; \
- unsigned long long __seen_print = (uintptr_t)__seen; \
- __TH_LOG("Expected %s (%llu) %s %s (%llu)", \
+ uintmax_t __exp_print = (uintmax_t)__exp; \
+ uintmax_t __seen_print = (uintmax_t)__seen; \
+ __TH_LOG("Expected %s (%ju) %s %s (%ju)", \
_expected_str, __exp_print, #_t, \
_seen_str, __seen_print); \
break; \
} \
case 1: { \
- unsigned long long __exp_print = (uintptr_t)__exp; \
- long long __seen_print = (intptr_t)__seen; \
- __TH_LOG("Expected %s (%llu) %s %s (%lld)", \
+ uintmax_t __exp_print = (uintmax_t)__exp; \
+ intmax_t __seen_print = (intmax_t)__seen; \
+ __TH_LOG("Expected %s (%ju) %s %s (%jd)", \
_expected_str, __exp_print, #_t, \
_seen_str, __seen_print); \
break; \
} \
case 2: { \
- long long __exp_print = (intptr_t)__exp; \
- unsigned long long __seen_print = (uintptr_t)__seen; \
- __TH_LOG("Expected %s (%lld) %s %s (%llu)", \
+ intmax_t __exp_print = (intmax_t)__exp; \
+ uintmax_t __seen_print = (uintmax_t)__seen; \
+ __TH_LOG("Expected %s (%jd) %s %s (%ju)", \
_expected_str, __exp_print, #_t, \
_seen_str, __seen_print); \
break; \
} \
case 3: { \
- long long __exp_print = (intptr_t)__exp; \
- long long __seen_print = (intptr_t)__seen; \
- __TH_LOG("Expected %s (%lld) %s %s (%lld)", \
+ intmax_t __exp_print = (intmax_t)__exp; \
+ intmax_t __seen_print = (intmax_t)__seen; \
+ __TH_LOG("Expected %s (%jd) %s %s (%jd)", \
_expected_str, __exp_print, #_t, \
_seen_str, __seen_print); \
break; \
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 040/462] wifi: cfg80211: Handle specific BSSID in 6GHz scanning
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 039/462] selftests: harness: fix printing of mismatch values in __EXPECT() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 041/462] wifi: cfg80211: adjust allocation of colocated AP data Greg Kroah-Hartman
` (425 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilan Peer, Gregory Greenman,
Johannes Berg, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilan Peer <ilan.peer@intel.com>
[ Upstream commit 0fca7784b7a14d4ede64f479662afb98876ec7f8 ]
When the scan parameters for a 6GHz scan specify a unicast
BSSID address, and the corresponding AP is found in the scan
list, add a corresponding entry in the collocated AP list,
so this AP would be directly probed even if it was not
advertised as a collocated AP.
This is needed for handling a scan request that is intended
for a ML probe flow, where user space can requests a scan
to retrieve information for other links in the AP MLD.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230928172905.54b954bc02ad.I1c072793d3d77a4c8fbbc64b4db5cce1bbb00382@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: 1a0d24775cde ("wifi: cfg80211: adjust allocation of colocated AP data")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/scan.c | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index f6307061aac49..348b2fce25fc3 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -796,10 +796,47 @@ static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev)
list_for_each_entry(intbss, &rdev->bss_list, list) {
struct cfg80211_bss *res = &intbss->pub;
const struct cfg80211_bss_ies *ies;
+ const struct element *ssid_elem;
+ struct cfg80211_colocated_ap *entry;
+ u32 s_ssid_tmp;
+ int ret;
ies = rcu_access_pointer(res->ies);
count += cfg80211_parse_colocated_ap(ies,
&coloc_ap_list);
+
+ /* In case the scan request specified a specific BSSID
+ * and the BSS is found and operating on 6GHz band then
+ * add this AP to the collocated APs list.
+ * This is relevant for ML probe requests when the lower
+ * band APs have not been discovered.
+ */
+ if (is_broadcast_ether_addr(rdev_req->bssid) ||
+ !ether_addr_equal(rdev_req->bssid, res->bssid) ||
+ res->channel->band != NL80211_BAND_6GHZ)
+ continue;
+
+ ret = cfg80211_calc_short_ssid(ies, &ssid_elem,
+ &s_ssid_tmp);
+ if (ret)
+ continue;
+
+ entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN,
+ GFP_ATOMIC);
+
+ if (!entry)
+ continue;
+
+ memcpy(entry->bssid, res->bssid, ETH_ALEN);
+ entry->short_ssid = s_ssid_tmp;
+ memcpy(entry->ssid, ssid_elem->data,
+ ssid_elem->datalen);
+ entry->ssid_len = ssid_elem->datalen;
+ entry->short_ssid_valid = true;
+ entry->center_freq = res->channel->center_freq;
+
+ list_add_tail(&entry->list, &coloc_ap_list);
+ count++;
}
spin_unlock_bh(&rdev->bss_lock);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 041/462] wifi: cfg80211: adjust allocation of colocated AP data
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 040/462] wifi: cfg80211: Handle specific BSSID in 6GHz scanning Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 042/462] clk: analogbits: Fix incorrect calculation of vco rate delta Greg Kroah-Hartman
` (424 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov, Johannes Berg,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 1a0d24775cdee2b8dc14bfa4f4418c930ab1ac57 ]
In 'cfg80211_scan_6ghz()', an instances of 'struct cfg80211_colocated_ap'
are allocated as if they would have 'ssid' as trailing VLA member. Since
this is not so, extra IEEE80211_MAX_SSID_LEN bytes are not needed.
Briefly tested with KUnit.
Fixes: c8cb5b854b40 ("nl80211/cfg80211: support 6 GHz scanning")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Link: https://patch.msgid.link/20250113155417.552587-1-dmantipov@yandex.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/scan.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 348b2fce25fc3..670fcdbef95be 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -821,9 +821,7 @@ static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev)
if (ret)
continue;
- entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN,
- GFP_ATOMIC);
-
+ entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
if (!entry)
continue;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 042/462] clk: analogbits: Fix incorrect calculation of vco rate delta
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 041/462] wifi: cfg80211: adjust allocation of colocated AP data Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 043/462] pwm: stm32: Add check for clk_enable() Greg Kroah-Hartman
` (423 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bo Gan, Stephen Boyd, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bo Gan <ganboing@gmail.com>
[ Upstream commit d7f12857f095ef38523399d47e68787b357232f6 ]
In wrpll_configure_for_rate() we try to determine the best PLL
configuration for a target rate. However, in the loop where we try
values of R, we should compare the derived `vco` with `target_vco_rate`.
However, we were in fact comparing it with `target_rate`, which is
actually after Q shift. This is incorrect, and sometimes can result in
suboptimal clock rates. Fix it.
Fixes: 7b9487a9a5c4 ("clk: analogbits: add Wide-Range PLL library")
Signed-off-by: Bo Gan <ganboing@gmail.com>
Link: https://lore.kernel.org/r/20240830061639.2316-1-ganboing@gmail.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/analogbits/wrpll-cln28hpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/analogbits/wrpll-cln28hpc.c b/drivers/clk/analogbits/wrpll-cln28hpc.c
index 776ead319ae9c..9df572579afb4 100644
--- a/drivers/clk/analogbits/wrpll-cln28hpc.c
+++ b/drivers/clk/analogbits/wrpll-cln28hpc.c
@@ -287,7 +287,7 @@ int wrpll_configure_for_rate(struct wrpll_cfg *c, u32 target_rate,
vco = vco_pre * f;
}
- delta = abs(target_rate - vco);
+ delta = abs(target_vco_rate - vco);
if (delta < best_delta) {
best_delta = delta;
best_r = r;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 043/462] pwm: stm32: Add check for clk_enable()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 042/462] clk: analogbits: Fix incorrect calculation of vco rate delta Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 044/462] net: let net.core.dev_weight always be non-zero Greg Kroah-Hartman
` (422 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mingwei Zheng, Jiasheng Jiang,
Uwe Kleine-König, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingwei Zheng <zmw12306@gmail.com>
[ Upstream commit e8c59791ebb60790c74b2c3ab520f04a8a57219a ]
Add check for the return value of clk_enable() to catch the potential
error.
Fixes: 19f1016ea960 ("pwm: stm32: Fix enable count for clk in .probe()")
Signed-off-by: Mingwei Zheng <zmw12306@gmail.com>
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Link: https://lore.kernel.org/r/20241215224752.220318-1-zmw12306@gmail.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-stm32.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c
index 7146b3f6755bc..2ca2855255be1 100644
--- a/drivers/pwm/pwm-stm32.c
+++ b/drivers/pwm/pwm-stm32.c
@@ -634,8 +634,11 @@ static int stm32_pwm_probe(struct platform_device *pdev)
priv->chip.npwm = stm32_pwm_detect_channels(priv, &num_enabled);
/* Initialize clock refcount to number of enabled PWM channels. */
- for (i = 0; i < num_enabled; i++)
- clk_enable(priv->clk);
+ for (i = 0; i < num_enabled; i++) {
+ ret = clk_enable(priv->clk);
+ if (ret)
+ return ret;
+ }
ret = pwmchip_add(&priv->chip);
if (ret < 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 044/462] net: let net.core.dev_weight always be non-zero
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 043/462] pwm: stm32: Add check for clk_enable() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 045/462] net/mlxfw: Drop hard coded max FW flash image size Greg Kroah-Hartman
` (421 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Jian, Jakub Kicinski,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liu Jian <liujian56@huawei.com>
[ Upstream commit d1f9f79fa2af8e3b45cffdeef66e05833480148a ]
The following problem was encountered during stability test:
(NULL net_device): NAPI poll function process_backlog+0x0/0x530 \
returned 1, exceeding its budget of 0.
------------[ cut here ]------------
list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \
next=ffff88905f746e40.
WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \
__list_add_valid_or_report+0xf3/0x130
CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+
RIP: 0010:__list_add_valid_or_report+0xf3/0x130
Call Trace:
? __warn+0xcd/0x250
? __list_add_valid_or_report+0xf3/0x130
enqueue_to_backlog+0x923/0x1070
netif_rx_internal+0x92/0x2b0
__netif_rx+0x15/0x170
loopback_xmit+0x2ef/0x450
dev_hard_start_xmit+0x103/0x490
__dev_queue_xmit+0xeac/0x1950
ip_finish_output2+0x6cc/0x1620
ip_output+0x161/0x270
ip_push_pending_frames+0x155/0x1a0
raw_sendmsg+0xe13/0x1550
__sys_sendto+0x3bf/0x4e0
__x64_sys_sendto+0xdc/0x1b0
do_syscall_64+0x5b/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The reproduction command is as follows:
sysctl -w net.core.dev_weight=0
ping 127.0.0.1
This is because when the napi's weight is set to 0, process_backlog() may
return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this
napi to be re-polled in net_rx_action() until __do_softirq() times out.
Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can
be retriggered in enqueue_to_backlog(), causing this issue.
Making the napi's weight always non-zero solves this problem.
Triggering this issue requires system-wide admin (setting is
not namespaced).
Fixes: e38766054509 ("[NET]: Fix sysctl net.core.dev_weight")
Fixes: 3d48b53fb2ae ("net: dev_weight: TX/RX orthogonality")
Signed-off-by: Liu Jian <liujian56@huawei.com>
Link: https://patch.msgid.link/20250116143053.4146855-1-liujian56@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/sysctl_net_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index 0dfe9f255ab3a..3640be19a795e 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -239,7 +239,7 @@ static int proc_do_dev_weight(struct ctl_table *table, int write,
int ret, weight;
mutex_lock(&dev_weight_mutex);
- ret = proc_dointvec(table, write, buffer, lenp, ppos);
+ ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
if (!ret && write) {
weight = READ_ONCE(weight_p);
WRITE_ONCE(dev_rx_weight, weight * dev_weight_rx_bias);
@@ -351,6 +351,7 @@ static struct ctl_table net_core_table[] = {
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_do_dev_weight,
+ .extra1 = SYSCTL_ONE,
},
{
.procname = "dev_weight_rx_bias",
@@ -358,6 +359,7 @@ static struct ctl_table net_core_table[] = {
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_do_dev_weight,
+ .extra1 = SYSCTL_ONE,
},
{
.procname = "dev_weight_tx_bias",
@@ -365,6 +367,7 @@ static struct ctl_table net_core_table[] = {
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_do_dev_weight,
+ .extra1 = SYSCTL_ONE,
},
{
.procname = "netdev_max_backlog",
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 045/462] net/mlxfw: Drop hard coded max FW flash image size
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 044/462] net: let net.core.dev_weight always be non-zero Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 046/462] net: sched: Disallow replacing of child qdisc from one parent to another Greg Kroah-Hartman
` (420 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maher Sanalla, Moshe Shemesh,
Ido Schimmel, Michal Swiatkowski, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maher Sanalla <msanalla@nvidia.com>
[ Upstream commit 70d81f25cc92cc4e914516c9935ae752f27d78ad ]
Currently, mlxfw kernel module limits FW flash image size to be
10MB at most, preventing the ability to burn recent BlueField-3
FW that exceeds the said size limit.
Thus, drop the hard coded limit. Instead, rely on FW's
max_component_size threshold that is reported in MCQI register
as the size limit for FW image.
Fixes: 410ed13cae39 ("Add the mlxfw module for Mellanox firmware flash process")
Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Tested-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Link: https://patch.msgid.link/1737030796-1441634-1-git-send-email-moshe@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c
index bcd166911d444..bbcaac4f99bc6 100644
--- a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c
+++ b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c
@@ -14,7 +14,6 @@
#define MLXFW_FSM_STATE_WAIT_TIMEOUT_MS 30000
#define MLXFW_FSM_STATE_WAIT_ROUNDS \
(MLXFW_FSM_STATE_WAIT_TIMEOUT_MS / MLXFW_FSM_STATE_WAIT_CYCLE_MS)
-#define MLXFW_FSM_MAX_COMPONENT_SIZE (10 * (1 << 20))
static const int mlxfw_fsm_state_errno[] = {
[MLXFW_FSM_STATE_ERR_ERROR] = -EIO,
@@ -229,7 +228,6 @@ static int mlxfw_flash_component(struct mlxfw_dev *mlxfw_dev,
return err;
}
- comp_max_size = min_t(u32, comp_max_size, MLXFW_FSM_MAX_COMPONENT_SIZE);
if (comp->data_size > comp_max_size) {
MLXFW_ERR_MSG(mlxfw_dev, extack,
"Component size is bigger than limit", -EINVAL);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 046/462] net: sched: Disallow replacing of child qdisc from one parent to another
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 045/462] net/mlxfw: Drop hard coded max FW flash image size Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 047/462] net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() Greg Kroah-Hartman
` (419 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Simon Horman,
Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit bc50835e83f60f56e9bec2b392fb5544f250fb6f ]
Lion Ackermann was able to create a UAF which can be abused for privilege
escalation with the following script
Step 1. create root qdisc
tc qdisc add dev lo root handle 1:0 drr
step2. a class for packet aggregation do demonstrate uaf
tc class add dev lo classid 1:1 drr
step3. a class for nesting
tc class add dev lo classid 1:2 drr
step4. a class to graft qdisc to
tc class add dev lo classid 1:3 drr
step5.
tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024
step6.
tc qdisc add dev lo parent 1:2 handle 3:0 drr
step7.
tc class add dev lo classid 3:1 drr
step 8.
tc qdisc add dev lo parent 3:1 handle 4:0 pfifo
step 9. Display the class/qdisc layout
tc class ls dev lo
class drr 1:1 root leaf 2: quantum 64Kb
class drr 1:2 root leaf 3: quantum 64Kb
class drr 3:1 root leaf 4: quantum 64Kb
tc qdisc ls
qdisc drr 1: dev lo root refcnt 2
qdisc plug 2: dev lo parent 1:1
qdisc pfifo 4: dev lo parent 3:1 limit 1000p
qdisc drr 3: dev lo parent 1:2
step10. trigger the bug <=== prevented by this patch
tc qdisc replace dev lo parent 1:3 handle 4:0
step 11. Redisplay again the qdiscs/classes
tc class ls dev lo
class drr 1:1 root leaf 2: quantum 64Kb
class drr 1:2 root leaf 3: quantum 64Kb
class drr 1:3 root leaf 4: quantum 64Kb
class drr 3:1 root leaf 4: quantum 64Kb
tc qdisc ls
qdisc drr 1: dev lo root refcnt 2
qdisc plug 2: dev lo parent 1:1
qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p
qdisc drr 3: dev lo parent 1:2
Observe that a) parent for 4:0 does not change despite the replace request.
There can only be one parent. b) refcount has gone up by two for 4:0 and
c) both class 1:3 and 3:1 are pointing to it.
Step 12. send one packet to plug
echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))
step13. send one packet to the grafted fifo
echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))
step14. lets trigger the uaf
tc class delete dev lo classid 1:3
tc class delete dev lo classid 1:1
The semantics of "replace" is for a del/add _on the same node_ and not
a delete from one node(3:1) and add to another node (1:3) as in step10.
While we could "fix" with a more complex approach there could be
consequences to expectations so the patch takes the preventive approach of
"disallow such config".
Joint work with Lion Ackermann <nnamrec@gmail.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250116013713.900000-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_api.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index b4e405676600f..238ae7b0ca5ba 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -1603,6 +1603,10 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
q = qdisc_lookup(dev, tcm->tcm_handle);
if (!q)
goto create_n_graft;
+ if (q->parent != tcm->tcm_parent) {
+ NL_SET_ERR_MSG(extack, "Cannot move an existing qdisc to a different parent");
+ return -EINVAL;
+ }
if (n->nlmsg_flags & NLM_F_EXCL) {
NL_SET_ERR_MSG(extack, "Exclusivity flag on, cannot override");
return -EEXIST;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 047/462] net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 046/462] net: sched: Disallow replacing of child qdisc from one parent to another Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 048/462] net/rose: prevent integer overflows in rose_setsockopt() Greg Kroah-Hartman
` (418 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roger Quadros, Simon Horman,
Siddharth Vadapalli, Jacob Keller, David S. Miller, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roger Quadros <rogerq@kernel.org>
[ Upstream commit 4395a44acb15850e492dd1de9ec4b6479d96bc80 ]
When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns
negative error value on error. So not NULL check is not sufficient
to deteremine if IRQ is valid. Check that IRQ is greater then zero
to ensure it is valid.
There is no issue at probe time but at runtime user can invoke
.set_channels which results in the following call chain.
am65_cpsw_set_channels()
am65_cpsw_nuss_update_tx_rx_chns()
am65_cpsw_nuss_remove_tx_chns()
am65_cpsw_nuss_init_tx_chns()
At this point if am65_cpsw_nuss_init_tx_chns() fails due to
k3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a
negative value.
Then, at subsequent .set_channels with higher channel count we
will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns()
leading to a kernel warning.
The issue is present in the original commit that introduced this driver,
although there, am65_cpsw_nuss_update_tx_rx_chns() existed as
am65_cpsw_nuss_update_tx_chns().
Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver")
Signed-off-by: Roger Quadros <rogerq@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
index 94e36deefe88a..07510e068742e 100644
--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
@@ -1425,7 +1425,7 @@ void am65_cpsw_nuss_remove_tx_chns(struct am65_cpsw_common *common)
for (i = 0; i < common->tx_ch_num; i++) {
struct am65_cpsw_tx_chn *tx_chn = &common->tx_chns[i];
- if (tx_chn->irq)
+ if (tx_chn->irq > 0)
devm_free_irq(dev, tx_chn->irq, tx_chn);
netif_napi_del(&tx_chn->napi_tx);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 048/462] net/rose: prevent integer overflows in rose_setsockopt()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 047/462] net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 049/462] tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind Greg Kroah-Hartman
` (417 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikita Zhandarovich, Jakub Kicinski,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
[ Upstream commit d640627663bfe7d8963c7615316d7d4ef60f3b0b ]
In case of possible unpredictably large arguments passed to
rose_setsockopt() and multiplied by extra values on top of that,
integer overflows may occur.
Do the safest minimum and fix these issues by checking the
contents of 'opt' and returning -EINVAL if they are too large. Also,
switch to unsigned int and remove useless check for negative 'opt'
in ROSE_IDLE case.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://patch.msgid.link/20250115164220.19954-1-n.zhandarovich@fintech.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rose/af_rose.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 1d95ff34b13c9..65fd5b99f9dea 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -396,15 +396,15 @@ static int rose_setsockopt(struct socket *sock, int level, int optname,
{
struct sock *sk = sock->sk;
struct rose_sock *rose = rose_sk(sk);
- int opt;
+ unsigned int opt;
if (level != SOL_ROSE)
return -ENOPROTOOPT;
- if (optlen < sizeof(int))
+ if (optlen < sizeof(unsigned int))
return -EINVAL;
- if (copy_from_sockptr(&opt, optval, sizeof(int)))
+ if (copy_from_sockptr(&opt, optval, sizeof(unsigned int)))
return -EFAULT;
switch (optname) {
@@ -413,31 +413,31 @@ static int rose_setsockopt(struct socket *sock, int level, int optname,
return 0;
case ROSE_T1:
- if (opt < 1)
+ if (opt < 1 || opt > UINT_MAX / HZ)
return -EINVAL;
rose->t1 = opt * HZ;
return 0;
case ROSE_T2:
- if (opt < 1)
+ if (opt < 1 || opt > UINT_MAX / HZ)
return -EINVAL;
rose->t2 = opt * HZ;
return 0;
case ROSE_T3:
- if (opt < 1)
+ if (opt < 1 || opt > UINT_MAX / HZ)
return -EINVAL;
rose->t3 = opt * HZ;
return 0;
case ROSE_HOLDBACK:
- if (opt < 1)
+ if (opt < 1 || opt > UINT_MAX / HZ)
return -EINVAL;
rose->hb = opt * HZ;
return 0;
case ROSE_IDLE:
- if (opt < 0)
+ if (opt > UINT_MAX / (60 * HZ))
return -EINVAL;
rose->idle = opt * 60 * HZ;
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 049/462] tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 048/462] net/rose: prevent integer overflows in rose_setsockopt() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 050/462] ASoC: sun4i-spdif: Add clock multiplier settings Greg Kroah-Hartman
` (416 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marco Leogrande, Stanislav Fomichev,
Alexei Starovoitov, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marco Leogrande <leogrande@google.com>
[ Upstream commit e2f0791124a1b6ca8d570110cbd487969d9d41ef ]
Commit f803bcf9208a ("selftests/bpf: Prevent client connect before
server bind in test_tc_tunnel.sh") added code that waits for the
netcat server to start before the netcat client attempts to connect to
it. However, not all calls to 'server_listen' were guarded.
This patch adds the existing 'wait_for_port' guard after the remaining
call to 'server_listen'.
Fixes: f803bcf9208a ("selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh")
Signed-off-by: Marco Leogrande <leogrande@google.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://lore.kernel.org/r/20241202204530.1143448-1-leogrande@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/test_tc_tunnel.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/bpf/test_tc_tunnel.sh b/tools/testing/selftests/bpf/test_tc_tunnel.sh
index 21bde60c95230..e42d8959cbf1c 100755
--- a/tools/testing/selftests/bpf/test_tc_tunnel.sh
+++ b/tools/testing/selftests/bpf/test_tc_tunnel.sh
@@ -286,6 +286,7 @@ else
client_connect
verify_data
server_listen
+ wait_for_port ${port} ${netcat_opt}
fi
# bpf_skb_net_shrink does not take tunnel flags yet, cannot update L3.
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 050/462] ASoC: sun4i-spdif: Add clock multiplier settings
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 049/462] tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 051/462] perf header: Fix one memory leakage in process_bpf_btf() Greg Kroah-Hartman
` (415 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, George Lander, Marcus Cooper,
Mark Brown, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: George Lander <lander@jagmn.com>
[ Upstream commit 0a2319308de88b9e819c0b43d0fccd857123eb31 ]
There have been intermittent issues with the SPDIF output on H3
and H2+ devices which has been fixed by setting the s_clk to 4
times the audio pll.
Add a quirk for the clock multiplier as not every supported SoC
requires it. Without the multiplier, the audio at normal sampling
rates was distorted and did not play at higher sampling rates.
Fixes: 1bd92af877ab ("ASoC: sun4i-spdif: Add support for the H3 SoC")
Signed-off-by: George Lander <lander@jagmn.com>
Signed-off-by: Marcus Cooper <codekipper@gmail.com>
Link: https://patch.msgid.link/20241111165600.57219-2-codekipper@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sunxi/sun4i-spdif.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/sunxi/sun4i-spdif.c b/sound/soc/sunxi/sun4i-spdif.c
index 6dcad1aa25037..8e255a6d0bd1a 100644
--- a/sound/soc/sunxi/sun4i-spdif.c
+++ b/sound/soc/sunxi/sun4i-spdif.c
@@ -175,6 +175,7 @@ struct sun4i_spdif_quirks {
unsigned int reg_dac_txdata;
bool has_reset;
unsigned int val_fctl_ftx;
+ unsigned int mclk_multiplier;
};
struct sun4i_spdif_dev {
@@ -311,6 +312,7 @@ static int sun4i_spdif_hw_params(struct snd_pcm_substream *substream,
default:
return -EINVAL;
}
+ mclk *= host->quirks->mclk_multiplier;
ret = clk_set_rate(host->spdif_clk, mclk);
if (ret < 0) {
@@ -345,6 +347,7 @@ static int sun4i_spdif_hw_params(struct snd_pcm_substream *substream,
default:
return -EINVAL;
}
+ mclk_div *= host->quirks->mclk_multiplier;
reg_val = 0;
reg_val |= SUN4I_SPDIF_TXCFG_ASS;
@@ -427,24 +430,28 @@ static struct snd_soc_dai_driver sun4i_spdif_dai = {
static const struct sun4i_spdif_quirks sun4i_a10_spdif_quirks = {
.reg_dac_txdata = SUN4I_SPDIF_TXFIFO,
.val_fctl_ftx = SUN4I_SPDIF_FCTL_FTX,
+ .mclk_multiplier = 1,
};
static const struct sun4i_spdif_quirks sun6i_a31_spdif_quirks = {
.reg_dac_txdata = SUN4I_SPDIF_TXFIFO,
.val_fctl_ftx = SUN4I_SPDIF_FCTL_FTX,
.has_reset = true,
+ .mclk_multiplier = 1,
};
static const struct sun4i_spdif_quirks sun8i_h3_spdif_quirks = {
.reg_dac_txdata = SUN8I_SPDIF_TXFIFO,
.val_fctl_ftx = SUN4I_SPDIF_FCTL_FTX,
.has_reset = true,
+ .mclk_multiplier = 4,
};
static const struct sun4i_spdif_quirks sun50i_h6_spdif_quirks = {
.reg_dac_txdata = SUN8I_SPDIF_TXFIFO,
.val_fctl_ftx = SUN50I_H6_SPDIF_FCTL_FTX,
.has_reset = true,
+ .mclk_multiplier = 1,
};
static const struct of_device_id sun4i_spdif_of_match[] = {
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 051/462] perf header: Fix one memory leakage in process_bpf_btf()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 050/462] ASoC: sun4i-spdif: Add clock multiplier settings Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 052/462] perf header: Fix one memory leakage in process_bpf_prog_info() Greg Kroah-Hartman
` (414 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namhyung Kim, Zhongqiu Han,
Adrian Hunter, Alexander Shishkin, Ian Rogers, Ingo Molnar,
James Clark, Jiri Olsa, Kan Liang, Mark Rutland, Peter Zijlstra,
Song Liu, Yicong Yang, Arnaldo Carvalho de Melo, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhongqiu Han <quic_zhonhan@quicinc.com>
[ Upstream commit 875d22980a062521beed7b5df71fb13a1af15d83 ]
If __perf_env__insert_btf() returns false due to a duplicate btf node
insertion, the temporary node will leak. Add a check to ensure the memory
is freed if the function returns false.
Fixes: a70a1123174ab592 ("perf bpf: Save BTF information as headers to perf.data")
Reviewed-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Song Liu <song@kernel.org>
Cc: Yicong Yang <yangyicong@hisilicon.com>
Link: https://lore.kernel.org/r/20241205084500.823660-2-quic_zhonhan@quicinc.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
| 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--git a/tools/perf/util/header.c b/tools/perf/util/header.c
index d2812d98968df..a0a83e5de762a 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -2980,7 +2980,8 @@ static int process_bpf_btf(struct feat_fd *ff, void *data __maybe_unused)
if (__do_read(ff, node->data, data_size))
goto out;
- __perf_env__insert_btf(env, node);
+ if (!__perf_env__insert_btf(env, node))
+ free(node);
node = NULL;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 052/462] perf header: Fix one memory leakage in process_bpf_prog_info()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 051/462] perf header: Fix one memory leakage in process_bpf_btf() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 053/462] perf env: Conditionally compile BPF support code on having HAVE_LIBBPF_SUPPORT Greg Kroah-Hartman
` (413 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namhyung Kim, Zhongqiu Han,
Adrian Hunter, Alexander Shishkin, Ian Rogers, Ingo Molnar,
James Clark, Jiri Olsa, Kan Liang, Mark Rutland, Peter Zijlstra,
Song Liu, Yicong Yang, Arnaldo Carvalho de Melo, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhongqiu Han <quic_zhonhan@quicinc.com>
[ Upstream commit a7da6c7030e1aec32f0a41c7b4fa70ec96042019 ]
Function __perf_env__insert_bpf_prog_info() will return without inserting
bpf prog info node into perf env again due to a duplicate bpf prog info
node insertion, causing the temporary info_linear and info_node memory to
leak. Modify the return type of this function to bool and add a check to
ensure the memory is freed if the function returns false.
Fixes: 606f972b1361f477 ("perf bpf: Save bpf_prog_info information as headers to perf.data")
Reviewed-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Song Liu <song@kernel.org>
Cc: Yicong Yang <yangyicong@hisilicon.com>
Link: https://lore.kernel.org/r/20241205084500.823660-3-quic_zhonhan@quicinc.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/env.c | 5 +++--
tools/perf/util/env.h | 2 +-
| 5 ++++-
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
index ed2a42abe1270..abb43643c7857 100644
--- a/tools/perf/util/env.c
+++ b/tools/perf/util/env.c
@@ -23,7 +23,7 @@ void perf_env__insert_bpf_prog_info(struct perf_env *env,
up_write(&env->bpf_progs.lock);
}
-void __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info_node *info_node)
+bool __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info_node *info_node)
{
__u32 prog_id = info_node->info_linear->info.id;
struct bpf_prog_info_node *node;
@@ -41,13 +41,14 @@ void __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info
p = &(*p)->rb_right;
} else {
pr_debug("duplicated bpf prog info %u\n", prog_id);
- return;
+ return false;
}
}
rb_link_node(&info_node->rb_node, parent, p);
rb_insert_color(&info_node->rb_node, &env->bpf_progs.infos);
env->bpf_progs.infos_cnt++;
+ return true;
}
struct bpf_prog_info_node *perf_env__find_bpf_prog_info(struct perf_env *env,
diff --git a/tools/perf/util/env.h b/tools/perf/util/env.h
index ef0fd544cd672..64b63e989472e 100644
--- a/tools/perf/util/env.h
+++ b/tools/perf/util/env.h
@@ -139,7 +139,7 @@ const char *perf_env__raw_arch(struct perf_env *env);
int perf_env__nr_cpus_avail(struct perf_env *env);
void perf_env__init(struct perf_env *env);
-void __perf_env__insert_bpf_prog_info(struct perf_env *env,
+bool __perf_env__insert_bpf_prog_info(struct perf_env *env,
struct bpf_prog_info_node *info_node);
void perf_env__insert_bpf_prog_info(struct perf_env *env,
struct bpf_prog_info_node *info_node);
--git a/tools/perf/util/header.c b/tools/perf/util/header.c
index a0a83e5de762a..8d4f35e08905c 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -2927,7 +2927,10 @@ static int process_bpf_prog_info(struct feat_fd *ff, void *data __maybe_unused)
/* after reading from file, translate offset to address */
bpf_program__bpil_offs_to_addr(info_linear);
info_node->info_linear = info_linear;
- __perf_env__insert_bpf_prog_info(env, info_node);
+ if (!__perf_env__insert_bpf_prog_info(env, info_node)) {
+ free(info_linear);
+ free(info_node);
+ }
}
up_write(&env->bpf_progs.lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 053/462] perf env: Conditionally compile BPF support code on having HAVE_LIBBPF_SUPPORT
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 052/462] perf header: Fix one memory leakage in process_bpf_prog_info() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 054/462] perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info() Greg Kroah-Hartman
` (412 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Ian Rogers, Jiri Olsa,
Namhyung Kim, Arnaldo Carvalho de Melo, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit ef0580ecd8b0306acf09b7a7508d72cafc67896d ]
If libbpf isn't selected, no need for a bunch of related code, that were
not even being used, as code using these perf_env methods was also
enclosed in HAVE_LIBBPF_SUPPORT.
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Stable-dep-of: 03edb7020bb9 ("perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/dso.c | 14 ++++++++++----
tools/perf/util/env.c | 15 ++++++++++++---
tools/perf/util/env.h | 4 ++--
| 21 ++++++++-------------
4 files changed, 32 insertions(+), 22 deletions(-)
diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c
index 5e9902fa1dc8a..48b5d6ec27b6e 100644
--- a/tools/perf/util/dso.c
+++ b/tools/perf/util/dso.c
@@ -11,8 +11,10 @@
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
+#ifdef HAVE_LIBBPF_SUPPORT
#include <bpf/libbpf.h>
#include "bpf-event.h"
+#endif
#include "compress.h"
#include "env.h"
#include "namespaces.h"
@@ -728,6 +730,7 @@ bool dso__data_status_seen(struct dso *dso, enum dso_data_status_seen by)
return false;
}
+#ifdef HAVE_LIBBPF_SUPPORT
static ssize_t bpf_read(struct dso *dso, u64 offset, char *data)
{
struct bpf_prog_info_node *node;
@@ -765,6 +768,7 @@ static int bpf_size(struct dso *dso)
dso->data.file_size = node->info_linear->info.jited_prog_len;
return 0;
}
+#endif // HAVE_LIBBPF_SUPPORT
static void
dso_cache__free(struct dso *dso)
@@ -894,10 +898,12 @@ static struct dso_cache *dso_cache__populate(struct dso *dso,
*ret = -ENOMEM;
return NULL;
}
-
+#ifdef HAVE_LIBBPF_SUPPORT
if (dso->binary_type == DSO_BINARY_TYPE__BPF_PROG_INFO)
*ret = bpf_read(dso, cache_offset, cache->data);
- else if (dso->binary_type == DSO_BINARY_TYPE__OOL)
+ else
+#endif
+ if (dso->binary_type == DSO_BINARY_TYPE__OOL)
*ret = DSO__DATA_CACHE_SIZE;
else
*ret = file_read(dso, machine, cache_offset, cache->data);
@@ -1018,10 +1024,10 @@ int dso__data_file_size(struct dso *dso, struct machine *machine)
if (dso->data.status == DSO_DATA_STATUS_ERROR)
return -1;
-
+#ifdef HAVE_LIBBPF_SUPPORT
if (dso->binary_type == DSO_BINARY_TYPE__BPF_PROG_INFO)
return bpf_size(dso);
-
+#endif
return file_size(dso, machine);
}
diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
index abb43643c7857..08d641c4e4580 100644
--- a/tools/perf/util/env.c
+++ b/tools/perf/util/env.c
@@ -5,16 +5,18 @@
#include "util/header.h"
#include <linux/ctype.h>
#include <linux/zalloc.h>
-#include "bpf-event.h"
#include "cgroup.h"
#include <errno.h>
#include <sys/utsname.h>
-#include <bpf/libbpf.h>
#include <stdlib.h>
#include <string.h>
struct perf_env perf_env;
+#ifdef HAVE_LIBBPF_SUPPORT
+#include "bpf-event.h"
+#include <bpf/libbpf.h>
+
void perf_env__insert_bpf_prog_info(struct perf_env *env,
struct bpf_prog_info_node *info_node)
{
@@ -182,6 +184,11 @@ static void perf_env__purge_bpf(struct perf_env *env)
up_write(&env->bpf_progs.lock);
}
+#else // HAVE_LIBBPF_SUPPORT
+static void perf_env__purge_bpf(struct perf_env *env __maybe_unused)
+{
+}
+#endif // HAVE_LIBBPF_SUPPORT
void perf_env__exit(struct perf_env *env)
{
@@ -218,11 +225,13 @@ void perf_env__exit(struct perf_env *env)
zfree(&env->memory_nodes);
}
-void perf_env__init(struct perf_env *env)
+void perf_env__init(struct perf_env *env __maybe_unused)
{
+#ifdef HAVE_LIBBPF_SUPPORT
env->bpf_progs.infos = RB_ROOT;
env->bpf_progs.btfs = RB_ROOT;
init_rwsem(&env->bpf_progs.lock);
+#endif
}
int perf_env__set_cmdline(struct perf_env *env, int argc, const char *argv[])
diff --git a/tools/perf/util/env.h b/tools/perf/util/env.h
index 64b63e989472e..b5ddf2ab0e8c6 100644
--- a/tools/perf/util/env.h
+++ b/tools/perf/util/env.h
@@ -77,7 +77,7 @@ struct perf_env {
struct numa_node *numa_nodes;
struct memory_node *memory_nodes;
unsigned long long memory_bsize;
-
+#ifdef HAVE_LIBBPF_SUPPORT
/*
* bpf_info_lock protects bpf rbtrees. This is needed because the
* trees are accessed by different threads in perf-top
@@ -89,7 +89,7 @@ struct perf_env {
struct rb_root btfs;
u32 btfs_cnt;
} bpf_progs;
-
+#endif // HAVE_LIBBPF_SUPPORT
/* same reason as above (for perf-top) */
struct {
struct rw_semaphore lock;
--git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 8d4f35e08905c..94b9c96c29d58 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -19,7 +19,9 @@
#include <sys/utsname.h>
#include <linux/time64.h>
#include <dirent.h>
+#ifdef HAVE_LIBBPF_SUPPORT
#include <bpf/libbpf.h>
+#endif
#include <perf/cpumap.h>
#include "dso.h"
@@ -987,13 +989,6 @@ static int write_bpf_prog_info(struct feat_fd *ff,
up_read(&env->bpf_progs.lock);
return ret;
}
-#else // HAVE_LIBBPF_SUPPORT
-static int write_bpf_prog_info(struct feat_fd *ff __maybe_unused,
- struct evlist *evlist __maybe_unused)
-{
- return 0;
-}
-#endif // HAVE_LIBBPF_SUPPORT
static int write_bpf_btf(struct feat_fd *ff,
struct evlist *evlist __maybe_unused)
@@ -1027,6 +1022,7 @@ static int write_bpf_btf(struct feat_fd *ff,
up_read(&env->bpf_progs.lock);
return ret;
}
+#endif // HAVE_LIBBPF_SUPPORT
static int cpu_cache_level__sort(const void *a, const void *b)
{
@@ -1638,6 +1634,7 @@ static void print_dir_format(struct feat_fd *ff, FILE *fp)
fprintf(fp, "# directory data version : %"PRIu64"\n", data->dir.version);
}
+#ifdef HAVE_LIBBPF_SUPPORT
static void print_bpf_prog_info(struct feat_fd *ff, FILE *fp)
{
struct perf_env *env = &ff->ph->env;
@@ -1683,6 +1680,7 @@ static void print_bpf_btf(struct feat_fd *ff, FILE *fp)
up_read(&env->bpf_progs.lock);
}
+#endif // HAVE_LIBBPF_SUPPORT
static void free_event_desc(struct evsel *events)
{
@@ -2941,12 +2939,6 @@ static int process_bpf_prog_info(struct feat_fd *ff, void *data __maybe_unused)
up_write(&env->bpf_progs.lock);
return err;
}
-#else // HAVE_LIBBPF_SUPPORT
-static int process_bpf_prog_info(struct feat_fd *ff __maybe_unused, void *data __maybe_unused)
-{
- return 0;
-}
-#endif // HAVE_LIBBPF_SUPPORT
static int process_bpf_btf(struct feat_fd *ff, void *data __maybe_unused)
{
@@ -2994,6 +2986,7 @@ static int process_bpf_btf(struct feat_fd *ff, void *data __maybe_unused)
free(node);
return err;
}
+#endif // HAVE_LIBBPF_SUPPORT
static int process_compressed(struct feat_fd *ff,
void *data __maybe_unused)
@@ -3124,8 +3117,10 @@ const struct perf_header_feature_ops feat_ops[HEADER_LAST_FEATURE] = {
FEAT_OPR(MEM_TOPOLOGY, mem_topology, true),
FEAT_OPR(CLOCKID, clockid, false),
FEAT_OPN(DIR_FORMAT, dir_format, false),
+#ifdef HAVE_LIBBPF_SUPPORT
FEAT_OPR(BPF_PROG_INFO, bpf_prog_info, false),
FEAT_OPR(BPF_BTF, bpf_btf, false),
+#endif
FEAT_OPR(COMPRESSED, compressed, false),
FEAT_OPR(CPU_PMU_CAPS, cpu_pmu_caps, false),
FEAT_OPR(CLOCK_DATA, clock_data, false),
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 054/462] perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 053/462] perf env: Conditionally compile BPF support code on having HAVE_LIBBPF_SUPPORT Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 055/462] ktest.pl: Remove unused declarations in run_bisect_test function Greg Kroah-Hartman
` (411 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namhyung Kim, Zhongqiu Han,
Adrian Hunter, Alexander Shishkin, Ian Rogers, Ingo Molnar,
James Clark, Jiri Olsa, Kan Liang, Mark Rutland, Peter Zijlstra,
Song Liu, Yicong Yang, Arnaldo Carvalho de Melo, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhongqiu Han <quic_zhonhan@quicinc.com>
[ Upstream commit 03edb7020bb920f1935c3f30acad0bb27fdb99af ]
If perf_env__insert_bpf_prog_info() returns false due to a duplicate bpf
prog info node insertion, the temporary info_node and info_linear memory
will leak. Add a check to ensure the memory is freed if the function
returns false.
Fixes: d56354dc49091e33 ("perf tools: Save bpf_prog_info and BTF of new BPF programs")
Reviewed-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Song Liu <song@kernel.org>
Cc: Yicong Yang <yangyicong@hisilicon.com>
Link: https://lore.kernel.org/r/20241205084500.823660-4-quic_zhonhan@quicinc.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/bpf-event.c | 10 ++++++++--
tools/perf/util/env.c | 8 ++++++--
tools/perf/util/env.h | 2 +-
3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
index c50d2c7a264fe..c4de19eba3880 100644
--- a/tools/perf/util/bpf-event.c
+++ b/tools/perf/util/bpf-event.c
@@ -280,7 +280,10 @@ static int perf_event__synthesize_one_bpf_prog(struct perf_session *session,
}
info_node->info_linear = info_linear;
- perf_env__insert_bpf_prog_info(env, info_node);
+ if (!perf_env__insert_bpf_prog_info(env, info_node)) {
+ free(info_linear);
+ free(info_node);
+ }
info_linear = NULL;
/*
@@ -468,7 +471,10 @@ static void perf_env__add_bpf_info(struct perf_env *env, u32 id)
info_node = malloc(sizeof(struct bpf_prog_info_node));
if (info_node) {
info_node->info_linear = info_linear;
- perf_env__insert_bpf_prog_info(env, info_node);
+ if (!perf_env__insert_bpf_prog_info(env, info_node)) {
+ free(info_linear);
+ free(info_node);
+ }
} else
free(info_linear);
diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
index 08d641c4e4580..485ee960debfd 100644
--- a/tools/perf/util/env.c
+++ b/tools/perf/util/env.c
@@ -17,12 +17,16 @@ struct perf_env perf_env;
#include "bpf-event.h"
#include <bpf/libbpf.h>
-void perf_env__insert_bpf_prog_info(struct perf_env *env,
+bool perf_env__insert_bpf_prog_info(struct perf_env *env,
struct bpf_prog_info_node *info_node)
{
+ bool ret;
+
down_write(&env->bpf_progs.lock);
- __perf_env__insert_bpf_prog_info(env, info_node);
+ ret = __perf_env__insert_bpf_prog_info(env, info_node);
up_write(&env->bpf_progs.lock);
+
+ return ret;
}
bool __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info_node *info_node)
diff --git a/tools/perf/util/env.h b/tools/perf/util/env.h
index b5ddf2ab0e8c6..76c918544db1b 100644
--- a/tools/perf/util/env.h
+++ b/tools/perf/util/env.h
@@ -141,7 +141,7 @@ int perf_env__nr_cpus_avail(struct perf_env *env);
void perf_env__init(struct perf_env *env);
bool __perf_env__insert_bpf_prog_info(struct perf_env *env,
struct bpf_prog_info_node *info_node);
-void perf_env__insert_bpf_prog_info(struct perf_env *env,
+bool perf_env__insert_bpf_prog_info(struct perf_env *env,
struct bpf_prog_info_node *info_node);
struct bpf_prog_info_node *perf_env__find_bpf_prog_info(struct perf_env *env,
__u32 prog_id);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 055/462] ktest.pl: Remove unused declarations in run_bisect_test function
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 054/462] perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 056/462] padata: fix sysfs store callback check Greg Kroah-Hartman
` (410 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ba Jing, Steven Rostedt, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ba Jing <bajing@cmss.chinamobile.com>
[ Upstream commit 776735b954f49f85fd19e1198efa421fae2ad77c ]
Since $output and $ret are not used in the subsequent code, the declarations
should be removed.
Fixes: a75fececff3c ("ktest: Added sample.conf, new %default option format")
Link: https://lore.kernel.org/20240902130735.6034-1-bajing@cmss.chinamobile.com
Signed-off-by: Ba Jing <bajing@cmss.chinamobile.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 2 --
1 file changed, 2 deletions(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index f260b455b74d4..72101e172e073 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -2892,8 +2892,6 @@ sub run_bisect_test {
my $failed = 0;
my $result;
- my $output;
- my $ret;
$in_bisect = 1;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 056/462] padata: fix sysfs store callback check
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 055/462] ktest.pl: Remove unused declarations in run_bisect_test function Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 057/462] perf top: Dont complain about lack of vmlinux when not resolving some kernel samples Greg Kroah-Hartman
` (409 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Herbert Xu,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit 9ff6e943bce67d125781fe4780a5d6f072dc44c0 ]
padata_sysfs_store() was copied from padata_sysfs_show() but this check
was not adapted. Today there is no attribute which can fail this
check, but if there is one it may as well be correct.
Fixes: 5e017dc3f8bc ("padata: Added sysfs primitives to padata subsystem")
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/padata.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/padata.c b/kernel/padata.c
index 914a88d9cee14..a2badc5dd922e 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -972,7 +972,7 @@ static ssize_t padata_sysfs_store(struct kobject *kobj, struct attribute *attr,
pinst = kobj2pinst(kobj);
pentry = attr2pentry(attr);
- if (pentry->show)
+ if (pentry->store)
ret = pentry->store(pinst, attr, buf, count);
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 057/462] perf top: Dont complain about lack of vmlinux when not resolving some kernel samples
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 056/462] padata: fix sysfs store callback check Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 058/462] perf report: Fix misleading help message about --demangle Greg Kroah-Hartman
` (408 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namhyung Kim, Adrian Hunter,
Ian Rogers, Christophe Leroy, James Clark, Jiri Olsa, Kan Liang,
Arnaldo Carvalho de Melo, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit 058b38ccd2af9e5c95590b018e8425fa148d7aca ]
Recently we got a case where a kernel sample wasn't being resolved due
to a bug that was not setting the end address on kernel functions
implemented in assembly (see Link: tag), and then those were not being
found by machine__resolve() -> map__find_symbol().
So we ended up with:
# perf top --stdio
PerfTop: 0 irqs/s kernel: 0% exact: 0% lost: 0/0 drop: 0/0 [cycles/P]
-----------------------------------------------------------------------
Warning:
A vmlinux file was not found.
Kernel samples will not be resolved.
^Z
[1]+ Stopped perf top --stdio
#
But then resolving all other kernel symbols.
So just fixup the logic to only print that warning when there are no
symbols in the kernel map.
Fixes: d88205db9caa0e9d ("perf dso: Add dso__has_symbols() method")
Reviewed-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Link: https://lore.kernel.org/lkml/Z3buKhcCsZi3_aGb@x1
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-top.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c
index ee30372f77133..f14970acc6ba8 100644
--- a/tools/perf/builtin-top.c
+++ b/tools/perf/builtin-top.c
@@ -809,7 +809,7 @@ static void perf_event__process_sample(struct perf_tool *tool,
* invalid --vmlinux ;-)
*/
if (!machine->kptr_restrict_warned && !top->vmlinux_warned &&
- __map__is_kernel(al.map) && map__has_symbols(al.map)) {
+ __map__is_kernel(al.map) && !map__has_symbols(al.map)) {
if (symbol_conf.vmlinux_name) {
char serr[256];
dso__strerror_load(al.map->dso, serr, sizeof(serr));
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 058/462] perf report: Fix misleading help message about --demangle
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 057/462] perf top: Dont complain about lack of vmlinux when not resolving some kernel samples Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 059/462] bpf: Send signals asynchronously if !preemptible Greg Kroah-Hartman
` (407 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namhyung Kim, Jiachen Zhang,
Adrian Hunter, Alexander Shishkin, Ian Rogers, Ingo Molnar,
Jiri Olsa, Kan Liang, Mark Rutland, Namhyung Kim, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiachen Zhang <me@jcix.top>
[ Upstream commit ac0ac75189a4d6a29a2765a7adbb62bc6cc650c7 ]
The wrong help message may mislead users. This commit fixes it.
Fixes: 328ccdace8855289 ("perf report: Add --no-demangle option")
Reviewed-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Jiachen Zhang <me@jcix.top>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung.kim@lge.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20250109152220.1869581-1-me@jcix.top
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-report.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c
index b55ee073c2f72..575ad3c4fb373 100644
--- a/tools/perf/builtin-report.c
+++ b/tools/perf/builtin-report.c
@@ -1276,7 +1276,7 @@ int cmd_report(int argc, const char **argv)
OPT_STRING(0, "objdump", &report.annotation_opts.objdump_path, "path",
"objdump binary to use for disassembly and annotations"),
OPT_BOOLEAN(0, "demangle", &symbol_conf.demangle,
- "Disable symbol demangling"),
+ "Symbol demangling. Enabled by default, use --no-demangle to disable."),
OPT_BOOLEAN(0, "demangle-kernel", &symbol_conf.demangle_kernel,
"Enable kernel symbol demangling"),
OPT_BOOLEAN(0, "mem-mode", &report.mem_mode, "mem access profile"),
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 059/462] bpf: Send signals asynchronously if !preemptible
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 058/462] perf report: Fix misleading help message about --demangle Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 060/462] padata: fix UAF in padata_reorder Greg Kroah-Hartman
` (406 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+97da3d7e0112d59971de,
Puranjay Mohan, Yonghong Song, Alexei Starovoitov, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit 87c544108b612512b254c8f79aa5c0a8546e2cc4 ]
BPF programs can execute in all kinds of contexts and when a program
running in a non-preemptible context uses the bpf_send_signal() kfunc,
it will cause issues because this kfunc can sleep.
Change `irqs_disabled()` to `!preemptible()`.
Reported-by: syzbot+97da3d7e0112d59971de@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67486b09.050a0220.253251.0084.GAE@google.com/
Fixes: 1bc7896e9ef4 ("bpf: Fix deadlock with rq_lock in bpf_send_signal()")
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20250115103647.38487-1-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/bpf_trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 71e0c1bc9759e..1656a7d9bb697 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1081,7 +1081,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type)
if (unlikely(is_global_init(current)))
return -EPERM;
- if (irqs_disabled()) {
+ if (!preemptible()) {
/* Do an early check on signal validity. Otherwise,
* the error is lost in deferred irq_work.
*/
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 060/462] padata: fix UAF in padata_reorder
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 059/462] bpf: Send signals asynchronously if !preemptible Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 061/462] padata: add pd get/put refcnt helper Greg Kroah-Hartman
` (405 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ridong, Qu Zicheng,
Daniel Jordan, Herbert Xu, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ridong <chenridong@huawei.com>
[ Upstream commit e01780ea4661172734118d2a5f41bc9720765668 ]
A bug was found when run ltp test:
BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0
Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker
Call Trace:
<TASK>
dump_stack_lvl+0x32/0x50
print_address_description.constprop.0+0x6b/0x3d0
print_report+0xdd/0x2c0
kasan_report+0xa5/0xd0
padata_find_next+0x29/0x1a0
padata_reorder+0x131/0x220
padata_parallel_worker+0x3d/0xc0
process_one_work+0x2ec/0x5a0
If 'mdelay(10)' is added before calling 'padata_find_next' in the
'padata_reorder' function, this issue could be reproduced easily with
ltp test (pcrypt_aead01).
This can be explained as bellow:
pcrypt_aead_encrypt
...
padata_do_parallel
refcount_inc(&pd->refcnt); // add refcnt
...
padata_do_serial
padata_reorder // pd
while (1) {
padata_find_next(pd, true); // using pd
queue_work_on
...
padata_serial_worker crypto_del_alg
padata_put_pd_cnt // sub refcnt
padata_free_shell
padata_put_pd(ps->pd);
// pd is freed
// loop again, but pd is freed
// call padata_find_next, UAF
}
In the padata_reorder function, when it loops in 'while', if the alg is
deleted, the refcnt may be decreased to 0 before entering
'padata_find_next', which leads to UAF.
As mentioned in [1], do_serial is supposed to be called with BHs disabled
and always happen under RCU protection, to address this issue, add
synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls
to finish.
[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/
[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/
Fixes: b128a3040935 ("padata: allocate workqueue internally")
Signed-off-by: Chen Ridong <chenridong@huawei.com>
Signed-off-by: Qu Zicheng <quzicheng@huawei.com>
Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/padata.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/padata.c b/kernel/padata.c
index a2badc5dd922e..e4e0121ef3da2 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -1123,6 +1123,12 @@ void padata_free_shell(struct padata_shell *ps)
if (!ps)
return;
+ /*
+ * Wait for all _do_serial calls to finish to avoid touching
+ * freed pd's and ps's.
+ */
+ synchronize_rcu();
+
mutex_lock(&ps->pinst->lock);
list_del(&ps->list);
pd = rcu_dereference_protected(ps->pd, 1);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 061/462] padata: add pd get/put refcnt helper
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 060/462] padata: fix UAF in padata_reorder Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 062/462] padata: avoid UAF for reorder_work Greg Kroah-Hartman
` (404 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ridong, Daniel Jordan,
Herbert Xu, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ridong <chenridong@huawei.com>
[ Upstream commit ae154202cc6a189b035359f3c4e143d5c24d5352 ]
Add helpers for pd to get/put refcnt to make code consice.
Signed-off-by: Chen Ridong <chenridong@huawei.com>
Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: dd7d37ccf6b1 ("padata: avoid UAF for reorder_work")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/padata.c | 27 ++++++++++++++++++++-------
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/kernel/padata.c b/kernel/padata.c
index e4e0121ef3da2..02bb06a2c797d 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -60,6 +60,22 @@ struct padata_mt_job_state {
static void padata_free_pd(struct parallel_data *pd);
static void __init padata_mt_helper(struct work_struct *work);
+static inline void padata_get_pd(struct parallel_data *pd)
+{
+ refcount_inc(&pd->refcnt);
+}
+
+static inline void padata_put_pd_cnt(struct parallel_data *pd, int cnt)
+{
+ if (refcount_sub_and_test(cnt, &pd->refcnt))
+ padata_free_pd(pd);
+}
+
+static inline void padata_put_pd(struct parallel_data *pd)
+{
+ padata_put_pd_cnt(pd, 1);
+}
+
static int padata_index_to_cpu(struct parallel_data *pd, int cpu_index)
{
int cpu, target_cpu;
@@ -211,7 +227,7 @@ int padata_do_parallel(struct padata_shell *ps,
if ((pinst->flags & PADATA_RESET))
goto out;
- refcount_inc(&pd->refcnt);
+ padata_get_pd(pd);
padata->pd = pd;
padata->cb_cpu = *cb_cpu;
@@ -385,8 +401,7 @@ static void padata_serial_worker(struct work_struct *serial_work)
}
local_bh_enable();
- if (refcount_sub_and_test(cnt, &pd->refcnt))
- padata_free_pd(pd);
+ padata_put_pd_cnt(pd, cnt);
}
/**
@@ -683,8 +698,7 @@ static int padata_replace(struct padata_instance *pinst)
synchronize_rcu();
list_for_each_entry_continue_reverse(ps, &pinst->pslist, list)
- if (refcount_dec_and_test(&ps->opd->refcnt))
- padata_free_pd(ps->opd);
+ padata_put_pd(ps->opd);
pinst->flags &= ~PADATA_RESET;
@@ -1132,8 +1146,7 @@ void padata_free_shell(struct padata_shell *ps)
mutex_lock(&ps->pinst->lock);
list_del(&ps->list);
pd = rcu_dereference_protected(ps->pd, 1);
- if (refcount_dec_and_test(&pd->refcnt))
- padata_free_pd(pd);
+ padata_put_pd(pd);
mutex_unlock(&ps->pinst->lock);
kfree(ps);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 062/462] padata: avoid UAF for reorder_work
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 061/462] padata: add pd get/put refcnt helper Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 063/462] arm64: dts: mediatek: mt8516: fix GICv2 range Greg Kroah-Hartman
` (403 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ridong, Daniel Jordan,
Herbert Xu, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ridong <chenridong@huawei.com>
[ Upstream commit dd7d37ccf6b11f3d95e797ebe4e9e886d0332600 ]
Although the previous patch can avoid ps and ps UAF for _do_serial, it
can not avoid potential UAF issue for reorder_work. This issue can
happen just as below:
crypto_request crypto_request crypto_del_alg
padata_do_serial
...
padata_reorder
// processes all remaining
// requests then breaks
while (1) {
if (!padata)
break;
...
}
padata_do_serial
// new request added
list_add
// sees the new request
queue_work(reorder_work)
padata_reorder
queue_work_on(squeue->work)
...
<kworker context>
padata_serial_worker
// completes new request,
// no more outstanding
// requests
crypto_del_alg
// free pd
<kworker context>
invoke_padata_reorder
// UAF of pd
To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work'
into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.
Fixes: bbefa1dd6a6d ("crypto: pcrypt - Avoid deadlock by using per-instance padata queues")
Signed-off-by: Chen Ridong <chenridong@huawei.com>
Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/padata.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/kernel/padata.c b/kernel/padata.c
index 02bb06a2c797d..c7aa60907fdf8 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -357,8 +357,14 @@ static void padata_reorder(struct parallel_data *pd)
smp_mb();
reorder = per_cpu_ptr(pd->reorder_list, pd->cpu);
- if (!list_empty(&reorder->list) && padata_find_next(pd, false))
+ if (!list_empty(&reorder->list) && padata_find_next(pd, false)) {
+ /*
+ * Other context(eg. the padata_serial_worker) can finish the request.
+ * To avoid UAF issue, add pd ref here, and put pd ref after reorder_work finish.
+ */
+ padata_get_pd(pd);
queue_work(pinst->serial_wq, &pd->reorder_work);
+ }
}
static void invoke_padata_reorder(struct work_struct *work)
@@ -369,6 +375,8 @@ static void invoke_padata_reorder(struct work_struct *work)
pd = container_of(work, struct parallel_data, reorder_work);
padata_reorder(pd);
local_bh_enable();
+ /* Pairs with putting the reorder_work in the serial_wq */
+ padata_put_pd(pd);
}
static void padata_serial_worker(struct work_struct *serial_work)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 063/462] arm64: dts: mediatek: mt8516: fix GICv2 range
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 062/462] padata: avoid UAF for reorder_work Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 064/462] arm64: dts: mediatek: mt8516: fix wdt irq type Greg Kroah-Hartman
` (402 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett,
AngeloGioacchino Del Regno, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit e3ee31e4409f051c021a30122f3c470f093a7386 ]
On the MT8167 which is based on the MT8516 DTS, the following error
was appearing on boot, breaking interrupt operation:
GICv2 detected, but range too small and irqchip.gicv2_force_probe not set
Similar to what's been proposed for MT7622 which has the same issue,
fix by using the range reported by force_probe.
Link: https://lore.kernel.org/all/YmhNSLgp%2Fyg8Vr1F@makrotopia.org/
Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516")
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20241204190524.21862-2-val@packett.cool
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8516.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
index 89af661e7f631..6d2804065ca89 100644
--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
@@ -262,7 +262,7 @@
interrupt-parent = <&gic>;
interrupt-controller;
reg = <0 0x10310000 0 0x1000>,
- <0 0x10320000 0 0x1000>,
+ <0 0x1032f000 0 0x2000>,
<0 0x10340000 0 0x2000>,
<0 0x10360000 0 0x2000>;
interrupts = <GIC_PPI 9
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 064/462] arm64: dts: mediatek: mt8516: fix wdt irq type
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 063/462] arm64: dts: mediatek: mt8516: fix GICv2 range Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 065/462] arm64: dts: mediatek: mt8516: remove 2 invalid i2c clocks Greg Kroah-Hartman
` (401 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett,
AngeloGioacchino Del Regno, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 03a80442030e7147391738fb6cbe5fa0b3b91bb1 ]
The GICv2 does not support EDGE_FALLING interrupts, so the watchdog
would refuse to attach due to a failing check coming from the GIC driver.
Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516")
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20241204190524.21862-3-val@packett.cool
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8516.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
index 6d2804065ca89..247e89ee2f88e 100644
--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
@@ -206,7 +206,7 @@
compatible = "mediatek,mt8516-wdt",
"mediatek,mt6589-wdt";
reg = <0 0x10007000 0 0x1000>;
- interrupts = <GIC_SPI 198 IRQ_TYPE_EDGE_FALLING>;
+ interrupts = <GIC_SPI 198 IRQ_TYPE_LEVEL_LOW>;
#reset-cells = <1>;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 065/462] arm64: dts: mediatek: mt8516: remove 2 invalid i2c clocks
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 064/462] arm64: dts: mediatek: mt8516: fix wdt irq type Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 066/462] arm64: dts: mediatek: mt8516: add i2c clock-div property Greg Kroah-Hartman
` (400 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabien Parent, Matthias Brugger,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabien Parent <fparent@baylibre.com>
[ Upstream commit 9cf6a26ae352a6a150662c0c4ddff87664cc6e3c ]
The two clocks "main-source" and "main-sel" are not present in the
driver and not defined in the binding documentation. Remove them
as they are not used and not described in the documentation.
Signed-off-by: Fabien Parent <fparent@baylibre.com>
Link: https://lore.kernel.org/r/20211110193520.488-1-fparent@baylibre.com
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Stable-dep-of: eb72341fd92b ("arm64: dts: mediatek: mt8516: add i2c clock-div property")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8516.dtsi | 27 ++++++------------------
1 file changed, 6 insertions(+), 21 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
index 247e89ee2f88e..5163dda398d56 100644
--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
@@ -308,14 +308,9 @@
reg = <0 0x11009000 0 0x90>,
<0 0x11000180 0 0x80>;
interrupts = <GIC_SPI 80 IRQ_TYPE_LEVEL_LOW>;
- clocks = <&topckgen CLK_TOP_AHB_INFRA_D2>,
- <&infracfg CLK_IFR_I2C0_SEL>,
- <&topckgen CLK_TOP_I2C0>,
+ clocks = <&topckgen CLK_TOP_I2C0>,
<&topckgen CLK_TOP_APDMA>;
- clock-names = "main-source",
- "main-sel",
- "main",
- "dma";
+ clock-names = "main", "dma";
#address-cells = <1>;
#size-cells = <0>;
status = "disabled";
@@ -327,14 +322,9 @@
reg = <0 0x1100a000 0 0x90>,
<0 0x11000200 0 0x80>;
interrupts = <GIC_SPI 81 IRQ_TYPE_LEVEL_LOW>;
- clocks = <&topckgen CLK_TOP_AHB_INFRA_D2>,
- <&infracfg CLK_IFR_I2C1_SEL>,
- <&topckgen CLK_TOP_I2C1>,
+ clocks = <&topckgen CLK_TOP_I2C1>,
<&topckgen CLK_TOP_APDMA>;
- clock-names = "main-source",
- "main-sel",
- "main",
- "dma";
+ clock-names = "main", "dma";
#address-cells = <1>;
#size-cells = <0>;
status = "disabled";
@@ -346,14 +336,9 @@
reg = <0 0x1100b000 0 0x90>,
<0 0x11000280 0 0x80>;
interrupts = <GIC_SPI 82 IRQ_TYPE_LEVEL_LOW>;
- clocks = <&topckgen CLK_TOP_AHB_INFRA_D2>,
- <&infracfg CLK_IFR_I2C2_SEL>,
- <&topckgen CLK_TOP_I2C2>,
+ clocks = <&topckgen CLK_TOP_I2C2>,
<&topckgen CLK_TOP_APDMA>;
- clock-names = "main-source",
- "main-sel",
- "main",
- "dma";
+ clock-names = "main", "dma";
#address-cells = <1>;
#size-cells = <0>;
status = "disabled";
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 066/462] arm64: dts: mediatek: mt8516: add i2c clock-div property
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 065/462] arm64: dts: mediatek: mt8516: remove 2 invalid i2c clocks Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 067/462] arm64: dts: mediatek: mt8516: reserve 192 KiB for TF-A Greg Kroah-Hartman
` (399 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett,
AngeloGioacchino Del Regno, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit eb72341fd92b7af510d236e5a8554d855ed38d3c ]
Move the clock-div property from the pumpkin board dtsi to the SoC's
since it belongs to the SoC itself and is required on other devices.
Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516")
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20241204190524.21862-4-val@packett.cool
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8516.dtsi | 3 +++
arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi | 2 --
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
index 5163dda398d56..383ae46891ec2 100644
--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
@@ -308,6 +308,7 @@
reg = <0 0x11009000 0 0x90>,
<0 0x11000180 0 0x80>;
interrupts = <GIC_SPI 80 IRQ_TYPE_LEVEL_LOW>;
+ clock-div = <2>;
clocks = <&topckgen CLK_TOP_I2C0>,
<&topckgen CLK_TOP_APDMA>;
clock-names = "main", "dma";
@@ -322,6 +323,7 @@
reg = <0 0x1100a000 0 0x90>,
<0 0x11000200 0 0x80>;
interrupts = <GIC_SPI 81 IRQ_TYPE_LEVEL_LOW>;
+ clock-div = <2>;
clocks = <&topckgen CLK_TOP_I2C1>,
<&topckgen CLK_TOP_APDMA>;
clock-names = "main", "dma";
@@ -336,6 +338,7 @@
reg = <0 0x1100b000 0 0x90>,
<0 0x11000280 0 0x80>;
interrupts = <GIC_SPI 82 IRQ_TYPE_LEVEL_LOW>;
+ clock-div = <2>;
clocks = <&topckgen CLK_TOP_I2C2>,
<&topckgen CLK_TOP_APDMA>;
clock-names = "main", "dma";
diff --git a/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi b/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
index d5059735c5940..e5e3a3969145b 100644
--- a/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
+++ b/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
@@ -48,7 +48,6 @@
};
&i2c0 {
- clock-div = <2>;
pinctrl-names = "default";
pinctrl-0 = <&i2c0_pins_a>;
status = "okay";
@@ -157,7 +156,6 @@
};
&i2c2 {
- clock-div = <2>;
pinctrl-names = "default";
pinctrl-0 = <&i2c2_pins_a>;
status = "okay";
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 067/462] arm64: dts: mediatek: mt8516: reserve 192 KiB for TF-A
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 066/462] arm64: dts: mediatek: mt8516: add i2c clock-div property Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 068/462] RDMA/mlx4: Avoid false error about access to uninitialized gids array Greg Kroah-Hartman
` (398 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett,
AngeloGioacchino Del Regno, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 2561c7d5d497b988deccc36fe5eac7fd50b937f8 ]
The Android DTB for the related MT8167 reserves 0x30000. This is likely
correct for MT8516 Android devices as well, and there's never any harm
in reserving 64KiB more.
Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516")
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20241204190524.21862-5-val@packett.cool
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8516.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
index 383ae46891ec2..afb66d1439511 100644
--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
@@ -144,10 +144,10 @@
#size-cells = <2>;
ranges;
- /* 128 KiB reserved for ARM Trusted Firmware (BL31) */
+ /* 192 KiB reserved for ARM Trusted Firmware (BL31) */
bl31_secmon_reserved: secmon@43000000 {
no-map;
- reg = <0 0x43000000 0 0x20000>;
+ reg = <0 0x43000000 0 0x30000>;
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 068/462] RDMA/mlx4: Avoid false error about access to uninitialized gids array
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 067/462] arm64: dts: mediatek: mt8516: reserve 192 KiB for TF-A Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 069/462] rdma/cxgb4: Prevent potential integer overflow on 32bit Greg Kroah-Hartman
` (397 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Leon Romanovsky, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@nvidia.com>
[ Upstream commit 1f53d88cbb0dcc7df235bf6611ae632b254fccd8 ]
Smatch generates the following false error report:
drivers/infiniband/hw/mlx4/main.c:393 mlx4_ib_del_gid() error: uninitialized symbol 'gids'.
Traditionally, we are not changing kernel code and asking people to fix
the tools. However in this case, the fix can be done by simply rearranging
the code to be more clear.
Fixes: e26be1bfef81 ("IB/mlx4: Implement ib_device callbacks")
Link: https://patch.msgid.link/6a3a1577463da16962463fcf62883a87506e9b62.1733233426.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/mlx4/main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
index c62cdd6456962..0c49f3f5e6247 100644
--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -391,10 +391,10 @@ static int mlx4_ib_del_gid(const struct ib_gid_attr *attr, void **context)
}
spin_unlock_bh(&iboe->lock);
- if (!ret && hw_update) {
+ if (gids)
ret = mlx4_ib_update_gids(gids, ibdev, attr->port_num);
- kfree(gids);
- }
+
+ kfree(gids);
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 069/462] rdma/cxgb4: Prevent potential integer overflow on 32bit
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 068/462] RDMA/mlx4: Avoid false error about access to uninitialized gids array Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 070/462] arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property Greg Kroah-Hartman
` (396 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Jason Gunthorpe,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit bd96a3935e89486304461a21752f824fc25e0f0b ]
The "gl->tot_len" variable is controlled by the user. It comes from
process_responses(). On 32bit systems, the "gl->tot_len + sizeof(struct
cpl_pass_accept_req) + sizeof(struct rss_header)" addition could have an
integer wrapping bug. Use size_add() to prevent this.
Fixes: 1cab775c3e75 ("RDMA/cxgb4: Fix LE hash collision bug for passive open connection")
Link: https://patch.msgid.link/r/86b404e1-4a75-4a35-a34e-e3054fa554c7@stanley.mountain
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/cxgb4/device.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/cxgb4/device.c b/drivers/infiniband/hw/cxgb4/device.c
index 541dbcf22d0eb..13e4b2c40d835 100644
--- a/drivers/infiniband/hw/cxgb4/device.c
+++ b/drivers/infiniband/hw/cxgb4/device.c
@@ -1114,8 +1114,10 @@ static inline struct sk_buff *copy_gl_to_skb_pkt(const struct pkt_gl *gl,
* The math here assumes sizeof cpl_pass_accept_req >= sizeof
* cpl_rx_pkt.
*/
- skb = alloc_skb(gl->tot_len + sizeof(struct cpl_pass_accept_req) +
- sizeof(struct rss_header) - pktshift, GFP_ATOMIC);
+ skb = alloc_skb(size_add(gl->tot_len,
+ sizeof(struct cpl_pass_accept_req) +
+ sizeof(struct rss_header)) - pktshift,
+ GFP_ATOMIC);
if (unlikely(!skb))
return NULL;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 070/462] arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 069/462] rdma/cxgb4: Prevent potential integer overflow on 32bit Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 071/462] arm64: dts: mediatek: mt8173-elm: " Greg Kroah-Hartman
` (395 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai,
AngeloGioacchino Del Regno, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit a6d5983e40f5d5b219337569cdd269727f5a3e2e ]
The "regulator-compatible" property has been deprecated since 2012 in
commit 13511def87b9 ("regulator: deprecate regulator-compatible DT
property"), which is so old it's not even mentioned in the converted
regulator bindings YAML file. It is also not listed in the MT6397
regulator bindings. Having them present produces a whole bunch of
validation errors:
Unevaluated properties are not allowed ('regulator-compatible' was unexpected)
Drop the "regulator-compatible" property from the board dts. The
property values are the same as the node name, so everything should
continue to work.
Fixes: 16ea61fc5614 ("arm64: dts: mt8173-evb: Add PMIC support")
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20241211052427.4178367-3-wenst@chromium.org
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8173-evb.dts | 23 ---------------------
1 file changed, 23 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
index 2b66afcf026e1..66f0e5b24fda4 100644
--- a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
+++ b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
@@ -307,7 +307,6 @@
compatible = "mediatek,mt6397-regulator";
mt6397_vpca15_reg: buck_vpca15 {
- regulator-compatible = "buck_vpca15";
regulator-name = "vpca15";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -316,7 +315,6 @@
};
mt6397_vpca7_reg: buck_vpca7 {
- regulator-compatible = "buck_vpca7";
regulator-name = "vpca7";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -325,7 +323,6 @@
};
mt6397_vsramca15_reg: buck_vsramca15 {
- regulator-compatible = "buck_vsramca15";
regulator-name = "vsramca15";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -334,7 +331,6 @@
};
mt6397_vsramca7_reg: buck_vsramca7 {
- regulator-compatible = "buck_vsramca7";
regulator-name = "vsramca7";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -343,7 +339,6 @@
};
mt6397_vcore_reg: buck_vcore {
- regulator-compatible = "buck_vcore";
regulator-name = "vcore";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -352,7 +347,6 @@
};
mt6397_vgpu_reg: buck_vgpu {
- regulator-compatible = "buck_vgpu";
regulator-name = "vgpu";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -361,7 +355,6 @@
};
mt6397_vdrm_reg: buck_vdrm {
- regulator-compatible = "buck_vdrm";
regulator-name = "vdrm";
regulator-min-microvolt = <1200000>;
regulator-max-microvolt = <1400000>;
@@ -370,7 +363,6 @@
};
mt6397_vio18_reg: buck_vio18 {
- regulator-compatible = "buck_vio18";
regulator-name = "vio18";
regulator-min-microvolt = <1620000>;
regulator-max-microvolt = <1980000>;
@@ -379,19 +371,16 @@
};
mt6397_vtcxo_reg: ldo_vtcxo {
- regulator-compatible = "ldo_vtcxo";
regulator-name = "vtcxo";
regulator-always-on;
};
mt6397_va28_reg: ldo_va28 {
- regulator-compatible = "ldo_va28";
regulator-name = "va28";
regulator-always-on;
};
mt6397_vcama_reg: ldo_vcama {
- regulator-compatible = "ldo_vcama";
regulator-name = "vcama";
regulator-min-microvolt = <1500000>;
regulator-max-microvolt = <2800000>;
@@ -399,18 +388,15 @@
};
mt6397_vio28_reg: ldo_vio28 {
- regulator-compatible = "ldo_vio28";
regulator-name = "vio28";
regulator-always-on;
};
mt6397_vusb_reg: ldo_vusb {
- regulator-compatible = "ldo_vusb";
regulator-name = "vusb";
};
mt6397_vmc_reg: ldo_vmc {
- regulator-compatible = "ldo_vmc";
regulator-name = "vmc";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <3300000>;
@@ -418,7 +404,6 @@
};
mt6397_vmch_reg: ldo_vmch {
- regulator-compatible = "ldo_vmch";
regulator-name = "vmch";
regulator-min-microvolt = <3000000>;
regulator-max-microvolt = <3300000>;
@@ -426,7 +411,6 @@
};
mt6397_vemc_3v3_reg: ldo_vemc3v3 {
- regulator-compatible = "ldo_vemc3v3";
regulator-name = "vemc_3v3";
regulator-min-microvolt = <3000000>;
regulator-max-microvolt = <3300000>;
@@ -434,7 +418,6 @@
};
mt6397_vgp1_reg: ldo_vgp1 {
- regulator-compatible = "ldo_vgp1";
regulator-name = "vcamd";
regulator-min-microvolt = <1220000>;
regulator-max-microvolt = <3300000>;
@@ -442,7 +425,6 @@
};
mt6397_vgp2_reg: ldo_vgp2 {
- regulator-compatible = "ldo_vgp2";
regulator-name = "vcamio";
regulator-min-microvolt = <1000000>;
regulator-max-microvolt = <3300000>;
@@ -450,7 +432,6 @@
};
mt6397_vgp3_reg: ldo_vgp3 {
- regulator-compatible = "ldo_vgp3";
regulator-name = "vcamaf";
regulator-min-microvolt = <1200000>;
regulator-max-microvolt = <3300000>;
@@ -458,7 +439,6 @@
};
mt6397_vgp4_reg: ldo_vgp4 {
- regulator-compatible = "ldo_vgp4";
regulator-name = "vgp4";
regulator-min-microvolt = <1200000>;
regulator-max-microvolt = <3300000>;
@@ -466,7 +446,6 @@
};
mt6397_vgp5_reg: ldo_vgp5 {
- regulator-compatible = "ldo_vgp5";
regulator-name = "vgp5";
regulator-min-microvolt = <1200000>;
regulator-max-microvolt = <3000000>;
@@ -474,7 +453,6 @@
};
mt6397_vgp6_reg: ldo_vgp6 {
- regulator-compatible = "ldo_vgp6";
regulator-name = "vgp6";
regulator-min-microvolt = <1200000>;
regulator-max-microvolt = <3300000>;
@@ -482,7 +460,6 @@
};
mt6397_vibr_reg: ldo_vibr {
- regulator-compatible = "ldo_vibr";
regulator-name = "vibr";
regulator-min-microvolt = <1300000>;
regulator-max-microvolt = <3300000>;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 071/462] arm64: dts: mediatek: mt8173-elm: Drop regulator-compatible property
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 070/462] arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 072/462] arm64: dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names Greg Kroah-Hartman
` (394 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai,
AngeloGioacchino Del Regno, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit 4b907b3ea5fba240808136cc5599d14b52230b39 ]
The "regulator-compatible" property has been deprecated since 2012 in
commit 13511def87b9 ("regulator: deprecate regulator-compatible DT
property"), which is so old it's not even mentioned in the converted
regulator bindings YAML file. It is also not listed in the MT6397
regulator bindings. Having them present produces a whole bunch of
validation errors:
Unevaluated properties are not allowed ('regulator-compatible' was unexpected)
Drop the "regulator-compatible" property from the board dts. The
property values are the same as the node name, so everything should
continue to work.
Fixes: 689b937bedde ("arm64: dts: mediatek: add mt8173 elm and hana board")
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20241211052427.4178367-4-wenst@chromium.org
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi | 23 --------------------
1 file changed, 23 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
index 44a0346133cde..908b87735819e 100644
--- a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
@@ -921,7 +921,6 @@
compatible = "mediatek,mt6397-regulator";
mt6397_vpca15_reg: buck_vpca15 {
- regulator-compatible = "buck_vpca15";
regulator-name = "vpca15";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -931,7 +930,6 @@
};
mt6397_vpca7_reg: buck_vpca7 {
- regulator-compatible = "buck_vpca7";
regulator-name = "vpca7";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -941,7 +939,6 @@
};
mt6397_vsramca15_reg: buck_vsramca15 {
- regulator-compatible = "buck_vsramca15";
regulator-name = "vsramca15";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -950,7 +947,6 @@
};
mt6397_vsramca7_reg: buck_vsramca7 {
- regulator-compatible = "buck_vsramca7";
regulator-name = "vsramca7";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -959,7 +955,6 @@
};
mt6397_vcore_reg: buck_vcore {
- regulator-compatible = "buck_vcore";
regulator-name = "vcore";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -968,7 +963,6 @@
};
mt6397_vgpu_reg: buck_vgpu {
- regulator-compatible = "buck_vgpu";
regulator-name = "vgpu";
regulator-min-microvolt = < 700000>;
regulator-max-microvolt = <1350000>;
@@ -977,7 +971,6 @@
};
mt6397_vdrm_reg: buck_vdrm {
- regulator-compatible = "buck_vdrm";
regulator-name = "vdrm";
regulator-min-microvolt = <1200000>;
regulator-max-microvolt = <1400000>;
@@ -986,7 +979,6 @@
};
mt6397_vio18_reg: buck_vio18 {
- regulator-compatible = "buck_vio18";
regulator-name = "vio18";
regulator-min-microvolt = <1620000>;
regulator-max-microvolt = <1980000>;
@@ -995,18 +987,15 @@
};
mt6397_vtcxo_reg: ldo_vtcxo {
- regulator-compatible = "ldo_vtcxo";
regulator-name = "vtcxo";
regulator-always-on;
};
mt6397_va28_reg: ldo_va28 {
- regulator-compatible = "ldo_va28";
regulator-name = "va28";
};
mt6397_vcama_reg: ldo_vcama {
- regulator-compatible = "ldo_vcama";
regulator-name = "vcama";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
@@ -1014,18 +1003,15 @@
};
mt6397_vio28_reg: ldo_vio28 {
- regulator-compatible = "ldo_vio28";
regulator-name = "vio28";
regulator-always-on;
};
mt6397_vusb_reg: ldo_vusb {
- regulator-compatible = "ldo_vusb";
regulator-name = "vusb";
};
mt6397_vmc_reg: ldo_vmc {
- regulator-compatible = "ldo_vmc";
regulator-name = "vmc";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <3300000>;
@@ -1033,7 +1019,6 @@
};
mt6397_vmch_reg: ldo_vmch {
- regulator-compatible = "ldo_vmch";
regulator-name = "vmch";
regulator-min-microvolt = <3000000>;
regulator-max-microvolt = <3300000>;
@@ -1041,7 +1026,6 @@
};
mt6397_vemc_3v3_reg: ldo_vemc3v3 {
- regulator-compatible = "ldo_vemc3v3";
regulator-name = "vemc_3v3";
regulator-min-microvolt = <3000000>;
regulator-max-microvolt = <3300000>;
@@ -1049,7 +1033,6 @@
};
mt6397_vgp1_reg: ldo_vgp1 {
- regulator-compatible = "ldo_vgp1";
regulator-name = "vcamd";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
@@ -1057,7 +1040,6 @@
};
mt6397_vgp2_reg: ldo_vgp2 {
- regulator-compatible = "ldo_vgp2";
regulator-name = "vcamio";
regulator-min-microvolt = <3300000>;
regulator-max-microvolt = <3300000>;
@@ -1065,7 +1047,6 @@
};
mt6397_vgp3_reg: ldo_vgp3 {
- regulator-compatible = "ldo_vgp3";
regulator-name = "vcamaf";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
@@ -1073,7 +1054,6 @@
};
mt6397_vgp4_reg: ldo_vgp4 {
- regulator-compatible = "ldo_vgp4";
regulator-name = "vgp4";
regulator-min-microvolt = <1200000>;
regulator-max-microvolt = <3300000>;
@@ -1081,7 +1061,6 @@
};
mt6397_vgp5_reg: ldo_vgp5 {
- regulator-compatible = "ldo_vgp5";
regulator-name = "vgp5";
regulator-min-microvolt = <1200000>;
regulator-max-microvolt = <3000000>;
@@ -1089,7 +1068,6 @@
};
mt6397_vgp6_reg: ldo_vgp6 {
- regulator-compatible = "ldo_vgp6";
regulator-name = "vgp6";
regulator-min-microvolt = <3300000>;
regulator-max-microvolt = <3300000>;
@@ -1098,7 +1076,6 @@
};
mt6397_vibr_reg: ldo_vibr {
- regulator-compatible = "ldo_vibr";
regulator-name = "vibr";
regulator-min-microvolt = <1300000>;
regulator-max-microvolt = <3300000>;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 072/462] arm64: dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 071/462] arm64: dts: mediatek: mt8173-elm: " Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 073/462] arm64: dts: mediatek: mt8173-evb: " Greg Kroah-Hartman
` (393 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai,
AngeloGioacchino Del Regno, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit beb06b727194f68b0a4b5183e50c88265ce185af ]
The MT6397 PMIC bindings specify exact names for its sub-nodes. The
names used in the current dts don't match, causing a validation error.
Fix up the names. Also drop the label for the regulators node, since
any reference should be against the individual regulator sub-nodes.
Fixes: 689b937bedde ("arm64: dts: mediatek: add mt8173 elm and hana board")
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Link: https://lore.kernel.org/r/20241210092614.3951748-1-wenst@chromium.org
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
index 908b87735819e..3eeeb1b8dbad1 100644
--- a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
@@ -905,7 +905,7 @@
interrupt-controller;
#interrupt-cells = <2>;
- clock: mt6397clock {
+ clock: clocks {
compatible = "mediatek,mt6397-clk";
#clock-cells = <1>;
};
@@ -917,7 +917,7 @@
#gpio-cells = <2>;
};
- regulator: mt6397regulator {
+ regulators {
compatible = "mediatek,mt6397-regulator";
mt6397_vpca15_reg: buck_vpca15 {
@@ -1083,7 +1083,7 @@
};
};
- rtc: mt6397rtc {
+ rtc: rtc {
compatible = "mediatek,mt6397-rtc";
};
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 073/462] arm64: dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 072/462] arm64: dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 074/462] arm64: dts: qcom: msm8916: correct sleep clock frequency Greg Kroah-Hartman
` (392 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai,
AngeloGioacchino Del Regno, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit 9545ba142865b9099d43c972b9ebcf463606499a ]
The MT6397 PMIC bindings specify exact names for its sub-nodes. The
names used in the current dts don't match, causing a validation error.
Fix up the names. Also drop the label for the regulators node, since
any reference should be against the individual regulator sub-nodes.
Fixes: 16ea61fc5614 ("arm64: dts: mt8173-evb: Add PMIC support")
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Link: https://lore.kernel.org/r/20241210092614.3951748-2-wenst@chromium.org
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8173-evb.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
index 66f0e5b24fda4..1158bee050e13 100644
--- a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
+++ b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
@@ -303,7 +303,7 @@
interrupt-controller;
#interrupt-cells = <2>;
- mt6397regulator: mt6397regulator {
+ regulators {
compatible = "mediatek,mt6397-regulator";
mt6397_vpca15_reg: buck_vpca15 {
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 074/462] arm64: dts: qcom: msm8916: correct sleep clock frequency
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 073/462] arm64: dts: mediatek: mt8173-evb: " Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 075/462] arm64: dts: qcom: msm8994: " Greg Kroah-Hartman
` (391 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Bjorn Andersson,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit f088b921890cef28862913e5627bb2e2b5f82125 ]
The MSM8916 platform uses PM8916 to provide sleep clock. According to the
documentation, that clock has 32.7645 kHz frequency. Correct the sleep
clock definition.
Fixes: f4fb6aeafaaa ("arm64: dts: qcom: msm8916: Add fixed rate on-board oscillators")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20241224-fix-board-clocks-v3-1-e9b08fbeadd3@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
index c39a299fc636f..4e0441d99eefa 100644
--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
@@ -104,7 +104,7 @@
sleep_clk: sleep-clk {
compatible = "fixed-clock";
#clock-cells = <0>;
- clock-frequency = <32768>;
+ clock-frequency = <32764>;
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 075/462] arm64: dts: qcom: msm8994: correct sleep clock frequency
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 074/462] arm64: dts: qcom: msm8916: correct sleep clock frequency Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 076/462] arm64: dts: qcom: sm8250: " Greg Kroah-Hartman
` (390 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Bjorn Andersson,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit a4148d869d47d8c86da0291dd95d411a5ebe90c8 ]
The MSM8994 platform uses PM8994/6 to provide sleep clock. According to the
documentation, that clock has 32.7645 kHz frequency. Correct the sleep
clock definition.
Fixes: feeaf56ac78d ("arm64: dts: msm8994 SoC and Huawei Angler (Nexus 6P) support")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20241224-fix-board-clocks-v3-3-e9b08fbeadd3@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8994.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/msm8994.dtsi b/arch/arm64/boot/dts/qcom/msm8994.dtsi
index caaf7102f5798..9a8c365abbda4 100644
--- a/arch/arm64/boot/dts/qcom/msm8994.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8994.dtsi
@@ -24,7 +24,7 @@
sleep_clk: sleep-clk {
compatible = "fixed-clock";
#clock-cells = <0>;
- clock-frequency = <32768>;
+ clock-frequency = <32764>;
clock-output-names = "sleep_clk";
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 076/462] arm64: dts: qcom: sm8250: correct sleep clock frequency
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 075/462] arm64: dts: qcom: msm8994: " Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 077/462] ARM: dts: mediatek: mt7623: fix IR nodename Greg Kroah-Hartman
` (389 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Bjorn Andersson,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit 75420e437eed69fa95d1d7c339dad86dea35319a ]
The SM8250 platform uses PM8150 to provide sleep clock. According to the
documentation, that clock has 32.7645 kHz frequency. Correct the sleep
clock definition.
Fixes: 9ff8b0591fcf ("arm64: dts: qcom: sm8250: use the right clock-freqency for sleep-clk")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20241224-fix-board-clocks-v3-13-e9b08fbeadd3@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
index ec356fe07ac8a..025503ce88780 100644
--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
@@ -75,7 +75,7 @@
sleep_clk: sleep-clk {
compatible = "fixed-clock";
- clock-frequency = <32768>;
+ clock-frequency = <32764>;
#clock-cells = <0>;
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 077/462] ARM: dts: mediatek: mt7623: fix IR nodename
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 076/462] arm64: dts: qcom: sm8250: " Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 078/462] fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device() Greg Kroah-Hartman
` (388 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-media, Rafał Miłecki,
Matthias Brugger, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafał Miłecki <rafal@milecki.pl>
[ Upstream commit 90234cf9b37c57201a24b78c217a91a8af774109 ]
Fix following validation error:
arch/arm/boot/dts/mediatek/mt7623a-rfb-emmc.dtb: cir@10013000: $nodename:0: 'cir@10013000' does not match '^ir(-receiver)?(@[a-f0-9]+)?$'
from schema $id: http://devicetree.org/schemas/media/mediatek,mt7622-cir.yaml#
Fixes: 91044f38dae7 ("arm: dts: mt7623: add ir nodes to the mt7623.dtsi file")
Cc: linux-media@vger.kernel.org
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Link: https://lore.kernel.org/r/20240617094634.23173-1-zajec5@gmail.com
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/mt7623.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/mt7623.dtsi b/arch/arm/boot/dts/mt7623.dtsi
index aea6809500d74..c267fc1f83579 100644
--- a/arch/arm/boot/dts/mt7623.dtsi
+++ b/arch/arm/boot/dts/mt7623.dtsi
@@ -309,7 +309,7 @@
clock-names = "spi", "wrap";
};
- cir: cir@10013000 {
+ cir: ir-receiver@10013000 {
compatible = "mediatek,mt7623-cir";
reg = <0 0x10013000 0 0x1000>;
interrupts = <GIC_SPI 87 IRQ_TYPE_LEVEL_LOW>;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 078/462] fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 077/462] ARM: dts: mediatek: mt7623: fix IR nodename Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 079/462] media: rc: iguanair: handle timeouts Greg Kroah-Hartman
` (387 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Hattori, Laurent Pinchart,
Helge Deller, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit de124b61e179e690277116e6be512e4f422b5dd8 ]
dss_of_port_get_parent_device() leaks an OF node reference when i >= 2
and struct device_node *np is present. Since of_get_next_parent()
obtains a reference of the returned OF node, call of_node_put() before
returning NULL.
This was found by an experimental verifier that I am developing, and no
runtime test was able to be performed due to that lack of actual
devices.
Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/omap2/omapfb/dss/dss-of.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c b/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c
index 0282d4eef139d..3b16c3342cb77 100644
--- a/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c
+++ b/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c
@@ -102,6 +102,7 @@ struct device_node *dss_of_port_get_parent_device(struct device_node *port)
np = of_get_next_parent(np);
}
+ of_node_put(np);
return NULL;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 079/462] media: rc: iguanair: handle timeouts
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 078/462] fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 080/462] media: lmedm04: Use GFP_KERNEL for URB allocation/submission Greg Kroah-Hartman
` (386 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver Neukum,
syzbot+ffba8e636870dac0e0c0, Sean Young, Mauro Carvalho Chehab,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit b98d5000c50544f14bacb248c34e5219fbe81287 ]
In case of a timeout the IO must be cancelled or
the next IO using the URB will fail and/or overwrite
an operational URB.
The automatic bisection fails because it arrives
at a commit that correctly lets the test case run
without an error.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Fixes: e99a7cfe93fd ("[media] iguanair: reuse existing urb callback for command responses")
Reported-by: syzbot+ffba8e636870dac0e0c0@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/66f5cc9a.050a0220.46d20.0004.GAE@google.com/
Tested-by: syzbot+ffba8e636870dac0e0c0@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/rc/iguanair.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c
index 84949baf9f6b3..c1343df0dbbab 100644
--- a/drivers/media/rc/iguanair.c
+++ b/drivers/media/rc/iguanair.c
@@ -197,8 +197,10 @@ static int iguanair_send(struct iguanair *ir, unsigned size)
if (rc)
return rc;
- if (wait_for_completion_timeout(&ir->completion, TIMEOUT) == 0)
+ if (wait_for_completion_timeout(&ir->completion, TIMEOUT) == 0) {
+ usb_kill_urb(ir->urb_out);
return -ETIMEDOUT;
+ }
return rc;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 080/462] media: lmedm04: Use GFP_KERNEL for URB allocation/submission.
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 079/462] media: rc: iguanair: handle timeouts Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 081/462] media: lmedm04: Handle errors for lme2510_int_read Greg Kroah-Hartman
` (385 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Malcolm Priestley, Sean Young,
Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Malcolm Priestley <tvboxspy@gmail.com>
[ Upstream commit add5861769f912af0181f5fbd79dbf19c8211c20 ]
lme2510_int_read is not atomically called so use GFP_KERNEL for
usb_alloc_urb and usb_submit_urb which is the first in the chain
of interrupt submissions.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: a2836d3fe220 ("media: lmedm04: Handle errors for lme2510_int_read")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/dvb-usb-v2/lmedm04.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
index 9ddda8d68ee0f..0f5a1eed5ea9f 100644
--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
@@ -373,7 +373,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
struct lme2510_state *lme_int = adap_to_priv(adap);
struct usb_host_endpoint *ep;
- lme_int->lme_urb = usb_alloc_urb(0, GFP_ATOMIC);
+ lme_int->lme_urb = usb_alloc_urb(0, GFP_KERNEL);
if (lme_int->lme_urb == NULL)
return -ENOMEM;
@@ -393,7 +393,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa);
- usb_submit_urb(lme_int->lme_urb, GFP_ATOMIC);
+ usb_submit_urb(lme_int->lme_urb, GFP_KERNEL);
info("INT Interrupt Service Started");
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 081/462] media: lmedm04: Handle errors for lme2510_int_read
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 080/462] media: lmedm04: Use GFP_KERNEL for URB allocation/submission Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 082/462] PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy() Greg Kroah-Hartman
` (384 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ni, Mauro Carvalho Chehab,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit a2836d3fe220220ff8c495ca9722f89cea8a67e7 ]
Add check for the return value of usb_pipe_endpoint() and
usb_submit_urb() in order to catch the errors.
Fixes: 15e1ce33182d ("[media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://lore.kernel.org/r/20240521091042.1769684-1-nichen@iscas.ac.cn
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/dvb-usb-v2/lmedm04.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
index 0f5a1eed5ea9f..b54eb5a083561 100644
--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
@@ -372,6 +372,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
struct dvb_usb_device *d = adap_to_d(adap);
struct lme2510_state *lme_int = adap_to_priv(adap);
struct usb_host_endpoint *ep;
+ int ret;
lme_int->lme_urb = usb_alloc_urb(0, GFP_KERNEL);
@@ -389,11 +390,20 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
/* Quirk of pipe reporting PIPE_BULK but behaves as interrupt */
ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe);
+ if (!ep) {
+ usb_free_urb(lme_int->lme_urb);
+ return -ENODEV;
+ }
if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa);
- usb_submit_urb(lme_int->lme_urb, GFP_KERNEL);
+ ret = usb_submit_urb(lme_int->lme_urb, GFP_KERNEL);
+ if (ret) {
+ usb_free_urb(lme_int->lme_urb);
+ return ret;
+ }
+
info("INT Interrupt Service Started");
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 082/462] PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 081/462] media: lmedm04: Handle errors for lme2510_int_read Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 083/462] media: marvell: Add check for clk_enable() Greg Kroah-Hartman
` (383 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Bjorn Helgaas, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit d4929755e4d02bd3de3ae5569dab69cb9502c54f ]
The devm_pci_epc_destroy() comment says destroys the EPC device, but it
does not actually do that since devres_destroy() does not call
devm_pci_epc_release(), and it also can not fully undo what the API
devm_pci_epc_create() does, so it is faulty.
Fortunately, the faulty API has not been used by current kernel tree. Use
devres_release() instead of devres_destroy() so the EPC device will be
released.
Link: https://lore.kernel.org/r/20241210-pci-epc-core_fix-v3-1-4d86dd573e4b@quicinc.com
Fixes: 5e8cb4033807 ("PCI: endpoint: Add EP core layer to enable EP controller and EP functions")
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/endpoint/pci-epc-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c
index ea7e7465ce7a6..8062bc2432303 100644
--- a/drivers/pci/endpoint/pci-epc-core.c
+++ b/drivers/pci/endpoint/pci-epc-core.c
@@ -616,7 +616,7 @@ void devm_pci_epc_destroy(struct device *dev, struct pci_epc *epc)
{
int r;
- r = devres_destroy(dev, devm_pci_epc_release, devm_pci_epc_match,
+ r = devres_release(dev, devm_pci_epc_release, devm_pci_epc_match,
epc);
dev_WARN_ONCE(dev, r, "couldn't find PCI EPC resource\n");
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 083/462] media: marvell: Add check for clk_enable()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 082/462] PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 084/462] media: mipi-csis: " Greg Kroah-Hartman
` (382 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Sakari Ailus,
Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
[ Upstream commit 11f68d2ba2e1521a608af773bf788e8cfa260f68 ]
Add check for the return value of clk_enable() to guarantee the success.
Fixes: 81a409bfd551 ("media: marvell-ccic: provide a clock for the sensor")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
[Sakari Ailus: Fix spelling in commit message.]
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/marvell-ccic/mcam-core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c
index e56c5e56e824a..2d7e68fa2b9af 100644
--- a/drivers/media/platform/marvell-ccic/mcam-core.c
+++ b/drivers/media/platform/marvell-ccic/mcam-core.c
@@ -935,7 +935,12 @@ static int mclk_enable(struct clk_hw *hw)
ret = pm_runtime_resume_and_get(cam->dev);
if (ret < 0)
return ret;
- clk_enable(cam->clk[0]);
+ ret = clk_enable(cam->clk[0]);
+ if (ret) {
+ pm_runtime_put(cam->dev);
+ return ret;
+ }
+
mcam_reg_write(cam, REG_CLKCTRL, (mclk_src << 29) | mclk_div);
mcam_ctlr_power_up(cam);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 084/462] media: mipi-csis: Add check for clk_enable()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 083/462] media: marvell: Add check for clk_enable() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 085/462] media: camif-core: " Greg Kroah-Hartman
` (381 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Krzysztof Kozlowski,
Sakari Ailus, Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
[ Upstream commit 125ad1aeec77eb55273b420be6894b284a01e4b6 ]
Add check for the return value of clk_enable() to gurantee the success.
Fixes: b5f1220d587d ("[media] v4l: Add v4l2 subdev driver for S5P/EXYNOS4 MIPI-CSI receivers")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/exynos4-is/mipi-csis.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/exynos4-is/mipi-csis.c b/drivers/media/platform/exynos4-is/mipi-csis.c
index ebf39c8568943..e6c86ba30fa32 100644
--- a/drivers/media/platform/exynos4-is/mipi-csis.c
+++ b/drivers/media/platform/exynos4-is/mipi-csis.c
@@ -939,13 +939,19 @@ static int s5pcsis_pm_resume(struct device *dev, bool runtime)
state->supplies);
goto unlock;
}
- clk_enable(state->clock[CSIS_CLK_GATE]);
+ ret = clk_enable(state->clock[CSIS_CLK_GATE]);
+ if (ret) {
+ phy_power_off(state->phy);
+ regulator_bulk_disable(CSIS_NUM_SUPPLIES,
+ state->supplies);
+ goto unlock;
+ }
}
if (state->flags & ST_STREAMING)
s5pcsis_start_stream(state);
state->flags &= ~ST_SUSPENDED;
- unlock:
+unlock:
mutex_unlock(&state->lock);
return ret ? -EAGAIN : 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 085/462] media: camif-core: Add check for clk_enable()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 084/462] media: mipi-csis: " Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 086/462] media: uvcvideo: Propagate buf->error to userspace Greg Kroah-Hartman
` (380 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Krzysztof Kozlowski,
Sakari Ailus, Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
[ Upstream commit 77ed2470ac09c2b0a33cf3f98cc51d18ba9ed976 ]
Add check for the return value of clk_enable() to gurantee the success.
Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/s3c-camif/camif-core.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/s3c-camif/camif-core.c b/drivers/media/platform/s3c-camif/camif-core.c
index 422fd549e9c87..aa2427cb2e63b 100644
--- a/drivers/media/platform/s3c-camif/camif-core.c
+++ b/drivers/media/platform/s3c-camif/camif-core.c
@@ -529,10 +529,19 @@ static int s3c_camif_remove(struct platform_device *pdev)
static int s3c_camif_runtime_resume(struct device *dev)
{
struct camif_dev *camif = dev_get_drvdata(dev);
+ int ret;
+
+ ret = clk_enable(camif->clock[CLK_GATE]);
+ if (ret)
+ return ret;
- clk_enable(camif->clock[CLK_GATE]);
/* null op on s3c244x */
- clk_enable(camif->clock[CLK_CAM]);
+ ret = clk_enable(camif->clock[CLK_CAM]);
+ if (ret) {
+ clk_disable(camif->clock[CLK_GATE]);
+ return ret;
+ }
+
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 086/462] media: uvcvideo: Propagate buf->error to userspace
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 085/462] media: camif-core: " Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 087/462] mtd: hyperbus: hbmc-am654: fix an OF node reference leak Greg Kroah-Hartman
` (379 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Ricardo Ribalda,
Laurent Pinchart, Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
[ Upstream commit 87ce177654e388451850905a1d376658aebe8699 ]
Now we return VB2_BUF_STATE_DONE for valid and invalid frames. Propagate
the correct value, so the user can know if the frame is valid or not via
struct v4l2_buffer->flags.
Reported-by: Hans de Goede <hdegoede@redhat.com>
Closes: https://lore.kernel.org/linux-media/84b0f212-cd88-46bb-8e6f-b94ec3eccba6@redhat.com
Fixes: 6998b6fb4b1c ("[media] uvcvideo: Use videobuf2-vmalloc")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20241218-uvc-deprecate-v2-1-ab814139e983@chromium.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/uvc/uvc_queue.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/uvc/uvc_queue.c b/drivers/media/usb/uvc/uvc_queue.c
index cd60c6c1749ea..6a9fdd32cfb86 100644
--- a/drivers/media/usb/uvc/uvc_queue.c
+++ b/drivers/media/usb/uvc/uvc_queue.c
@@ -486,7 +486,8 @@ static void uvc_queue_buffer_complete(struct kref *ref)
buf->state = buf->error ? UVC_BUF_STATE_ERROR : UVC_BUF_STATE_DONE;
vb2_set_plane_payload(&buf->buf.vb2_buf, 0, buf->bytesused);
- vb2_buffer_done(&buf->buf.vb2_buf, VB2_BUF_STATE_DONE);
+ vb2_buffer_done(&buf->buf.vb2_buf, buf->error ? VB2_BUF_STATE_ERROR :
+ VB2_BUF_STATE_DONE);
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 087/462] mtd: hyperbus: hbmc-am654: fix an OF node reference leak
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 086/462] media: uvcvideo: Propagate buf->error to userspace Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 088/462] staging: media: imx: fix OF node leak in imx_media_add_of_subdevs() Greg Kroah-Hartman
` (378 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joe Hattori, Miquel Raynal,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit bf5821909eb9c7f5d07d5c6e852ead2c373c94a0 ]
In am654_hbmc_platform_driver, .remove() and the error path of .probe()
do not decrement the refcount of an OF node obtained by
of_get_next_child(). Fix this by adding of_node_put() calls.
Fixes: aca31ce96814 ("mtd: hyperbus: hbmc-am654: Fix direct mapping setup flash access")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/hyperbus/hbmc-am654.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- a/drivers/mtd/hyperbus/hbmc-am654.c
+++ b/drivers/mtd/hyperbus/hbmc-am654.c
@@ -174,26 +174,30 @@ static int am654_hbmc_probe(struct platf
priv->hbdev.np = of_get_next_child(np, NULL);
ret = of_address_to_resource(priv->hbdev.np, 0, &res);
if (ret)
- return ret;
+ goto put_node;
if (of_property_read_bool(dev->of_node, "mux-controls")) {
struct mux_control *control = devm_mux_control_get(dev, NULL);
- if (IS_ERR(control))
- return PTR_ERR(control);
+ if (IS_ERR(control)) {
+ ret = PTR_ERR(control);
+ goto put_node;
+ }
ret = mux_control_select(control, 1);
if (ret) {
dev_err(dev, "Failed to select HBMC mux\n");
- return ret;
+ goto put_node;
}
priv->mux_ctrl = control;
}
priv->hbdev.map.size = resource_size(&res);
priv->hbdev.map.virt = devm_ioremap_resource(dev, &res);
- if (IS_ERR(priv->hbdev.map.virt))
- return PTR_ERR(priv->hbdev.map.virt);
+ if (IS_ERR(priv->hbdev.map.virt)) {
+ ret = PTR_ERR(priv->hbdev.map.virt);
+ goto disable_mux;
+ }
priv->ctlr.dev = dev;
priv->ctlr.ops = &am654_hbmc_ops;
@@ -226,6 +230,8 @@ release_dma:
disable_mux:
if (priv->mux_ctrl)
mux_control_deselect(priv->mux_ctrl);
+put_node:
+ of_node_put(priv->hbdev.np);
return ret;
}
@@ -241,6 +247,7 @@ static int am654_hbmc_remove(struct plat
if (dev_priv->rx_chan)
dma_release_channel(dev_priv->rx_chan);
+ of_node_put(priv->hbdev.np);
return ret;
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 088/462] staging: media: imx: fix OF node leak in imx_media_add_of_subdevs()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 087/462] mtd: hyperbus: hbmc-am654: fix an OF node reference leak Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 089/462] PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() Greg Kroah-Hartman
` (377 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Hattori, Vladimir Zapolskiy,
Philipp Zabel, Hans Verkuil, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit 094f5c315f756b19198e6c401aa821ac0e868750 ]
imx_media_add_of_subdevs() calls of_parse_phandle() and passes the
obtained node to imx_media_of_add_csi(). The passed node is used in
v4l2_async_nf_add_fwnode(), which increments the refcount of the node.
Therefore, while the current implementation only releases the node when
imx_media_of_add_csi() fails, but should always release it. Call
of_node_put() right after imx_media_of_add_csi().
Fixes: dee747f88167 ("media: imx: Don't register IPU subdevs/links if CSI port missing")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/media/imx/imx-media-of.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/media/imx/imx-media-of.c b/drivers/staging/media/imx/imx-media-of.c
index 82e13e972e233..566e133ad3f42 100644
--- a/drivers/staging/media/imx/imx-media-of.c
+++ b/drivers/staging/media/imx/imx-media-of.c
@@ -55,22 +55,18 @@ int imx_media_add_of_subdevs(struct imx_media_dev *imxmd,
break;
ret = imx_media_of_add_csi(imxmd, csi_np);
+ of_node_put(csi_np);
if (ret) {
/* unavailable or already added is not an error */
if (ret == -ENODEV || ret == -EEXIST) {
- of_node_put(csi_np);
continue;
}
/* other error, can't continue */
- goto err_out;
+ return ret;
}
}
return 0;
-
-err_out:
- of_node_put(csi_np);
- return ret;
}
EXPORT_SYMBOL_GPL(imx_media_add_of_subdevs);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 089/462] PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 088/462] staging: media: imx: fix OF node leak in imx_media_add_of_subdevs() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 090/462] scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1 Greg Kroah-Hartman
` (376 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lad Prabhakar, King Dix,
Krzysztof Wilczyński, Manivannan Sadhasivam, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: King Dix <kingdix10@qq.com>
[ Upstream commit 2d2da5a4c1b4509f6f7e5a8db015cd420144beb4 ]
The rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region()
macro to request a needed resource. A string variable that lives on the
stack is then used to store a dynamically computed resource name, which
is then passed on as one of the macro arguments. This can lead to
undefined behavior.
Depending on the current contents of the memory, the manifestations of
errors may vary. One possible output may be as follows:
$ cat /proc/iomem
30000000-37ffffff :
38000000-3fffffff :
Sometimes, garbage may appear after the colon.
In very rare cases, if no NULL-terminator is found in memory, the system
might crash because the string iterator will overrun which can lead to
access of unmapped memory above the stack.
Thus, fix this by replacing outbound_name with the name of the previously
requested resource. With the changes applied, the output will be as
follows:
$ cat /proc/iomem
30000000-37ffffff : memory2
38000000-3fffffff : memory3
Fixes: 2a6d0d63d999 ("PCI: rcar: Add endpoint mode support")
Link: https://lore.kernel.org/r/tencent_DBDCC19D60F361119E76919ADAB25EC13C06@qq.com
Tested-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Signed-off-by: King Dix <kingdix10@qq.com>
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/pcie-rcar-ep.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/controller/pcie-rcar-ep.c b/drivers/pci/controller/pcie-rcar-ep.c
index c91d85b151290..fc85263797e91 100644
--- a/drivers/pci/controller/pcie-rcar-ep.c
+++ b/drivers/pci/controller/pcie-rcar-ep.c
@@ -110,7 +110,7 @@ static int rcar_pcie_parse_outbound_ranges(struct rcar_pcie_endpoint *ep,
}
if (!devm_request_mem_region(&pdev->dev, res->start,
resource_size(res),
- outbound_name)) {
+ res->name)) {
dev_err(pcie->dev, "Cannot request memory region %s.\n",
outbound_name);
return -EIO;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 090/462] scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 089/462] PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 091/462] scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails Greg Kroah-Hartman
` (375 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sreekanth Reddy, Paul Menzel,
Martin K. Petersen, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Menzel <pmenzel@molgen.mpg.de>
[ Upstream commit ad7c3c0cb8f61d6d5a48b83e62ca4a9fd2f26153 ]
Currently, the code does:
if (x == 0) {
x &= ~0x3;
x |= 0x1;
}
Zeroing bits 0 and 1 of a variable that is 0 is not necessary. So directly
set the variable to 1.
Cc: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
Link: https://lore.kernel.org/r/20241212221817.78940-2-pmenzel@molgen.mpg.de
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpt3sas/mpt3sas_base.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
index 768635de93da9..78b178aa46e94 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -4771,8 +4771,7 @@ _base_static_config_pages(struct MPT3SAS_ADAPTER *ioc)
if (!ioc->is_gen35_ioc && ioc->manu_pg11.EEDPTagMode == 0) {
pr_err("%s: overriding NVDATA EEDPTagMode setting\n",
ioc->name);
- ioc->manu_pg11.EEDPTagMode &= ~0x3;
- ioc->manu_pg11.EEDPTagMode |= 0x1;
+ ioc->manu_pg11.EEDPTagMode = 0x1;
mpt3sas_config_set_manufacturing_pg11(ioc, &mpi_reply,
&ioc->manu_pg11);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 091/462] scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 090/462] scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1 Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 092/462] ocfs2: mark dquot as inactive if failed to start trans while releasing dquot Greg Kroah-Hartman
` (374 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guixin Liu, Avri Altman,
Martin K. Petersen, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guixin Liu <kanie@linux.alibaba.com>
[ Upstream commit fcf247deb3c3e1c6be5774e3fa03bbd018eff1a9 ]
We should remove the bsg device when bsg_setup_queue() fails to release the
resources.
Fixes: df032bf27a41 ("scsi: ufs: Add a bsg endpoint that supports UPIUs")
Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
Link: https://lore.kernel.org/r/20241218014214.64533-2-kanie@linux.alibaba.com
Reviewed-by: Avri Altman <avri.altman@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ufs/ufs_bsg.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/ufs/ufs_bsg.c b/drivers/scsi/ufs/ufs_bsg.c
index 5b2bc1a6f9226..05c7347eda188 100644
--- a/drivers/scsi/ufs/ufs_bsg.c
+++ b/drivers/scsi/ufs/ufs_bsg.c
@@ -213,6 +213,7 @@ int ufs_bsg_probe(struct ufs_hba *hba)
q = bsg_setup_queue(bsg_dev, dev_name(bsg_dev), ufs_bsg_request, NULL, 0);
if (IS_ERR(q)) {
ret = PTR_ERR(q);
+ device_del(bsg_dev);
goto out;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 092/462] ocfs2: mark dquot as inactive if failed to start trans while releasing dquot
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 091/462] scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:55 ` [PATCH 5.10 093/462] module: Extend the preempt disabled section in dereference_symbol_descriptor() Greg Kroah-Hartman
` (373 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Su Yue, Joseph Qi, Mark Fasheh,
Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao, Andrew Morton,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Yue <glass.su@suse.com>
[ Upstream commit 276c61385f6bc3223a5ecd307cf4aba2dfbb9a31 ]
While running fstests generic/329, the kernel workqueue
quota_release_workfn is dead looping in calling ocfs2_release_dquot().
The ocfs2 state is already readonly but ocfs2_release_dquot wants to
start a transaction but fails and returns.
=====================================================================
[ 2918.123602 ][ T275 ] On-disk corruption discovered. Please run
fsck.ocfs2 once the filesystem is unmounted.
[ 2918.124034 ][ T275 ] (kworker/u135:1,275,11):ocfs2_release_dquot:765
ERROR: status = -30
[ 2918.124452 ][ T275 ] (kworker/u135:1,275,11):ocfs2_release_dquot:795
ERROR: status = -30
[ 2918.124883 ][ T275 ] (kworker/u135:1,275,11):ocfs2_start_trans:357
ERROR: status = -30
[ 2918.125276 ][ T275 ] OCFS2: abort (device dm-0): ocfs2_start_trans:
Detected aborted journal
[ 2918.125710 ][ T275 ] On-disk corruption discovered. Please run
fsck.ocfs2 once the filesystem is unmounted.
=====================================================================
ocfs2_release_dquot() is much like dquot_release(), which is called by
ext4 to handle similar situation. So here fix it by marking the dquot as
inactive like what dquot_release() does.
Link: https://lkml.kernel.org/r/20250106140653.92292-1-glass.su@suse.com
Fixes: 9e33d69f553a ("ocfs2: Implementation of local and global quota file handling")
Signed-off-by: Su Yue <glass.su@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/quota_global.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 1ce3780e8b499..742bf103d2eb2 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -749,6 +749,11 @@ static int ocfs2_release_dquot(struct dquot *dquot)
handle = ocfs2_start_trans(osb,
ocfs2_calc_qdel_credits(dquot->dq_sb, dquot->dq_id.type));
if (IS_ERR(handle)) {
+ /*
+ * Mark dquot as inactive to avoid endless cycle in
+ * quota_release_workfn().
+ */
+ clear_bit(DQ_ACTIVE_B, &dquot->dq_flags);
status = PTR_ERR(handle);
mlog_errno(status);
goto out_ilock;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 093/462] module: Extend the preempt disabled section in dereference_symbol_descriptor().
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 092/462] ocfs2: mark dquot as inactive if failed to start trans while releasing dquot Greg Kroah-Hartman
@ 2025-03-11 14:55 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 094/462] NFSv4.2: fix COPY_NOTIFY xdr buf size calculation Greg Kroah-Hartman
` (372 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James E.J. Bottomley,
Christophe Leroy, Helge Deller, Madhavan Srinivasan,
Michael Ellerman, Naveen N Rao, Nicholas Piggin,
Sergey Senozhatsky, linux-parisc, linuxppc-dev,
Sergey Senozhatsky, Peter Zijlstra (Intel),
Sebastian Andrzej Siewior, Petr Pavlu, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit a145c848d69f9c6f32008d8319edaa133360dd74 ]
dereference_symbol_descriptor() needs to obtain the module pointer
belonging to pointer in order to resolve that pointer.
The returned mod pointer is obtained under RCU-sched/ preempt_disable()
guarantees and needs to be used within this section to ensure that the
module is not removed in the meantime.
Extend the preempt_disable() section to also cover
dereference_module_function_descriptor().
Fixes: 04b8eb7a4ccd9 ("symbol lookup: introduce dereference_symbol_descriptor()")
Cc: James E.J. Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Helge Deller <deller@gmx.de>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Naveen N Rao <naveen@kernel.org>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Cc: linux-parisc@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://lore.kernel.org/r/20250108090457.512198-2-bigeasy@linutronix.de
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/kallsyms.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h
index 430f1cefbb9e1..ea2eb5fe83a3c 100644
--- a/include/linux/kallsyms.h
+++ b/include/linux/kallsyms.h
@@ -63,10 +63,10 @@ static inline void *dereference_symbol_descriptor(void *ptr)
preempt_disable();
mod = __module_address((unsigned long)ptr);
- preempt_enable();
if (mod)
ptr = dereference_module_function_descriptor(mod, ptr);
+ preempt_enable();
#endif
return ptr;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 094/462] NFSv4.2: fix COPY_NOTIFY xdr buf size calculation
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2025-03-11 14:55 ` [PATCH 5.10 093/462] module: Extend the preempt disabled section in dereference_symbol_descriptor() Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 095/462] tools/bootconfig: Fix the wrong format specifier Greg Kroah-Hartman
` (371 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, Anna Schumaker,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Olga Kornievskaia <okorniev@redhat.com>
[ Upstream commit e8380c2d06055665b3df6c03964911375d7f9290 ]
We need to include sequence size in the compound.
Fixes: 0491567b51ef ("NFS: add COPY_NOTIFY operation")
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs42xdr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/nfs/nfs42xdr.c b/fs/nfs/nfs42xdr.c
index df5bee2f505c4..c9987d615ebc5 100644
--- a/fs/nfs/nfs42xdr.c
+++ b/fs/nfs/nfs42xdr.c
@@ -122,9 +122,11 @@
decode_putfh_maxsz + \
decode_offload_cancel_maxsz)
#define NFS4_enc_copy_notify_sz (compound_encode_hdr_maxsz + \
+ encode_sequence_maxsz + \
encode_putfh_maxsz + \
encode_copy_notify_maxsz)
#define NFS4_dec_copy_notify_sz (compound_decode_hdr_maxsz + \
+ decode_sequence_maxsz + \
decode_putfh_maxsz + \
decode_copy_notify_maxsz)
#define NFS4_enc_deallocate_sz (compound_encode_hdr_maxsz + \
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 095/462] tools/bootconfig: Fix the wrong format specifier
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 094/462] NFSv4.2: fix COPY_NOTIFY xdr buf size calculation Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 096/462] xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO Greg Kroah-Hartman
` (370 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luo Yifan, Masami Hiramatsu (Google),
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luo Yifan <luoyifan@cmss.chinamobile.com>
[ Upstream commit f6ab7384d554ba80ff4793259d75535874b366f5 ]
Use '%u' instead of '%d' for unsigned int.
Link: https://lore.kernel.org/all/20241105011048.201629-1-luoyifan@cmss.chinamobile.com/
Fixes: 973780011106 ("tools/bootconfig: Suppress non-error messages")
Signed-off-by: Luo Yifan <luoyifan@cmss.chinamobile.com>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/bootconfig/main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
index 6cd6080cac04c..365c022fb7cdd 100644
--- a/tools/bootconfig/main.c
+++ b/tools/bootconfig/main.c
@@ -207,7 +207,7 @@ static int load_xbc_from_initrd(int fd, char **buf)
/* Wrong Checksum */
rcsum = checksum((unsigned char *)*buf, size);
if (csum != rcsum) {
- pr_err("checksum error: %d != %d\n", csum, rcsum);
+ pr_err("checksum error: %u != %u\n", csum, rcsum);
return -EINVAL;
}
@@ -375,7 +375,7 @@ static int apply_xbc(const char *path, const char *xbc_path)
printf("Apply %s to %s\n", xbc_path, path);
printf("\tNumber of nodes: %d\n", ret);
printf("\tSize: %u bytes\n", (unsigned int)size);
- printf("\tChecksum: %d\n", (unsigned int)csum);
+ printf("\tChecksum: %u\n", (unsigned int)csum);
/* TODO: Check the options by schema */
xbc_destroy_all();
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 096/462] xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 095/462] tools/bootconfig: Fix the wrong format specifier Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 097/462] dmaengine: ti: edma: fix OF node reference leaks in edma_driver Greg Kroah-Hartman
` (369 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Patrisious Haddad,
Leon Romanovsky, Steffen Klassert, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
[ Upstream commit c05c5e5aa163f4682ca97a2f0536575fc7dbdecb ]
When skb needs GSO and wrap around happens, if xo->seq.low (seqno of
the first skb segment) is before the last seq number but oseq (seqno
of the last segment) is after it, xo->seq.low is still bigger than
replay_esn->oseq while oseq is smaller than it, so the update of
replay_esn->oseq_hi is missed for this case wrap around because of
the change in the cited commit.
For example, if sending a packet with gso_segs=3 while old
replay_esn->oseq=0xfffffffe, we calculate:
xo->seq.low = 0xfffffffe + 1 = 0x0xffffffff
oseq = 0xfffffffe + 3 = 0x1
(oseq < replay_esn->oseq) is true, but (xo->seq.low <
replay_esn->oseq) is false, so replay_esn->oseq_hi is not incremented.
To fix this issue, change the outer checking back for the update of
replay_esn->oseq_hi. And add new checking inside for the update of
packet's oseq_hi.
Fixes: 4b549ccce941 ("xfrm: replay: Fix ESN wrap around for GSO")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_replay.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 65d009e3b6bbe..aedc61ceadb30 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -657,10 +657,12 @@ static int xfrm_replay_overflow_offload_esn(struct xfrm_state *x, struct sk_buff
oseq += skb_shinfo(skb)->gso_segs;
}
- if (unlikely(xo->seq.low < replay_esn->oseq)) {
- XFRM_SKB_CB(skb)->seq.output.hi = ++oseq_hi;
- xo->seq.hi = oseq_hi;
- replay_esn->oseq_hi = oseq_hi;
+ if (unlikely(oseq < replay_esn->oseq)) {
+ replay_esn->oseq_hi = ++oseq_hi;
+ if (xo->seq.low < replay_esn->oseq) {
+ XFRM_SKB_CB(skb)->seq.output.hi = oseq_hi;
+ xo->seq.hi = oseq_hi;
+ }
if (replay_esn->oseq_hi == 0) {
replay_esn->oseq--;
replay_esn->oseq_hi--;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 097/462] dmaengine: ti: edma: fix OF node reference leaks in edma_driver
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 096/462] xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 098/462] rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read Greg Kroah-Hartman
` (368 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Hattori, Dan Carpenter,
Vinod Koul, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit e883c64778e5a9905fce955681f8ee38c7197e0f ]
The .probe() of edma_driver calls of_parse_phandle_with_fixed_args() but
does not release the obtained OF nodes. Thus add a of_node_put() call.
This bug was found by an experimental verification tool that I am
developing.
Fixes: 1be5336bc7ba ("dmaengine: edma: New device tree binding")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20241219020507.1983124-3-joe@pf.is.s.u-tokyo.ac.jp
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ti/edma.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c
index 69292d4a0c441..560fe658b8942 100644
--- a/drivers/dma/ti/edma.c
+++ b/drivers/dma/ti/edma.c
@@ -217,7 +217,6 @@ struct edma_desc {
struct edma_cc;
struct edma_tc {
- struct device_node *node;
u16 id;
};
@@ -2524,13 +2523,13 @@ static int edma_probe(struct platform_device *pdev)
if (ret || i == ecc->num_tc)
break;
- ecc->tc_list[i].node = tc_args.np;
ecc->tc_list[i].id = i;
queue_priority_mapping[i][1] = tc_args.args[0];
if (queue_priority_mapping[i][1] > lowest_priority) {
lowest_priority = queue_priority_mapping[i][1];
info->default_queue = i;
}
+ of_node_put(tc_args.np);
}
/* See if we have optional dma-channel-mask array */
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 098/462] rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 097/462] dmaengine: ti: edma: fix OF node reference leaks in edma_driver Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 099/462] ubifs: skip dumping tnc tree when zroot is null Greg Kroah-Hartman
` (367 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Ahmad Fatoum,
Alexandre Belloni, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
[ Upstream commit 3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c ]
The nvmem interface supports variable buffer sizes, while the regmap
interface operates with fixed-size storage. If an nvmem client uses a
buffer size less than 4 bytes, regmap_read will write out of bounds
as it expects the buffer to point at an unsigned int.
Fix this by using an intermediary unsigned int to hold the value.
Fixes: fadfd092ee91 ("rtc: pcf85063: add nvram support")
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Link: https://lore.kernel.org/r/20241218-rtc-pcf85063-stack-corruption-v1-1-12fd0ee0f046@pengutronix.de
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-pcf85063.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c
index 449204d84c61d..dd3336cbb7921 100644
--- a/drivers/rtc/rtc-pcf85063.c
+++ b/drivers/rtc/rtc-pcf85063.c
@@ -328,7 +328,16 @@ static const struct rtc_class_ops pcf85063_rtc_ops_alarm = {
static int pcf85063_nvmem_read(void *priv, unsigned int offset,
void *val, size_t bytes)
{
- return regmap_read(priv, PCF85063_REG_RAM, val);
+ unsigned int tmp;
+ int ret;
+
+ ret = regmap_read(priv, PCF85063_REG_RAM, &tmp);
+ if (ret < 0)
+ return ret;
+
+ *(u8 *)val = tmp;
+
+ return 0;
}
static int pcf85063_nvmem_write(void *priv, unsigned int offset,
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 099/462] ubifs: skip dumping tnc tree when zroot is null
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 098/462] rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 100/462] net: hns3: fix oops when unload drivers paralleling Greg Kroah-Hartman
` (366 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, pangliyuan, Zhihao Cheng,
Richard Weinberger, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: pangliyuan <pangliyuan1@huawei.com>
[ Upstream commit bdb0ca39e0acccf6771db49c3f94ed787d05f2d7 ]
Clearing slab cache will free all znode in memory and make
c->zroot.znode = NULL, then dumping tnc tree will access
c->zroot.znode which cause null pointer dereference.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=219624#c0
Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
Signed-off-by: pangliyuan <pangliyuan1@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ubifs/debug.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/fs/ubifs/debug.c b/fs/ubifs/debug.c
index ebff43f8009c2..9ee58cf4d53f6 100644
--- a/fs/ubifs/debug.c
+++ b/fs/ubifs/debug.c
@@ -925,16 +925,20 @@ void ubifs_dump_tnc(struct ubifs_info *c)
pr_err("\n");
pr_err("(pid %d) start dumping TNC tree\n", current->pid);
- znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, NULL);
- level = znode->level;
- pr_err("== Level %d ==\n", level);
- while (znode) {
- if (level != znode->level) {
- level = znode->level;
- pr_err("== Level %d ==\n", level);
+ if (c->zroot.znode) {
+ znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, NULL);
+ level = znode->level;
+ pr_err("== Level %d ==\n", level);
+ while (znode) {
+ if (level != znode->level) {
+ level = znode->level;
+ pr_err("== Level %d ==\n", level);
+ }
+ ubifs_dump_znode(c, znode);
+ znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, znode);
}
- ubifs_dump_znode(c, znode);
- znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, znode);
+ } else {
+ pr_err("empty TNC tree in memory\n");
}
pr_err("(pid %d) finish dumping TNC tree\n", current->pid);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 100/462] net: hns3: fix oops when unload drivers paralleling
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 099/462] ubifs: skip dumping tnc tree when zroot is null Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 101/462] net: fec: implement TSO descriptor cleanup Greg Kroah-Hartman
` (365 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao,
Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit 92e5995773774a3e70257e9c95ea03518268bea5 ]
When unload hclge driver, it tries to disable sriov first for each
ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at
the time, because it removes all the ae_dev nodes, and it may cause
oops.
But we can't simply use hnae3_common_lock for this. Because in the
process flow of pci_disable_sriov(), it will trigger the remove flow
of VF, which will also take hnae3_common_lock.
To fixes it, introduce a new mutex to protect the unload process.
Fixes: 0dd8a25f355b ("net: hns3: disable sriov before unload hclge layer")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Link: https://patch.msgid.link/20250118094741.3046663-1-shaojijie@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hnae3.c | 15 +++++++++++++++
drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 ++
drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 ++
.../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 ++
.../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 ++
5 files changed, 23 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.c b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
index 9a63fbc694083..b25fb400f4767 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
@@ -40,6 +40,21 @@ EXPORT_SYMBOL(hnae3_unregister_ae_algo_prepare);
*/
static DEFINE_MUTEX(hnae3_common_lock);
+/* ensure the drivers being unloaded one by one */
+static DEFINE_MUTEX(hnae3_unload_lock);
+
+void hnae3_acquire_unload_lock(void)
+{
+ mutex_lock(&hnae3_unload_lock);
+}
+EXPORT_SYMBOL(hnae3_acquire_unload_lock);
+
+void hnae3_release_unload_lock(void)
+{
+ mutex_unlock(&hnae3_unload_lock);
+}
+EXPORT_SYMBOL(hnae3_release_unload_lock);
+
static bool hnae3_client_match(enum hnae3_client_type client_type)
{
if (client_type == HNAE3_CLIENT_KNIC ||
diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.h b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
index 4a9576a449e10..25b6b4f780f1d 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h
+++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
@@ -764,4 +764,6 @@ int hnae3_register_client(struct hnae3_client *client);
void hnae3_set_client_init_flag(struct hnae3_client *client,
struct hnae3_ae_dev *ae_dev,
unsigned int inited);
+void hnae3_acquire_unload_lock(void);
+void hnae3_release_unload_lock(void);
#endif
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
index 9ff5179b4d879..110baa9949a0c 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -4751,9 +4751,11 @@ module_init(hns3_init_module);
*/
static void __exit hns3_exit_module(void)
{
+ hnae3_acquire_unload_lock();
pci_unregister_driver(&hns3_driver);
hnae3_unregister_client(&client);
hns3_dbg_unregister_debugfs();
+ hnae3_release_unload_lock();
}
module_exit(hns3_exit_module);
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index 885793707a5f1..ec918f2981ec2 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -11539,9 +11539,11 @@ static int hclge_init(void)
static void hclge_exit(void)
{
+ hnae3_acquire_unload_lock();
hnae3_unregister_ae_algo_prepare(&ae_algo);
hnae3_unregister_ae_algo(&ae_algo);
destroy_workqueue(hclge_wq);
+ hnae3_release_unload_lock();
}
module_init(hclge_init);
module_exit(hclge_exit);
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
index 755935f9efc81..aa026eb5cf588 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
@@ -3726,8 +3726,10 @@ static int hclgevf_init(void)
static void hclgevf_exit(void)
{
+ hnae3_acquire_unload_lock();
hnae3_unregister_ae_algo(&ae_algovf);
destroy_workqueue(hclgevf_wq);
+ hnae3_release_unload_lock();
}
module_init(hclgevf_init);
module_exit(hclgevf_exit);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 101/462] net: fec: implement TSO descriptor cleanup
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 100/462] net: hns3: fix oops when unload drivers paralleling Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 102/462] ipmr: do not call mr_mfc_uses_dev() for unres entries Greg Kroah-Hartman
` (364 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dheeraj Reddy Jonnalagadda, Wei Fang,
Paolo Abeni, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
[ Upstream commit 61dc1fd9205bc9d9918aa933a847b08e80b4dc20 ]
Implement cleanup of descriptors in the TSO error path of
fec_enet_txq_submit_tso(). The cleanup
- Unmaps DMA buffers for data descriptors skipping TSO header
- Clears all buffer descriptors
- Handles extended descriptors by clearing cbd_esc when enabled
Fixes: 79f339125ea3 ("net: fec: Add software TSO support")
Signed-off-by: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
Reviewed-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20250120085430.99318-1-dheeraj.linuxdev@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec_main.c | 31 ++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index a591ca0b37787..8e30e999456d4 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -728,6 +728,8 @@ static int fec_enet_txq_submit_tso(struct fec_enet_priv_tx_q *txq,
struct fec_enet_private *fep = netdev_priv(ndev);
int hdr_len, total_len, data_left;
struct bufdesc *bdp = txq->bd.cur;
+ struct bufdesc *tmp_bdp;
+ struct bufdesc_ex *ebdp;
struct tso_t tso;
unsigned int index = 0;
int ret;
@@ -801,7 +803,34 @@ static int fec_enet_txq_submit_tso(struct fec_enet_priv_tx_q *txq,
return 0;
err_release:
- /* TODO: Release all used data descriptors for TSO */
+ /* Release all used data descriptors for TSO */
+ tmp_bdp = txq->bd.cur;
+
+ while (tmp_bdp != bdp) {
+ /* Unmap data buffers */
+ if (tmp_bdp->cbd_bufaddr &&
+ !IS_TSO_HEADER(txq, fec32_to_cpu(tmp_bdp->cbd_bufaddr)))
+ dma_unmap_single(&fep->pdev->dev,
+ fec32_to_cpu(tmp_bdp->cbd_bufaddr),
+ fec16_to_cpu(tmp_bdp->cbd_datlen),
+ DMA_TO_DEVICE);
+
+ /* Clear standard buffer descriptor fields */
+ tmp_bdp->cbd_sc = 0;
+ tmp_bdp->cbd_datlen = 0;
+ tmp_bdp->cbd_bufaddr = 0;
+
+ /* Handle extended descriptor if enabled */
+ if (fep->bufdesc_ex) {
+ ebdp = (struct bufdesc_ex *)tmp_bdp;
+ ebdp->cbd_esc = 0;
+ }
+
+ tmp_bdp = fec_enet_get_nextdesc(tmp_bdp, &txq->bd);
+ }
+
+ dev_kfree_skb_any(skb);
+
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 102/462] ipmr: do not call mr_mfc_uses_dev() for unres entries
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 101/462] net: fec: implement TSO descriptor cleanup Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 103/462] PM: hibernate: Add error handling for syscore_suspend() Greg Kroah-Hartman
` (363 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5cfae50c0e5f2c500013,
Eric Dumazet, David Ahern, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 15a901361ec3fb1c393f91880e1cbf24ec0a88bd ]
syzbot found that calling mr_mfc_uses_dev() for unres entries
would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif
alias to "struct sk_buff_head unresolved", which contain two pointers.
This code never worked, lets remove it.
[1]
Unable to handle kernel paging request at virtual address ffff5fff2d536613
KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]
Modules linked in:
CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]
pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334
lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]
lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334
Call trace:
mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)
mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)
mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382
ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648
rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327
rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791
netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317
netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973
sock_recvmsg_nosec net/socket.c:1033 [inline]
sock_recvmsg net/socket.c:1055 [inline]
sock_read_iter+0x2d8/0x40c net/socket.c:1125
new_sync_read fs/read_write.c:484 [inline]
vfs_read+0x740/0x970 fs/read_write.c:565
ksys_read+0x15c/0x26c fs/read_write.c:708
Fixes: cb167893f41e ("net: Plumb support for filtering ipv4 and ipv6 multicast route dumps")
Reported-by: syzbot+5cfae50c0e5f2c500013@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/678fe2d1.050a0220.15cac.00b3.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250121181241.841212-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ipmr_base.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/ipv4/ipmr_base.c b/net/ipv4/ipmr_base.c
index c45cb7cb57590..8b5b6f196cdc4 100644
--- a/net/ipv4/ipmr_base.c
+++ b/net/ipv4/ipmr_base.c
@@ -321,9 +321,6 @@ int mr_table_dump(struct mr_table *mrt, struct sk_buff *skb,
list_for_each_entry(mfc, &mrt->mfc_unres_queue, list) {
if (e < s_e)
goto next_entry2;
- if (filter->dev &&
- !mr_mfc_uses_dev(mrt, mfc, filter->dev))
- goto next_entry2;
err = fill(mrt, skb, NETLINK_CB(cb->skb).portid,
cb->nlh->nlmsg_seq, mfc, RTM_NEWROUTE, flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 103/462] PM: hibernate: Add error handling for syscore_suspend()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 102/462] ipmr: do not call mr_mfc_uses_dev() for unres entries Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 104/462] net: rose: fix timer races against user threads Greg Kroah-Hartman
` (362 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Rafael J. Wysocki,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit e20a70c572539a486dbd91b225fa6a194a5e2122 ]
In hibernation_platform_enter(), the code did not check the
return value of syscore_suspend(), potentially leading to a
situation where syscore_resume() would be called even if
syscore_suspend() failed. This could cause unpredictable
behavior or system instability.
Modify the code sequence in question to properly handle errors returned
by syscore_suspend(). If an error occurs in the suspend path, the code
now jumps to label 'Enable_irqs' skipping the syscore_resume() call and
only enabling interrupts after setting the system state to SYSTEM_RUNNING.
Fixes: 40dc166cb5dd ("PM / Core: Introduce struct syscore_ops for core subsystems PM")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20250119143205.2103-1-vulab@iscas.ac.cn
[ rjw: Changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/hibernate.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index 59a1b126c369b..f2b2a2dcdb87b 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -590,7 +590,11 @@ int hibernation_platform_enter(void)
local_irq_disable();
system_state = SYSTEM_SUSPEND;
- syscore_suspend();
+
+ error = syscore_suspend();
+ if (error)
+ goto Enable_irqs;
+
if (pm_wakeup_pending()) {
error = -EAGAIN;
goto Power_up;
@@ -602,6 +606,7 @@ int hibernation_platform_enter(void)
Power_up:
syscore_resume();
+ Enable_irqs:
system_state = SYSTEM_RUNNING;
local_irq_enable();
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 104/462] net: rose: fix timer races against user threads
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 103/462] PM: hibernate: Add error handling for syscore_suspend() Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 105/462] net: netdevsim: try to close UDP port harness races Greg Kroah-Hartman
` (361 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet, Jakub Kicinski,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 5de7665e0a0746b5ad7943554b34db8f8614a196 ]
Rose timers only acquire the socket spinlock, without
checking if the socket is owned by one user thread.
Add a check and rearm the timers if needed.
BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
Read of size 2 at addr ffff88802f09b82a by task swapper/0/0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
call_timer_fn+0x187/0x650 kernel/time/timer.c:1793
expire_timers kernel/time/timer.c:1844 [inline]
__run_timers kernel/time/timer.c:2418 [inline]
__run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430
run_timer_base kernel/time/timer.c:2439 [inline]
run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449
handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
</IRQ>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250122180244.1861468-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rose/rose_timer.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/net/rose/rose_timer.c b/net/rose/rose_timer.c
index f06ddbed3fed6..1525773e94aa1 100644
--- a/net/rose/rose_timer.c
+++ b/net/rose/rose_timer.c
@@ -122,6 +122,10 @@ static void rose_heartbeat_expiry(struct timer_list *t)
struct rose_sock *rose = rose_sk(sk);
bh_lock_sock(sk);
+ if (sock_owned_by_user(sk)) {
+ sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ/20);
+ goto out;
+ }
switch (rose->state) {
case ROSE_STATE_0:
/* Magic here: If we listen() and a new link dies before it
@@ -152,6 +156,7 @@ static void rose_heartbeat_expiry(struct timer_list *t)
}
rose_start_heartbeat(sk);
+out:
bh_unlock_sock(sk);
sock_put(sk);
}
@@ -162,6 +167,10 @@ static void rose_timer_expiry(struct timer_list *t)
struct sock *sk = &rose->sock;
bh_lock_sock(sk);
+ if (sock_owned_by_user(sk)) {
+ sk_reset_timer(sk, &rose->timer, jiffies + HZ/20);
+ goto out;
+ }
switch (rose->state) {
case ROSE_STATE_1: /* T1 */
case ROSE_STATE_4: /* T2 */
@@ -182,6 +191,7 @@ static void rose_timer_expiry(struct timer_list *t)
}
break;
}
+out:
bh_unlock_sock(sk);
sock_put(sk);
}
@@ -192,6 +202,10 @@ static void rose_idletimer_expiry(struct timer_list *t)
struct sock *sk = &rose->sock;
bh_lock_sock(sk);
+ if (sock_owned_by_user(sk)) {
+ sk_reset_timer(sk, &rose->idletimer, jiffies + HZ/20);
+ goto out;
+ }
rose_clear_queues(sk);
rose_write_internal(sk, ROSE_CLEAR_REQUEST);
@@ -207,6 +221,7 @@ static void rose_idletimer_expiry(struct timer_list *t)
sk->sk_state_change(sk);
sock_set_flag(sk, SOCK_DEAD);
}
+out:
bh_unlock_sock(sk);
sock_put(sk);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 105/462] net: netdevsim: try to close UDP port harness races
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 104/462] net: rose: fix timer races against user threads Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 106/462] net: davicom: fix UAF in dm9000_drv_remove Greg Kroah-Hartman
` (360 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+2e5de9e3ab986b71d2bf,
Michal Swiatkowski, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 50bf398e1ceacb9a7f85bd3bdca065ebe5cb6159 ]
syzbot discovered that we remove the debugfs files after we free
the netdev. Try to clean up the relevant dir while the device
is still around.
Reported-by: syzbot+2e5de9e3ab986b71d2bf@syzkaller.appspotmail.com
Fixes: 424be63ad831 ("netdevsim: add UDP tunnel port offload support")
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Link: https://patch.msgid.link/20250122224503.762705-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netdevsim/netdevsim.h | 1 +
drivers/net/netdevsim/udp_tunnels.c | 23 +++++++++++--------
.../drivers/net/netdevsim/udp_tunnel_nic.sh | 16 ++++++-------
3 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h
index c4e7ad2a19642..a001db758b13f 100644
--- a/drivers/net/netdevsim/netdevsim.h
+++ b/drivers/net/netdevsim/netdevsim.h
@@ -87,6 +87,7 @@ struct netdevsim {
u32 sleep;
u32 __ports[2][NSIM_UDP_TUNNEL_N_PORTS];
u32 (*ports)[NSIM_UDP_TUNNEL_N_PORTS];
+ struct dentry *ddir;
struct debugfs_u32_array dfs_ports[2];
} udp_ports;
diff --git a/drivers/net/netdevsim/udp_tunnels.c b/drivers/net/netdevsim/udp_tunnels.c
index 02dc3123eb6c1..640b4983a9a0d 100644
--- a/drivers/net/netdevsim/udp_tunnels.c
+++ b/drivers/net/netdevsim/udp_tunnels.c
@@ -112,9 +112,11 @@ nsim_udp_tunnels_info_reset_write(struct file *file, const char __user *data,
struct net_device *dev = file->private_data;
struct netdevsim *ns = netdev_priv(dev);
- memset(ns->udp_ports.ports, 0, sizeof(ns->udp_ports.__ports));
rtnl_lock();
- udp_tunnel_nic_reset_ntf(dev);
+ if (dev->reg_state == NETREG_REGISTERED) {
+ memset(ns->udp_ports.ports, 0, sizeof(ns->udp_ports.__ports));
+ udp_tunnel_nic_reset_ntf(dev);
+ }
rtnl_unlock();
return count;
@@ -144,23 +146,23 @@ int nsim_udp_tunnels_info_create(struct nsim_dev *nsim_dev,
else
ns->udp_ports.ports = nsim_dev->udp_ports.__ports;
- debugfs_create_u32("udp_ports_inject_error", 0600,
- ns->nsim_dev_port->ddir,
+ ns->udp_ports.ddir = debugfs_create_dir("udp_ports",
+ ns->nsim_dev_port->ddir);
+
+ debugfs_create_u32("inject_error", 0600, ns->udp_ports.ddir,
&ns->udp_ports.inject_error);
ns->udp_ports.dfs_ports[0].array = ns->udp_ports.ports[0];
ns->udp_ports.dfs_ports[0].n_elements = NSIM_UDP_TUNNEL_N_PORTS;
- debugfs_create_u32_array("udp_ports_table0", 0400,
- ns->nsim_dev_port->ddir,
+ debugfs_create_u32_array("table0", 0400, ns->udp_ports.ddir,
&ns->udp_ports.dfs_ports[0]);
ns->udp_ports.dfs_ports[1].array = ns->udp_ports.ports[1];
ns->udp_ports.dfs_ports[1].n_elements = NSIM_UDP_TUNNEL_N_PORTS;
- debugfs_create_u32_array("udp_ports_table1", 0400,
- ns->nsim_dev_port->ddir,
+ debugfs_create_u32_array("table1", 0400, ns->udp_ports.ddir,
&ns->udp_ports.dfs_ports[1]);
- debugfs_create_file("udp_ports_reset", 0200, ns->nsim_dev_port->ddir,
+ debugfs_create_file("reset", 0200, ns->udp_ports.ddir,
dev, &nsim_udp_tunnels_info_reset_fops);
/* Note: it's not normal to allocate the info struct like this!
@@ -196,6 +198,9 @@ int nsim_udp_tunnels_info_create(struct nsim_dev *nsim_dev,
void nsim_udp_tunnels_info_destroy(struct net_device *dev)
{
+ struct netdevsim *ns = netdev_priv(dev);
+
+ debugfs_remove_recursive(ns->udp_ports.ddir);
kfree(dev->udp_tunnel_nic_info);
dev->udp_tunnel_nic_info = NULL;
}
diff --git a/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh b/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh
index 185b02d2d4cd1..7af78990b5bb6 100755
--- a/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh
+++ b/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh
@@ -142,7 +142,7 @@ function pre_ethtool {
}
function check_table {
- local path=$NSIM_DEV_DFS/ports/$port/udp_ports_table$1
+ local path=$NSIM_DEV_DFS/ports/$port/udp_ports/table$1
local -n expected=$2
local last=$3
@@ -212,7 +212,7 @@ function check_tables {
}
function print_table {
- local path=$NSIM_DEV_DFS/ports/$port/udp_ports_table$1
+ local path=$NSIM_DEV_DFS/ports/$port/udp_ports/table$1
read -a have < $path
tree $NSIM_DEV_DFS/
@@ -640,7 +640,7 @@ for port in 0 1; do
NSIM_NETDEV=`get_netdev_name old_netdevs`
ifconfig $NSIM_NETDEV up
- echo 110 > $NSIM_DEV_DFS/ports/$port/udp_ports_inject_error
+ echo 110 > $NSIM_DEV_DFS/ports/$port/udp_ports/inject_error
msg="1 - create VxLANs v6"
exp0=( 0 0 0 0 )
@@ -662,7 +662,7 @@ for port in 0 1; do
new_geneve gnv0 20000
msg="2 - destroy GENEVE"
- echo 2 > $NSIM_DEV_DFS/ports/$port/udp_ports_inject_error
+ echo 2 > $NSIM_DEV_DFS/ports/$port/udp_ports/inject_error
exp1=( `mke 20000 2` 0 0 0 )
del_dev gnv0
@@ -763,7 +763,7 @@ for port in 0 1; do
msg="create VxLANs v4"
new_vxlan vxlan0 10000 $NSIM_NETDEV
- echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset
+ echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset
check_tables
msg="NIC device goes down"
@@ -774,7 +774,7 @@ for port in 0 1; do
fi
check_tables
- echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset
+ echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset
check_tables
msg="NIC device goes up again"
@@ -788,7 +788,7 @@ for port in 0 1; do
del_dev vxlan0
check_tables
- echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset
+ echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset
check_tables
msg="destroy NIC"
@@ -895,7 +895,7 @@ msg="vacate VxLAN in overflow table"
exp0=( `mke 10000 1` `mke 10004 1` 0 `mke 10003 1` )
del_dev vxlan2
-echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset
+echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset
check_tables
msg="tunnels destroyed 2"
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 106/462] net: davicom: fix UAF in dm9000_drv_remove
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 105/462] net: netdevsim: try to close UDP port harness races Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 107/462] perf trace: Fix runtime error of index out of bounds Greg Kroah-Hartman
` (359 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Uwe Kleine-König,
Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
[ Upstream commit 19e65c45a1507a1a2926649d2db3583ed9d55fd9 ]
dm is netdev private data and it cannot be
used after free_netdev() call. Using dm after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.
This is similar to the issue fixed in commit
ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove").
This bug is detected by our static analysis tool.
Fixes: cf9e60aa69ae ("net: davicom: Fix regulator not turned off on driver removal")
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
CC: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/20250123214213.623518-1-chenyuan0y@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/davicom/dm9000.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/davicom/dm9000.c b/drivers/net/ethernet/davicom/dm9000.c
index afc4a103c5080..79aef6b368836 100644
--- a/drivers/net/ethernet/davicom/dm9000.c
+++ b/drivers/net/ethernet/davicom/dm9000.c
@@ -1779,10 +1779,11 @@ dm9000_drv_remove(struct platform_device *pdev)
unregister_netdev(ndev);
dm9000_release_board(pdev, dm);
- free_netdev(ndev); /* free device structure */
if (dm->power_supply)
regulator_disable(dm->power_supply);
+ free_netdev(ndev); /* free device structure */
+
dev_dbg(&pdev->dev, "released and freed device\n");
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 107/462] perf trace: Fix runtime error of index out of bounds
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 106/462] net: davicom: fix UAF in dm9000_drv_remove Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 108/462] vsock: Allow retrying on connect() failure Greg Kroah-Hartman
` (358 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Howard Chu, Namhyung Kim,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Howard Chu <howardchu95@gmail.com>
[ Upstream commit c7b87ce0dd10b64b68a0b22cb83bbd556e28fe81 ]
libtraceevent parses and returns an array of argument fields, sometimes
larger than RAW_SYSCALL_ARGS_NUM (6) because it includes "__syscall_nr",
idx will traverse to index 6 (7th element) whereas sc->fmt->arg holds 6
elements max, creating an out-of-bounds access. This runtime error is
found by UBsan. The error message:
$ sudo UBSAN_OPTIONS=print_stacktrace=1 ./perf trace -a --max-events=1
builtin-trace.c:1966:35: runtime error: index 6 out of bounds for type 'syscall_arg_fmt [6]'
#0 0x5c04956be5fe in syscall__alloc_arg_fmts /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:1966
#1 0x5c04956c0510 in trace__read_syscall_info /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:2110
#2 0x5c04956c372b in trace__syscall_info /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:2436
#3 0x5c04956d2f39 in trace__init_syscalls_bpf_prog_array_maps /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:3897
#4 0x5c04956d6d25 in trace__run /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:4335
#5 0x5c04956e112e in cmd_trace /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:5502
#6 0x5c04956eda7d in run_builtin /home/howard/hw/linux-perf/tools/perf/perf.c:351
#7 0x5c04956ee0a8 in handle_internal_command /home/howard/hw/linux-perf/tools/perf/perf.c:404
#8 0x5c04956ee37f in run_argv /home/howard/hw/linux-perf/tools/perf/perf.c:448
#9 0x5c04956ee8e9 in main /home/howard/hw/linux-perf/tools/perf/perf.c:556
#10 0x79eb3622a3b7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x79eb3622a47a in __libc_start_main_impl ../csu/libc-start.c:360
#12 0x5c04955422d4 in _start (/home/howard/hw/linux-perf/tools/perf/perf+0x4e02d4) (BuildId: 5b6cab2d59e96a4341741765ad6914a4d784dbc6)
0.000 ( 0.014 ms): Chrome_ChildIO/117244 write(fd: 238, buf: !, count: 1) = 1
Fixes: 5e58fcfaf4c6 ("perf trace: Allow allocating sc->arg_fmt even without the syscall tracepoint")
Signed-off-by: Howard Chu <howardchu95@gmail.com>
Link: https://lore.kernel.org/r/20250122025519.361873-1-howardchu95@gmail.com
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-trace.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index 68189e6347205..178cf3a11f089 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1803,8 +1803,12 @@ static int trace__read_syscall_info(struct trace *trace, int id)
return PTR_ERR(sc->tp_format);
}
+ /*
+ * The tracepoint format contains __syscall_nr field, so it's one more
+ * than the actual number of syscall arguments.
+ */
if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ?
- RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields))
+ RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields - 1))
return -ENOMEM;
sc->args = sc->tp_format->format.fields;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 108/462] vsock: Allow retrying on connect() failure
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 107/462] perf trace: Fix runtime error of index out of bounds Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 109/462] bgmac: reduce max frame size to support just MTU 1500 Greg Kroah-Hartman
` (357 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Garzarella, Luigi Leonardi,
Michal Luczaj, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit aa388c72113b7458127b709bdd7d3628af26e9b4 ]
sk_err is set when a (connectible) connect() fails. Effectively, this makes
an otherwise still healthy SS_UNCONNECTED socket impossible to use for any
subsequent connection attempts.
Clear sk_err upon trying to establish a connection.
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-2-1cf57065b770@rbox.co
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/vmw_vsock/af_vsock.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 53a9c0a73489b..473ba765a4356 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1340,6 +1340,11 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
if (err < 0)
goto out;
+ /* sk_err might have been set as a result of an earlier
+ * (failed) connect attempt.
+ */
+ sk->sk_err = 0;
+
/* Mark sock as connecting and set the error code to in
* progress in case this is a non-blocking connect.
*/
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 109/462] bgmac: reduce max frame size to support just MTU 1500
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 108/462] vsock: Allow retrying on connect() failure Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 110/462] net: sh_eth: Fix missing rtnl lock in suspend/resume path Greg Kroah-Hartman
` (356 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafał Miłecki,
Simon Horman, Florian Fainelli, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafał Miłecki <rafal@milecki.pl>
[ Upstream commit 752e5fcc2e77358936d36ef8e522d6439372e201 ]
bgmac allocates new replacement buffer before handling each received
frame. Allocating & DMA-preparing 9724 B each time consumes a lot of CPU
time. Ideally bgmac should just respect currently set MTU but it isn't
the case right now. For now just revert back to the old limited frame
size.
This change bumps NAT masquerade speed by ~95%.
Since commit 8218f62c9c9b ("mm: page_frag: use initial zero offset for
page_frag_alloc_align()"), the bgmac driver fails to open its network
interface successfully and runs out of memory in the following call
stack:
bgmac_open
-> bgmac_dma_init
-> bgmac_dma_rx_skb_for_slot
-> netdev_alloc_frag
BGMAC_RX_ALLOC_SIZE = 10048 and PAGE_FRAG_CACHE_MAX_SIZE = 32768.
Eventually we land into __page_frag_alloc_align() with the following
parameters across multiple successive calls:
__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=0
__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=10048
__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=20096
__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=30144
So in that case we do indeed have offset + fragsz (40192) > size (32768)
and so we would eventually return NULL. Reverting to the older 1500
bytes MTU allows the network driver to be usable again.
Fixes: 8c7da63978f1 ("bgmac: configure MTU and add support for frames beyond 8192 byte size")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
[florian: expand commit message about recent commits]
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250127175159.1788246-1-florian.fainelli@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bgmac.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bgmac.h b/drivers/net/ethernet/broadcom/bgmac.h
index d1200b27af1ed..51ff5aceba99e 100644
--- a/drivers/net/ethernet/broadcom/bgmac.h
+++ b/drivers/net/ethernet/broadcom/bgmac.h
@@ -366,8 +366,7 @@
#define BGMAC_RX_FRAME_OFFSET 30 /* There are 2 unused bytes between header and real data */
#define BGMAC_RX_BUF_OFFSET (NET_SKB_PAD + NET_IP_ALIGN - \
BGMAC_RX_FRAME_OFFSET)
-/* Jumbo frame size with FCS */
-#define BGMAC_RX_MAX_FRAME_SIZE 9724
+#define BGMAC_RX_MAX_FRAME_SIZE 1536
#define BGMAC_RX_BUF_SIZE (BGMAC_RX_FRAME_OFFSET + BGMAC_RX_MAX_FRAME_SIZE)
#define BGMAC_RX_ALLOC_SIZE (SKB_DATA_ALIGN(BGMAC_RX_BUF_SIZE + BGMAC_RX_BUF_OFFSET) + \
SKB_DATA_ALIGN(sizeof(struct skb_shared_info)))
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 110/462] net: sh_eth: Fix missing rtnl lock in suspend/resume path
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 109/462] bgmac: reduce max frame size to support just MTU 1500 Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 111/462] net: hsr: fix fill_frame_info() regression vs VLAN packets Greg Kroah-Hartman
` (355 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Söderlund,
Sergey Shtylyov, Kory Maincent, Paolo Abeni, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kory Maincent <kory.maincent@bootlin.com>
[ Upstream commit b95102215a8d0987789715ce11c0d4ec031cbfbe ]
Fix the suspend/resume path by ensuring the rtnl lock is held where
required. Calls to sh_eth_close, sh_eth_open and wol operations must be
performed under the rtnl lock to prevent conflicts with ongoing ndo
operations.
Fixes: b71af04676e9 ("sh_eth: add more PM methods")
Tested-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/renesas/sh_eth.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
index 8927d59977458..e2019dc3ac563 100644
--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -3446,10 +3446,12 @@ static int sh_eth_suspend(struct device *dev)
netif_device_detach(ndev);
+ rtnl_lock();
if (mdp->wol_enabled)
ret = sh_eth_wol_setup(ndev);
else
ret = sh_eth_close(ndev);
+ rtnl_unlock();
return ret;
}
@@ -3463,10 +3465,12 @@ static int sh_eth_resume(struct device *dev)
if (!netif_running(ndev))
return 0;
+ rtnl_lock();
if (mdp->wol_enabled)
ret = sh_eth_wol_restore(ndev);
else
ret = sh_eth_open(ndev);
+ rtnl_unlock();
if (ret < 0)
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 111/462] net: hsr: fix fill_frame_info() regression vs VLAN packets
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 110/462] net: sh_eth: Fix missing rtnl lock in suspend/resume path Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 112/462] genksyms: fix memory leak when the same symbol is added from source Greg Kroah-Hartman
` (354 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Wurm, Eric Dumazet,
Simon Horman, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 0f5697f1a3f99bc2b674b8aa3c5da822c5673c11 ]
Stephan Wurm reported that my recent patch broke VLAN support.
Apparently skb->mac_len is not correct for VLAN traffic as
shown by debug traces [1].
Use instead pskb_may_pull() to make sure the expected header
is present in skb->head.
Many thanks to Stephan for his help.
[1]
kernel: skb len=170 headroom=2 headlen=170 tailroom=20
mac=(2,14) mac_len=14 net=(16,-1) trans=-1
shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
csum(0x0 start=0 offset=0 ip_summed=0 complete_sw=0 valid=0 level=0)
hash(0x0 sw=0 l4=0) proto=0x0000 pkttype=0 iif=0
priority=0x0 mark=0x0 alloc_cpu=0 vlan_all=0x0
encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
kernel: dev name=prp0 feat=0x0000000000007000
kernel: sk family=17 type=3 proto=0
kernel: skb headroom: 00000000: 74 00
kernel: skb linear: 00000000: 01 0c cd 01 00 01 00 d0 93 53 9c cb 81 00 80 00
kernel: skb linear: 00000010: 88 b8 00 01 00 98 00 00 00 00 61 81 8d 80 16 52
kernel: skb linear: 00000020: 45 47 44 4e 43 54 52 4c 2f 4c 4c 4e 30 24 47 4f
kernel: skb linear: 00000030: 24 47 6f 43 62 81 01 14 82 16 52 45 47 44 4e 43
kernel: skb linear: 00000040: 54 52 4c 2f 4c 4c 4e 30 24 44 73 47 6f 6f 73 65
kernel: skb linear: 00000050: 83 07 47 6f 49 64 65 6e 74 84 08 67 8d f5 93 7e
kernel: skb linear: 00000060: 76 c8 00 85 01 01 86 01 00 87 01 00 88 01 01 89
kernel: skb linear: 00000070: 01 00 8a 01 02 ab 33 a2 15 83 01 00 84 03 03 00
kernel: skb linear: 00000080: 00 91 08 67 8d f5 92 77 4b c6 1f 83 01 00 a2 1a
kernel: skb linear: 00000090: a2 06 85 01 00 83 01 00 84 03 03 00 00 91 08 67
kernel: skb linear: 000000a0: 8d f5 92 77 4b c6 1f 83 01 00
kernel: skb tailroom: 00000000: 80 18 02 00 fe 4e 00 00 01 01 08 0a 4f fd 5e d1
kernel: skb tailroom: 00000010: 4f fd 5e cd
Fixes: b9653d19e556 ("net: hsr: avoid potential out-of-bound access in fill_frame_info()")
Reported-by: Stephan Wurm <stephan.wurm@a-eberle.de>
Tested-by: Stephan Wurm <stephan.wurm@a-eberle.de>
Closes: https://lore.kernel.org/netdev/Z4o_UC0HweBHJ_cw@PC-LX-SteWu/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250129130007.644084-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/hsr/hsr_forward.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index a58c0be64272b..66df4d7cbfb1e 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -525,9 +525,12 @@ static int fill_frame_info(struct hsr_frame_info *frame,
frame->is_vlan = true;
if (frame->is_vlan) {
- if (skb->mac_len < offsetofend(struct hsr_vlan_ethhdr, vlanhdr))
+ /* Note: skb->mac_len might be wrong here. */
+ if (!pskb_may_pull(skb,
+ skb_mac_offset(skb) +
+ offsetofend(struct hsr_vlan_ethhdr, vlanhdr)))
return -EINVAL;
- vlan_hdr = (struct hsr_vlan_ethhdr *)ethhdr;
+ vlan_hdr = (struct hsr_vlan_ethhdr *)skb_mac_header(skb);
proto = vlan_hdr->vlanhdr.h_vlan_encapsulated_proto;
/* FIXME: */
netdev_warn_once(skb->dev, "VLAN not yet supported");
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 112/462] genksyms: fix memory leak when the same symbol is added from source
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 111/462] net: hsr: fix fill_frame_info() regression vs VLAN packets Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 113/462] genksyms: fix memory leak when the same symbol is read from *.symref file Greg Kroah-Hartman
` (353 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit 45c9c4101d3d2fdfa00852274bbebba65fcc3cf2 ]
When a symbol that is already registered is added again, __add_symbol()
returns without freeing the symbol definition, making it unreachable.
The following test cases demonstrate different memory leak points.
[Test Case 1]
Forward declaration with exactly the same definition
$ cat foo.c
#include <linux/export.h>
void foo(void);
void foo(void) {}
EXPORT_SYMBOL(foo);
[Test Case 2]
Forward declaration with a different definition (e.g. attribute)
$ cat foo.c
#include <linux/export.h>
void foo(void);
__attribute__((__section__(".ref.text"))) void foo(void) {}
EXPORT_SYMBOL(foo);
[Test Case 3]
Preserving an overridden symbol (compile with KBUILD_PRESERVE=1)
$ cat foo.c
#include <linux/export.h>
void foo(void);
void foo(void) { }
EXPORT_SYMBOL(foo);
$ cat foo.symref
override foo void foo ( int )
The memory leaks in Test Case 1 and 2 have existed since the introduction
of genksyms into the kernel tree. [1]
The memory leak in Test Case 3 was introduced by commit 5dae9a550a74
("genksyms: allow to ignore symbol checksum changes").
When multiple init_declarators are reduced to an init_declarator_list,
the decl_spec must be duplicated. Otherwise, the following Test Case 4
would result in a double-free bug.
[Test Case 4]
$ cat foo.c
#include <linux/export.h>
extern int foo, bar;
int foo, bar;
EXPORT_SYMBOL(foo);
In this case, 'foo' and 'bar' share the same decl_spec, 'int'. It must
be unshared before being passed to add_symbol().
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/history/history.git/commit/?id=46bd1da672d66ccd8a639d3c1f8a166048cca608
Fixes: 5dae9a550a74 ("genksyms: allow to ignore symbol checksum changes")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/genksyms/genksyms.c | 3 +++
scripts/genksyms/parse.y | 14 ++++++++++++--
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/scripts/genksyms/genksyms.c b/scripts/genksyms/genksyms.c
index 23eff234184f3..d74bad87ef1a7 100644
--- a/scripts/genksyms/genksyms.c
+++ b/scripts/genksyms/genksyms.c
@@ -241,6 +241,7 @@ static struct symbol *__add_symbol(const char *name, enum symbol_type type,
"unchanged\n");
}
sym->is_declared = 1;
+ free_list(defn, NULL);
return sym;
} else if (!sym->is_declared) {
if (sym->is_override && flag_preserve) {
@@ -249,6 +250,7 @@ static struct symbol *__add_symbol(const char *name, enum symbol_type type,
print_type_name(type, name);
fprintf(stderr, " modversion change\n");
sym->is_declared = 1;
+ free_list(defn, NULL);
return sym;
} else {
status = is_unknown_symbol(sym) ?
@@ -256,6 +258,7 @@ static struct symbol *__add_symbol(const char *name, enum symbol_type type,
}
} else {
error_with_pos("redefinition of %s", name);
+ free_list(defn, NULL);
return sym;
}
break;
diff --git a/scripts/genksyms/parse.y b/scripts/genksyms/parse.y
index e22b42245bcc2..7df3fe290d535 100644
--- a/scripts/genksyms/parse.y
+++ b/scripts/genksyms/parse.y
@@ -149,14 +149,19 @@ simple_declaration:
;
init_declarator_list_opt:
- /* empty */ { $$ = NULL; }
- | init_declarator_list
+ /* empty */ { $$ = NULL; }
+ | init_declarator_list { free_list(decl_spec, NULL); $$ = $1; }
;
init_declarator_list:
init_declarator
{ struct string_list *decl = *$1;
*$1 = NULL;
+
+ /* avoid sharing among multiple init_declarators */
+ if (decl_spec)
+ decl_spec = copy_list_range(decl_spec, NULL);
+
add_symbol(current_name,
is_typedef ? SYM_TYPEDEF : SYM_NORMAL, decl, is_extern);
current_name = NULL;
@@ -167,6 +172,11 @@ init_declarator_list:
*$3 = NULL;
free_list(*$2, NULL);
*$2 = decl_spec;
+
+ /* avoid sharing among multiple init_declarators */
+ if (decl_spec)
+ decl_spec = copy_list_range(decl_spec, NULL);
+
add_symbol(current_name,
is_typedef ? SYM_TYPEDEF : SYM_NORMAL, decl, is_extern);
current_name = NULL;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 113/462] genksyms: fix memory leak when the same symbol is read from *.symref file
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 112/462] genksyms: fix memory leak when the same symbol is added from source Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 114/462] hexagon: fix using plain integer as NULL pointer warning in cmpxchg Greg Kroah-Hartman
` (352 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit be2fa44b5180a1f021efb40c55fdf63c249c3209 ]
When a symbol that is already registered is read again from *.symref
file, __add_symbol() removes the previous one from the hash table without
freeing it.
[Test Case]
$ cat foo.c
#include <linux/export.h>
void foo(void);
void foo(void) {}
EXPORT_SYMBOL(foo);
$ cat foo.symref
foo void foo ( void )
foo void foo ( void )
When a symbol is removed from the hash table, it must be freed along
with its ->name and ->defn members. However, sym->name cannot be freed
because it is sometimes shared with node->string, but not always. If
sym->name and node->string share the same memory, free(sym->name) could
lead to a double-free bug.
To resolve this issue, always assign a strdup'ed string to sym->name.
Fixes: 64e6c1e12372 ("genksyms: track symbol checksum changes")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/genksyms/genksyms.c | 8 ++++++--
scripts/genksyms/genksyms.h | 2 +-
scripts/genksyms/parse.y | 4 ++--
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/scripts/genksyms/genksyms.c b/scripts/genksyms/genksyms.c
index d74bad87ef1a7..a87fafbbec268 100644
--- a/scripts/genksyms/genksyms.c
+++ b/scripts/genksyms/genksyms.c
@@ -274,11 +274,15 @@ static struct symbol *__add_symbol(const char *name, enum symbol_type type,
break;
}
}
+
+ free_list(sym->defn, NULL);
+ free(sym->name);
+ free(sym);
--nsyms;
}
sym = xmalloc(sizeof(*sym));
- sym->name = name;
+ sym->name = xstrdup(name);
sym->type = type;
sym->defn = defn;
sym->expansion_trail = NULL;
@@ -485,7 +489,7 @@ static void read_reference(FILE *f)
defn = def;
def = read_node(f);
}
- subsym = add_reference_symbol(xstrdup(sym->string), sym->tag,
+ subsym = add_reference_symbol(sym->string, sym->tag,
defn, is_extern);
subsym->is_override = is_override;
free_node(sym);
diff --git a/scripts/genksyms/genksyms.h b/scripts/genksyms/genksyms.h
index 2bcdb9bebab40..4ead4e0adb821 100644
--- a/scripts/genksyms/genksyms.h
+++ b/scripts/genksyms/genksyms.h
@@ -32,7 +32,7 @@ struct string_list {
struct symbol {
struct symbol *hash_next;
- const char *name;
+ char *name;
enum symbol_type type;
struct string_list *defn;
struct symbol *expansion_trail;
diff --git a/scripts/genksyms/parse.y b/scripts/genksyms/parse.y
index 7df3fe290d535..84813ce54a2dd 100644
--- a/scripts/genksyms/parse.y
+++ b/scripts/genksyms/parse.y
@@ -479,12 +479,12 @@ enumerator_list:
enumerator:
IDENT
{
- const char *name = strdup((*$1)->string);
+ const char *name = (*$1)->string;
add_symbol(name, SYM_ENUM_CONST, NULL, 0);
}
| IDENT '=' EXPRESSION_PHRASE
{
- const char *name = strdup((*$1)->string);
+ const char *name = (*$1)->string;
struct string_list *expr = copy_list_range(*$3, *$2);
add_symbol(name, SYM_ENUM_CONST, expr, 0);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 114/462] hexagon: fix using plain integer as NULL pointer warning in cmpxchg
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 113/462] genksyms: fix memory leak when the same symbol is read from *.symref file Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 115/462] hexagon: Fix unbalanced spinlock in die() Greg Kroah-Hartman
` (351 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Willem de Bruijn,
Christian Gmeiner, Brian Cain, Brian Cain, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
[ Upstream commit 8a20030038742b9915c6d811a4e6c14b126cafb4 ]
Sparse reports
net/ipv4/inet_diag.c:1511:17: sparse: sparse: Using plain integer as NULL pointer
Due to this code calling cmpxchg on a non-integer type
struct inet_diag_handler *
return !cmpxchg((const struct inet_diag_handler**)&inet_diag_table[type],
NULL, h) ? 0 : -EEXIST;
While hexagon's cmpxchg assigns an integer value to a variable of this
type.
__typeof__(*(ptr)) __oldval = 0;
Update this assignment to cast 0 to the correct type.
The original issue is easily reproduced at head with the below block,
and is absent after this change.
make LLVM=1 ARCH=hexagon defconfig
make C=1 LLVM=1 ARCH=hexagon net/ipv4/inet_diag.o
Fixes: 99a70aa051d2 ("Hexagon: Add processor and system headers")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202411091538.PGSTqUBi-lkp@intel.com/
Signed-off-by: Willem de Bruijn <willemb@google.com>
Tested-by: Christian Gmeiner <cgmeiner@igalia.com>
Link: https://lore.kernel.org/r/20241203221736.282020-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Brian Cain <bcain@quicinc.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/hexagon/include/asm/cmpxchg.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/hexagon/include/asm/cmpxchg.h b/arch/hexagon/include/asm/cmpxchg.h
index 92b8a02e588ac..9c5f07749933e 100644
--- a/arch/hexagon/include/asm/cmpxchg.h
+++ b/arch/hexagon/include/asm/cmpxchg.h
@@ -56,7 +56,7 @@ static inline unsigned long __xchg(unsigned long x, volatile void *ptr,
__typeof__(ptr) __ptr = (ptr); \
__typeof__(*(ptr)) __old = (old); \
__typeof__(*(ptr)) __new = (new); \
- __typeof__(*(ptr)) __oldval = 0; \
+ __typeof__(*(ptr)) __oldval = (__typeof__(*(ptr))) 0; \
\
asm volatile( \
"1: %0 = memw_locked(%1);\n" \
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 115/462] hexagon: Fix unbalanced spinlock in die()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 114/462] hexagon: fix using plain integer as NULL pointer warning in cmpxchg Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 116/462] NFSD: Reset cb_seq_status after NFS4ERR_DELAY Greg Kroah-Hartman
` (350 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lin Yujun, Brian Cain, Brian Cain,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Yujun <linyujun809@huawei.com>
[ Upstream commit 03410e87563a122075c3721acc7d5510e41d8332 ]
die executes holding the spinlock of &die.lock and unlock
it after printing the oops message.
However in the code if the notify_die() returns NOTIFY_STOP
, die() exit with returning 1 but never unlocked the spinlock.
Fix this by adding spin_unlock_irq(&die.lock) before returning.
Fixes: cf9750bae262 ("Hexagon: Provide basic debugging and system trap support.")
Signed-off-by: Lin Yujun <linyujun809@huawei.com>
Link: https://lore.kernel.org/r/20230522025608.2515558-1-linyujun809@huawei.com
Signed-off-by: Brian Cain <bcain@quicinc.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/hexagon/kernel/traps.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/hexagon/kernel/traps.c b/arch/hexagon/kernel/traps.c
index b334e80717099..653328606ef31 100644
--- a/arch/hexagon/kernel/traps.c
+++ b/arch/hexagon/kernel/traps.c
@@ -199,8 +199,10 @@ int die(const char *str, struct pt_regs *regs, long err)
printk(KERN_EMERG "Oops: %s[#%d]:\n", str, ++die.counter);
if (notify_die(DIE_OOPS, str, regs, err, pt_cause(regs), SIGSEGV) ==
- NOTIFY_STOP)
+ NOTIFY_STOP) {
+ spin_unlock_irq(&die.lock);
return 1;
+ }
print_modules();
show_regs(regs);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 116/462] NFSD: Reset cb_seq_status after NFS4ERR_DELAY
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 115/462] hexagon: Fix unbalanced spinlock in die() Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 117/462] netfilter: nf_tables: reject mismatching sum of field_len with set key length Greg Kroah-Hartman
` (349 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeff Layton, Benjamin Coddington,
Chuck Lever
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
commit 961b4b5e86bf56a2e4b567f81682defa5cba957e upstream.
I noticed that once an NFSv4.1 callback operation gets a
NFS4ERR_DELAY status on CB_SEQUENCE and then the connection is lost,
the callback client loops, resending it indefinitely.
The switch arm in nfsd4_cb_sequence_done() that handles
NFS4ERR_DELAY uses rpc_restart_call() to rearm the RPC state machine
for the retransmit, but that path does not call the rpc_prepare_call
callback again. Thus cb_seq_status is set to -10008 by the first
NFS4ERR_DELAY result, but is never set back to 1 for the retransmits.
nfsd4_cb_sequence_done() thinks it's getting nothing but a
long series of CB_SEQUENCE NFS4ERR_DELAY replies.
Fixes: 7ba6cad6c88f ("nfsd: New helper nfsd4_cb_sequence_done() for processing more cb errors")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4callback.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -1202,6 +1202,7 @@ static bool nfsd4_cb_sequence_done(struc
ret = false;
break;
case -NFS4ERR_DELAY:
+ cb->cb_seq_status = 1;
if (!rpc_restart_call(task))
goto out;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 117/462] netfilter: nf_tables: reject mismatching sum of field_len with set key length
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 116/462] NFSD: Reset cb_seq_status after NFS4ERR_DELAY Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 118/462] ktest.pl: Check kernelrelease return in get_version Greg Kroah-Hartman
` (348 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Noam Rathaus, Florian Westphal,
Pablo Neira Ayuso
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit 1b9335a8000fb70742f7db10af314104b6ace220 upstream.
The field length description provides the length of each separated key
field in the concatenation, each field gets rounded up to 32-bits to
calculate the pipapo rule width from pipapo_init(). The set key length
provides the total size of the key aligned to 32-bits.
Register-based arithmetics still allows for combining mismatching set
key length and field length description, eg. set key length 10 and field
description [ 5, 4 ] leading to pipapo width of 12.
Cc: stable@vger.kernel.org
Fixes: 3ce67e3793f4 ("netfilter: nf_tables: do not allow mismatch field size and set key length")
Reported-by: Noam Rathaus <noamr@ssd-disclosure.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4346,7 +4346,7 @@ static int nft_set_desc_concat_parse(con
static int nft_set_desc_concat(struct nft_set_desc *desc,
const struct nlattr *nla)
{
- u32 num_regs = 0, key_num_regs = 0;
+ u32 len = 0, num_regs;
struct nlattr *attr;
int rem, err, i;
@@ -4360,12 +4360,12 @@ static int nft_set_desc_concat(struct nf
}
for (i = 0; i < desc->field_count; i++)
- num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
+ len += round_up(desc->field_len[i], sizeof(u32));
- key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
- if (key_num_regs != num_regs)
+ if (len != desc->klen)
return -EINVAL;
+ num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
if (num_regs > NFT_REG32_COUNT)
return -E2BIG;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 118/462] ktest.pl: Check kernelrelease return in get_version
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 117/462] netfilter: nf_tables: reject mismatching sum of field_len with set key length Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 119/462] drivers/card_reader/rtsx_usb: Restore interrupt based detection Greg Kroah-Hartman
` (347 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Hawley, Ricardo B. Marliere,
Steven Rostedt
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marliere <rbm@suse.com>
commit a4e17a8f239a545c463f8ec27db4ed6e74b31841 upstream.
In the case of a test that uses the special option ${KERNEL_VERSION} in one
of its settings but has no configuration available in ${OUTPUT_DIR}, for
example if it's a new empty directory, then the `make kernelrelease` call
will fail and the subroutine will chomp an empty string, silently. Fix that
by adding an empty configuration and retrying.
Cc: stable@vger.kernel.org
Cc: John Hawley <warthog9@eaglescrag.net>
Fixes: 5f9b6ced04a4e ("ktest: Bisecting, install modules, add logging")
Link: https://lore.kernel.org/20241205-ktest_kver_fallback-v2-1-869dae4c7777@suse.com
Signed-off-by: Ricardo B. Marliere <rbm@suse.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/ktest/ktest.pl | 5 +++++
1 file changed, 5 insertions(+)
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -2350,6 +2350,11 @@ sub get_version {
return if ($have_version);
doprint "$make kernelrelease ... ";
$version = `$make -s kernelrelease | tail -1`;
+ if (!length($version)) {
+ run_command "$make allnoconfig" or return 0;
+ doprint "$make kernelrelease ... ";
+ $version = `$make -s kernelrelease | tail -1`;
+ }
chomp($version);
doprint "$version\n";
$have_version = 1;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 119/462] drivers/card_reader/rtsx_usb: Restore interrupt based detection
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 118/462] ktest.pl: Check kernelrelease return in get_version Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 120/462] usb: gadget: f_tcm: Fix Get/SetInterface return value Greg Kroah-Hartman
` (346 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Sean Rhodes
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Rhodes <sean@starlabs.systems>
commit 235b630eda072d7e7b102ab346d6b8a2c028a772 upstream.
This commit reintroduces interrupt-based card detection previously
used in the rts5139 driver. This functionality was removed in commit
00d8521dcd23 ("staging: remove rts5139 driver code").
Reintroducing this mechanism fixes presence detection for certain card
readers, which with the current driver, will taken approximately 20
seconds to enter S3 as `mmc_rescan` has to be frozen.
Fixes: 00d8521dcd23 ("staging: remove rts5139 driver code")
Cc: stable@vger.kernel.org
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sean Rhodes <sean@starlabs.systems>
Link: https://lore.kernel.org/r/20241119085815.11769-1-sean@starlabs.systems
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/cardreader/rtsx_usb.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/drivers/misc/cardreader/rtsx_usb.c
+++ b/drivers/misc/cardreader/rtsx_usb.c
@@ -286,6 +286,7 @@ static int rtsx_usb_get_status_with_bulk
int rtsx_usb_get_card_status(struct rtsx_ucr *ucr, u16 *status)
{
int ret;
+ u8 interrupt_val = 0;
u16 *buf;
if (!status)
@@ -308,6 +309,20 @@ int rtsx_usb_get_card_status(struct rtsx
ret = rtsx_usb_get_status_with_bulk(ucr, status);
}
+ rtsx_usb_read_register(ucr, CARD_INT_PEND, &interrupt_val);
+ /* Cross check presence with interrupts */
+ if (*status & XD_CD)
+ if (!(interrupt_val & XD_INT))
+ *status &= ~XD_CD;
+
+ if (*status & SD_CD)
+ if (!(interrupt_val & SD_INT))
+ *status &= ~SD_CD;
+
+ if (*status & MS_CD)
+ if (!(interrupt_val & MS_INT))
+ *status &= ~MS_CD;
+
/* usb_control_msg may return positive when success */
if (ret < 0)
return ret;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 120/462] usb: gadget: f_tcm: Fix Get/SetInterface return value
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 119/462] drivers/card_reader/rtsx_usb: Restore interrupt based detection Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 121/462] usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to PD_T_SENDER_RESPONSE Greg Kroah-Hartman
` (345 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
commit 3b997089903b909684114aca6f79d683e5c64a0e upstream.
Check to make sure that the GetInterface and SetInterface are for valid
interface. Return proper alternate setting number on GetInterface.
Fixes: 0b8b1a1fede0 ("usb: gadget: f_tcm: Provide support to get alternate setting in tcm function")
Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/ffd91b4640945ea4d3b4f4091cf1abbdbd9cf4fc.1733876548.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_tcm.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -2102,9 +2102,14 @@ static void tcm_delayed_set_alt(struct w
static int tcm_get_alt(struct usb_function *f, unsigned intf)
{
- if (intf == bot_intf_desc.bInterfaceNumber)
+ struct f_uas *fu = to_f_uas(f);
+
+ if (fu->iface != intf)
+ return -EOPNOTSUPP;
+
+ if (fu->flags & USBG_IS_BOT)
return USB_G_ALT_INT_BBB;
- if (intf == uasp_intf_desc.bInterfaceNumber)
+ else if (fu->flags & USBG_IS_UAS)
return USB_G_ALT_INT_UAS;
return -EOPNOTSUPP;
@@ -2114,6 +2119,9 @@ static int tcm_set_alt(struct usb_functi
{
struct f_uas *fu = to_f_uas(f);
+ if (fu->iface != intf)
+ return -EOPNOTSUPP;
+
if ((alt == USB_G_ALT_INT_BBB) || (alt == USB_G_ALT_INT_UAS)) {
struct guas_setup_wq *work;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 121/462] usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to PD_T_SENDER_RESPONSE
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 120/462] usb: gadget: f_tcm: Fix Get/SetInterface return value Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 122/462] HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections Greg Kroah-Hartman
` (344 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jos Wang, Badhri Jagan Sridharan
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jos Wang <joswang@lenovo.com>
commit 2eb3da037c2c20fa30bc502bc092479b2a1aaae2 upstream.
As PD2.0 spec ("8.3.3.2.3 PE_SRC_Send_Capabilities state"), after the
Source receives the GoodCRC Message from the Sink in response to the
Source_Capabilities message, it should start the SenderResponseTimer,
after the timer times out, the state machine transitions to the
HARD_RESET state.
Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
Cc: stable@vger.kernel.org
Signed-off-by: Jos Wang <joswang@lenovo.com>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Link: https://lore.kernel.org/r/20250105135245.7493-1-joswang1221@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -3195,7 +3195,7 @@ static void run_state_machine(struct tcp
port->caps_count = 0;
port->pd_capable = true;
tcpm_set_state_cond(port, SRC_SEND_CAPABILITIES_TIMEOUT,
- PD_T_SEND_SOURCE_CAP);
+ PD_T_SENDER_RESPONSE);
}
break;
case SRC_SEND_CAPABILITIES_TIMEOUT:
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 122/462] HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 121/462] usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to PD_T_SENDER_RESPONSE Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 123/462] media: uvcvideo: Fix double free in error path Greg Kroah-Hartman
` (343 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ec5f884c4a135aa0dbb9,
Alan Stern, Peter Hutterer, Jiri Kosina
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 64f2657b579343cf923aa933f08074e6258eb07b upstream.
A report in 2019 by the syzbot fuzzer was found to be connected to two
errors in the HID core associated with Resolution Multipliers. One of
the errors was fixed by commit ea427a222d8b ("HID: core: Fix deadloop
in hid_apply_multiplier."), but the other has not been fixed.
This error arises because hid_apply_multipler() assumes that every
Resolution Multiplier control is contained in a Logical Collection,
i.e., there's no way the routine can ever set multiplier_collection to
NULL. This is in spite of the fact that the function starts with a
big comment saying:
* "The Resolution Multiplier control must be contained in the same
* Logical Collection as the control(s) to which it is to be applied.
...
* If no Logical Collection is
* defined, the Resolution Multiplier is associated with all
* controls in the report."
* HID Usage Table, v1.12, Section 4.3.1, p30
*
* Thus, search from the current collection upwards until we find a
* logical collection...
The comment and the code overlook the possibility that none of the
collections found may be a Logical Collection.
The fix is to set the multiplier_collection pointer to NULL if the
collection found isn't a Logical Collection.
Reported-by: syzbot+ec5f884c4a135aa0dbb9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000109c040597dc5843@google.com/
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: Peter Hutterer <peter.hutterer@who-t.net>
Fixes: 5a4abb36f312 ("HID: core: process the Resolution Multiplier")
Cc: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-core.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1124,6 +1124,8 @@ static void hid_apply_multiplier(struct
while (multiplier_collection->parent_idx != -1 &&
multiplier_collection->type != HID_COLLECTION_LOGICAL)
multiplier_collection = &hid->collection[multiplier_collection->parent_idx];
+ if (multiplier_collection->type != HID_COLLECTION_LOGICAL)
+ multiplier_collection = NULL;
effective_multiplier = hid_calculate_multiplier(hid, multiplier);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 123/462] media: uvcvideo: Fix double free in error path
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 122/462] HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 124/462] usb: gadget: f_tcm: Dont free command immediately Greg Kroah-Hartman
` (342 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Laurent Pinchart,
Mauro Carvalho Chehab
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
commit c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac upstream.
If the uvc_status_init() function fails to allocate the int_urb, it will
free the dev->status pointer but doesn't reset the pointer to NULL. This
results in the kfree() call in uvc_status_cleanup() trying to
double-free the memory. Fix it by resetting the dev->status pointer to
NULL after freeing it.
Fixes: a31a4055473b ("V4L/DVB:usbvideo:don't use part of buffer for USB transfer #4")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20241107235130.31372-1-laurent.pinchart@ideasonboard.com
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_status.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/usb/uvc/uvc_status.c
+++ b/drivers/media/usb/uvc/uvc_status.c
@@ -269,6 +269,7 @@ int uvc_status_init(struct uvc_device *d
dev->int_urb = usb_alloc_urb(0, GFP_KERNEL);
if (dev->int_urb == NULL) {
kfree(dev->status);
+ dev->status = NULL;
return -ENOMEM;
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 124/462] usb: gadget: f_tcm: Dont free command immediately
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 123/462] media: uvcvideo: Fix double free in error path Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 125/462] btrfs: output the reason for open_ctree() failure Greg Kroah-Hartman
` (341 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
commit c225d006a31949d673e646d585d9569bc28feeb9 upstream.
Don't prematurely free the command. Wait for the status completion of
the sense status. It can be freed then. Otherwise we will double-free
the command.
Fixes: cff834c16d23 ("usb-gadget/tcm: Convert to TARGET_SCF_ACK_KREF I/O krefs")
Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/ae919ac431f16275e05ec819bdffb3ac5f44cbe1.1733876548.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_tcm.c | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -1068,7 +1068,6 @@ static void usbg_cmd_work(struct work_st
out:
transport_send_check_condition_and_sense(se_cmd,
TCM_UNSUPPORTED_SCSI_OPCODE, 1);
- transport_generic_free_cmd(&cmd->se_cmd, 0);
}
static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu,
@@ -1199,7 +1198,6 @@ static void bot_cmd_work(struct work_str
out:
transport_send_check_condition_and_sense(se_cmd,
TCM_UNSUPPORTED_SCSI_OPCODE, 1);
- transport_generic_free_cmd(&cmd->se_cmd, 0);
}
static int bot_submit_command(struct f_uas *fu,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 125/462] btrfs: output the reason for open_ctree() failure
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 124/462] usb: gadget: f_tcm: Dont free command immediately Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 126/462] btrfs: fix use-after-free when attempting to join an aborted transaction Greg Kroah-Hartman
` (340 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Anton Mitterer,
Filipe Manana, Qu Wenruo, David Sterba
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit d0f038104fa37380e2a725e669508e43d0c503e9 upstream.
There is a recent ML report that mounting a large fs backed by hardware
RAID56 controller (with one device missing) took too much time, and
systemd seems to kill the mount attempt.
In that case, the only error message is:
BTRFS error (device sdj): open_ctree failed
There is no reason on why the failure happened, making it very hard to
understand the reason.
At least output the error number (in the particular case it should be
-EINTR) to provide some clue.
Link: https://lore.kernel.org/linux-btrfs/9b9c4d2810abcca2f9f76e32220ed9a90febb235.camel@scientia.org/
Reported-by: Christoph Anton Mitterer <calestyo@scientia.org>
Cc: stable@vger.kernel.org
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1340,7 +1340,7 @@ static int btrfs_fill_super(struct super
err = open_ctree(sb, fs_devices, (char *)data);
if (err) {
- btrfs_err(fs_info, "open_ctree failed");
+ btrfs_err(fs_info, "open_ctree failed: %d", err);
return err;
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 126/462] btrfs: fix use-after-free when attempting to join an aborted transaction
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 125/462] btrfs: output the reason for open_ctree() failure Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 127/462] btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling Greg Kroah-Hartman
` (339 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+45212e9d87a98c3f5b42,
Dmitry Vyukov, Johannes Thumshirn, Qu Wenruo, Filipe Manana,
David Sterba, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit e2f0943cf37305dbdeaf9846e3c941451bcdef63 ]
When we are trying to join the current transaction and if it's aborted,
we read its 'aborted' field after unlocking fs_info->trans_lock and
without holding any extra reference count on it. This means that a
concurrent task that is aborting the transaction may free the transaction
before we read its 'aborted' field, leading to a use-after-free.
Fix this by reading the 'aborted' field while holding fs_info->trans_lock
since any freeing task must first acquire that lock and set
fs_info->running_transaction to NULL before freeing the transaction.
This was reported by syzbot and Dmitry with the following stack traces
from KASAN:
==================================================================
BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278
Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128
CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound btrfs_async_reclaim_data_space
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278
start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697
flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803
btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317
worker_thread+0x870/0xd30 kernel/workqueue.c:3398
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5315:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329
kmalloc_noprof include/linux/slab.h:901 [inline]
join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308
start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697
btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572
lookup_open fs/namei.c:3649 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0x1c03/0x3590 fs/namei.c:3984
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_creat fs/open.c:1495 [inline]
__se_sys_creat fs/open.c:1489 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1489
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5336:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4613 [inline]
kfree+0x196/0x430 mm/slub.c:4761
cleanup_transaction fs/btrfs/transaction.c:2063 [inline]
btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598
insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757
btrfs_balance+0x992/0x10c0 fs/btrfs/volumes.c:4633
btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3670
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888011839000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 36 bytes inside of
freed 2048-byte region [ffff888011839000, ffff888011839800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11838
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac42000 ffffea0000493400 dead000000000002
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac42000 ffffea0000493400 dead000000000002
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0000460e01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 57, tgid 57 (kworker/0:2), ts 67248182943, free_ts 67229742023
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1558
prep_new_page mm/page_alloc.c:1566 [inline]
get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3476
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4753
alloc_pages_mpol_noprof+0x3e1/0x780 mm/mempolicy.c:2269
alloc_slab_page+0x6a/0x110 mm/slub.c:2423
allocate_slab+0x5a/0x2b0 mm/slub.c:2589
new_slab mm/slub.c:2642 [inline]
___slab_alloc+0xc27/0x14a0 mm/slub.c:3830
__slab_alloc+0x58/0xa0 mm/slub.c:3920
__slab_alloc_node mm/slub.c:3995 [inline]
slab_alloc_node mm/slub.c:4156 [inline]
__do_kmalloc_node mm/slub.c:4297 [inline]
__kmalloc_node_track_caller_noprof+0x2e9/0x4c0 mm/slub.c:4317
kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
__alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1323 [inline]
alloc_skb_with_frags+0xc3/0x820 net/core/skbuff.c:6612
sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2884
sock_alloc_send_skb include/net/sock.h:1803 [inline]
mld_newpack+0x1c3/0xaf0 net/ipv6/mcast.c:1747
add_grhead net/ipv6/mcast.c:1850 [inline]
add_grec+0x1492/0x19a0 net/ipv6/mcast.c:1988
mld_send_cr net/ipv6/mcast.c:2114 [inline]
mld_ifc_work+0x691/0xd90 net/ipv6/mcast.c:2651
page last free pid 5300 tgid 5300 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0xd3f/0x1010 mm/page_alloc.c:2659
__slab_free+0x2c2/0x380 mm/slub.c:4524
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4119 [inline]
slab_alloc_node mm/slub.c:4168 [inline]
__do_kmalloc_node mm/slub.c:4297 [inline]
__kmalloc_noprof+0x236/0x4c0 mm/slub.c:4310
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
fib_create_info+0xc14/0x25b0 net/ipv4/fib_semantics.c:1435
fib_table_insert+0x1f6/0x1f20 net/ipv4/fib_trie.c:1231
fib_magic+0x3d8/0x620 net/ipv4/fib_frontend.c:1112
fib_add_ifaddr+0x40c/0x5e0 net/ipv4/fib_frontend.c:1156
fib_netdev_event+0x375/0x490 net/ipv4/fib_frontend.c:1494
notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85
__dev_notify_flags+0x207/0x400
dev_change_flags+0xf0/0x1a0 net/core/dev.c:9045
do_setlink+0xc90/0x4210 net/core/rtnetlink.c:3109
rtnl_changelink net/core/rtnetlink.c:3723 [inline]
__rtnl_newlink net/core/rtnetlink.c:3875 [inline]
rtnl_newlink+0x1bb6/0x2210 net/core/rtnetlink.c:4012
Memory state around the buggy address:
ffff888011838f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888011838f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888011839000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888011839080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888011839100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Reported-by: syzbot+45212e9d87a98c3f5b42@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/678e7da5.050a0220.303755.007c.GAE@google.com/
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Link: https://lore.kernel.org/linux-btrfs/CACT4Y+ZFBdo7pT8L2AzM=vegZwjp-wNkVJZQf0Ta3vZqtExaSw@mail.gmail.com/
Fixes: 871383be592b ("btrfs: add missing unlocks to transaction abort paths")
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/transaction.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
index d1f010022f689..21a5a963c70e3 100644
--- a/fs/btrfs/transaction.c
+++ b/fs/btrfs/transaction.c
@@ -285,8 +285,10 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info,
cur_trans = fs_info->running_transaction;
if (cur_trans) {
if (TRANS_ABORTED(cur_trans)) {
+ const int abort_error = cur_trans->aborted;
+
spin_unlock(&fs_info->trans_lock);
- return cur_trans->aborted;
+ return abort_error;
}
if (btrfs_blocked_trans_types[cur_trans->state] & type) {
spin_unlock(&fs_info->trans_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 127/462] btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 126/462] btrfs: fix use-after-free when attempting to join an aborted transaction Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 128/462] sched: Dont try to catch up excess steal time Greg Kroah-Hartman
` (338 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Josef Bacik,
David Sterba, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit 6a4730b325aaa48f7a5d5ba97aff0a955e2d9cec ]
This BUG_ON is meant to catch backref cache problems, but these can
arise from either bugs in the backref cache or corruption in the extent
tree. Fix it to be a proper error.
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/relocation.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
index 98e3b3749ec12..5b921e6ed94e2 100644
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -3976,8 +3976,18 @@ int btrfs_reloc_cow_block(struct btrfs_trans_handle *trans,
WARN_ON(!first_cow && level == 0);
node = rc->backref_cache.path[level];
- BUG_ON(node->bytenr != buf->start &&
- node->new_bytenr != buf->start);
+
+ /*
+ * If node->bytenr != buf->start and node->new_bytenr !=
+ * buf->start then we've got the wrong backref node for what we
+ * expected to see here and the cache is incorrect.
+ */
+ if (unlikely(node->bytenr != buf->start && node->new_bytenr != buf->start)) {
+ btrfs_err(fs_info,
+"bytenr %llu was found but our backref cache was expecting %llu or %llu",
+ buf->start, node->bytenr, node->new_bytenr);
+ return -EUCLEAN;
+ }
btrfs_backref_drop_node_buffer(node);
atomic_inc(&cow->refs);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 128/462] sched: Dont try to catch up excess steal time.
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 127/462] btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 129/462] lockdep: Fix upper limit for LOCKDEP_*_BITS configs Greg Kroah-Hartman
` (337 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suleiman Souhlal,
Peter Zijlstra (Intel), Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suleiman Souhlal <suleiman@google.com>
[ Upstream commit 108ad0999085df2366dd9ef437573955cb3f5586 ]
When steal time exceeds the measured delta when updating clock_task, we
currently try to catch up the excess in future updates.
However, this results in inaccurate run times for the future things using
clock_task, in some situations, as they end up getting additional steal
time that did not actually happen.
This is because there is a window between reading the elapsed time in
update_rq_clock() and sampling the steal time in update_rq_clock_task().
If the VCPU gets preempted between those two points, any additional
steal time is accounted to the outgoing task even though the calculated
delta did not actually contain any of that "stolen" time.
When this race happens, we can end up with steal time that exceeds the
calculated delta, and the previous code would try to catch up that excess
steal time in future clock updates, which is given to the next,
incoming task, even though it did not actually have any time stolen.
This behavior is particularly bad when steal time can be very long,
which we've seen when trying to extend steal time to contain the duration
that the host was suspended [0]. When this happens, clock_task stays
frozen, during which the running task stays running for the whole
duration, since its run time doesn't increase.
However the race can happen even under normal operation.
Ideally we would read the elapsed cpu time and the steal time atomically,
to prevent this race from happening in the first place, but doing so
is non-trivial.
Since the time between those two points isn't otherwise accounted anywhere,
neither to the outgoing task nor the incoming task (because the "end of
outgoing task" and "start of incoming task" timestamps are the same),
I would argue that the right thing to do is to simply drop any excess steal
time, in order to prevent these issues.
[0] https://lore.kernel.org/kvm/20240820043543.837914-1-suleiman@google.com/
Signed-off-by: Suleiman Souhlal <suleiman@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20241118043745.1857272-1-suleiman@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 7cf45d506688c..42dad8c8d6f28 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -279,13 +279,15 @@ static void update_rq_clock_task(struct rq *rq, s64 delta)
#endif
#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING
if (static_key_false((¶virt_steal_rq_enabled))) {
- steal = paravirt_steal_clock(cpu_of(rq));
+ u64 prev_steal;
+
+ steal = prev_steal = paravirt_steal_clock(cpu_of(rq));
steal -= rq->prev_steal_time_rq;
if (unlikely(steal > delta))
steal = delta;
- rq->prev_steal_time_rq += steal;
+ rq->prev_steal_time_rq = prev_steal;
delta -= steal;
}
#endif
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 129/462] lockdep: Fix upper limit for LOCKDEP_*_BITS configs
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 128/462] sched: Dont try to catch up excess steal time Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 130/462] x86/amd_nb: Restrict init function to AMD-based systems Greg Kroah-Hartman
` (336 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, J. R. Okajima, Peter Zijlstra,
Boqun Feng, Ingo Molnar, Waiman Long, Will Deacon, Carlos Llamas,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Llamas <cmllamas@google.com>
[ Upstream commit e638072e61726cae363d48812815197a2a0e097f ]
Lockdep has a set of configs used to determine the size of the static
arrays that it uses. However, the upper limit that was initially setup
for these configs is too high (30 bit shift). This equates to several
GiB of static memory for individual symbols. Using such high values
leads to linker errors:
$ make defconfig
$ ./scripts/config -e PROVE_LOCKING --set-val LOCKDEP_BITS 30
$ make olddefconfig all
[...]
ld: kernel image bigger than KERNEL_IMAGE_SIZE
ld: section .bss VMA wraps around address space
Adjust the upper limits to the maximum values that avoid these issues.
The need for anything more, likely points to a problem elsewhere. Note
that LOCKDEP_CHAINS_BITS was intentionally left out as its upper limit
had a different symptom and has already been fixed [1].
Reported-by: J. R. Okajima <hooanon05g@gmail.com>
Closes: https://lore.kernel.org/all/30795.1620913191@jrobl/ [1]
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Waiman Long <longman@redhat.com>
Cc: Will Deacon <will@kernel.org>
Acked-by: Waiman Long <longman@redhat.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Link: https://lore.kernel.org/r/20241024183631.643450-2-cmllamas@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/Kconfig.debug | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 24ca61cf86ddc..c20729cd67b1e 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1315,7 +1315,7 @@ config LOCKDEP_SMALL
config LOCKDEP_BITS
int "Bitsize for MAX_LOCKDEP_ENTRIES"
depends on LOCKDEP && !LOCKDEP_SMALL
- range 10 30
+ range 10 24
default 15
help
Try increasing this value if you hit "BUG: MAX_LOCKDEP_ENTRIES too low!" message.
@@ -1331,7 +1331,7 @@ config LOCKDEP_CHAINS_BITS
config LOCKDEP_STACK_TRACE_BITS
int "Bitsize for MAX_STACK_TRACE_ENTRIES"
depends on LOCKDEP && !LOCKDEP_SMALL
- range 10 30
+ range 10 26
default 19
help
Try increasing this value if you hit "BUG: MAX_STACK_TRACE_ENTRIES too low!" message.
@@ -1339,7 +1339,7 @@ config LOCKDEP_STACK_TRACE_BITS
config LOCKDEP_STACK_TRACE_HASH_BITS
int "Bitsize for STACK_TRACE_HASH_SIZE"
depends on LOCKDEP && !LOCKDEP_SMALL
- range 10 30
+ range 10 26
default 14
help
Try increasing this value if you need large MAX_STACK_TRACE_ENTRIES.
@@ -1347,7 +1347,7 @@ config LOCKDEP_STACK_TRACE_HASH_BITS
config LOCKDEP_CIRCULAR_QUEUE_BITS
int "Bitsize for elements in circular_queue struct"
depends on LOCKDEP
- range 10 30
+ range 10 26
default 12
help
Try increasing this value if you hit "lockdep bfs error:-1" warning due to __cq_enqueue() failure.
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 130/462] x86/amd_nb: Restrict init function to AMD-based systems
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 129/462] lockdep: Fix upper limit for LOCKDEP_*_BITS configs Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 131/462] printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX Greg Kroah-Hartman
` (335 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yazen Ghannam, Borislav Petkov (AMD),
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yazen Ghannam <yazen.ghannam@amd.com>
[ Upstream commit bee9e840609cc67d0a7d82f22a2130fb7a0a766d ]
The code implicitly operates on AMD-based systems by matching on PCI
IDs. However, the use of these IDs is going away.
Add an explicit CPU vendor check instead of relying on PCI IDs.
Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20241206161210.163701-3-yazen.ghannam@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/amd_nb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c
index 16cd56627574d..3dcaeb25ee301 100644
--- a/arch/x86/kernel/amd_nb.c
+++ b/arch/x86/kernel/amd_nb.c
@@ -536,6 +536,10 @@ static __init void fix_erratum_688(void)
static __init int init_amd_nbs(void)
{
+ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
+ boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
+ return 0;
+
amd_cache_northbridges();
amd_cache_gart();
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 131/462] printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 130/462] x86/amd_nb: Restrict init function to AMD-based systems Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 132/462] safesetid: check size of policy writes Greg Kroah-Hartman
` (334 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kuan-Wei Chiu, Petr Mladek,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuan-Wei Chiu <visitorckw@gmail.com>
[ Upstream commit 3d6f83df8ff2d5de84b50377e4f0d45e25311c7a ]
Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which
leads to undefined behavior. To prevent this, cast 1 to u32 before
performing the shift, ensuring well-defined behavior.
This change explicitly avoids any potential overflow by ensuring that
the shift occurs on an unsigned 32-bit integer.
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Acked-by: Petr Mladek <pmladek@suse.com>
Link: https://lore.kernel.org/r/20240928113608.1438087-1-visitorckw@gmail.com
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/printk/printk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index a8af93cbc2936..3a7fd61c0e7be 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -420,7 +420,7 @@ static u64 clear_seq;
/* record buffer */
#define LOG_ALIGN __alignof__(unsigned long)
#define __LOG_BUF_LEN (1 << CONFIG_LOG_BUF_SHIFT)
-#define LOG_BUF_LEN_MAX (u32)(1 << 31)
+#define LOG_BUF_LEN_MAX ((u32)1 << 31)
static char __log_buf[__LOG_BUF_LEN] __aligned(LOG_ALIGN);
static char *log_buf = __log_buf;
static u32 log_buf_len = __LOG_BUF_LEN;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 132/462] safesetid: check size of policy writes
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 131/462] printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 133/462] tun: fix group permission check Greg Kroah-Hartman
` (333 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4eb7a741b3216020043a,
Leo Stone, Paul Moore, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Stone <leocstone@gmail.com>
[ Upstream commit f09ff307c7299392f1c88f763299e24bc99811c7 ]
syzbot attempts to write a buffer with a large size to a sysfs entry
with writes handled by handle_policy_update(), triggering a warning
in kmalloc.
Check the size specified for write buffers before allocating.
Reported-by: syzbot+4eb7a741b3216020043a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4eb7a741b3216020043a
Signed-off-by: Leo Stone <leocstone@gmail.com>
[PM: subject tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/safesetid/securityfs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c
index 25310468bcddf..8e1ffd70b18ab 100644
--- a/security/safesetid/securityfs.c
+++ b/security/safesetid/securityfs.c
@@ -143,6 +143,9 @@ static ssize_t handle_policy_update(struct file *file,
char *buf, *p, *end;
int err;
+ if (len >= KMALLOC_MAX_SIZE)
+ return -EINVAL;
+
pol = kmalloc(sizeof(struct setid_ruleset), GFP_KERNEL);
if (!pol)
return -ENOMEM;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 133/462] tun: fix group permission check
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 132/462] safesetid: check size of policy writes Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 134/462] mmc: core: Respect quirk_max_rate for non-UHS SDIO card Greg Kroah-Hartman
` (332 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stas Sergeev, Willem de Bruijn,
Jason Wang, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stas Sergeev <stsp2@yandex.ru>
[ Upstream commit 3ca459eaba1bf96a8c7878de84fa8872259a01e3 ]
Currently tun checks the group permission even if the user have matched.
Besides going against the usual permission semantic, this has a
very interesting implication: if the tun group is not among the
supplementary groups of the tun user, then effectively no one can
access the tun device. CAP_SYS_ADMIN still can, but its the same as
not setting the tun ownership.
This patch relaxes the group checking so that either the user match
or the group match is enough. This avoids the situation when no one
can access the device even though the ownership is properly set.
Also I simplified the logic by removing the redundant inversions:
tun_not_capable() --> !tun_capable()
Signed-off-by: Stas Sergeev <stsp2@yandex.ru>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://patch.msgid.link/20241205073614.294773-1-stsp2@yandex.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/tun.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index c34c6f0d23efe..52ea9f81d388b 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -586,14 +586,18 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb,
return ret;
}
-static inline bool tun_not_capable(struct tun_struct *tun)
+static inline bool tun_capable(struct tun_struct *tun)
{
const struct cred *cred = current_cred();
struct net *net = dev_net(tun->dev);
- return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) ||
- (gid_valid(tun->group) && !in_egroup_p(tun->group))) &&
- !ns_capable(net->user_ns, CAP_NET_ADMIN);
+ if (ns_capable(net->user_ns, CAP_NET_ADMIN))
+ return 1;
+ if (uid_valid(tun->owner) && uid_eq(cred->euid, tun->owner))
+ return 1;
+ if (gid_valid(tun->group) && in_egroup_p(tun->group))
+ return 1;
+ return 0;
}
static void tun_set_real_num_queues(struct tun_struct *tun)
@@ -2772,7 +2776,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
!!(tun->flags & IFF_MULTI_QUEUE))
return -EINVAL;
- if (tun_not_capable(tun))
+ if (!tun_capable(tun))
return -EPERM;
err = security_tun_dev_open(tun->security);
if (err < 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 134/462] mmc: core: Respect quirk_max_rate for non-UHS SDIO card
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 133/462] tun: fix group permission check Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 135/462] wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() Greg Kroah-Hartman
` (331 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shawn Lin, Ulf Hansson, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
[ Upstream commit a2a44f8da29352f76c99c6904ee652911b8dc7dd ]
The card-quirk was added to limit the clock-rate for a card with UHS-mode
support, although let's respect the quirk for non-UHS mode too, to make the
behaviour consistent.
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Message-ID: <1732268242-72799-1-git-send-email-shawn.lin@rock-chips.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/core/sdio.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c
index 85c2947ed45e3..a719f23fa1e95 100644
--- a/drivers/mmc/core/sdio.c
+++ b/drivers/mmc/core/sdio.c
@@ -443,6 +443,8 @@ static unsigned mmc_sdio_get_max_clock(struct mmc_card *card)
if (card->type == MMC_TYPE_SD_COMBO)
max_dtr = min(max_dtr, mmc_sd_get_max_clock(card));
+ max_dtr = min_not_zero(max_dtr, card->quirk_max_rate);
+
return max_dtr;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 135/462] wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 134/462] mmc: core: Respect quirk_max_rate for non-UHS SDIO card Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 136/462] tomoyo: dont emit warning in tomoyo_write_control() Greg Kroah-Hartman
` (330 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov, Arend van Spriel,
Kalle Valo, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 3f4a0948c3524ae50f166dbc6572a3296b014e62 ]
In 'wlc_phy_iqcal_gainparams_nphy()', add gain range check to WARN()
instead of possible out-of-bounds 'tbl_iqcal_gainparams_nphy' access.
Compile tested only.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20241210070441.836362-1-dmantipov@yandex.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c
index 8580a27547891..42e7bc67e9143 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c
@@ -23427,6 +23427,9 @@ wlc_phy_iqcal_gainparams_nphy(struct brcms_phy *pi, u16 core_no,
break;
}
+ if (WARN_ON(k == NPHY_IQCAL_NUMGAINS))
+ return;
+
params->txgm = tbl_iqcal_gainparams_nphy[band_idx][k][1];
params->pga = tbl_iqcal_gainparams_nphy[band_idx][k][2];
params->pad = tbl_iqcal_gainparams_nphy[band_idx][k][3];
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 136/462] tomoyo: dont emit warning in tomoyo_write_control()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 135/462] wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 137/462] mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id Greg Kroah-Hartman
` (329 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7536f77535e5210a5c76,
Leo Stone, Tetsuo Handa, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 3df7546fc03b8f004eee0b9e3256369f7d096685 ]
syzbot is reporting too large allocation warning at tomoyo_write_control(),
for one can write a very very long line without new line character. To fix
this warning, I use __GFP_NOWARN rather than checking for KMALLOC_MAX_SIZE,
for practically a valid line should be always shorter than 32KB where the
"too small to fail" memory-allocation rule applies.
One might try to write a valid line that is longer than 32KB, but such
request will likely fail with -ENOMEM. Therefore, I feel that separately
returning -EINVAL when a line is longer than KMALLOC_MAX_SIZE is redundant.
There is no need to distinguish over-32KB and over-KMALLOC_MAX_SIZE.
Reported-by: syzbot+7536f77535e5210a5c76@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76
Reported-by: Leo Stone <leocstone@gmail.com>
Closes: https://lkml.kernel.org/r/20241216021459.178759-2-leocstone@gmail.com
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/tomoyo/common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 6235c3be832aa..e23993c784405 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2673,7 +2673,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
if (head->w.avail >= head->writebuf_size - 1) {
const int len = head->writebuf_size * 2;
- char *cp = kzalloc(len, GFP_NOFS);
+ char *cp = kzalloc(len, GFP_NOFS | __GFP_NOWARN);
if (!cp) {
error = -ENOMEM;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 137/462] mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 136/462] tomoyo: dont emit warning in tomoyo_write_control() Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 138/462] HID: Wacom: Add PCI Wacom device support Greg Kroah-Hartman
` (328 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Andy Shevchenko,
Lee Jones, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 1e89d21f8189d286f80b900e1b7cf57cb1f3037e ]
On N4100 / N4120 Gemini Lake SoCs the ISA bridge PCI device-id is 31e8
rather the 3197 found on e.g. the N4000 / N4020.
While at fix the existing GLK PCI-id table entry breaking the table
being sorted by device-id.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Link: https://lore.kernel.org/r/20241114193808.110132-1-hdegoede@redhat.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/lpc_ich.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/mfd/lpc_ich.c b/drivers/mfd/lpc_ich.c
index 2411b7a2e6f47..4c21c00124d5e 100644
--- a/drivers/mfd/lpc_ich.c
+++ b/drivers/mfd/lpc_ich.c
@@ -687,8 +687,9 @@ static const struct pci_device_id lpc_ich_ids[] = {
{ PCI_VDEVICE(INTEL, 0x2917), LPC_ICH9ME},
{ PCI_VDEVICE(INTEL, 0x2918), LPC_ICH9},
{ PCI_VDEVICE(INTEL, 0x2919), LPC_ICH9M},
- { PCI_VDEVICE(INTEL, 0x3197), LPC_GLK},
{ PCI_VDEVICE(INTEL, 0x2b9c), LPC_COUGARMOUNTAIN},
+ { PCI_VDEVICE(INTEL, 0x3197), LPC_GLK},
+ { PCI_VDEVICE(INTEL, 0x31e8), LPC_GLK},
{ PCI_VDEVICE(INTEL, 0x3a14), LPC_ICH10DO},
{ PCI_VDEVICE(INTEL, 0x3a16), LPC_ICH10R},
{ PCI_VDEVICE(INTEL, 0x3a18), LPC_ICH10},
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 138/462] HID: Wacom: Add PCI Wacom device support
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 137/462] mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 139/462] net/mlx5: use do_aux_work for PHC overflow checks Greg Kroah-Hartman
` (327 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Even Xu, Tatsunosuke Tobita,
Ping Cheng, Jiri Kosina, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Even Xu <even.xu@intel.com>
[ Upstream commit c4c123504a65583e3689b3de04a61dc5272e453a ]
Add PCI device ID of wacom device into driver support list.
Signed-off-by: Even Xu <even.xu@intel.com>
Tested-by: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/wacom_wac.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
index fd1491b7ccbd4..0ad3924324ae2 100644
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -4851,6 +4851,10 @@ static const struct wacom_features wacom_features_0x94 =
HID_DEVICE(BUS_I2C, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\
.driver_data = (kernel_ulong_t)&wacom_features_##prod
+#define PCI_DEVICE_WACOM(prod) \
+ HID_DEVICE(BUS_PCI, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\
+ .driver_data = (kernel_ulong_t)&wacom_features_##prod
+
#define USB_DEVICE_LENOVO(prod) \
HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, prod), \
.driver_data = (kernel_ulong_t)&wacom_features_##prod
@@ -5020,6 +5024,7 @@ const struct hid_device_id wacom_ids[] = {
{ USB_DEVICE_WACOM(HID_ANY_ID) },
{ I2C_DEVICE_WACOM(HID_ANY_ID) },
+ { PCI_DEVICE_WACOM(HID_ANY_ID) },
{ BT_DEVICE_WACOM(HID_ANY_ID) },
{ }
};
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 139/462] net/mlx5: use do_aux_work for PHC overflow checks
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 138/462] HID: Wacom: Add PCI Wacom device support Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 140/462] i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz Greg Kroah-Hartman
` (326 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Vadim Fedorenko,
Tariq Toukan, Paolo Abeni, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vadim Fedorenko <vadfed@meta.com>
[ Upstream commit e61e6c415ba9ff2b32bb6780ce1b17d1d76238f1 ]
The overflow_work is using system wq to do overflow checks and updates
for PHC device timecounter, which might be overhelmed by other tasks.
But there is dedicated kthread in PTP subsystem designed for such
things. This patch changes the work queue to proper align with PTP
subsystem and to avoid overloading system work queue.
The adjfine() function acts the same way as overflow check worker,
we can postpone ptp aux worker till the next overflow period after
adjfine() was called.
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
Acked-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20250107104812.380225-1-vadfed@meta.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/mellanox/mlx5/core/lib/clock.c | 24 ++++++++++---------
include/linux/mlx5/driver.h | 1 -
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
index 80dee8c692495..3d0029fb5b579 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
@@ -150,17 +150,16 @@ static void mlx5_pps_out(struct work_struct *work)
}
}
-static void mlx5_timestamp_overflow(struct work_struct *work)
+static long mlx5_timestamp_overflow(struct ptp_clock_info *ptp_info)
{
- struct delayed_work *dwork = to_delayed_work(work);
struct mlx5_core_dev *mdev;
struct mlx5_timer *timer;
struct mlx5_clock *clock;
unsigned long flags;
- timer = container_of(dwork, struct mlx5_timer, overflow_work);
- clock = container_of(timer, struct mlx5_clock, timer);
+ clock = container_of(ptp_info, struct mlx5_clock, ptp_info);
mdev = container_of(clock, struct mlx5_core_dev, clock);
+ timer = &clock->timer;
if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR)
goto out;
@@ -171,7 +170,7 @@ static void mlx5_timestamp_overflow(struct work_struct *work)
write_sequnlock_irqrestore(&clock->lock, flags);
out:
- schedule_delayed_work(&timer->overflow_work, timer->overflow_period);
+ return timer->overflow_period;
}
static int mlx5_ptp_settime(struct ptp_clock_info *ptp, const struct timespec64 *ts)
@@ -253,6 +252,7 @@ static int mlx5_ptp_adjfreq(struct ptp_clock_info *ptp, s32 delta)
timer->nominal_c_mult + diff;
mlx5_update_clock_info_page(mdev);
write_sequnlock_irqrestore(&clock->lock, flags);
+ ptp_schedule_worker(clock->ptp, timer->overflow_period);
return 0;
}
@@ -467,6 +467,7 @@ static const struct ptp_clock_info mlx5_ptp_clock_info = {
.settime64 = mlx5_ptp_settime,
.enable = NULL,
.verify = NULL,
+ .do_aux_work = mlx5_timestamp_overflow,
};
static int mlx5_query_mtpps_pin_mode(struct mlx5_core_dev *mdev, u8 pin,
@@ -649,12 +650,11 @@ static void mlx5_init_overflow_period(struct mlx5_clock *clock)
do_div(ns, NSEC_PER_SEC / HZ);
timer->overflow_period = ns;
- INIT_DELAYED_WORK(&timer->overflow_work, mlx5_timestamp_overflow);
- if (timer->overflow_period)
- schedule_delayed_work(&timer->overflow_work, 0);
- else
+ if (!timer->overflow_period) {
+ timer->overflow_period = HZ;
mlx5_core_warn(mdev,
- "invalid overflow period, overflow_work is not scheduled\n");
+ "invalid overflow period, overflow_work is scheduled once per second\n");
+ }
if (clock_info)
clock_info->overflow_period = timer->overflow_period;
@@ -718,6 +718,9 @@ void mlx5_init_clock(struct mlx5_core_dev *mdev)
MLX5_NB_INIT(&clock->pps_nb, mlx5_pps_event, PPS_EVENT);
mlx5_eq_notifier_register(mdev, &clock->pps_nb);
+
+ if (clock->ptp)
+ ptp_schedule_worker(clock->ptp, 0);
}
void mlx5_cleanup_clock(struct mlx5_core_dev *mdev)
@@ -734,7 +737,6 @@ void mlx5_cleanup_clock(struct mlx5_core_dev *mdev)
}
cancel_work_sync(&clock->pps_info.out_work);
- cancel_delayed_work_sync(&clock->timer.overflow_work);
if (mdev->clock_info) {
free_page((unsigned long)mdev->clock_info);
diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
index 68a12caf5eb16..56cb2fbc496e6 100644
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -651,7 +651,6 @@ struct mlx5_timer {
struct timecounter tc;
u32 nominal_c_mult;
unsigned long overflow_period;
- struct delayed_work overflow_work;
};
struct mlx5_clock {
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 140/462] i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 139/462] net/mlx5: use do_aux_work for PHC overflow checks Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 141/462] APEI: GHES: Have GHES honor the panic= setting Greg Kroah-Hartman
` (325 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randolph Ha, Mika Westerberg,
Wolfram Sang, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randolph Ha <rha051117@gmail.com>
[ Upstream commit bfd74cd1fbc026f04446e67d6915c7e199c2bffd ]
When a 400KHz freq is used on this model of ELAN touchpad in Linux,
excessive smoothing (similar to when the touchpad's firmware detects
a noisy signal) is sometimes applied. As some devices' (e.g, Lenovo
V15 G4) ACPI tables specify a 400KHz frequency for this device and
some I2C busses (e.g, Designware I2C) default to a 400KHz freq,
force the speed to 100KHz as a workaround.
For future investigation: This problem may be related to the default
HCNT/LCNT values given by some busses' drivers, because they are not
specified in the aforementioned devices' ACPI tables, and because
the device works without issues on Windows at what is expected to be
a 400KHz frequency. The root cause of the issue is not known.
Signed-off-by: Randolph Ha <rha051117@gmail.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-core-acpi.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
index 4b136d8710743..e7aed9442d56d 100644
--- a/drivers/i2c/i2c-core-acpi.c
+++ b/drivers/i2c/i2c-core-acpi.c
@@ -299,6 +299,25 @@ static const struct acpi_device_id i2c_acpi_force_400khz_device_ids[] = {
{}
};
+static const struct acpi_device_id i2c_acpi_force_100khz_device_ids[] = {
+ /*
+ * When a 400KHz freq is used on this model of ELAN touchpad in Linux,
+ * excessive smoothing (similar to when the touchpad's firmware detects
+ * a noisy signal) is sometimes applied. As some devices' (e.g, Lenovo
+ * V15 G4) ACPI tables specify a 400KHz frequency for this device and
+ * some I2C busses (e.g, Designware I2C) default to a 400KHz freq,
+ * force the speed to 100KHz as a workaround.
+ *
+ * For future investigation: This problem may be related to the default
+ * HCNT/LCNT values given by some busses' drivers, because they are not
+ * specified in the aforementioned devices' ACPI tables, and because
+ * the device works without issues on Windows at what is expected to be
+ * a 400KHz frequency. The root cause of the issue is not known.
+ */
+ { "ELAN06FA", 0 },
+ {}
+};
+
static acpi_status i2c_acpi_lookup_speed(acpi_handle handle, u32 level,
void *data, void **return_value)
{
@@ -320,6 +339,9 @@ static acpi_status i2c_acpi_lookup_speed(acpi_handle handle, u32 level,
if (acpi_match_device_ids(adev, i2c_acpi_force_400khz_device_ids) == 0)
lookup->force_speed = I2C_MAX_FAST_MODE_FREQ;
+ if (acpi_match_device_ids(adev, i2c_acpi_force_100khz_device_ids) == 0)
+ lookup->force_speed = I2C_MAX_STANDARD_MODE_FREQ;
+
return AE_OK;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 141/462] APEI: GHES: Have GHES honor the panic= setting
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 140/462] i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 142/462] mmc: sdhci-msm: Correctly set the load for the regulator Greg Kroah-Hartman
` (324 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Feng Tang, Borislav Petkov (AMD),
Ira Weiny, Rafael J. Wysocki, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Borislav Petkov <bp@alien8.de>
[ Upstream commit 5c0e00a391dd0099fe95991bb2f962848d851916 ]
The GHES driver overrides the panic= setting by force-rebooting the
system after a fatal hw error has been reported. The intent being that
such an error would be reported earlier.
However, this is not optimal when a hard-to-debug issue requires long
time to reproduce and when that happens, the box will get rebooted after
30 seconds and thus destroy the whole hw context of when the error
happened.
So rip out the default GHES panic timeout and honor the global one.
In the panic disabled (panic=0) case, the error will still be logged to
dmesg for later inspection and if panic after a hw error is really
required, then that can be controlled the usual way - use panic= on the
cmdline or set it in the kernel .config's CONFIG_PANIC_TIMEOUT.
Reported-by: Feng Tang <feng.tang@linux.alibaba.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Feng Tang <feng.tang@linux.alibaba.com>
Reviewed-by: Ira Weiny <ira.weiny@intel.com>
Link: https://patch.msgid.link/20250113125224.GFZ4UMiNtWIJvgpveU@fat_crate.local
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/apei/ghes.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index 160606af8b4f5..a6c8514110736 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -155,8 +155,6 @@ static unsigned long ghes_estatus_pool_size_request;
static struct ghes_estatus_cache *ghes_estatus_caches[GHES_ESTATUS_CACHES_SIZE];
static atomic_t ghes_estatus_cache_alloced;
-static int ghes_panic_timeout __read_mostly = 30;
-
static void __iomem *ghes_map(u64 pfn, enum fixed_addresses fixmap_idx)
{
phys_addr_t paddr;
@@ -858,14 +856,16 @@ static void __ghes_panic(struct ghes *ghes,
struct acpi_hest_generic_status *estatus,
u64 buf_paddr, enum fixed_addresses fixmap_idx)
{
+ const char *msg = GHES_PFX "Fatal hardware error";
+
__ghes_print_estatus(KERN_EMERG, ghes->generic, estatus);
ghes_clear_estatus(ghes, estatus, buf_paddr, fixmap_idx);
- /* reboot to log the error! */
if (!panic_timeout)
- panic_timeout = ghes_panic_timeout;
- panic("Fatal hardware error!");
+ pr_emerg("%s but panic disabled\n", msg);
+
+ panic(msg);
}
static int ghes_proc(struct ghes *ghes)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 142/462] mmc: sdhci-msm: Correctly set the load for the regulator
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 141/462] APEI: GHES: Have GHES honor the panic= setting Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 143/462] tipc: re-order conditions in tipc_crypto_key_rcv() Greg Kroah-Hartman
` (323 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuanjie Yang, Dmitry Baryshkov,
Ulf Hansson, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuanjie Yang <quic_yuanjiey@quicinc.com>
[ Upstream commit 20a0c37e44063997391430c4ae09973e9cbc3911 ]
Qualcomm regulator supports two power supply modes: HPM and LPM.
Currently, the sdhci-msm.c driver does not set the load to adjust
the current for eMMC and SD. If the regulator dont't set correct
load in LPM state, it will lead to the inability to properly
initialize eMMC and SD.
Set the correct regulator current for eMMC and SD to ensure that the
device can work normally even when the regulator is in LPM.
Signed-off-by: Yuanjie Yang <quic_yuanjiey@quicinc.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20250114083514.258379-1-quic_yuanjiey@quicinc.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/sdhci-msm.c | 53 ++++++++++++++++++++++++++++++++++--
1 file changed, 51 insertions(+), 2 deletions(-)
diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
index 3366956a4ff18..c9298a986ef0a 100644
--- a/drivers/mmc/host/sdhci-msm.c
+++ b/drivers/mmc/host/sdhci-msm.c
@@ -131,9 +131,18 @@
/* Timeout value to avoid infinite waiting for pwr_irq */
#define MSM_PWR_IRQ_TIMEOUT_MS 5000
+/* Max load for eMMC Vdd supply */
+#define MMC_VMMC_MAX_LOAD_UA 570000
+
/* Max load for eMMC Vdd-io supply */
#define MMC_VQMMC_MAX_LOAD_UA 325000
+/* Max load for SD Vdd supply */
+#define SD_VMMC_MAX_LOAD_UA 800000
+
+/* Max load for SD Vdd-io supply */
+#define SD_VQMMC_MAX_LOAD_UA 22000
+
#define msm_host_readl(msm_host, host, offset) \
msm_host->var_ops->msm_readl_relaxed(host, offset)
@@ -1383,11 +1392,48 @@ static int sdhci_msm_set_pincfg(struct sdhci_msm_host *msm_host, bool level)
return ret;
}
-static int sdhci_msm_set_vmmc(struct mmc_host *mmc)
+static void msm_config_vmmc_regulator(struct mmc_host *mmc, bool hpm)
+{
+ int load;
+
+ if (!hpm)
+ load = 0;
+ else if (!mmc->card)
+ load = max(MMC_VMMC_MAX_LOAD_UA, SD_VMMC_MAX_LOAD_UA);
+ else if (mmc_card_mmc(mmc->card))
+ load = MMC_VMMC_MAX_LOAD_UA;
+ else if (mmc_card_sd(mmc->card))
+ load = SD_VMMC_MAX_LOAD_UA;
+ else
+ return;
+
+ regulator_set_load(mmc->supply.vmmc, load);
+}
+
+static void msm_config_vqmmc_regulator(struct mmc_host *mmc, bool hpm)
+{
+ int load;
+
+ if (!hpm)
+ load = 0;
+ else if (!mmc->card)
+ load = max(MMC_VQMMC_MAX_LOAD_UA, SD_VQMMC_MAX_LOAD_UA);
+ else if (mmc_card_sd(mmc->card))
+ load = SD_VQMMC_MAX_LOAD_UA;
+ else
+ return;
+
+ regulator_set_load(mmc->supply.vqmmc, load);
+}
+
+static int sdhci_msm_set_vmmc(struct sdhci_msm_host *msm_host,
+ struct mmc_host *mmc, bool hpm)
{
if (IS_ERR(mmc->supply.vmmc))
return 0;
+ msm_config_vmmc_regulator(mmc, hpm);
+
return mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, mmc->ios.vdd);
}
@@ -1400,6 +1446,8 @@ static int msm_toggle_vqmmc(struct sdhci_msm_host *msm_host,
if (msm_host->vqmmc_enabled == level)
return 0;
+ msm_config_vqmmc_regulator(mmc, level);
+
if (level) {
/* Set the IO voltage regulator to default voltage level */
if (msm_host->caps_0 & CORE_3_0V_SUPPORT)
@@ -1622,7 +1670,8 @@ static void sdhci_msm_handle_pwr_irq(struct sdhci_host *host, int irq)
}
if (pwr_state) {
- ret = sdhci_msm_set_vmmc(mmc);
+ ret = sdhci_msm_set_vmmc(msm_host, mmc,
+ pwr_state & REQ_BUS_ON);
if (!ret)
ret = sdhci_msm_set_vqmmc(msm_host, mmc,
pwr_state & REQ_BUS_ON);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 143/462] tipc: re-order conditions in tipc_crypto_key_rcv()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 142/462] mmc: sdhci-msm: Correctly set the load for the regulator Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 144/462] selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack() Greg Kroah-Hartman
` (322 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Simon Horman,
David S. Miller, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 5fe71fda89745fc3cd95f70d06e9162b595c3702 ]
On a 32bit system the "keylen + sizeof(struct tipc_aead_key)" math could
have an integer wrapping issue. It doesn't matter because the "keylen"
is checked on the next line, but just to make life easier for static
analysis tools, let's re-order these conditions and avoid the integer
overflow.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/crypto.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index b5aa0a835bced..bf384bd126963 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -2297,8 +2297,8 @@ static bool tipc_crypto_key_rcv(struct tipc_crypto *rx, struct tipc_msg *hdr)
keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME)));
/* Verify the supplied size values */
- if (unlikely(size != keylen + sizeof(struct tipc_aead_key) ||
- keylen > TIPC_AEAD_KEY_SIZE_MAX)) {
+ if (unlikely(keylen > TIPC_AEAD_KEY_SIZE_MAX ||
+ size != keylen + sizeof(struct tipc_aead_key))) {
pr_debug("%s: invalid MSG_CRYPTO key size\n", rx->name);
goto exit;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 144/462] selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 143/462] tipc: re-order conditions in tipc_crypto_key_rcv() Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 145/462] Input: allocate keycode for phone linking Greg Kroah-Hartman
` (321 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Ye, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liu Ye <liuye@kylinos.cn>
[ Upstream commit 3a0b7fa095212b51ed63892540c4f249991a2d74 ]
Address Null pointer dereference / undefined behavior in rtattr_pack
(note that size is 0 in the bad case).
Flagged by cppcheck as:
tools/testing/selftests/net/ipsec.c:230:25: warning: Possible null pointer
dereference: payload [nullPointer]
memcpy(RTA_DATA(attr), payload, size);
^
tools/testing/selftests/net/ipsec.c:1618:54: note: Calling function 'rtattr_pack',
4th argument 'NULL' value is 0
if (rtattr_pack(&req.nh, sizeof(req), XFRMA_IF_ID, NULL, 0)) {
^
tools/testing/selftests/net/ipsec.c:230:25: note: Null pointer dereference
memcpy(RTA_DATA(attr), payload, size);
^
Signed-off-by: Liu Ye <liuye@kylinos.cn>
Link: https://patch.msgid.link/20250116013037.29470-1-liuye@kylinos.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/ipsec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/net/ipsec.c b/tools/testing/selftests/net/ipsec.c
index 03b048b668315..38f0de299605a 100644
--- a/tools/testing/selftests/net/ipsec.c
+++ b/tools/testing/selftests/net/ipsec.c
@@ -189,7 +189,8 @@ static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz,
attr->rta_len = RTA_LENGTH(size);
attr->rta_type = rta_type;
- memcpy(RTA_DATA(attr), payload, size);
+ if (payload)
+ memcpy(RTA_DATA(attr), payload, size);
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 145/462] Input: allocate keycode for phone linking
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 144/462] selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack() Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 146/462] x86/mm: Dont disable PCID when INVLPG has been fixed by microcode Greg Kroah-Hartman
` (320 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Illia Ostapyshyn, Dmitry Torokhov,
Ilpo Järvinen, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Illia Ostapyshyn <illia@yshyn.com>
[ Upstream commit 1bebc7869c99d466f819dd2cffaef0edf7d7a035 ]
The F11 key on the new Lenovo Thinkpad T14 Gen 5, T16 Gen 3, and P14s
Gen 5 laptops includes a symbol showing a smartphone and a laptop
chained together. According to the user manual, it starts the Microsoft
Phone Link software used to connect to Android/iOS devices and relay
messages/calls or sync data.
As there are no suitable keycodes for this action, introduce a new one.
Signed-off-by: Illia Ostapyshyn <illia@yshyn.com>
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Link: https://lore.kernel.org/r/20241114173930.44983-2-illia@yshyn.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/input-event-codes.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h
index bed20a89c14c1..6128146bb133b 100644
--- a/include/uapi/linux/input-event-codes.h
+++ b/include/uapi/linux/input-event-codes.h
@@ -519,6 +519,7 @@
#define KEY_NOTIFICATION_CENTER 0x1bc /* Show/hide the notification center */
#define KEY_PICKUP_PHONE 0x1bd /* Answer incoming call */
#define KEY_HANGUP_PHONE 0x1be /* Decline incoming call */
+#define KEY_LINK_PHONE 0x1bf /* AL Phone Syncing */
#define KEY_DEL_EOL 0x1c0
#define KEY_DEL_EOS 0x1c1
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 146/462] x86/mm: Dont disable PCID when INVLPG has been fixed by microcode
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 145/462] Input: allocate keycode for phone linking Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 147/462] net: usb: rtl8150: use new tasklet API Greg Kroah-Hartman
` (319 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xi Ruoyao, Dave Hansen, Pawan Gupta
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xi Ruoyao <xry111@xry111.site>
commit f24f669d03f884a6ef95cca84317d0f329e93961 upstream.
Per the "Processor Specification Update" documentations referred by
the intel-microcode-20240312 release note, this microcode release has
fixed the issue for all affected models.
So don't disable PCID if the microcode is new enough. The precise
minimum microcode revision fixing the issue was provided by Pawan
Intel.
[ dhansen: comment and changelog tweaks ]
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Link: https://lore.kernel.org/all/168436059559.404.13934972543631851306.tip-bot2@tip-bot2/
Link: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
Link: https://cdrdv2.intel.com/v1/dl/getContent/740518 # RPL042, rev. 13
Link: https://cdrdv2.intel.com/v1/dl/getContent/682436 # ADL063, rev. 24
Link: https://lore.kernel.org/all/20240325231300.qrltbzf6twm43ftb@desk/
Link: https://lore.kernel.org/all/20240522020625.69418-1-xry111%40xry111.site
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/mm/init.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -258,28 +258,33 @@ static void __init probe_page_size_mask(
}
/*
- * INVLPG may not properly flush Global entries
- * on these CPUs when PCIDs are enabled.
+ * INVLPG may not properly flush Global entries on
+ * these CPUs. New microcode fixes the issue.
*/
static const struct x86_cpu_id invlpg_miss_ids[] = {
- X86_MATCH_INTEL_FAM6_MODEL(ALDERLAKE, 0),
- X86_MATCH_INTEL_FAM6_MODEL(ALDERLAKE_L, 0),
- X86_MATCH_INTEL_FAM6_MODEL(ALDERLAKE_N, 0),
- X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE, 0),
- X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE_P, 0),
- X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE_S, 0),
+ X86_MATCH_INTEL_FAM6_MODEL(ALDERLAKE, 0x2e),
+ X86_MATCH_INTEL_FAM6_MODEL(ALDERLAKE_L, 0x42c),
+ X86_MATCH_INTEL_FAM6_MODEL(ALDERLAKE_N, 0x11),
+ X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE, 0x118),
+ X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE_P, 0x4117),
+ X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE_S, 0x2e),
{}
};
static void setup_pcid(void)
{
+ const struct x86_cpu_id *invlpg_miss_match;
+
if (!IS_ENABLED(CONFIG_X86_64))
return;
if (!boot_cpu_has(X86_FEATURE_PCID))
return;
- if (x86_match_cpu(invlpg_miss_ids)) {
+ invlpg_miss_match = x86_match_cpu(invlpg_miss_ids);
+
+ if (invlpg_miss_match &&
+ boot_cpu_data.microcode < invlpg_miss_match->driver_data) {
pr_info("Incomplete global flushes, disabling PCID");
setup_clear_cpu_cap(X86_FEATURE_PCID);
return;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 147/462] net: usb: rtl8150: use new tasklet API
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 146/462] x86/mm: Dont disable PCID when INVLPG has been fixed by microcode Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 148/462] net: usb: rtl8150: enable basic endpoint checking Greg Kroah-Hartman
` (318 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emil Renner Berthing, Jakub Kicinski,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emil Renner Berthing <kernel@esmil.dk>
[ Upstream commit 1999ad32d4ff00581007543adffc465694b2e77b ]
This converts the driver to use the new tasklet API introduced in
commit 12cc923f1ccc ("tasklet: Introduce new initialization API")
Signed-off-by: Emil Renner Berthing <kernel@esmil.dk>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index d128b4ac7c9f0..c7137fa9eb269 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -577,9 +577,9 @@ static void free_skb_pool(rtl8150_t *dev)
dev_kfree_skb(dev->rx_skb_pool[i]);
}
-static void rx_fixup(unsigned long data)
+static void rx_fixup(struct tasklet_struct *t)
{
- struct rtl8150 *dev = (struct rtl8150 *)data;
+ struct rtl8150 *dev = from_tasklet(dev, t, tl);
struct sk_buff *skb;
int status;
@@ -879,7 +879,7 @@ static int rtl8150_probe(struct usb_interface *intf,
return -ENOMEM;
}
- tasklet_init(&dev->tl, rx_fixup, (unsigned long)dev);
+ tasklet_setup(&dev->tl, rx_fixup);
spin_lock_init(&dev->rx_pool_lock);
dev->udev = udev;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 148/462] net: usb: rtl8150: enable basic endpoint checking
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 147/462] net: usb: rtl8150: use new tasklet API Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 149/462] usb: xhci: Add timeout argument in address_device USB HCD callback Greg Kroah-Hartman
` (317 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikita Zhandarovich, Paolo Abeni,
Sasha Levin, syzbot+d7e968426f644b567e31
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
[ Upstream commit 90b7f2961798793275b4844348619b622f983907 ]
Syzkaller reports [1] encountering a common issue of utilizing a wrong
usb endpoint type during URB submitting stage. This, in turn, triggers
a warning shown below.
For now, enable simple endpoint checking (specifically, bulk and
interrupt eps, testing control one is not essential) to mitigate
the issue with a view to do other related cosmetic changes later,
if they are necessary.
[1] Syzkaller report:
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 1 PID: 2586 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 driv>
Modules linked in:
CPU: 1 UID: 0 PID: 2586 Comm: dhcpcd Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb11617>
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
Code: 84 3c 02 00 00 e8 05 e4 fc fc 4c 89 ef e8 fd 25 d7 fe 45 89 e0 89 e9 4c 89 f2 48 8>
RSP: 0018:ffffc9000441f740 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888112487a00 RCX: ffffffff811a99a9
RDX: ffff88810df6ba80 RSI: ffffffff811a99b6 RDI: 0000000000000001
RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffff8881023bf0a8 R14: ffff888112452a20 R15: ffff888112487a7c
FS: 00007fc04eea5740(0000) GS:ffff8881f6300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0a1de9f870 CR3: 000000010dbd0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rtl8150_open+0x300/0xe30 drivers/net/usb/rtl8150.c:733
__dev_open+0x2d4/0x4e0 net/core/dev.c:1474
__dev_change_flags+0x561/0x720 net/core/dev.c:8838
dev_change_flags+0x8f/0x160 net/core/dev.c:8910
devinet_ioctl+0x127a/0x1f10 net/ipv4/devinet.c:1177
inet_ioctl+0x3aa/0x3f0 net/ipv4/af_inet.c:1003
sock_do_ioctl+0x116/0x280 net/socket.c:1222
sock_ioctl+0x22e/0x6c0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x193/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc04ef73d49
...
This change has not been tested on real hardware.
Reported-and-tested-by: syzbot+d7e968426f644b567e31@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7e968426f644b567e31
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://patch.msgid.link/20250124093020.234642-1-n.zhandarovich@fintech.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index c7137fa9eb269..acef52b0729bf 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -71,6 +71,14 @@
#define MSR_SPEED (1<<3)
#define MSR_LINK (1<<2)
+/* USB endpoints */
+enum rtl8150_usb_ep {
+ RTL8150_USB_EP_CONTROL = 0,
+ RTL8150_USB_EP_BULK_IN = 1,
+ RTL8150_USB_EP_BULK_OUT = 2,
+ RTL8150_USB_EP_INT_IN = 3,
+};
+
/* Interrupt pipe data */
#define INT_TSR 0x00
#define INT_RSR 0x01
@@ -866,6 +874,13 @@ static int rtl8150_probe(struct usb_interface *intf,
struct usb_device *udev = interface_to_usbdev(intf);
rtl8150_t *dev;
struct net_device *netdev;
+ static const u8 bulk_ep_addr[] = {
+ RTL8150_USB_EP_BULK_IN | USB_DIR_IN,
+ RTL8150_USB_EP_BULK_OUT | USB_DIR_OUT,
+ 0};
+ static const u8 int_ep_addr[] = {
+ RTL8150_USB_EP_INT_IN | USB_DIR_IN,
+ 0};
netdev = alloc_etherdev(sizeof(rtl8150_t));
if (!netdev)
@@ -879,6 +894,13 @@ static int rtl8150_probe(struct usb_interface *intf,
return -ENOMEM;
}
+ /* Verify that all required endpoints are present */
+ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) ||
+ !usb_check_int_endpoints(intf, int_ep_addr)) {
+ dev_err(&intf->dev, "couldn't find required endpoints\n");
+ goto out;
+ }
+
tasklet_setup(&dev->tl, rx_fixup);
spin_lock_init(&dev->rx_pool_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 149/462] usb: xhci: Add timeout argument in address_device USB HCD callback
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 148/462] net: usb: rtl8150: enable basic endpoint checking Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 150/462] usb: xhci: Fix NULL pointer dereference on certain command aborts Greg Kroah-Hartman
` (316 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hardik Gajjar, Mathias Nyman,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hardik Gajjar <hgajjar@de.adit-jv.com>
[ Upstream commit a769154c7cac037914ba375ae88aae55b2c853e0 ]
- The HCD address_device callback now accepts a user-defined timeout value
in milliseconds, providing better control over command execution times.
- The default timeout value for the address_device command has been set
to 5000 ms, aligning with the USB 3.2 specification. However, this
timeout can be adjusted as needed.
- The xhci_setup_device function has been updated to accept the timeout
value, allowing it to specify the maximum wait time for the command
operation to complete.
- The hub driver has also been updated to accommodate the newly added
timeout parameter during the SET_ADDRESS request.
Signed-off-by: Hardik Gajjar <hgajjar@de.adit-jv.com>
Reviewed-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20231027152029.104363-1-hgajjar@de.adit-jv.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 1e0a19912adb ("usb: xhci: Fix NULL pointer dereference on certain command aborts")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/core/hub.c | 2 +-
drivers/usb/host/xhci-mem.c | 2 ++
drivers/usb/host/xhci-ring.c | 11 ++++++-----
drivers/usb/host/xhci.c | 23 ++++++++++++++++-------
drivers/usb/host/xhci.h | 9 +++++++--
include/linux/usb/hcd.h | 5 +++--
6 files changed, 35 insertions(+), 17 deletions(-)
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index edf61091f202b..6e1e2493507d9 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4662,7 +4662,7 @@ static int hub_set_address(struct usb_device *udev, int devnum)
if (udev->state != USB_STATE_DEFAULT)
return -EINVAL;
if (hcd->driver->address_device)
- retval = hcd->driver->address_device(hcd, udev);
+ retval = hcd->driver->address_device(hcd, udev, USB_CTRL_SET_TIMEOUT);
else
retval = usb_control_msg(udev, usb_sndaddr0pipe(),
USB_REQ_SET_ADDRESS, 0, devnum, 0,
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index 006e1b15fbda9..8740bd443f138 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1779,6 +1779,8 @@ struct xhci_command *xhci_alloc_command(struct xhci_hcd *xhci,
}
command->status = 0;
+ /* set default timeout to 5000 ms */
+ command->timeout_ms = XHCI_CMD_DEFAULT_TIMEOUT;
INIT_LIST_HEAD(&command->cmd_list);
return command;
}
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 32c039027d7fe..100f392cd1dfc 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -288,9 +288,10 @@ void xhci_ring_cmd_db(struct xhci_hcd *xhci)
readl(&xhci->dba->doorbell[0]);
}
-static bool xhci_mod_cmd_timer(struct xhci_hcd *xhci, unsigned long delay)
+static bool xhci_mod_cmd_timer(struct xhci_hcd *xhci)
{
- return mod_delayed_work(system_wq, &xhci->cmd_timer, delay);
+ return mod_delayed_work(system_wq, &xhci->cmd_timer,
+ msecs_to_jiffies(xhci->current_cmd->timeout_ms));
}
static struct xhci_command *xhci_next_queued_cmd(struct xhci_hcd *xhci)
@@ -334,7 +335,7 @@ static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci,
if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) &&
!(xhci->xhc_state & XHCI_STATE_DYING)) {
xhci->current_cmd = cur_cmd;
- xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT);
+ xhci_mod_cmd_timer(xhci);
xhci_ring_cmd_db(xhci);
}
}
@@ -1687,7 +1688,7 @@ static void handle_cmd_completion(struct xhci_hcd *xhci,
if (!list_is_singular(&xhci->cmd_list)) {
xhci->current_cmd = list_first_entry(&cmd->cmd_list,
struct xhci_command, cmd_list);
- xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT);
+ xhci_mod_cmd_timer(xhci);
} else if (xhci->current_cmd == cmd) {
xhci->current_cmd = NULL;
}
@@ -4203,7 +4204,7 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd,
/* if there are no other commands queued we start the timeout timer */
if (list_empty(&xhci->cmd_list)) {
xhci->current_cmd = cmd;
- xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT);
+ xhci_mod_cmd_timer(xhci);
}
list_add_tail(&cmd->cmd_list, &xhci->cmd_list);
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 19914d08fc0dd..908445cff24f8 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -4116,12 +4116,18 @@ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev)
return 0;
}
-/*
- * Issue an Address Device command and optionally send a corresponding
- * SetAddress request to the device.
+/**
+ * xhci_setup_device - issues an Address Device command to assign a unique
+ * USB bus address.
+ * @hcd: USB host controller data structure.
+ * @udev: USB dev structure representing the connected device.
+ * @setup: Enum specifying setup mode: address only or with context.
+ * @timeout_ms: Max wait time (ms) for the command operation to complete.
+ *
+ * Return: 0 if successful; otherwise, negative error code.
*/
static int xhci_setup_device(struct usb_hcd *hcd, struct usb_device *udev,
- enum xhci_setup_dev setup)
+ enum xhci_setup_dev setup, unsigned int timeout_ms)
{
const char *act = setup == SETUP_CONTEXT_ONLY ? "context" : "address";
unsigned long flags;
@@ -4178,6 +4184,7 @@ static int xhci_setup_device(struct usb_hcd *hcd, struct usb_device *udev,
}
command->in_ctx = virt_dev->in_ctx;
+ command->timeout_ms = timeout_ms;
slot_ctx = xhci_get_slot_ctx(xhci, virt_dev->in_ctx);
ctrl_ctx = xhci_get_input_control_ctx(virt_dev->in_ctx);
@@ -4306,14 +4313,16 @@ static int xhci_setup_device(struct usb_hcd *hcd, struct usb_device *udev,
return ret;
}
-static int xhci_address_device(struct usb_hcd *hcd, struct usb_device *udev)
+static int xhci_address_device(struct usb_hcd *hcd, struct usb_device *udev,
+ unsigned int timeout_ms)
{
- return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ADDRESS);
+ return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ADDRESS, timeout_ms);
}
static int xhci_enable_device(struct usb_hcd *hcd, struct usb_device *udev)
{
- return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ONLY);
+ return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ONLY,
+ XHCI_CMD_DEFAULT_TIMEOUT);
}
/*
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index 6304e9b00ecc6..efce7f40dd949 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -815,6 +815,8 @@ struct xhci_command {
struct completion *completion;
union xhci_trb *command_trb;
struct list_head cmd_list;
+ /* xHCI command response timeout in milliseconds */
+ unsigned int timeout_ms;
};
/* drop context bitmasks */
@@ -1558,8 +1560,11 @@ struct xhci_td {
unsigned int num_trbs;
};
-/* xHCI command default timeout value */
-#define XHCI_CMD_DEFAULT_TIMEOUT (5 * HZ)
+/*
+ * xHCI command default timeout value in milliseconds.
+ * USB 3.2 spec, section 9.2.6.1
+ */
+#define XHCI_CMD_DEFAULT_TIMEOUT 5000
/* command descriptor */
struct xhci_cd {
diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
index 4cd545402a634..4ff23d3ad3d98 100644
--- a/include/linux/usb/hcd.h
+++ b/include/linux/usb/hcd.h
@@ -385,8 +385,9 @@ struct hc_driver {
* or bandwidth constraints.
*/
void (*reset_bandwidth)(struct usb_hcd *, struct usb_device *);
- /* Returns the hardware-chosen device address */
- int (*address_device)(struct usb_hcd *, struct usb_device *udev);
+ /* Set the hardware-chosen device address */
+ int (*address_device)(struct usb_hcd *, struct usb_device *udev,
+ unsigned int timeout_ms);
/* prepares the hardware to send commands to the device */
int (*enable_device)(struct usb_hcd *, struct usb_device *udev);
/* Notifies the HCD after a hub descriptor is fetched.
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 150/462] usb: xhci: Fix NULL pointer dereference on certain command aborts
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 149/462] usb: xhci: Add timeout argument in address_device USB HCD callback Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 151/462] nvme: handle connectivity loss in nvme_set_queue_count Greg Kroah-Hartman
` (315 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Pecio, Mathias Nyman,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Pecio <michal.pecio@gmail.com>
[ Upstream commit 1e0a19912adb68a4b2b74fd77001c96cd83eb073 ]
If a command is queued to the final usable TRB of a ring segment, the
enqueue pointer is advanced to the subsequent link TRB and no further.
If the command is later aborted, when the abort completion is handled
the dequeue pointer is advanced to the first TRB of the next segment.
If no further commands are queued, xhci_handle_stopped_cmd_ring() sees
the ring pointers unequal and assumes that there is a pending command,
so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.
Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell
ring likely is unnecessary too, but it's harmless. Leave it alone.
This is probably Bug 219532, but no confirmation has been received.
The issue has been independently reproduced and confirmed fixed using
a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.
Everything continued working normally after several prevented crashes.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=219532
Fixes: c311e391a7ef ("xhci: rework command timeout and cancellation,")
CC: stable@vger.kernel.org
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20241227120142.1035206-4-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci-ring.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 100f392cd1dfc..954cd962e113c 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -335,7 +335,8 @@ static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci,
if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) &&
!(xhci->xhc_state & XHCI_STATE_DYING)) {
xhci->current_cmd = cur_cmd;
- xhci_mod_cmd_timer(xhci);
+ if (cur_cmd)
+ xhci_mod_cmd_timer(xhci);
xhci_ring_cmd_db(xhci);
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 151/462] nvme: handle connectivity loss in nvme_set_queue_count
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 150/462] usb: xhci: Fix NULL pointer dereference on certain command aborts Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 152/462] firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry Greg Kroah-Hartman
` (314 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Hannes Reinecke,
Sagi Grimberg, Daniel Wagner, Keith Busch, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit 294b2b7516fd06a8dd82e4a6118f318ec521e706 ]
When the set feature attempts fails with any NVME status code set in
nvme_set_queue_count, the function still report success. Though the
numbers of queues set to 0. This is done to support controllers in
degraded state (the admin queue is still up and running but no IO
queues).
Though there is an exception. When nvme_set_features reports an host
path error, nvme_set_queue_count should propagate this error as the
connectivity is lost, which means also the admin queue is not working
anymore.
Fixes: 9a0be7abb62f ("nvme: refactor set_queue_count")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index f988a5e3f0e15..019a6dbdcbc28 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1491,7 +1491,13 @@ int nvme_set_queue_count(struct nvme_ctrl *ctrl, int *count)
status = nvme_set_features(ctrl, NVME_FEAT_NUM_QUEUES, q_count, NULL, 0,
&result);
- if (status < 0)
+
+ /*
+ * It's either a kernel error or the host observed a connection
+ * lost. In either case it's not possible communicate with the
+ * controller and thus enter the error code path.
+ */
+ if (status < 0 || status == NVME_SC_HOST_PATH_ERROR)
return status;
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 152/462] firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 151/462] nvme: handle connectivity loss in nvme_set_queue_count Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:56 ` [PATCH 5.10 153/462] gpu: drm_dp_cec: fix broken CEC adapter properties check Greg Kroah-Hartman
` (313 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prasad Pandit, Konrad Rzeszutek Wilk,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prasad Pandit <pjp@fedoraproject.org>
[ Upstream commit e1e17a1715982201034024863efbf238bee2bdf9 ]
Fix ISCSI_IBFT Kconfig entry, replace tab with a space character.
Fixes: 138fe4e0697 ("Firmware: add iSCSI iBFT Support")
Signed-off-by: Prasad Pandit <pjp@fedoraproject.org>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig
index 807c5320dc0ff..a83101310e34f 100644
--- a/drivers/firmware/Kconfig
+++ b/drivers/firmware/Kconfig
@@ -171,7 +171,7 @@ config ISCSI_IBFT
select ISCSI_BOOT_SYSFS
select ISCSI_IBFT_FIND if X86
depends on ACPI && SCSI && SCSI_LOWLEVEL
- default n
+ default n
help
This option enables support for detection and exposing of iSCSI
Boot Firmware Table (iBFT) via sysfs to userspace. If you wish to
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 153/462] gpu: drm_dp_cec: fix broken CEC adapter properties check
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 152/462] firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry Greg Kroah-Hartman
@ 2025-03-11 14:56 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 154/462] tg3: Disable tg3 PCIe AER on system reboot Greg Kroah-Hartman
` (312 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Farblos,
Dmitry Baryshkov, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil@xs4all.nl>
[ Upstream commit 6daaae5ff7f3b23a2dacc9c387ff3d4f95b67cad ]
If the hotplug detect of a display is low for longer than one second
(configurable through drm_dp_cec_unregister_delay), then the CEC adapter
is unregistered since we assume the display was disconnected. If the
HPD went low for less than one second, then we check if the properties
of the CEC adapter have changed, since that indicates that we actually
switch to new hardware and we have to unregister the old CEC device and
register a new one.
Unfortunately, the test for changed properties was written poorly, and
after a new CEC capability was added to the CEC core code the test always
returned true (i.e. the properties had changed).
As a result the CEC device was unregistered and re-registered for every
HPD toggle. If the CEC remote controller integration was also enabled
(CONFIG_MEDIA_CEC_RC was set), then the corresponding input device was
also unregistered and re-registered. As a result the input device in
/sys would keep incrementing its number, e.g.:
/sys/devices/pci0000:00/0000:00:08.1/0000:e7:00.0/rc/rc0/input20
Since short HPD toggles are common, the number could over time get into
the thousands.
While not a serious issue (i.e. nothing crashes), it is not intended
to work that way.
This patch changes the test so that it only checks for the single CEC
capability that can actually change, and it ignores any other
capabilities, so this is now safe as well if new caps are added in
the future.
With the changed test the bit under #ifndef CONFIG_MEDIA_CEC_RC can be
dropped as well, so that's a nice cleanup.
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Reported-by: Farblos <farblos@vodafonemail.de>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Fixes: 2c6d1fffa1d9 ("drm: add support for DisplayPort CEC-Tunneling-over-AUX")
Tested-by: Farblos <farblos@vodafonemail.de>
Link: https://patchwork.freedesktop.org/patch/msgid/361bb03d-1691-4e23-84da-0861ead5dbdc@xs4all.nl
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_dp_cec.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/drivers/gpu/drm/drm_dp_cec.c b/drivers/gpu/drm/drm_dp_cec.c
index 3ab2609f9ec74..3ec770d602da6 100644
--- a/drivers/gpu/drm/drm_dp_cec.c
+++ b/drivers/gpu/drm/drm_dp_cec.c
@@ -310,16 +310,6 @@ void drm_dp_cec_set_edid(struct drm_dp_aux *aux, const struct edid *edid)
if (!aux->transfer)
return;
-#ifndef CONFIG_MEDIA_CEC_RC
- /*
- * CEC_CAP_RC is part of CEC_CAP_DEFAULTS, but it is stripped by
- * cec_allocate_adapter() if CONFIG_MEDIA_CEC_RC is undefined.
- *
- * Do this here as well to ensure the tests against cec_caps are
- * correct.
- */
- cec_caps &= ~CEC_CAP_RC;
-#endif
cancel_delayed_work_sync(&aux->cec.unregister_work);
mutex_lock(&aux->cec.lock);
@@ -336,7 +326,9 @@ void drm_dp_cec_set_edid(struct drm_dp_aux *aux, const struct edid *edid)
num_las = CEC_MAX_LOG_ADDRS;
if (aux->cec.adap) {
- if (aux->cec.adap->capabilities == cec_caps &&
+ /* Check if the adapter properties have changed */
+ if ((aux->cec.adap->capabilities & CEC_CAP_MONITOR_ALL) ==
+ (cec_caps & CEC_CAP_MONITOR_ALL) &&
aux->cec.adap->available_log_addrs == num_las) {
/* Unchanged, so just set the phys addr */
cec_s_phys_addr_from_edid(aux->cec.adap, edid);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 154/462] tg3: Disable tg3 PCIe AER on system reboot
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2025-03-11 14:56 ` [PATCH 5.10 153/462] gpu: drm_dp_cec: fix broken CEC adapter properties check Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 155/462] udp: gso: do not drop small packets when PMTU reduces Greg Kroah-Hartman
` (311 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lenny Szubowicz, Pavan Chebbi,
Simon Horman, David S. Miller, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lenny Szubowicz <lszubowi@redhat.com>
[ Upstream commit e0efe83ed325277bb70f9435d4d9fc70bebdcca8 ]
Disable PCIe AER on the tg3 device on system reboot on a limited
list of Dell PowerEdge systems. This prevents a fatal PCIe AER event
on the tg3 device during the ACPI _PTS (prepare to sleep) method for
S5 on those systems. The _PTS is invoked by acpi_enter_sleep_state_prep()
as part of the kernel's reboot sequence as a result of commit
38f34dba806a ("PM: ACPI: reboot: Reinstate S5 for reboot").
There was an earlier fix for this problem by commit 2ca1c94ce0b6
("tg3: Disable tg3 device on system reboot to avoid triggering AER").
But it was discovered that this earlier fix caused a reboot hang
when some Dell PowerEdge servers were booted via ipxe. To address
this reboot hang, the earlier fix was essentially reverted by commit
9fc3bc764334 ("tg3: power down device only on SYSTEM_POWER_OFF").
This re-exposed the tg3 PCIe AER on reboot problem.
This fix is not an ideal solution because the root cause of the AER
is in system firmware. Instead, it's a targeted work-around in the
tg3 driver.
Note also that the PCIe AER must be disabled on the tg3 device even
if the system is configured to use "firmware first" error handling.
V3:
- Fix sparse warning on improper comparison of pdev->current_state
- Adhere to netdev comment style
Fixes: 9fc3bc764334 ("tg3: power down device only on SYSTEM_POWER_OFF")
Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/tg3.c | 58 +++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
index 937579817f226..a7e8f13bb9761 100644
--- a/drivers/net/ethernet/broadcom/tg3.c
+++ b/drivers/net/ethernet/broadcom/tg3.c
@@ -55,6 +55,7 @@
#include <linux/hwmon.h>
#include <linux/hwmon-sysfs.h>
#include <linux/crc32poly.h>
+#include <linux/dmi.h>
#include <net/checksum.h>
#include <net/ip.h>
@@ -18184,6 +18185,50 @@ static int tg3_resume(struct device *device)
static SIMPLE_DEV_PM_OPS(tg3_pm_ops, tg3_suspend, tg3_resume);
+/* Systems where ACPI _PTS (Prepare To Sleep) S5 will result in a fatal
+ * PCIe AER event on the tg3 device if the tg3 device is not, or cannot
+ * be, powered down.
+ */
+static const struct dmi_system_id tg3_restart_aer_quirk_table[] = {
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "PowerEdge R440"),
+ },
+ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "PowerEdge R540"),
+ },
+ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "PowerEdge R640"),
+ },
+ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "PowerEdge R650"),
+ },
+ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "PowerEdge R740"),
+ },
+ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "PowerEdge R750"),
+ },
+ },
+ {}
+};
+
static void tg3_shutdown(struct pci_dev *pdev)
{
struct net_device *dev = pci_get_drvdata(pdev);
@@ -18200,6 +18245,19 @@ static void tg3_shutdown(struct pci_dev *pdev)
if (system_state == SYSTEM_POWER_OFF)
tg3_power_down(tp);
+ else if (system_state == SYSTEM_RESTART &&
+ dmi_first_match(tg3_restart_aer_quirk_table) &&
+ pdev->current_state != PCI_D3cold &&
+ pdev->current_state != PCI_UNKNOWN) {
+ /* Disable PCIe AER on the tg3 to avoid a fatal
+ * error during this system restart.
+ */
+ pcie_capability_clear_word(pdev, PCI_EXP_DEVCTL,
+ PCI_EXP_DEVCTL_CERE |
+ PCI_EXP_DEVCTL_NFERE |
+ PCI_EXP_DEVCTL_FERE |
+ PCI_EXP_DEVCTL_URRE);
+ }
rtnl_unlock();
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 155/462] udp: gso: do not drop small packets when PMTU reduces
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 154/462] tg3: Disable tg3 PCIe AER on system reboot Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 156/462] gpio: pca953x: Improve interrupt support Greg Kroah-Hartman
` (310 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yan Zhai, Willem de Bruijn,
Willem de Bruijn, David S. Miller, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yan Zhai <yan@cloudflare.com>
[ Upstream commit 235174b2bed88501fda689c113c55737f99332d8 ]
Commit 4094871db1d6 ("udp: only do GSO if # of segs > 1") avoided GSO
for small packets. But the kernel currently dismisses GSO requests only
after checking MTU/PMTU on gso_size. This means any packets, regardless
of their payload sizes, could be dropped when PMTU becomes smaller than
requested gso_size. We encountered this issue in production and it
caused a reliability problem that new QUIC connection cannot be
established before PMTU cache expired, while non GSO sockets still
worked fine at the same time.
Ideally, do not check any GSO related constraints when payload size is
smaller than requested gso_size, and return EMSGSIZE instead of EINVAL
on MTU/PMTU check failure to be more specific on the error cause.
Fixes: 4094871db1d6 ("udp: only do GSO if # of segs > 1")
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Suggested-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/udp.c | 4 ++--
net/ipv6/udp.c | 4 ++--
tools/testing/selftests/net/udpgso.c | 26 ++++++++++++++++++++++++++
3 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 6ad25dc9710c1..b801759147a68 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -923,9 +923,9 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4,
const int hlen = skb_network_header_len(skb) +
sizeof(struct udphdr);
- if (hlen + cork->gso_size > cork->fragsize) {
+ if (hlen + min(datalen, cork->gso_size) > cork->fragsize) {
kfree_skb(skb);
- return -EINVAL;
+ return -EMSGSIZE;
}
if (datalen > cork->gso_size * UDP_MAX_SEGMENTS) {
kfree_skb(skb);
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 203a6d64d7e99..224339c3d831d 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1210,9 +1210,9 @@ static int udp_v6_send_skb(struct sk_buff *skb, struct flowi6 *fl6,
const int hlen = skb_network_header_len(skb) +
sizeof(struct udphdr);
- if (hlen + cork->gso_size > cork->fragsize) {
+ if (hlen + min(datalen, cork->gso_size) > cork->fragsize) {
kfree_skb(skb);
- return -EINVAL;
+ return -EMSGSIZE;
}
if (datalen > cork->gso_size * UDP_MAX_SEGMENTS) {
kfree_skb(skb);
diff --git a/tools/testing/selftests/net/udpgso.c b/tools/testing/selftests/net/udpgso.c
index 7badaf215de28..0e137182a4f40 100644
--- a/tools/testing/selftests/net/udpgso.c
+++ b/tools/testing/selftests/net/udpgso.c
@@ -94,6 +94,19 @@ struct testcase testcases_v4[] = {
.gso_len = CONST_MSS_V4,
.r_num_mss = 1,
},
+ {
+ /* datalen <= MSS < gso_len: will fall back to no GSO */
+ .tlen = CONST_MSS_V4,
+ .gso_len = CONST_MSS_V4 + 1,
+ .r_num_mss = 0,
+ .r_len_last = CONST_MSS_V4,
+ },
+ {
+ /* MSS < datalen < gso_len: fail */
+ .tlen = CONST_MSS_V4 + 1,
+ .gso_len = CONST_MSS_V4 + 2,
+ .tfail = true,
+ },
{
/* send a single MSS + 1B */
.tlen = CONST_MSS_V4 + 1,
@@ -197,6 +210,19 @@ struct testcase testcases_v6[] = {
.gso_len = CONST_MSS_V6,
.r_num_mss = 1,
},
+ {
+ /* datalen <= MSS < gso_len: will fall back to no GSO */
+ .tlen = CONST_MSS_V6,
+ .gso_len = CONST_MSS_V6 + 1,
+ .r_num_mss = 0,
+ .r_len_last = CONST_MSS_V6,
+ },
+ {
+ /* MSS < datalen < gso_len: fail */
+ .tlen = CONST_MSS_V6 + 1,
+ .gso_len = CONST_MSS_V6 + 2,
+ .tfail = true
+ },
{
/* send a single MSS + 1B */
.tlen = CONST_MSS_V6 + 1,
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 156/462] gpio: pca953x: Improve interrupt support
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 155/462] udp: gso: do not drop small packets when PMTU reduces Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 157/462] net: atlantic: fix warning during hot unplug Greg Kroah-Hartman
` (309 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Tomlinson, Andy Shevchenko,
Bartosz Golaszewski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
[ Upstream commit d6179f6c6204f9932aed3a7a2100b4a295dfed9d ]
The GPIO drivers with latch interrupt support (typically types starting
with PCAL) have interrupt status registers to determine which particular
inputs have caused an interrupt. Unfortunately there is no atomic
operation to read these registers and clear the interrupt. Clearing the
interrupt is done by reading the input registers.
The code was reading the interrupt status registers, and then reading
the input registers. If an input changed between these two events it was
lost.
The solution in this patch is to revert to the non-latch version of
code, i.e. remembering the previous input status, and looking for the
changes. This system results in no more I2C transfers, so is no slower.
The latch property of the device still means interrupts will still be
noticed if the input changes back to its initial state.
Fixes: 44896beae605 ("gpio: pca953x: add PCAL9535 interrupt support for Galileo Gen2")
Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20240606033102.2271916-1-mark.tomlinson@alliedtelesis.co.nz
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-pca953x.c | 19 -------------------
1 file changed, 19 deletions(-)
diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
index 3ad1a9e432c8a..64a4128b9a422 100644
--- a/drivers/gpio/gpio-pca953x.c
+++ b/drivers/gpio/gpio-pca953x.c
@@ -732,25 +732,6 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin
DECLARE_BITMAP(trigger, MAX_LINE);
int ret;
- if (chip->driver_data & PCA_PCAL) {
- /* Read the current interrupt status from the device */
- ret = pca953x_read_regs(chip, PCAL953X_INT_STAT, trigger);
- if (ret)
- return false;
-
- /* Check latched inputs and clear interrupt status */
- ret = pca953x_read_regs(chip, chip->regs->input, cur_stat);
- if (ret)
- return false;
-
- /* Apply filter for rising/falling edge selection */
- bitmap_replace(new_stat, chip->irq_trig_fall, chip->irq_trig_raise, cur_stat, gc->ngpio);
-
- bitmap_and(pending, new_stat, trigger, gc->ngpio);
-
- return !bitmap_empty(pending, gc->ngpio);
- }
-
ret = pca953x_read_regs(chip, chip->regs->input, cur_stat);
if (ret)
return false;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 157/462] net: atlantic: fix warning during hot unplug
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 156/462] gpio: pca953x: Improve interrupt support Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 158/462] net: rose: lock the socket in rose_bind() Greg Kroah-Hartman
` (308 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacob Moroni, Igor Russkikh,
Simon Horman, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Moroni <mail@jakemoroni.com>
[ Upstream commit 028676bb189ed6d1b550a0fc570a9d695b6acfd3 ]
Firmware deinitialization performs MMIO accesses which are not
necessary if the device has already been removed. In some cases,
these accesses happen via readx_poll_timeout_atomic which ends up
timing out, resulting in a warning at hw_atl2_utils_fw.c:112:
[ 104.595913] Call Trace:
[ 104.595915] <TASK>
[ 104.595918] ? show_regs+0x6c/0x80
[ 104.595923] ? __warn+0x8d/0x150
[ 104.595925] ? aq_a2_fw_deinit+0xcf/0xe0 [atlantic]
[ 104.595934] ? report_bug+0x182/0x1b0
[ 104.595938] ? handle_bug+0x6e/0xb0
[ 104.595940] ? exc_invalid_op+0x18/0x80
[ 104.595942] ? asm_exc_invalid_op+0x1b/0x20
[ 104.595944] ? aq_a2_fw_deinit+0xcf/0xe0 [atlantic]
[ 104.595952] ? aq_a2_fw_deinit+0xcf/0xe0 [atlantic]
[ 104.595959] aq_nic_deinit.part.0+0xbd/0xf0 [atlantic]
[ 104.595964] aq_nic_deinit+0x17/0x30 [atlantic]
[ 104.595970] aq_ndev_close+0x2b/0x40 [atlantic]
[ 104.595975] __dev_close_many+0xad/0x160
[ 104.595978] dev_close_many+0x99/0x170
[ 104.595979] unregister_netdevice_many_notify+0x18b/0xb20
[ 104.595981] ? __call_rcu_common+0xcd/0x700
[ 104.595984] unregister_netdevice_queue+0xc6/0x110
[ 104.595986] unregister_netdev+0x1c/0x30
[ 104.595988] aq_pci_remove+0xb1/0xc0 [atlantic]
Fix this by skipping firmware deinitialization altogether if the
PCI device is no longer present.
Tested with an AQC113 attached via Thunderbolt by performing
repeated unplug cycles while traffic was running via iperf.
Fixes: 97bde5c4f909 ("net: ethernet: aquantia: Support for NIC-specific code")
Signed-off-by: Jacob Moroni <mail@jakemoroni.com>
Reviewed-by: Igor Russkikh <irusskikh@marvell.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250203143604.24930-3-mail@jakemoroni.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
index 2d491efa11bdf..54aa84f06e403 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
@@ -1294,7 +1294,9 @@ void aq_nic_deinit(struct aq_nic_s *self, bool link_down)
aq_ptp_ring_free(self);
aq_ptp_free(self);
- if (likely(self->aq_fw_ops->deinit) && link_down) {
+ /* May be invoked during hot unplug. */
+ if (pci_device_is_present(self->pdev) &&
+ likely(self->aq_fw_ops->deinit) && link_down) {
mutex_lock(&self->fwreq_mutex);
self->aq_fw_ops->deinit(self->aq_hw);
mutex_unlock(&self->fwreq_mutex);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 158/462] net: rose: lock the socket in rose_bind()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 157/462] net: atlantic: fix warning during hot unplug Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 159/462] x86/xen: fix xen_hypercall_hvm() to not clobber %rbx Greg Kroah-Hartman
` (307 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7ff41b5215f0c534534e,
Eric Dumazet, Paolo Abeni, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a1300691aed9ee852b0a9192e29e2bdc2411a7e6 ]
syzbot reported a soft lockup in rose_loopback_timer(),
with a repro calling bind() from multiple threads.
rose_bind() must lock the socket to avoid this issue.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+7ff41b5215f0c534534e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/67a0f78d.050a0220.d7c5a.00a0.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Link: https://patch.msgid.link/20250203170838.3521361-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rose/af_rose.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 65fd5b99f9dea..f8cd085c42345 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -700,11 +700,9 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
struct net_device *dev;
ax25_address *source;
ax25_uid_assoc *user;
+ int err = -EINVAL;
int n;
- if (!sock_flag(sk, SOCK_ZAPPED))
- return -EINVAL;
-
if (addr_len != sizeof(struct sockaddr_rose) && addr_len != sizeof(struct full_sockaddr_rose))
return -EINVAL;
@@ -717,8 +715,15 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
return -EINVAL;
- if ((dev = rose_dev_get(&addr->srose_addr)) == NULL)
- return -EADDRNOTAVAIL;
+ lock_sock(sk);
+
+ if (!sock_flag(sk, SOCK_ZAPPED))
+ goto out_release;
+
+ err = -EADDRNOTAVAIL;
+ dev = rose_dev_get(&addr->srose_addr);
+ if (!dev)
+ goto out_release;
source = &addr->srose_call;
@@ -729,7 +734,8 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
} else {
if (ax25_uid_policy && !capable(CAP_NET_BIND_SERVICE)) {
dev_put(dev);
- return -EACCES;
+ err = -EACCES;
+ goto out_release;
}
rose->source_call = *source;
}
@@ -751,8 +757,10 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
rose_insert_socket(sk);
sock_reset_flag(sk, SOCK_ZAPPED);
-
- return 0;
+ err = 0;
+out_release:
+ release_sock(sk);
+ return err;
}
static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_len, int flags)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 159/462] x86/xen: fix xen_hypercall_hvm() to not clobber %rbx
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 158/462] net: rose: lock the socket in rose_bind() Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 160/462] x86/xen: add FRAME_END to xen_hypercall_hvm() Greg Kroah-Hartman
` (306 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Juergen Gross, Jan Beulich,
Andrew Cooper, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juergen Gross <jgross@suse.com>
[ Upstream commit 98a5cfd2320966f40fe049a9855f8787f0126825 ]
xen_hypercall_hvm(), which is used when running as a Xen PVH guest at
most only once during early boot, is clobbering %rbx. Depending on
whether the caller relies on %rbx to be preserved across the call or
not, this clobbering might result in an early crash of the system.
This can be avoided by using an already saved register instead of %rbx.
Fixes: b4845bb63838 ("x86/xen: add central hypercall functions")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/xen/xen-head.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S
index 152bbe900a174..0dce73077c8cb 100644
--- a/arch/x86/xen/xen-head.S
+++ b/arch/x86/xen/xen-head.S
@@ -115,8 +115,8 @@ SYM_FUNC_START(xen_hypercall_hvm)
pop %ebx
pop %eax
#else
- lea xen_hypercall_amd(%rip), %rbx
- cmp %rax, %rbx
+ lea xen_hypercall_amd(%rip), %rcx
+ cmp %rax, %rcx
#ifdef CONFIG_FRAME_POINTER
pop %rax /* Dummy pop. */
#endif
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 160/462] x86/xen: add FRAME_END to xen_hypercall_hvm()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 159/462] x86/xen: fix xen_hypercall_hvm() to not clobber %rbx Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 161/462] netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
` (305 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Juergen Gross,
Jan Beulich, Andrew Cooper, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juergen Gross <jgross@suse.com>
[ Upstream commit 0bd797b801bd8ee06c822844e20d73aaea0878dd ]
xen_hypercall_hvm() is missing a FRAME_END at the end, add it.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202502030848.HTNTTuo9-lkp@intel.com/
Fixes: b4845bb63838 ("x86/xen: add central hypercall functions")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/xen/xen-head.S | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S
index 0dce73077c8cb..6105404ba5703 100644
--- a/arch/x86/xen/xen-head.S
+++ b/arch/x86/xen/xen-head.S
@@ -130,6 +130,7 @@ SYM_FUNC_START(xen_hypercall_hvm)
pop %rcx
pop %rax
#endif
+ FRAME_END
/* Use correct hypercall function. */
jz xen_hypercall_amd
jmp xen_hypercall_intel
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 161/462] netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 160/462] x86/xen: add FRAME_END to xen_hypercall_hvm() Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 162/462] tun: revert fix group permission check Greg Kroah-Hartman
` (304 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Ottens, Mingi Cho, Cong Wang,
Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <cong.wang@bytedance.com>
[ Upstream commit 638ba5089324796c2ee49af10427459c2de35f71 ]
qdisc_tree_reduce_backlog() notifies parent qdisc only if child
qdisc becomes empty, therefore we need to reduce the backlog of the
child qdisc before calling it. Otherwise it would miss the opportunity
to call cops->qlen_notify(), in the case of DRR, it resulted in UAF
since DRR uses ->qlen_notify() to maintain its active list.
Fixes: f8d4bc455047 ("net/sched: netem: account for backlog updates from child qdisc")
Cc: Martin Ottens <martin.ottens@fau.de>
Reported-by: Mingi Cho <mincho@theori.io>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Link: https://patch.msgid.link/20250204005841.223511-4-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index f459e34684ad3..22f5d9421f6a6 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -739,9 +739,9 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
if (err != NET_XMIT_SUCCESS) {
if (net_xmit_drop_count(err))
qdisc_qstats_drop(sch);
- qdisc_tree_reduce_backlog(sch, 1, pkt_len);
sch->qstats.backlog -= pkt_len;
sch->q.qlen--;
+ qdisc_tree_reduce_backlog(sch, 1, pkt_len);
}
goto tfifo_dequeue;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 162/462] tun: revert fix group permission check
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 161/462] netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 163/462] cpufreq: s3c64xx: Fix compilation warning Greg Kroah-Hartman
` (303 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Willem de Bruijn, Ondrej Mosnacek,
Stas Sergeev, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
[ Upstream commit a70c7b3cbc0688016810bb2e0b9b8a0d6a530045 ]
This reverts commit 3ca459eaba1bf96a8c7878de84fa8872259a01e3.
The blamed commit caused a regression when neither tun->owner nor
tun->group is set. This is intended to be allowed, but now requires
CAP_NET_ADMIN.
Discussion in the referenced thread pointed out that the original
issue that prompted this patch can be resolved in userspace.
The relaxed access control may also make a device accessible when it
previously wasn't, while existing users may depend on it to not be.
This is a clean pure git revert, except for fixing the indentation on
the gid_valid line that checkpatch correctly flagged.
Fixes: 3ca459eaba1b ("tun: fix group permission check")
Link: https://lore.kernel.org/netdev/CAFqZXNtkCBT4f+PwyVRmQGoT3p1eVa01fCG_aNtpt6dakXncUg@mail.gmail.com/
Signed-off-by: Willem de Bruijn <willemb@google.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Stas Sergeev <stsp2@yandex.ru>
Link: https://patch.msgid.link/20250204161015.739430-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/tun.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 52ea9f81d388b..3a89f9457fa24 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -586,18 +586,14 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb,
return ret;
}
-static inline bool tun_capable(struct tun_struct *tun)
+static inline bool tun_not_capable(struct tun_struct *tun)
{
const struct cred *cred = current_cred();
struct net *net = dev_net(tun->dev);
- if (ns_capable(net->user_ns, CAP_NET_ADMIN))
- return 1;
- if (uid_valid(tun->owner) && uid_eq(cred->euid, tun->owner))
- return 1;
- if (gid_valid(tun->group) && in_egroup_p(tun->group))
- return 1;
- return 0;
+ return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) ||
+ (gid_valid(tun->group) && !in_egroup_p(tun->group))) &&
+ !ns_capable(net->user_ns, CAP_NET_ADMIN);
}
static void tun_set_real_num_queues(struct tun_struct *tun)
@@ -2776,7 +2772,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
!!(tun->flags & IFF_MULTI_QUEUE))
return -EINVAL;
- if (!tun_capable(tun))
+ if (tun_not_capable(tun))
return -EPERM;
err = security_tun_dev_open(tun->security);
if (err < 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 163/462] cpufreq: s3c64xx: Fix compilation warning
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 162/462] tun: revert fix group permission check Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 164/462] leds: lp8860: Write full EEPROM, not only half of it Greg Kroah-Hartman
` (302 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Viresh Kumar,
Rafael J. Wysocki
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viresh Kumar <viresh.kumar@linaro.org>
commit 43855ac61483cb914f060851535ea753c094b3e0 upstream.
The driver generates following warning when regulator support isn't
enabled in the kernel. Fix it.
drivers/cpufreq/s3c64xx-cpufreq.c: In function 's3c64xx_cpufreq_set_target':
>> drivers/cpufreq/s3c64xx-cpufreq.c:55:22: warning: variable 'old_freq' set but not used [-Wunused-but-set-variable]
55 | unsigned int old_freq, new_freq;
| ^~~~~~~~
>> drivers/cpufreq/s3c64xx-cpufreq.c:54:30: warning: variable 'dvfs' set but not used [-Wunused-but-set-variable]
54 | struct s3c64xx_dvfs *dvfs;
| ^~~~
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202501191803.CtfT7b2o-lkp@intel.com/
Cc: 5.4+ <stable@vger.kernel.org> # v5.4+
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://patch.msgid.link/236b227e929e5adc04d1e9e7af6845a46c8e9432.1737525916.git.viresh.kumar@linaro.org
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/s3c64xx-cpufreq.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/drivers/cpufreq/s3c64xx-cpufreq.c
+++ b/drivers/cpufreq/s3c64xx-cpufreq.c
@@ -24,6 +24,7 @@ struct s3c64xx_dvfs {
unsigned int vddarm_max;
};
+#ifdef CONFIG_REGULATOR
static struct s3c64xx_dvfs s3c64xx_dvfs_table[] = {
[0] = { 1000000, 1150000 },
[1] = { 1050000, 1150000 },
@@ -31,6 +32,7 @@ static struct s3c64xx_dvfs s3c64xx_dvfs_
[3] = { 1200000, 1350000 },
[4] = { 1300000, 1350000 },
};
+#endif
static struct cpufreq_frequency_table s3c64xx_freq_table[] = {
{ 0, 0, 66000 },
@@ -51,15 +53,16 @@ static struct cpufreq_frequency_table s3
static int s3c64xx_cpufreq_set_target(struct cpufreq_policy *policy,
unsigned int index)
{
- struct s3c64xx_dvfs *dvfs;
- unsigned int old_freq, new_freq;
+ unsigned int new_freq = s3c64xx_freq_table[index].frequency;
int ret;
+#ifdef CONFIG_REGULATOR
+ struct s3c64xx_dvfs *dvfs;
+ unsigned int old_freq;
+
old_freq = clk_get_rate(policy->clk) / 1000;
- new_freq = s3c64xx_freq_table[index].frequency;
dvfs = &s3c64xx_dvfs_table[s3c64xx_freq_table[index].driver_data];
-#ifdef CONFIG_REGULATOR
if (vddarm && new_freq > old_freq) {
ret = regulator_set_voltage(vddarm,
dvfs->vddarm_min,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 164/462] leds: lp8860: Write full EEPROM, not only half of it
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 163/462] cpufreq: s3c64xx: Fix compilation warning Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 165/462] drm/modeset: Handle tiled displays in pan_display_atomic Greg Kroah-Hartman
` (301 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Sverdlin, Lee Jones
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
commit 0d2e820a86793595e2a776855d04701109e46663 upstream.
I struggle to explain dividing an ARRAY_SIZE() by the size of an element
once again. As the latter equals to 2, only the half of EEPROM was ever
written. Drop the unexplainable division and write full ARRAY_SIZE().
Cc: stable@vger.kernel.org
Fixes: 7a8685accb95 ("leds: lp8860: Introduce TI lp8860 4 channel LED driver")
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Link: https://lore.kernel.org/r/20241114101402.2562878-1-alexander.sverdlin@siemens.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/leds-lp8860.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/leds/leds-lp8860.c
+++ b/drivers/leds/leds-lp8860.c
@@ -267,7 +267,7 @@ static int lp8860_init(struct lp8860_led
goto out;
}
- reg_count = ARRAY_SIZE(lp8860_eeprom_disp_regs) / sizeof(lp8860_eeprom_disp_regs[0]);
+ reg_count = ARRAY_SIZE(lp8860_eeprom_disp_regs);
for (i = 0; i < reg_count; i++) {
ret = regmap_write(led->eeprom_regmap,
lp8860_eeprom_disp_regs[i].reg,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 165/462] drm/modeset: Handle tiled displays in pan_display_atomic.
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 164/462] leds: lp8860: Write full EEPROM, not only half of it Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 166/462] s390/futex: Fix FUTEX_OP_ANDN implementation Greg Kroah-Hartman
` (300 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Maarten Lankhorst
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maarten Lankhorst <dev@lankhorst.se>
commit f4a9dd57e549a17a7dac1c1defec26abd7e5c2d4 upstream.
Tiled displays have a different x/y offset to begin with. Instead of
attempting to remember this, just apply a delta instead.
This fixes the first tile being duplicated on other tiles when vt
switching.
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250116142825.3933-1-dev@lankhorst.se
Signed-off-by: Maarten Lankhorst <dev@lankhorst.se>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_fb_helper.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -1380,14 +1380,14 @@ int drm_fb_helper_set_par(struct fb_info
}
EXPORT_SYMBOL(drm_fb_helper_set_par);
-static void pan_set(struct drm_fb_helper *fb_helper, int x, int y)
+static void pan_set(struct drm_fb_helper *fb_helper, int dx, int dy)
{
struct drm_mode_set *mode_set;
mutex_lock(&fb_helper->client.modeset_mutex);
drm_client_for_each_modeset(mode_set, &fb_helper->client) {
- mode_set->x = x;
- mode_set->y = y;
+ mode_set->x += dx;
+ mode_set->y += dy;
}
mutex_unlock(&fb_helper->client.modeset_mutex);
}
@@ -1396,16 +1396,18 @@ static int pan_display_atomic(struct fb_
struct fb_info *info)
{
struct drm_fb_helper *fb_helper = info->par;
- int ret;
+ int ret, dx, dy;
- pan_set(fb_helper, var->xoffset, var->yoffset);
+ dx = var->xoffset - info->var.xoffset;
+ dy = var->yoffset - info->var.yoffset;
+ pan_set(fb_helper, dx, dy);
ret = drm_client_modeset_commit_locked(&fb_helper->client);
if (!ret) {
info->var.xoffset = var->xoffset;
info->var.yoffset = var->yoffset;
} else
- pan_set(fb_helper, info->var.xoffset, info->var.yoffset);
+ pan_set(fb_helper, -dx, -dy);
return ret;
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 166/462] s390/futex: Fix FUTEX_OP_ANDN implementation
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 165/462] drm/modeset: Handle tiled displays in pan_display_atomic Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 167/462] m68k: vga: Fix I/O defines Greg Kroah-Hartman
` (299 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Alexander Gordeev
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
commit 26701574cee6777f867f89b4a5c667817e1ee0dd upstream.
The futex operation FUTEX_OP_ANDN is supposed to implement
*(int *)UADDR2 &= ~OPARG;
The s390 implementation just implements an AND instead of ANDN.
Add the missing bitwise not operation to oparg to fix this.
This is broken since nearly 19 years, so it looks like user space is
not making use of this operation.
Fixes: 3363fbdd6fb4 ("[PATCH] s390: futex atomic operations")
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Acked-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/include/asm/futex.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/s390/include/asm/futex.h
+++ b/arch/s390/include/asm/futex.h
@@ -45,7 +45,7 @@ static inline int arch_futex_atomic_op_i
break;
case FUTEX_OP_ANDN:
__futex_atomic_op("lr %2,%1\nnr %2,%5\n",
- ret, oldval, newval, uaddr, oparg);
+ ret, oldval, newval, uaddr, ~oparg);
break;
case FUTEX_OP_XOR:
__futex_atomic_op("lr %2,%1\nxr %2,%5\n",
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 167/462] m68k: vga: Fix I/O defines
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 166/462] s390/futex: Fix FUTEX_OP_ANDN implementation Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 168/462] binfmt_flat: Fix integer overflow bug on 32 bit systems Greg Kroah-Hartman
` (298 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, kernel test robot,
Geert Uytterhoeven, linux-fbdev, dri-devel, Helge Deller
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
commit 53036937a101b5faeaf98e7438555fa854a1a844 upstream.
Including m68k's <asm/raw_io.h> in vga.h on nommu platforms results
in conflicting defines with io_no.h for various I/O macros from the
__raw_read and __raw_write families. An example error is
In file included from arch/m68k/include/asm/vga.h:12,
from include/video/vga.h:22,
from include/linux/vgaarb.h:34,
from drivers/video/aperture.c:12:
>> arch/m68k/include/asm/raw_io.h:39: warning: "__raw_readb" redefined
39 | #define __raw_readb in_8
|
In file included from arch/m68k/include/asm/io.h:6,
from include/linux/io.h:13,
from include/linux/irq.h:20,
from include/asm-generic/hardirq.h:17,
from ./arch/m68k/include/generated/asm/hardirq.h:1,
from include/linux/hardirq.h:11,
from include/linux/interrupt.h:11,
from include/linux/trace_recursion.h:5,
from include/linux/ftrace.h:10,
from include/linux/kprobes.h:28,
from include/linux/kgdb.h:19,
from include/linux/fb.h:6,
from drivers/video/aperture.c:5:
arch/m68k/include/asm/io_no.h:16: note: this is the location of the previous definition
16 | #define __raw_readb(addr) \
|
Include <asm/io.h>, which avoids raw_io.h on nommu platforms.
Also change the defined values of some of the read/write symbols in
vga.h to __raw_read/__raw_write as the raw_in/raw_out symbols are not
generally available.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202501071629.DNEswlm8-lkp@intel.com/
Fixes: 5c3f968712ce ("m68k/video: Create <asm/vga.h>")
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: linux-fbdev@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v3.5+
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/20250107095912.130530-1-tzimmermann@suse.de
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/m68k/include/asm/vga.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/m68k/include/asm/vga.h
+++ b/arch/m68k/include/asm/vga.h
@@ -9,7 +9,7 @@
*/
#ifndef CONFIG_PCI
-#include <asm/raw_io.h>
+#include <asm/io.h>
#include <asm/kmap.h>
/*
@@ -29,9 +29,9 @@
#define inw_p(port) 0
#define outb_p(port, val) do { } while (0)
#define outw(port, val) do { } while (0)
-#define readb raw_inb
-#define writeb raw_outb
-#define writew raw_outw
+#define readb __raw_readb
+#define writeb __raw_writeb
+#define writew __raw_writew
#endif /* CONFIG_PCI */
#endif /* _ASM_M68K_VGA_H */
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 168/462] binfmt_flat: Fix integer overflow bug on 32 bit systems
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 167/462] m68k: vga: Fix I/O defines Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 169/462] arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma Greg Kroah-Hartman
` (297 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Nicolas Pitre,
Kees Cook
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit 55cf2f4b945f6a6416cc2524ba740b83cc9af25a upstream.
Most of these sizes and counts are capped at 256MB so the math doesn't
result in an integer overflow. The "relocs" count needs to be checked
as well. Otherwise on 32bit systems the calculation of "full_data"
could be wrong.
full_data = data_len + relocs * sizeof(unsigned long);
Fixes: c995ee28d29d ("binfmt_flat: prevent kernel dammage from corrupted executable headers")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Acked-by: Nicolas Pitre <npitre@baylibre.com>
Link: https://lore.kernel.org/r/5be17f6c-5338-43be-91ef-650153b975cb@stanley.mountain
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/binfmt_flat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/binfmt_flat.c
+++ b/fs/binfmt_flat.c
@@ -534,7 +534,7 @@ static int load_flat_file(struct linux_b
* 28 bits (256 MB) is way more than reasonable in this case.
* If some top bits are set we have probable binary corruption.
*/
- if ((text_len | data_len | bss_len | stack_len | full_data) >> 28) {
+ if ((text_len | data_len | bss_len | stack_len | relocs | full_data) >> 28) {
pr_err("bad header\n");
ret = -ENOEXEC;
goto err;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 169/462] arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 168/462] binfmt_flat: Fix integer overflow bug on 32 bit systems Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 170/462] KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Greg Kroah-Hartman
` (296 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quentin Schulz, Jakob Unterwurzacher,
Heiko Stuebner
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakob Unterwurzacher <jakobunt@gmail.com>
commit 9d241b06802c6c2176ae7aa4f9f17f8a577ed337 upstream.
During mass manufacturing, we noticed the mmc_rx_crc_error counter,
as reported by "ethtool -S eth0 | grep mmc_rx_crc_error", to increase
above zero during nuttcp speedtests. Most of the time, this did not
affect the achieved speed, but it prompted this investigation.
Cycling through the rx_delay range on six boards (see table below) of
various ages shows that there is a large good region from 0x12 to 0x35
where we see zero crc errors on all tested boards.
The old rx_delay value (0x10) seems to have always been on the edge for
the KSZ9031RNX that is usually placed on Puma.
Choose "rx_delay = 0x23" to put us smack in the middle of the good
region. This works fine as well with the KSZ9131RNX PHY that was used
for a small number of boards during the COVID chip shortages.
Board S/N PHY rx_delay good region
--------- --- --------------------
Puma TT0069903 KSZ9031RNX 0x11 0x35
Puma TT0157733 KSZ9031RNX 0x11 0x35
Puma TT0681551 KSZ9031RNX 0x12 0x37
Puma TT0681156 KSZ9031RNX 0x10 0x38
Puma 17496030079 KSZ9031RNX 0x10 0x37 (Puma v1.2 from 2017)
Puma TT0681720 KSZ9131RNX 0x02 0x39 (alternative PHY used in very few boards)
Intersection of good regions = 0x12 0x35
Middle of good region = 0x23
Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM")
Cc: stable@vger.kernel.org
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Tested-by: Quentin Schulz <quentin.schulz@cherry.de> # Puma v2.1 and v2.3 with KSZ9031
Signed-off-by: Jakob Unterwurzacher <jakob.unterwurzacher@cherry.de>
Link: https://lore.kernel.org/r/20241213-puma_rx_delay-v4-1-8e8e11cc6ed7@cherry.de
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
@@ -176,7 +176,7 @@
snps,reset-active-low;
snps,reset-delays-us = <0 10000 50000>;
tx_delay = <0x10>;
- rx_delay = <0x10>;
+ rx_delay = <0x23>;
status = "okay";
};
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 170/462] KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 169/462] arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 171/462] KVM: s390: vsie: fix some corner-cases when grabbing vsie pages Greg Kroah-Hartman
` (295 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Will Deacon, Michal Luczaj,
Pankaj Gupta, Sean Christopherson
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 1e7381f3617d14b3c11da80ff5f8a93ab14cfc46 upstream.
Explicitly verify the target vCPU is fully online _prior_ to clamping the
index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will
generate '0', i.e. KVM will return vCPU0 instead of NULL.
In practice, the bug is unlikely to cause problems, as it will only come
into play if userspace or the guest is buggy or misbehaving, e.g. KVM may
send interrupts to vCPU0 instead of dropping them on the floor.
However, returning vCPU0 when it shouldn't exist per online_vcpus is
problematic now that KVM uses an xarray for the vCPUs array, as KVM needs
to insert into the xarray before publishing the vCPU to userspace (see
commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")),
i.e. before vCPU creation is guaranteed to succeed.
As a result, incorrectly providing access to vCPU0 will trigger a
use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu()
bails out of vCPU creation due to an error and frees vCPU0. Commit
afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but
in doing so introduced an unsolvable teardown conundrum. Preventing
accesses to vCPU0 before it's fully online will allow reverting commit
afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race.
Fixes: 1d487e9bf8ba ("KVM: fix spectrev1 gadgets")
Cc: stable@vger.kernel.org
Cc: Will Deacon <will@kernel.org>
Cc: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Pankaj Gupta <pankaj.gupta@amd.com>
Acked-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20241009150455.1057573-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/kvm_host.h | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -575,6 +575,15 @@ static inline struct kvm_io_bus *kvm_get
static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i)
{
int num_vcpus = atomic_read(&kvm->online_vcpus);
+
+ /*
+ * Explicitly verify the target vCPU is online, as the anti-speculation
+ * logic only limits the CPU's ability to speculate, e.g. given a "bad"
+ * index, clamping the index to 0 would return vCPU0, not NULL.
+ */
+ if (i >= num_vcpus)
+ return NULL;
+
i = array_index_nospec(i, num_vcpus);
/* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 171/462] KVM: s390: vsie: fix some corner-cases when grabbing vsie pages
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 170/462] KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 172/462] drm/komeda: Add check for komeda_get_layer_fourcc_list() Greg Kroah-Hartman
` (294 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Claudio Imbrenda,
Christoph Schlameuss
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
commit 5f230f41fdd9e799f43a699348dc572bca7159aa upstream.
We try to reuse the same vsie page when re-executing the vsie with a
given SCB address. The result is that we use the same shadow SCB --
residing in the vsie page -- and can avoid flushing the TLB when
re-running the vsie on a CPU.
So, when we allocate a fresh vsie page, or when we reuse a vsie page for
a different SCB address -- reusing the shadow SCB in different context --
we set ihcpu=0xffff to trigger the flush.
However, after we looked up the SCB address in the radix tree, but before
we grabbed the vsie page by raising the refcount to 2, someone could reuse
the vsie page for a different SCB address, adjusting page->index and the
radix tree. In that case, we would be reusing the vsie page with a
wrong page->index.
Another corner case is that we might set the SCB address for a vsie
page, but fail the insertion into the radix tree. Whoever would reuse
that page would remove the corresponding radix tree entry -- which might
now be a valid entry pointing at another page, resulting in the wrong
vsie page getting removed from the radix tree.
Let's handle such races better, by validating that the SCB address of a
vsie page didn't change after we grabbed it (not reuse for a different
SCB; the alternative would be performing another tree lookup), and by
setting the SCB address to invalid until the insertion in the tree
succeeded (SCB addresses are aligned to 512, so ULONG_MAX is invalid).
These scenarios are rare, the effects a bit unclear, and these issues were
only found by code inspection. Let's CC stable to be safe.
Fixes: a3508fbe9dc6 ("KVM: s390: vsie: initial support for nested virtualization")
Cc: stable@vger.kernel.org
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Reviewed-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Tested-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Message-ID: <20250107154344.1003072-2-david@redhat.com>
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kvm/vsie.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
--- a/arch/s390/kvm/vsie.c
+++ b/arch/s390/kvm/vsie.c
@@ -1316,8 +1316,14 @@ static struct vsie_page *get_vsie_page(s
page = radix_tree_lookup(&kvm->arch.vsie.addr_to_page, addr >> 9);
rcu_read_unlock();
if (page) {
- if (page_ref_inc_return(page) == 2)
- return page_to_virt(page);
+ if (page_ref_inc_return(page) == 2) {
+ if (page->index == addr)
+ return page_to_virt(page);
+ /*
+ * We raced with someone reusing + putting this vsie
+ * page before we grabbed it.
+ */
+ }
page_ref_dec(page);
}
@@ -1347,15 +1353,20 @@ static struct vsie_page *get_vsie_page(s
kvm->arch.vsie.next++;
kvm->arch.vsie.next %= nr_vcpus;
}
- radix_tree_delete(&kvm->arch.vsie.addr_to_page, page->index >> 9);
+ if (page->index != ULONG_MAX)
+ radix_tree_delete(&kvm->arch.vsie.addr_to_page,
+ page->index >> 9);
}
- page->index = addr;
- /* double use of the same address */
+ /* Mark it as invalid until it resides in the tree. */
+ page->index = ULONG_MAX;
+
+ /* Double use of the same address or allocation failure. */
if (radix_tree_insert(&kvm->arch.vsie.addr_to_page, addr >> 9, page)) {
page_ref_dec(page);
mutex_unlock(&kvm->arch.vsie.mutex);
return NULL;
}
+ page->index = addr;
mutex_unlock(&kvm->arch.vsie.mutex);
vsie_page = page_to_virt(page);
@@ -1448,7 +1459,9 @@ void kvm_s390_vsie_destroy(struct kvm *k
vsie_page = page_to_virt(page);
release_gmap_shadow(vsie_page);
/* free the radix tree entry */
- radix_tree_delete(&kvm->arch.vsie.addr_to_page, page->index >> 9);
+ if (page->index != ULONG_MAX)
+ radix_tree_delete(&kvm->arch.vsie.addr_to_page,
+ page->index >> 9);
__free_page(page);
}
kvm->arch.vsie.page_count = 0;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 172/462] drm/komeda: Add check for komeda_get_layer_fourcc_list()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 171/462] KVM: s390: vsie: fix some corner-cases when grabbing vsie pages Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 173/462] Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc Greg Kroah-Hartman
` (293 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Liviu Dudau
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 79fc672a092d93a7eac24fe20a571d4efd8fa5a4 upstream.
Add check for the return value of komeda_get_layer_fourcc_list()
to catch the potential exception.
Fixes: 5d51f6c0da1b ("drm/komeda: Add writeback support")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Acked-by: Liviu Dudau <liviu.dudau@arm.com>
Link: https://lore.kernel.org/r/20241219090256.146424-1-haoxiang_li2024@163.com
Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c
+++ b/drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c
@@ -160,6 +160,10 @@ static int komeda_wb_connector_add(struc
formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl,
kwb_conn->wb_layer->layer_type,
&n_formats);
+ if (!formats) {
+ kfree(kwb_conn);
+ return -ENOMEM;
+ }
err = drm_writeback_connector_init(&kms->base, wb_conn,
&komeda_wb_connector_funcs,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 173/462] Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 172/462] drm/komeda: Add check for komeda_get_layer_fourcc_list() Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 174/462] Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection Greg Kroah-Hartman
` (292 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Kuniyuki Iwashima,
Luiz Augusto von Dentz
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit 5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1 upstream.
A NULL sock pointer is passed into l2cap_sock_alloc() when it is called
from l2cap_sock_new_connection_cb() and the error handling paths should
also be aware of it.
Seemingly a more elegant solution would be to swap bt_sock_alloc() and
l2cap_chan_create() calls since they are not interdependent to that moment
but then l2cap_chan_create() adds the soon to be deallocated and still
dummy-initialized channel to the global list accessible by many L2CAP
paths. The channel would be removed from the list in short period of time
but be a bit more straight-forward here and just check for NULL instead of
changing the order of function calls.
Found by Linux Verification Center (linuxtesting.org) with SVACE static
analysis tool.
Fixes: 7c4f78cdb8e7 ("Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_sock.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1864,7 +1864,8 @@ static struct sock *l2cap_sock_alloc(str
chan = l2cap_chan_create();
if (!chan) {
sk_free(sk);
- sock->sk = NULL;
+ if (sock)
+ sock->sk = NULL;
return NULL;
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 174/462] Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 173/462] Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 175/462] clk: sunxi-ng: a100: enable MMC clock reparenting Greg Kroah-Hartman
` (291 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin,
Luiz Augusto von Dentz
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit 5c61419e02033eaf01733d66e2fcd4044808f482 upstream.
One of the possible ways to enable the input MTU auto-selection for L2CAP
connections is supposed to be through passing a special "0" value for it
as a socket option. Commit [1] added one of those into avdtp. However, it
simply wouldn't work because the kernel still treats the specified value
as invalid and denies the setting attempt. Recorded BlueZ logs include the
following:
bluetoothd[496]: profiles/audio/avdtp.c:l2cap_connect() setsockopt(L2CAP_OPTIONS): Invalid argument (22)
[1]: https://github.com/bluez/bluez/commit/ae5be371a9f53fed33d2b34748a95a5498fd4b77
Found by Linux Verification Center (linuxtesting.org).
Fixes: 4b6e228e297b ("Bluetooth: Auto tune if input MTU is set to 0")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_sock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -727,12 +727,12 @@ static bool l2cap_valid_mtu(struct l2cap
{
switch (chan->scid) {
case L2CAP_CID_ATT:
- if (mtu < L2CAP_LE_MIN_MTU)
+ if (mtu && mtu < L2CAP_LE_MIN_MTU)
return false;
break;
default:
- if (mtu < L2CAP_DEFAULT_MIN_MTU)
+ if (mtu && mtu < L2CAP_DEFAULT_MIN_MTU)
return false;
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 175/462] clk: sunxi-ng: a100: enable MMC clock reparenting
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 174/462] Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 176/462] clk: qcom: clk-alpha-pll: fix alpha mode configuration Greg Kroah-Hartman
` (290 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cody Eksal, Andre Przywara,
Chen-Yu Tsai
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cody Eksal <masterr3c0rd@epochal.quest>
commit 16414720045de30945b8d14b7907e0cbf81a4b49 upstream.
While testing the MMC nodes proposed in [1], it was noted that mmc0/1
would fail to initialize, with "mmc: fatal err update clk timeout" in
the kernel logs. A closer look at the clock definitions showed that the MMC
MPs had the "CLK_SET_RATE_NO_REPARENT" flag set. No reason was given for
adding this flag in the first place, and its original purpose is unknown,
but it doesn't seem to make sense and results in severe limitations to MMC
speeds. Thus, remove this flag from the 3 MMC MPs.
[1] https://msgid.link/20241024170540.2721307-10-masterr3c0rd@epochal.quest
Fixes: fb038ce4db55 ("clk: sunxi-ng: add support for the Allwinner A100 CCU")
Cc: stable@vger.kernel.org
Signed-off-by: Cody Eksal <masterr3c0rd@epochal.quest>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Link: https://patch.msgid.link/20241109003739.3440904-1-masterr3c0rd@epochal.quest
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/sunxi-ng/ccu-sun50i-a100.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/clk/sunxi-ng/ccu-sun50i-a100.c
+++ b/drivers/clk/sunxi-ng/ccu-sun50i-a100.c
@@ -437,7 +437,7 @@ static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDI
24, 2, /* mux */
BIT(31), /* gate */
2, /* post-div */
- CLK_SET_RATE_NO_REPARENT);
+ 0);
static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDIV(mmc1_clk, "mmc1", mmc_parents, 0x834,
0, 4, /* M */
@@ -445,7 +445,7 @@ static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDI
24, 2, /* mux */
BIT(31), /* gate */
2, /* post-div */
- CLK_SET_RATE_NO_REPARENT);
+ 0);
static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDIV(mmc2_clk, "mmc2", mmc_parents, 0x838,
0, 4, /* M */
@@ -453,7 +453,7 @@ static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDI
24, 2, /* mux */
BIT(31), /* gate */
2, /* post-div */
- CLK_SET_RATE_NO_REPARENT);
+ 0);
static SUNXI_CCU_GATE(bus_mmc0_clk, "bus-mmc0", "ahb3", 0x84c, BIT(0), 0);
static SUNXI_CCU_GATE(bus_mmc1_clk, "bus-mmc1", "ahb3", 0x84c, BIT(1), 0);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 176/462] clk: qcom: clk-alpha-pll: fix alpha mode configuration
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 175/462] clk: sunxi-ng: a100: enable MMC clock reparenting Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 177/462] clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate Greg Kroah-Hartman
` (289 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Dmitry Baryshkov,
Bjorn Andersson
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
commit 33f1722eb86e45320a3dd7b3d42f6593a1d595c2 upstream.
Commit c45ae598fc16 ("clk: qcom: support for alpha mode configuration")
added support for configuring alpha mode, but it seems that the feature
was never working in practice.
The value of the alpha_{en,mode}_mask members of the configuration gets
added to the value parameter passed to the regmap_update_bits() function,
however the same values are not getting applied to the bitmask. As the
result, the respective bits in the USER_CTL register are never modifed
which leads to improper configuration of several PLLs.
The following table shows the PLL configurations where the 'alpha_en_mask'
member is set and which are passed as a parameter for the
clk_alpha_pll_configure() function. In the table the 'expected rate' column
shows the rate the PLL should run at with the given configuration, and
the 'real rate' column shows the rate the PLL runs at actually. The real
rates has been verified on hardwareOn IPQ* platforms, on other platforms,
those are computed values only.
file pll expected rate real rate
dispcc-qcm2290.c disp_cc_pll0 768.0 MHz 768.0 MHz
dispcc-sm6115.c disp_cc_pll0 768.0 MHz 768.0 MHz
gcc-ipq5018.c ubi32_pll 1000.0 MHz != 984.0 MHz
gcc-ipq6018.c nss_crypto_pll 1200.0 MHz 1200.0 MHz
gcc-ipq6018.c ubi32_pll 1497.6 MHz != 1488.0 MHz
gcc-ipq8074.c nss_crypto_pll 1200.0 MHz != 1190.4 MHz
gcc-qcm2290.c gpll11 532.0 MHz != 518.4 MHz
gcc-qcm2290.c gpll8 533.2 MHz != 518.4 MHz
gcc-qcs404.c gpll3 921.6 MHz 921.6 MHz
gcc-sm6115.c gpll11 600.0 MHz != 595.2 MHz
gcc-sm6115.c gpll8 800.0 MHz != 787.2 MHz
gpucc-sdm660.c gpu_cc_pll0 800.0 MHz != 787.2 MHz
gpucc-sdm660.c gpu_cc_pll1 740.0 MHz != 729.6 MHz
gpucc-sm6115.c gpu_cc_pll0 1200.0 MHz != 1190.4 MHz
gpucc-sm6115.c gpu_cc_pll1 640.0 MHz != 633.6 MHz
gpucc-sm6125.c gpu_pll0 1020.0 MHz != 1017.6 MHz
gpucc-sm6125.c gpu_pll1 930.0 MHz != 921.6 MHz
mmcc-sdm660.c mmpll8 930.0 MHz != 921.6 MHz
mmcc-sdm660.c mmpll5 825.0 MHz != 806.4 MHz
As it can be seen from the above, there are several PLLs which are
configured incorrectly.
Change the code to apply both 'alpha_en_mask' and 'alpha_mode_mask'
values to the bitmask in order to configure the alpha mode correctly.
Applying the 'alpha_en_mask' fixes the initial rate of the PLLs showed
in the table above. Since the 'alpha_mode_mask' is not used by any driver
currently, that part of the change causes no functional changes.
Cc: stable@vger.kernel.org
Fixes: c45ae598fc16 ("clk: qcom: support for alpha mode configuration")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Tested-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://lore.kernel.org/r/20241021-fix-alpha-mode-config-v1-1-f32c254e02bc@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/clk-alpha-pll.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/clk/qcom/clk-alpha-pll.c
+++ b/drivers/clk/qcom/clk-alpha-pll.c
@@ -240,6 +240,8 @@ void clk_alpha_pll_configure(struct clk_
mask |= config->pre_div_mask;
mask |= config->post_div_mask;
mask |= config->vco_mask;
+ mask |= config->alpha_en_mask;
+ mask |= config->alpha_mode_mask;
regmap_update_bits(regmap, PLL_USER_CTL(pll), mask, val);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 177/462] clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 176/462] clk: qcom: clk-alpha-pll: fix alpha mode configuration Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 178/462] blk-cgroup: Fix class @block_classs subsystem refcount leakage Greg Kroah-Hartman
` (288 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anastasia Belova, Bjorn Andersson
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anastasia Belova <abelova@astralinux.ru>
commit 89aa5925d201b90a48416784831916ca203658f9 upstream.
aggr_state and unit fields are u32. The result of their
multiplication may not fit in this type.
Add explicit casting to prevent overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 04053f4d23a4 ("clk: qcom: clk-rpmh: Add IPA clock support")
Cc: stable@vger.kernel.org # 5.4+
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
Link: https://lore.kernel.org/r/20241203084231.6001-1-abelova@astralinux.ru
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/clk-rpmh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/clk/qcom/clk-rpmh.c
+++ b/drivers/clk/qcom/clk-rpmh.c
@@ -331,7 +331,7 @@ static unsigned long clk_rpmh_bcm_recalc
{
struct clk_rpmh *c = to_clk_rpmh(hw);
- return c->aggr_state * c->unit;
+ return (unsigned long)c->aggr_state * c->unit;
}
static const struct clk_ops clk_rpmh_bcm_ops = {
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 178/462] blk-cgroup: Fix class @block_classs subsystem refcount leakage
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 177/462] clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 179/462] efi: libstub: Use -std=gnu11 to fix build with GCC 15 Greg Kroah-Hartman
` (287 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Koutný, Tejun Heo,
Zijun Hu
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit d1248436cbef1f924c04255367ff4845ccd9025e upstream.
blkcg_fill_root_iostats() iterates over @block_class's devices by
class_dev_iter_(init|next)(), but does not end iterating with
class_dev_iter_exit(), so causes the class's subsystem refcount leakage.
Fix by ending the iterating with class_dev_iter_exit().
Fixes: ef45fe470e1e ("blk-cgroup: show global disk stats in root cgroup io.stat")
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250105-class_fix-v6-2-3a2f1768d4d4@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-cgroup.c | 1 +
1 file changed, 1 insertion(+)
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -851,6 +851,7 @@ static void blkcg_fill_root_iostats(void
}
disk_put_part(part);
}
+ class_dev_iter_exit(&iter);
}
static int blkcg_print_stat(struct seq_file *sf, void *v)
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 179/462] efi: libstub: Use -std=gnu11 to fix build with GCC 15
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 178/462] blk-cgroup: Fix class @block_classs subsystem refcount leakage Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 180/462] perf bench: Fix undefined behavior in cmpworker() Greg Kroah-Hartman
` (286 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kostadin Shishmanov, Jakub Jelinek,
Nathan Chancellor, Ard Biesheuvel
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 8ba14d9f490aef9fd535c04e9e62e1169eb7a055 upstream.
GCC 15 changed the default C standard version to C23, which should not
have impacted the kernel because it requests the gnu11 standard via
'-std=' in the main Makefile. However, the EFI libstub Makefile uses its
own set of KBUILD_CFLAGS for x86 without a '-std=' value (i.e., using
the default), resulting in errors from the kernel's definitions of bool,
true, and false in stddef.h, which are reserved keywords under C23.
./include/linux/stddef.h:11:9: error: expected identifier before ‘false’
11 | false = 0,
./include/linux/types.h:35:33: error: two or more data types in declaration specifiers
35 | typedef _Bool bool;
Set '-std=gnu11' in the x86 cflags to resolve the error and consistently
use the same C standard version for the entire kernel. All other
architectures reuse KBUILD_CFLAGS from the rest of the kernel, so this
issue is not visible for them.
Cc: stable@vger.kernel.org
Reported-by: Kostadin Shishmanov <kostadinshishmanov@protonmail.com>
Closes: https://lore.kernel.org/4OAhbllK7x4QJGpZjkYjtBYNLd_2whHx9oFiuZcGwtVR4hIzvduultkgfAIRZI3vQpZylu7Gl929HaYFRGeMEalWCpeMzCIIhLxxRhq4U-Y=@protonmail.com/
Reported-by: Jakub Jelinek <jakub@redhat.com>
Closes: https://lore.kernel.org/Z4467umXR2PZ0M1H@tucnak/
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/libstub/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/firmware/efi/libstub/Makefile
+++ b/drivers/firmware/efi/libstub/Makefile
@@ -7,7 +7,7 @@
#
cflags-$(CONFIG_X86_32) := -march=i386
cflags-$(CONFIG_X86_64) := -mcmodel=small
-cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ \
+cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ -std=gnu11 \
-fPIC -fno-strict-aliasing -mno-red-zone \
-mno-mmx -mno-sse -fshort-wchar \
-Wno-pointer-sign \
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 180/462] perf bench: Fix undefined behavior in cmpworker()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 179/462] efi: libstub: Use -std=gnu11 to fix build with GCC 15 Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 181/462] of: Correct child specifier used as input of the 2nd nexus node Greg Kroah-Hartman
` (285 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuan-Wei Chiu, James Clark,
Namhyung Kim
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuan-Wei Chiu <visitorckw@gmail.com>
commit 62892e77b8a64b9dc0e1da75980aa145347b6820 upstream.
The comparison function cmpworker() violates the C standard's
requirements for qsort() comparison functions, which mandate symmetry
and transitivity:
Symmetry: If x < y, then y > x.
Transitivity: If x < y and y < z, then x < z.
In its current implementation, cmpworker() incorrectly returns 0 when
w1->tid < w2->tid, which breaks both symmetry and transitivity. This
violation causes undefined behavior, potentially leading to issues such
as memory corruption in glibc [1].
Fix the issue by returning -1 when w1->tid < w2->tid, ensuring
compliance with the C standard and preventing undefined behavior.
Link: https://www.qualys.com/2024/01/30/qsort.txt [1]
Fixes: 121dd9ea0116 ("perf bench: Add epoll parallel epoll_wait benchmark")
Cc: stable@vger.kernel.org
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Reviewed-by: James Clark <james.clark@linaro.org>
Link: https://lore.kernel.org/r/20250116110842.4087530-1-visitorckw@gmail.com
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/perf/bench/epoll-wait.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/tools/perf/bench/epoll-wait.c
+++ b/tools/perf/bench/epoll-wait.c
@@ -407,7 +407,12 @@ static int cmpworker(const void *p1, con
struct worker *w1 = (struct worker *) p1;
struct worker *w2 = (struct worker *) p2;
- return w1->tid > w2->tid;
+
+ if (w1->tid > w2->tid)
+ return 1;
+ if (w1->tid < w2->tid)
+ return -1;
+ return 0;
}
int bench_epoll_wait(int argc, const char **argv)
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 181/462] of: Correct child specifier used as input of the 2nd nexus node
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 180/462] perf bench: Fix undefined behavior in cmpworker() Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 182/462] of: Fix of_find_node_opts_by_path() handling of alias+path+options Greg Kroah-Hartman
` (284 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit e4c00c9b1f70cd11792ff5b825899a6ee0234a62 upstream.
API of_parse_phandle_with_args_map() will use wrong input for nexus node
Nexus_2 as shown below:
Node_1 Nexus_1 Nexus_2
&Nexus_1,arg_1 -> arg_1,&Nexus_2,arg_2' -> &Nexus_2,arg_2 -> arg_2,...
map-pass-thru=<...>
Nexus_1's output arg_2 should be used as input of Nexus_2, but the API
wrongly uses arg_2' instead which != arg_2 due to Nexus_1's map-pass-thru.
Fix by always making @match_array point to @initial_match_array into
which to store nexus output.
Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250109-of_core_fix-v4-1-db8a72415b8c@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/of/base.c
+++ b/drivers/of/base.c
@@ -1659,7 +1659,6 @@ int of_parse_phandle_with_args_map(const
* specifier into the out_args structure, keeping the
* bits specified in <list>-map-pass-thru.
*/
- match_array = map - new_size;
for (i = 0; i < new_size; i++) {
__be32 val = *(map - new_size + i);
@@ -1668,6 +1667,7 @@ int of_parse_phandle_with_args_map(const
val |= cpu_to_be32(out_args->args[i]) & pass[i];
}
+ initial_match_array[i] = val;
out_args->args[i] = be32_to_cpu(val);
}
out_args->args_count = list_size = new_size;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 182/462] of: Fix of_find_node_opts_by_path() handling of alias+path+options
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 181/462] of: Correct child specifier used as input of the 2nd nexus node Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 183/462] of: reserved-memory: Fix using wrong number of cells to get property alignment Greg Kroah-Hartman
` (283 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit b9e58c934c56aa35b0fb436d9afd86ef326bae0e upstream.
of_find_node_opts_by_path() fails to find OF device node when its
@path parameter have pattern below:
"alias-name/node-name-1/.../node-name-N:options".
The reason is that alias name length calculated by the API is wrong, as
explained by example below:
"testcase-alias/phandle-tests/consumer-a:testaliasoption".
^ ^ ^
0 14 39
The right length of alias 'testcase-alias' is 14, but the result worked
out by the API is 39 which is obvious wrong.
Fix by using index of either '/' or ':' as the length who comes earlier.
Fixes: 75c28c09af99 ("of: add optional options parameter to of_find_node_by_path()")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20241216-of_core_fix-v2-1-e69b8f60da63@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/base.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/of/base.c
+++ b/drivers/of/base.c
@@ -926,10 +926,10 @@ struct device_node *of_find_node_opts_by
/* The path could begin with an alias */
if (*path != '/') {
int len;
- const char *p = separator;
+ const char *p = strchrnul(path, '/');
- if (!p)
- p = strchrnul(path, '/');
+ if (separator && separator < p)
+ p = separator;
len = p - path;
/* of_aliases must not be NULL */
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 183/462] of: reserved-memory: Fix using wrong number of cells to get property alignment
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 182/462] of: Fix of_find_node_opts_by_path() handling of alias+path+options Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 184/462] HID: hid-sensor-hub: dont use stale platform-data on remove Greg Kroah-Hartman
` (282 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit 267b21d0bef8e67dbe6c591c9991444e58237ec9 upstream.
According to DT spec, size of property 'alignment' is based on parent
node’s #size-cells property.
But __reserved_mem_alloc_size() wrongly uses @dt_root_addr_cells to get
the property obviously.
Fix by using @dt_root_size_cells instead of @dt_root_addr_cells.
Fixes: 3f0c82066448 ("drivers: of: add initialization code for dynamic reserved memory")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250109-of_core_fix-v4-9-db8a72415b8c@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/of_reserved_mem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/of/of_reserved_mem.c
+++ b/drivers/of/of_reserved_mem.c
@@ -94,12 +94,12 @@ static int __init __reserved_mem_alloc_s
prop = of_get_flat_dt_prop(node, "alignment", &len);
if (prop) {
- if (len != dt_root_addr_cells * sizeof(__be32)) {
+ if (len != dt_root_size_cells * sizeof(__be32)) {
pr_err("invalid alignment property in '%s' node.\n",
uname);
return -EINVAL;
}
- align = dt_mem_next_cell(dt_root_addr_cells, &prop);
+ align = dt_mem_next_cell(dt_root_size_cells, &prop);
}
nomap = of_get_flat_dt_prop(node, "no-map", NULL) != NULL;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 184/462] HID: hid-sensor-hub: dont use stale platform-data on remove
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 183/462] of: reserved-memory: Fix using wrong number of cells to get property alignment Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 185/462] wifi: rtlwifi: rtl8821ae: Fix media status report Greg Kroah-Hartman
` (281 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Stuebner, Benjamin Tissoires,
Srinivas Pandruvada, Jiri Kosina, Lee Jones
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Stuebner <heiko@sntech.de>
commit 8a5b38c3fd709e8acd2bfdedf66c25e6af759576 upstream.
The hid-sensor-hub creates the individual device structs and transfers them
to the created mfd platform-devices via the platform_data in the mfd_cell.
Before e651a1da442a ("HID: hid-sensor-hub: Allow parallel synchronous reads")
the sensor-hub was managing access centrally, with one "completion" in the
hub's data structure, which needed to be finished on removal at the latest.
The mentioned commit then moved this central management to each hid sensor
device, resulting on a completion in each struct hid_sensor_hub_device.
The remove procedure was adapted to go through all sensor devices and
finish any pending "completion".
What this didn't take into account was, platform_device_add_data() that is
used by mfd_add{_hotplug}_devices() does a kmemdup on the submitted
platform-data. So the data the platform-device gets is a copy of the
original data, meaning that the device worked on a different completion
than what sensor_hub_remove() currently wants to access.
To fix that, use device_for_each_child() to go through each child-device
similar to how mfd_remove_devices() unregisters the devices later and
with that get the live platform_data to finalize the correct completion.
Fixes: e651a1da442a ("HID: hid-sensor-hub: Allow parallel synchronous reads")
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Acked-by: Benjamin Tissoires <bentiss@kernel.org>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Acked-by: Jiri Kosina <jkosina@suse.com>
Link: https://lore.kernel.org/r/20241107114712.538976-2-heiko@sntech.de
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-sensor-hub.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
--- a/drivers/hid/hid-sensor-hub.c
+++ b/drivers/hid/hid-sensor-hub.c
@@ -730,23 +730,30 @@ err_stop_hw:
return ret;
}
+static int sensor_hub_finalize_pending_fn(struct device *dev, void *data)
+{
+ struct hid_sensor_hub_device *hsdev = dev->platform_data;
+
+ if (hsdev->pending.status)
+ complete(&hsdev->pending.ready);
+
+ return 0;
+}
+
static void sensor_hub_remove(struct hid_device *hdev)
{
struct sensor_hub_data *data = hid_get_drvdata(hdev);
unsigned long flags;
- int i;
hid_dbg(hdev, " hardware removed\n");
hid_hw_close(hdev);
hid_hw_stop(hdev);
+
spin_lock_irqsave(&data->lock, flags);
- for (i = 0; i < data->hid_sensor_client_cnt; ++i) {
- struct hid_sensor_hub_device *hsdev =
- data->hid_sensor_hub_client_devs[i].platform_data;
- if (hsdev->pending.status)
- complete(&hsdev->pending.ready);
- }
+ device_for_each_child(&hdev->dev, NULL,
+ sensor_hub_finalize_pending_fn);
spin_unlock_irqrestore(&data->lock, flags);
+
mfd_remove_devices(&hdev->dev);
mutex_destroy(&data->mutex);
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 185/462] wifi: rtlwifi: rtl8821ae: Fix media status report
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 184/462] HID: hid-sensor-hub: dont use stale platform-data on remove Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 186/462] wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() Greg Kroah-Hartman
` (280 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
commit 66ef0289ac99e155d206ddaa0fdfad09ae3cd007 upstream.
RTL8821AE is stuck transmitting at the lowest rate allowed by the rate
mask. This is because the firmware doesn't know the device is connected
to a network.
Fix the macros SET_H2CCMD_MSRRPT_PARM_OPMODE and
SET_H2CCMD_MSRRPT_PARM_MACID_IND to work on the first byte of __cmd,
not the second. Now the firmware is correctly notified when the device
is connected to a network and it activates the rate control.
Before (MCS3):
[ 5] 0.00-1.00 sec 12.5 MBytes 105 Mbits/sec 0 339 KBytes
[ 5] 1.00-2.00 sec 10.6 MBytes 89.1 Mbits/sec 0 339 KBytes
[ 5] 2.00-3.00 sec 10.6 MBytes 89.1 Mbits/sec 0 386 KBytes
[ 5] 3.00-4.00 sec 10.6 MBytes 89.1 Mbits/sec 0 386 KBytes
[ 5] 4.00-5.00 sec 10.2 MBytes 86.0 Mbits/sec 0 427 KBytes
After (MCS9):
[ 5] 0.00-1.00 sec 33.9 MBytes 284 Mbits/sec 0 771 KBytes
[ 5] 1.00-2.00 sec 31.6 MBytes 265 Mbits/sec 0 865 KBytes
[ 5] 2.00-3.00 sec 29.9 MBytes 251 Mbits/sec 0 963 KBytes
[ 5] 3.00-4.00 sec 28.2 MBytes 237 Mbits/sec 0 963 KBytes
[ 5] 4.00-5.00 sec 26.8 MBytes 224 Mbits/sec 0 963 KBytes
Fixes: 39f40710d0b5 ("rtlwifi: rtl88821ae: Remove usage of private bit manipulation macros")
Cc: stable@vger.kernel.org
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/754785b3-8a78-4554-b80d-de5f603b410b@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h
@@ -197,9 +197,9 @@ enum rtl8821a_h2c_cmd {
/* _MEDIA_STATUS_RPT_PARM_CMD1 */
#define SET_H2CCMD_MSRRPT_PARM_OPMODE(__cmd, __value) \
- u8p_replace_bits(__cmd + 1, __value, BIT(0))
+ u8p_replace_bits(__cmd, __value, BIT(0))
#define SET_H2CCMD_MSRRPT_PARM_MACID_IND(__cmd, __value) \
- u8p_replace_bits(__cmd + 1, __value, BIT(1))
+ u8p_replace_bits(__cmd, __value, BIT(1))
/* AP_OFFLOAD */
#define SET_H2CCMD_AP_OFFLOAD_ON(__cmd, __value) \
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 186/462] wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 185/462] wifi: rtlwifi: rtl8821ae: Fix media status report Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 187/462] usb: gadget: f_tcm: Translate error to sense Greg Kroah-Hartman
` (279 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcel Hamer, Arend van Spriel,
Kalle Valo
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcel Hamer <marcel.hamer@windriver.com>
commit 68abd0c4ebf24cd499841a488b97a6873d5efabb upstream.
On removal of the device or unloading of the kernel module a potential NULL
pointer dereference occurs.
The following sequence deletes the interface:
brcmf_detach()
brcmf_remove_interface()
brcmf_del_if()
Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to
BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.
After brcmf_remove_interface() call the brcmf_proto_detach() function is
called providing the following sequence:
brcmf_detach()
brcmf_proto_detach()
brcmf_proto_msgbuf_detach()
brcmf_flowring_detach()
brcmf_msgbuf_delete_flowring()
brcmf_msgbuf_remove_flowring()
brcmf_flowring_delete()
brcmf_get_ifp()
brcmf_txfinalize()
Since brcmf_get_ip() can and actually will return NULL in this case the
call to brcmf_txfinalize() will result in a NULL pointer dereference inside
brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors.
This will only happen if a flowring still has an skb.
Although the NULL pointer dereference has only been seen when trying to
update the tx statistic, all other uses of the ifp pointer have been
guarded as well with an early return if ifp is NULL.
Cc: stable@vger.kernel.org
Signed-off-by: Marcel Hamer <marcel.hamer@windriver.com>
Link: https://lore.kernel.org/all/b519e746-ddfd-421f-d897-7620d229e4b2@gmail.com/
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20250116132240.731039-1-marcel.hamer@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -545,6 +545,11 @@ void brcmf_txfinalize(struct brcmf_if *i
struct ethhdr *eh;
u16 type;
+ if (!ifp) {
+ brcmu_pkt_buf_free_skb(txp);
+ return;
+ }
+
eh = (struct ethhdr *)(txp->data);
type = ntohs(eh->h_proto);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 187/462] usb: gadget: f_tcm: Translate error to sense
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 186/462] wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 188/462] usb: gadget: f_tcm: Decrement command ref count on cleanup Greg Kroah-Hartman
` (278 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
commit 98fa00fd3ae43b857b4976984a135483d89d9281 upstream.
When respond with check_condition error status, clear from_transport
input so the target layer can translate the sense reason reported by
f_tcm.
Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/b2a5577efe7abd0af0051229622cf7d3be5cdcd0.1733876548.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_tcm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -1067,7 +1067,7 @@ static void usbg_cmd_work(struct work_st
out:
transport_send_check_condition_and_sense(se_cmd,
- TCM_UNSUPPORTED_SCSI_OPCODE, 1);
+ TCM_UNSUPPORTED_SCSI_OPCODE, 0);
}
static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu,
@@ -1197,7 +1197,7 @@ static void bot_cmd_work(struct work_str
out:
transport_send_check_condition_and_sense(se_cmd,
- TCM_UNSUPPORTED_SCSI_OPCODE, 1);
+ TCM_UNSUPPORTED_SCSI_OPCODE, 0);
}
static int bot_submit_command(struct f_uas *fu,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 188/462] usb: gadget: f_tcm: Decrement command ref count on cleanup
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 187/462] usb: gadget: f_tcm: Translate error to sense Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 189/462] usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint Greg Kroah-Hartman
` (277 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
commit 3b2a52e88ab0c9469eaadd4d4c8f57d072477820 upstream.
We submitted the command with TARGET_SCF_ACK_KREF, which requires
acknowledgment of command completion. If the command fails, make sure to
decrement the ref count.
Fixes: cff834c16d23 ("usb-gadget/tcm: Convert to TARGET_SCF_ACK_KREF I/O krefs")
Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/3c667b4d9c8b0b580346a69ff53616b6a74cfea2.1733876548.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_tcm.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -973,6 +973,7 @@ static void usbg_data_write_cmpl(struct
return;
cleanup:
+ target_put_sess_cmd(se_cmd);
transport_generic_free_cmd(&cmd->se_cmd, 0);
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 189/462] usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 188/462] usb: gadget: f_tcm: Decrement command ref count on cleanup Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 190/462] usb: gadget: f_tcm: Dont prepare BOT write request twice Greg Kroah-Hartman
` (276 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
commit 25224c1f07d31c261d04dfbc705a7a0f314a825d upstream.
Match usb endpoint using fullspeed endpoint descriptor to make sure the
wMaxPacketSize for fullspeed descriptors is automatically configured.
Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/e4507bc824aed6e7c7f5a718392ab6a7c1480a7f.1733876548.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_tcm.c | 30 +++++++++++++-----------------
1 file changed, 13 insertions(+), 17 deletions(-)
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -2021,43 +2021,39 @@ static int tcm_bind(struct usb_configura
bot_intf_desc.bInterfaceNumber = iface;
uasp_intf_desc.bInterfaceNumber = iface;
fu->iface = iface;
- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_bi_desc,
- &uasp_bi_ep_comp_desc);
+ ep = usb_ep_autoconfig(gadget, &uasp_fs_bi_desc);
if (!ep)
goto ep_fail;
fu->ep_in = ep;
- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_bo_desc,
- &uasp_bo_ep_comp_desc);
+ ep = usb_ep_autoconfig(gadget, &uasp_fs_bo_desc);
if (!ep)
goto ep_fail;
fu->ep_out = ep;
- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_status_desc,
- &uasp_status_in_ep_comp_desc);
+ ep = usb_ep_autoconfig(gadget, &uasp_fs_status_desc);
if (!ep)
goto ep_fail;
fu->ep_status = ep;
- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_cmd_desc,
- &uasp_cmd_comp_desc);
+ ep = usb_ep_autoconfig(gadget, &uasp_fs_cmd_desc);
if (!ep)
goto ep_fail;
fu->ep_cmd = ep;
/* Assume endpoint addresses are the same for both speeds */
- uasp_bi_desc.bEndpointAddress = uasp_ss_bi_desc.bEndpointAddress;
- uasp_bo_desc.bEndpointAddress = uasp_ss_bo_desc.bEndpointAddress;
+ uasp_bi_desc.bEndpointAddress = uasp_fs_bi_desc.bEndpointAddress;
+ uasp_bo_desc.bEndpointAddress = uasp_fs_bo_desc.bEndpointAddress;
uasp_status_desc.bEndpointAddress =
- uasp_ss_status_desc.bEndpointAddress;
- uasp_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress;
+ uasp_fs_status_desc.bEndpointAddress;
+ uasp_cmd_desc.bEndpointAddress = uasp_fs_cmd_desc.bEndpointAddress;
- uasp_fs_bi_desc.bEndpointAddress = uasp_ss_bi_desc.bEndpointAddress;
- uasp_fs_bo_desc.bEndpointAddress = uasp_ss_bo_desc.bEndpointAddress;
- uasp_fs_status_desc.bEndpointAddress =
- uasp_ss_status_desc.bEndpointAddress;
- uasp_fs_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress;
+ uasp_ss_bi_desc.bEndpointAddress = uasp_fs_bi_desc.bEndpointAddress;
+ uasp_ss_bo_desc.bEndpointAddress = uasp_fs_bo_desc.bEndpointAddress;
+ uasp_ss_status_desc.bEndpointAddress =
+ uasp_fs_status_desc.bEndpointAddress;
+ uasp_ss_cmd_desc.bEndpointAddress = uasp_fs_cmd_desc.bEndpointAddress;
ret = usb_assign_descriptors(f, uasp_fs_function_desc,
uasp_hs_function_desc, uasp_ss_function_desc,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 190/462] usb: gadget: f_tcm: Dont prepare BOT write request twice
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 189/462] usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 191/462] soc: qcom: socinfo: Avoid out of bounds read of serial number Greg Kroah-Hartman
` (275 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
commit 94d9bf671ae314cacc2d7bf96bd233b4abc7cede upstream.
The duplicate kmalloc here is causing memory leak. The request
preparation in bot_send_write_request is also done in
usbg_prepare_w_request. Remove the duplicate work.
Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/f4f26c3d586cde0d46f8c3bcb4e8ae32311b650d.1733876548.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_tcm.c | 17 -----------------
1 file changed, 17 deletions(-)
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -245,7 +245,6 @@ static int bot_send_write_request(struct
{
struct f_uas *fu = cmd->fu;
struct se_cmd *se_cmd = &cmd->se_cmd;
- struct usb_gadget *gadget = fuas_to_gadget(fu);
int ret;
init_completion(&cmd->write_complete);
@@ -256,22 +255,6 @@ static int bot_send_write_request(struct
return -EINVAL;
}
- if (!gadget->sg_supported) {
- cmd->data_buf = kmalloc(se_cmd->data_length, GFP_KERNEL);
- if (!cmd->data_buf)
- return -ENOMEM;
-
- fu->bot_req_out->buf = cmd->data_buf;
- } else {
- fu->bot_req_out->buf = NULL;
- fu->bot_req_out->num_sgs = se_cmd->t_data_nents;
- fu->bot_req_out->sg = se_cmd->t_data_sg;
- }
-
- fu->bot_req_out->complete = usbg_data_write_cmpl;
- fu->bot_req_out->length = se_cmd->data_length;
- fu->bot_req_out->context = cmd;
-
ret = usbg_prepare_w_request(cmd, fu->bot_req_out);
if (ret)
goto cleanup;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 191/462] soc: qcom: socinfo: Avoid out of bounds read of serial number
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 190/462] usb: gadget: f_tcm: Dont prepare BOT write request twice Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 192/462] serial: sh-sci: Drop __initdata macro for port_cfg Greg Kroah-Hartman
` (274 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Dmitry Baryshkov,
Bjorn Andersson
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
commit 22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0 upstream.
On MSM8916 devices, the serial number exposed in sysfs is constant and does
not change across individual devices. It's always:
db410c:/sys/devices/soc0$ cat serial_number
2644893864
The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not
have support for the serial_num field in the socinfo struct. There is an
existing check to avoid exposing the serial number in that case, but it's
not correct: When checking the item_size returned by SMEM, we need to make
sure the *end* of the serial_num is within bounds, instead of comparing
with the *start* offset. The serial_number currently exposed on MSM8916
devices is just an out of bounds read of whatever comes after the socinfo
struct in SMEM.
Fix this by changing offsetof() to offsetofend(), so that the size of the
field is also taken into account.
Cc: stable@vger.kernel.org
Fixes: efb448d0a3fc ("soc: qcom: Add socinfo driver")
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20241230-qcom-socinfo-serialno-oob-v1-1-9b7a890da3da@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/socinfo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/soc/qcom/socinfo.c
+++ b/drivers/soc/qcom/socinfo.c
@@ -510,7 +510,7 @@ static int qcom_socinfo_probe(struct pla
if (!qs->attr.soc_id || !qs->attr.revision)
return -ENOMEM;
- if (offsetof(struct socinfo, serial_num) <= item_size) {
+ if (offsetofend(struct socinfo, serial_num) <= item_size) {
qs->attr.serial_number = devm_kasprintf(&pdev->dev, GFP_KERNEL,
"%u",
le32_to_cpu(info->serial_num));
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 192/462] serial: sh-sci: Drop __initdata macro for port_cfg
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 191/462] soc: qcom: socinfo: Avoid out of bounds read of serial number Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 193/462] serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use Greg Kroah-Hartman
` (273 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Claudiu Beznea
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit eaeee4225dba30bef4d424bdf134a07b7f423e8b upstream.
The port_cfg object is used by serial_console_write(), which serves as
the write function for the earlycon device. Marking port_cfg as __initdata
causes it to be freed after kernel initialization, resulting in earlycon
becoming unavailable thereafter. Remove the __initdata macro from port_cfg
to resolve this issue.
Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
Cc: stable@vger.kernel.org
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Fixes: 0b0cced19ab15c9e ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
Link: https://lore.kernel.org/r/20250116182249.3828577-2-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/sh-sci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -3455,7 +3455,7 @@ sh_early_platform_init_buffer("earlyprin
early_serial_buf, ARRAY_SIZE(early_serial_buf));
#endif
#ifdef CONFIG_SERIAL_SH_SCI_EARLYCON
-static struct plat_sci_port port_cfg __initdata;
+static struct plat_sci_port port_cfg;
static int __init early_console_setup(struct earlycon_device *device,
int type)
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 193/462] serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 192/462] serial: sh-sci: Drop __initdata macro for port_cfg Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 194/462] powerpc/pseries/eeh: Fix get PE state translation Greg Kroah-Hartman
` (272 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Claudiu Beznea
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit 9f7dea875cc7f9c1a56a5c688290634a59cd1420 upstream.
In the sh-sci driver, sci_ports[0] is used by earlycon. If the earlycon is
still active when sci_probe() is called and the new serial port is supposed
to map to sci_ports[0], return -EBUSY to prevent breaking the earlycon.
This situation should occurs in debug scenarios, and users should be
aware of the potential conflict.
Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
Cc: stable@vger.kernel.org
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://lore.kernel.org/r/20250116182249.3828577-4-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/sh-sci.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -164,6 +164,7 @@ struct sci_port {
static struct sci_port sci_ports[SCI_NPORTS];
static unsigned long sci_ports_in_use;
static struct uart_driver sci_uart_driver;
+static bool sci_uart_earlycon;
static inline struct sci_port *
to_sci_port(struct uart_port *uart)
@@ -3343,6 +3344,7 @@ static int sci_probe_single(struct platf
static int sci_probe(struct platform_device *dev)
{
struct plat_sci_port *p;
+ struct resource *res;
struct sci_port *sp;
unsigned int dev_id;
int ret;
@@ -3372,6 +3374,26 @@ static int sci_probe(struct platform_dev
}
sp = &sci_ports[dev_id];
+
+ /*
+ * In case:
+ * - the probed port alias is zero (as the one used by earlycon), and
+ * - the earlycon is still active (e.g., "earlycon keep_bootcon" in
+ * bootargs)
+ *
+ * defer the probe of this serial. This is a debug scenario and the user
+ * must be aware of it.
+ *
+ * Except when the probed port is the same as the earlycon port.
+ */
+
+ res = platform_get_resource(dev, IORESOURCE_MEM, 0);
+ if (!res)
+ return -ENODEV;
+
+ if (sci_uart_earlycon && sp == &sci_ports[0] && sp->port.mapbase != res->start)
+ return dev_err_probe(&dev->dev, -EBUSY, "sci_port[0] is used by earlycon!\n");
+
platform_set_drvdata(dev, sp);
ret = sci_probe_single(dev, dev_id, p, sp);
@@ -3470,6 +3492,7 @@ static int __init early_console_setup(st
port_cfg.type = type;
sci_ports[0].cfg = &port_cfg;
sci_ports[0].params = sci_probe_regmap(&port_cfg);
+ sci_uart_earlycon = true;
port_cfg.scscr = sci_serial_in(&sci_ports[0].port, SCSCR);
sci_serial_out(&sci_ports[0].port, SCSCR,
SCSCR_RE | SCSCR_TE | port_cfg.scscr);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 194/462] powerpc/pseries/eeh: Fix get PE state translation
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 193/462] serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 195/462] dm-crypt: dont update io->sector after kcryptd_crypt_write_io_submit() Greg Kroah-Hartman
` (271 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM),
Narayana Murty N, Madhavan Srinivasan
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Narayana Murty N <nnmlinux@linux.ibm.com>
commit 11b93559000c686ad7e5ab0547e76f21cc143844 upstream.
The PE Reset State "0" returned by RTAS calls
"ibm_read_slot_reset_[state|state2]" indicates that the reset is
deactivated and the PE is in a state where MMIO and DMA are allowed.
However, the current implementation of "pseries_eeh_get_state()" does
not reflect this, causing drivers to incorrectly assume that MMIO and
DMA operations cannot be resumed.
The userspace drivers as a part of EEH recovery using VFIO ioctls fail
to detect when the recovery process is complete. The VFIO_EEH_PE_GET_STATE
ioctl does not report the expected EEH_PE_STATE_NORMAL state, preventing
userspace drivers from functioning properly on pseries systems.
The patch addresses this issue by updating 'pseries_eeh_get_state()'
to include "EEH_STATE_MMIO_ENABLED" and "EEH_STATE_DMA_ENABLED" in
the result mask for PE Reset State "0". This ensures correct state
reporting to the callers, aligning the behavior with the PAPR specification
and fixing the bug in EEH recovery for VFIO user workflows.
Fixes: 00ba05a12b3c ("powerpc/pseries: Cleanup on pseries_eeh_get_state()")
Cc: stable@vger.kernel.org
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Narayana Murty N <nnmlinux@linux.ibm.com>
Link: https://lore.kernel.org/stable/20241212075044.10563-1-nnmlinux%40linux.ibm.com
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250116103954.17324-1-nnmlinux@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/eeh_pseries.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
+++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
@@ -578,8 +578,10 @@ static int pseries_eeh_get_state(struct
switch(rets[0]) {
case 0:
- result = EEH_STATE_MMIO_ACTIVE |
- EEH_STATE_DMA_ACTIVE;
+ result = EEH_STATE_MMIO_ACTIVE |
+ EEH_STATE_DMA_ACTIVE |
+ EEH_STATE_MMIO_ENABLED |
+ EEH_STATE_DMA_ENABLED;
break;
case 1:
result = EEH_STATE_RESET_ACTIVE |
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 195/462] dm-crypt: dont update io->sector after kcryptd_crypt_write_io_submit()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 194/462] powerpc/pseries/eeh: Fix get PE state translation Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 196/462] dm-crypt: track tag_offset in convert_context Greg Kroah-Hartman
` (270 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hou Tao, Mikulas Patocka
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hou Tao <houtao1@huawei.com>
commit 9fdbbdbbc92b1474a87b89f8b964892a63734492 upstream.
The updates of io->sector are the leftovers when dm-crypt allocated
pages for partial write request. However, since commit cf2f1abfbd0db
("dm crypt: don't allocate pages for a partial request"), there is no
partial request anymore.
After the introduction of write request rb-tree, the updates of
io->sectors may interfere the insertion procedure, because ->sectors of
these write requests which have already been added in the rb-tree may be
changed during the insertion of new write request.
Fix it by removing these buggy updates of io->sectors. Considering these
updates only effect the write request rb-tree, the commit which
introduces the write request rb-tree is used as the fix tag.
Fixes: b3c5fd305249 ("dm crypt: sort writes")
Cc: stable@vger.kernel.org
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-crypt.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -2015,7 +2015,6 @@ static void kcryptd_crypt_write_continue
struct crypt_config *cc = io->cc;
struct convert_context *ctx = &io->ctx;
int crypt_finished;
- sector_t sector = io->sector;
blk_status_t r;
wait_for_completion(&ctx->restart);
@@ -2032,10 +2031,8 @@ static void kcryptd_crypt_write_continue
}
/* Encryption was already finished, submit io now */
- if (crypt_finished) {
+ if (crypt_finished)
kcryptd_crypt_write_io_submit(io, 0);
- io->sector = sector;
- }
crypt_dec_pending(io);
}
@@ -2046,14 +2043,13 @@ static void kcryptd_crypt_write_convert(
struct convert_context *ctx = &io->ctx;
struct bio *clone;
int crypt_finished;
- sector_t sector = io->sector;
blk_status_t r;
/*
* Prevent io from disappearing until this function completes.
*/
crypt_inc_pending(io);
- crypt_convert_init(cc, ctx, NULL, io->base_bio, sector);
+ crypt_convert_init(cc, ctx, NULL, io->base_bio, io->sector);
clone = crypt_alloc_buffer(io, io->base_bio->bi_iter.bi_size);
if (unlikely(!clone)) {
@@ -2070,8 +2066,6 @@ static void kcryptd_crypt_write_convert(
io->ctx.iter_in = clone->bi_iter;
}
- sector += bio_sectors(clone);
-
crypt_inc_pending(io);
r = crypt_convert(cc, ctx,
test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags), true);
@@ -2095,10 +2089,8 @@ static void kcryptd_crypt_write_convert(
}
/* Encryption was already finished, submit io now */
- if (crypt_finished) {
+ if (crypt_finished)
kcryptd_crypt_write_io_submit(io, 0);
- io->sector = sector;
- }
dec:
crypt_dec_pending(io);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 196/462] dm-crypt: track tag_offset in convert_context
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 195/462] dm-crypt: dont update io->sector after kcryptd_crypt_write_io_submit() Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 197/462] ALSA: hda/realtek: Enable headset mic on Positivo C6400 Greg Kroah-Hartman
` (269 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hou Tao, Mikulas Patocka
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hou Tao <houtao1@huawei.com>
commit 8b8f8037765757861f899ed3a2bfb34525b5c065 upstream.
dm-crypt uses tag_offset to index the integrity metadata for each crypt
sector. When the initial crypt_convert() returns BLK_STS_DEV_RESOURCE,
dm-crypt will try to continue the crypt/decrypt procedure in a kworker.
However, it resets tag_offset as zero instead of using the tag_offset
related with current sector. It may return unexpected data when using
random IV or return unexpected integrity related error.
Fix the problem by tracking tag_offset in per-IO convert_context.
Therefore, when the crypt/decrypt procedure continues in a kworker, it
could use the next tag_offset saved in convert_context.
Fixes: 8abec36d1274 ("dm crypt: do not wait for backlogged crypto request completion in softirq")
Cc: stable@vger.kernel.org
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-crypt.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -52,6 +52,7 @@ struct convert_context {
struct bio *bio_out;
struct bvec_iter iter_out;
atomic_t cc_pending;
+ unsigned int tag_offset;
u64 cc_sector;
union {
struct skcipher_request *req;
@@ -1218,6 +1219,7 @@ static void crypt_convert_init(struct cr
if (bio_out)
ctx->iter_out = bio_out->bi_iter;
ctx->cc_sector = sector + cc->iv_offset;
+ ctx->tag_offset = 0;
init_completion(&ctx->restart);
}
@@ -1543,7 +1545,6 @@ static void crypt_free_req(struct crypt_
static blk_status_t crypt_convert(struct crypt_config *cc,
struct convert_context *ctx, bool atomic, bool reset_pending)
{
- unsigned int tag_offset = 0;
unsigned int sector_step = cc->sector_size >> SECTOR_SHIFT;
int r;
@@ -1566,9 +1567,9 @@ static blk_status_t crypt_convert(struct
atomic_inc(&ctx->cc_pending);
if (crypt_integrity_aead(cc))
- r = crypt_convert_block_aead(cc, ctx, ctx->r.req_aead, tag_offset);
+ r = crypt_convert_block_aead(cc, ctx, ctx->r.req_aead, ctx->tag_offset);
else
- r = crypt_convert_block_skcipher(cc, ctx, ctx->r.req, tag_offset);
+ r = crypt_convert_block_skcipher(cc, ctx, ctx->r.req, ctx->tag_offset);
switch (r) {
/*
@@ -1588,8 +1589,8 @@ static blk_status_t crypt_convert(struct
* exit and continue processing in a workqueue
*/
ctx->r.req = NULL;
+ ctx->tag_offset++;
ctx->cc_sector += sector_step;
- tag_offset++;
return BLK_STS_DEV_RESOURCE;
}
} else {
@@ -1603,8 +1604,8 @@ static blk_status_t crypt_convert(struct
*/
case -EINPROGRESS:
ctx->r.req = NULL;
+ ctx->tag_offset++;
ctx->cc_sector += sector_step;
- tag_offset++;
continue;
/*
* The request was already processed (synchronously).
@@ -1612,7 +1613,7 @@ static blk_status_t crypt_convert(struct
case 0:
atomic_dec(&ctx->cc_pending);
ctx->cc_sector += sector_step;
- tag_offset++;
+ ctx->tag_offset++;
if (!atomic)
cond_resched();
continue;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 197/462] ALSA: hda/realtek: Enable headset mic on Positivo C6400
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 196/462] dm-crypt: track tag_offset in convert_context Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 198/462] scsi: qla2xxx: Move FCE Trace buffer allocation to user control Greg Kroah-Hartman
` (268 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Edson Juliano Drosdeck, Takashi Iwai
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
commit 1aec3ed2e3e1512aba15e7e790196a44efd5f0a7 upstream.
Positivo C6400 is equipped with ALC269VB, and it needs
ALC269VB_FIXUP_ASUS_ZENBOOK quirk to make its headset mic work.
Also must to limits the microphone boost.
Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250114170619.11510-1-edson.drosdeck@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9435,6 +9435,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD),
SND_PCI_QUIRK(0x17aa, 0x9e56, "Lenovo ZhaoYang CF4620Z", ALC286_FIXUP_SONY_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1849, 0x0269, "Positivo Master C6400", ALC269VB_FIXUP_ASUS_ZENBOOK),
SND_PCI_QUIRK(0x1849, 0x1233, "ASRock NUC Box 1100", ALC233_FIXUP_NO_AUDIO_JACK),
SND_PCI_QUIRK(0x1849, 0xa233, "Positivo Master C6300", ALC269_FIXUP_HEADSET_MIC),
SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MACH-WX9", ALC256_FIXUP_HUAWEI_MACH_WX9_PINS),
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 198/462] scsi: qla2xxx: Move FCE Trace buffer allocation to user control
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 197/462] ALSA: hda/realtek: Enable headset mic on Positivo C6400 Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 199/462] scsi: storvsc: Set correct data length for sending SCSI command without payload Greg Kroah-Hartman
` (267 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quinn Tran, Nilesh Javali,
Himanshu Madhani, Martin K. Petersen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quinn Tran <qutran@marvell.com>
commit 841df27d619ee1f5ca6473e15227b39d6136562d upstream.
Currently FCE Tracing is enabled to log additional ELS events. Instead,
user will enable or disable this feature through debugfs.
Modify existing DFS knob to allow user to enable or disable this
feature.
echo [1 | 0] > /sys/kernel/debug/qla2xxx/qla2xxx_??/fce
cat /sys/kernel/debug/qla2xxx/qla2xxx_??/fce
Cc: stable@vger.kernel.org
Fixes: df613b96077c ("[SCSI] qla2xxx: Add Fibre Channel Event (FCE) tracing support.")
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20241115130313.46826-4-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/qla2xxx/qla_def.h | 2
drivers/scsi/qla2xxx/qla_dfs.c | 124 ++++++++++++++++++++++++++++++++--------
drivers/scsi/qla2xxx/qla_gbl.h | 3
drivers/scsi/qla2xxx/qla_init.c | 28 ++++++---
4 files changed, 126 insertions(+), 31 deletions(-)
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -3883,6 +3883,8 @@ struct qla_hw_data {
uint32_t npiv_supported :1;
uint32_t pci_channel_io_perm_failure :1;
uint32_t fce_enabled :1;
+ uint32_t user_enabled_fce :1;
+ uint32_t fce_dump_buf_alloced :1;
uint32_t fac_supported :1;
uint32_t chip_reset_done :1;
--- a/drivers/scsi/qla2xxx/qla_dfs.c
+++ b/drivers/scsi/qla2xxx/qla_dfs.c
@@ -365,27 +365,32 @@ qla2x00_dfs_fce_show(struct seq_file *s,
mutex_lock(&ha->fce_mutex);
- seq_puts(s, "FCE Trace Buffer\n");
- seq_printf(s, "In Pointer = %llx\n\n", (unsigned long long)ha->fce_wr);
- seq_printf(s, "Base = %llx\n\n", (unsigned long long) ha->fce_dma);
- seq_puts(s, "FCE Enable Registers\n");
- seq_printf(s, "%08x %08x %08x %08x %08x %08x\n",
- ha->fce_mb[0], ha->fce_mb[2], ha->fce_mb[3], ha->fce_mb[4],
- ha->fce_mb[5], ha->fce_mb[6]);
-
- fce = (uint32_t *) ha->fce;
- fce_start = (unsigned long long) ha->fce_dma;
- for (cnt = 0; cnt < fce_calc_size(ha->fce_bufs) / 4; cnt++) {
- if (cnt % 8 == 0)
- seq_printf(s, "\n%llx: ",
- (unsigned long long)((cnt * 4) + fce_start));
- else
- seq_putc(s, ' ');
- seq_printf(s, "%08x", *fce++);
+ if (ha->flags.user_enabled_fce) {
+ seq_puts(s, "FCE Trace Buffer\n");
+ seq_printf(s, "In Pointer = %llx\n\n", (unsigned long long)ha->fce_wr);
+ seq_printf(s, "Base = %llx\n\n", (unsigned long long)ha->fce_dma);
+ seq_puts(s, "FCE Enable Registers\n");
+ seq_printf(s, "%08x %08x %08x %08x %08x %08x\n",
+ ha->fce_mb[0], ha->fce_mb[2], ha->fce_mb[3], ha->fce_mb[4],
+ ha->fce_mb[5], ha->fce_mb[6]);
+
+ fce = (uint32_t *)ha->fce;
+ fce_start = (unsigned long long)ha->fce_dma;
+ for (cnt = 0; cnt < fce_calc_size(ha->fce_bufs) / 4; cnt++) {
+ if (cnt % 8 == 0)
+ seq_printf(s, "\n%llx: ",
+ (unsigned long long)((cnt * 4) + fce_start));
+ else
+ seq_putc(s, ' ');
+ seq_printf(s, "%08x", *fce++);
+ }
+
+ seq_puts(s, "\nEnd\n");
+ } else {
+ seq_puts(s, "FCE Trace is currently not enabled\n");
+ seq_puts(s, "\techo [ 1 | 0 ] > fce\n");
}
- seq_puts(s, "\nEnd\n");
-
mutex_unlock(&ha->fce_mutex);
return 0;
@@ -423,7 +428,7 @@ qla2x00_dfs_fce_release(struct inode *in
struct qla_hw_data *ha = vha->hw;
int rval;
- if (ha->flags.fce_enabled)
+ if (ha->flags.fce_enabled || !ha->fce)
goto out;
mutex_lock(&ha->fce_mutex);
@@ -444,11 +449,88 @@ out:
return single_release(inode, file);
}
+static ssize_t
+qla2x00_dfs_fce_write(struct file *file, const char __user *buffer,
+ size_t count, loff_t *pos)
+{
+ struct seq_file *s = file->private_data;
+ struct scsi_qla_host *vha = s->private;
+ struct qla_hw_data *ha = vha->hw;
+ char *buf;
+ int rc = 0;
+ unsigned long enable;
+
+ if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) &&
+ !IS_QLA27XX(ha) && !IS_QLA28XX(ha)) {
+ ql_dbg(ql_dbg_user, vha, 0xd034,
+ "this adapter does not support FCE.");
+ return -EINVAL;
+ }
+
+ buf = memdup_user_nul(buffer, count);
+ if (IS_ERR(buf)) {
+ ql_dbg(ql_dbg_user, vha, 0xd037,
+ "fail to copy user buffer.");
+ return PTR_ERR(buf);
+ }
+
+ enable = kstrtoul(buf, 0, 0);
+ rc = count;
+
+ mutex_lock(&ha->fce_mutex);
+
+ if (enable) {
+ if (ha->flags.user_enabled_fce) {
+ mutex_unlock(&ha->fce_mutex);
+ goto out_free;
+ }
+ ha->flags.user_enabled_fce = 1;
+ if (!ha->fce) {
+ rc = qla2x00_alloc_fce_trace(vha);
+ if (rc) {
+ ha->flags.user_enabled_fce = 0;
+ mutex_unlock(&ha->fce_mutex);
+ goto out_free;
+ }
+
+ /* adjust fw dump buffer to take into account of this feature */
+ if (!ha->flags.fce_dump_buf_alloced)
+ qla2x00_alloc_fw_dump(vha);
+ }
+
+ if (!ha->flags.fce_enabled)
+ qla_enable_fce_trace(vha);
+
+ ql_dbg(ql_dbg_user, vha, 0xd045, "User enabled FCE .\n");
+ } else {
+ if (!ha->flags.user_enabled_fce) {
+ mutex_unlock(&ha->fce_mutex);
+ goto out_free;
+ }
+ ha->flags.user_enabled_fce = 0;
+ if (ha->flags.fce_enabled) {
+ qla2x00_disable_fce_trace(vha, NULL, NULL);
+ ha->flags.fce_enabled = 0;
+ }
+
+ qla2x00_free_fce_trace(ha);
+ /* no need to re-adjust fw dump buffer */
+
+ ql_dbg(ql_dbg_user, vha, 0xd04f, "User disabled FCE .\n");
+ }
+
+ mutex_unlock(&ha->fce_mutex);
+out_free:
+ kfree(buf);
+ return rc;
+}
+
static const struct file_operations dfs_fce_ops = {
.open = qla2x00_dfs_fce_open,
.read = seq_read,
.llseek = seq_lseek,
.release = qla2x00_dfs_fce_release,
+ .write = qla2x00_dfs_fce_write,
};
static int
@@ -534,8 +616,6 @@ qla2x00_dfs_setup(scsi_qla_host_t *vha)
if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) &&
!IS_QLA27XX(ha) && !IS_QLA28XX(ha))
goto out;
- if (!ha->fce)
- goto out;
if (qla2x00_dfs_root)
goto create_dir;
--- a/drivers/scsi/qla2xxx/qla_gbl.h
+++ b/drivers/scsi/qla2xxx/qla_gbl.h
@@ -11,6 +11,9 @@
/*
* Global Function Prototypes in qla_init.c source file.
*/
+int qla2x00_alloc_fce_trace(scsi_qla_host_t *);
+void qla2x00_free_fce_trace(struct qla_hw_data *ha);
+void qla_enable_fce_trace(scsi_qla_host_t *);
extern int qla2x00_initialize_adapter(scsi_qla_host_t *);
extern int qla2100_pci_config(struct scsi_qla_host *);
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -2280,7 +2280,7 @@ exit:
return rval;
}
-static void qla_enable_fce_trace(scsi_qla_host_t *vha)
+void qla_enable_fce_trace(scsi_qla_host_t *vha)
{
int rval;
struct qla_hw_data *ha = vha->hw;
@@ -3263,25 +3263,24 @@ qla24xx_chip_diag(scsi_qla_host_t *vha)
return rval;
}
-static void
-qla2x00_alloc_fce_trace(scsi_qla_host_t *vha)
+int qla2x00_alloc_fce_trace(scsi_qla_host_t *vha)
{
dma_addr_t tc_dma;
void *tc;
struct qla_hw_data *ha = vha->hw;
if (!IS_FWI2_CAPABLE(ha))
- return;
+ return -EINVAL;
if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) &&
!IS_QLA27XX(ha) && !IS_QLA28XX(ha))
- return;
+ return -EINVAL;
if (ha->fce) {
ql_dbg(ql_dbg_init, vha, 0x00bd,
"%s: FCE Mem is already allocated.\n",
__func__);
- return;
+ return -EIO;
}
/* Allocate memory for Fibre Channel Event Buffer. */
@@ -3291,7 +3290,7 @@ qla2x00_alloc_fce_trace(scsi_qla_host_t
ql_log(ql_log_warn, vha, 0x00be,
"Unable to allocate (%d KB) for FCE.\n",
FCE_SIZE / 1024);
- return;
+ return -ENOMEM;
}
ql_dbg(ql_dbg_init, vha, 0x00c0,
@@ -3300,6 +3299,16 @@ qla2x00_alloc_fce_trace(scsi_qla_host_t
ha->fce_dma = tc_dma;
ha->fce = tc;
ha->fce_bufs = FCE_NUM_BUFFERS;
+ return 0;
+}
+
+void qla2x00_free_fce_trace(struct qla_hw_data *ha)
+{
+ if (!ha->fce)
+ return;
+ dma_free_coherent(&ha->pdev->dev, FCE_SIZE, ha->fce, ha->fce_dma);
+ ha->fce = NULL;
+ ha->fce_dma = 0;
}
static void
@@ -3390,9 +3399,10 @@ qla2x00_alloc_fw_dump(scsi_qla_host_t *v
if (ha->tgt.atio_ring)
mq_size += ha->tgt.atio_q_length * sizeof(request_t);
- qla2x00_alloc_fce_trace(vha);
- if (ha->fce)
+ if (ha->fce) {
fce_size = sizeof(struct qla2xxx_fce_chain) + FCE_SIZE;
+ ha->flags.fce_dump_buf_alloced = 1;
+ }
qla2x00_alloc_eft_trace(vha);
if (ha->eft)
eft_size = EFT_SIZE;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 199/462] scsi: storvsc: Set correct data length for sending SCSI command without payload
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 198/462] scsi: qla2xxx: Move FCE Trace buffer allocation to user control Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 200/462] kbuild: Move -Wenum-enum-conversion to W=2 Greg Kroah-Hartman
` (266 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Roman Kisel, Michael Kelley,
Long Li, Martin K. Petersen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
commit 87c4b5e8a6b65189abd9ea5010ab308941f964a4 upstream.
In StorVSC, payload->range.len is used to indicate if this SCSI command
carries payload. This data is allocated as part of the private driver data
by the upper layer and may get passed to lower driver uninitialized.
For example, the SCSI error handling mid layer may send TEST_UNIT_READY or
REQUEST_SENSE while reusing the buffer from a failed command. The private
data section may have stale data from the previous command.
If the SCSI command doesn't carry payload, the driver may use this value as
is for communicating with host, resulting in possible corruption.
Fix this by always initializing this value.
Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information given by the host")
Cc: stable@kernel.org
Tested-by: Roman Kisel <romank@linux.microsoft.com>
Reviewed-by: Roman Kisel <romank@linux.microsoft.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Long Li <longli@microsoft.com>
Link: https://lore.kernel.org/r/1737601642-7759-1-git-send-email-longli@linuxonhyperv.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/storvsc_drv.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1759,6 +1759,7 @@ static int storvsc_queuecommand(struct S
length = scsi_bufflen(scmnd);
payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb;
+ payload->range.len = 0;
payload_sz = 0;
if (sg_count) {
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 200/462] kbuild: Move -Wenum-enum-conversion to W=2
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 199/462] scsi: storvsc: Set correct data length for sending SCSI command without payload Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 201/462] x86/boot: Use -std=gnu11 to fix build with GCC 15 Greg Kroah-Hartman
` (265 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Arnd Bergmann,
Linus Torvalds
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 8f6629c004b193d23612641c3607e785819e97ab upstream.
-Wenum-enum-conversion was strengthened in clang-19 to warn for C, which
caused the kernel to move it to W=1 in commit 75b5ab134bb5 ("kbuild:
Move -Wenum-{compare-conditional,enum-conversion} into W=1") because
there were numerous instances that would break builds with -Werror.
Unfortunately, this is not a full solution, as more and more developers,
subsystems, and distributors are building with W=1 as well, so they
continue to see the numerous instances of this warning.
Since the move to W=1, there have not been many new instances that have
appeared through various build reports and the ones that have appeared
seem to be following similar existing patterns, suggesting that most
instances of this warning will not be real issues. The only alternatives
for silencing this warning are adding casts (which is generally seen as
an ugly practice) or refactoring the enums to macro defines or a unified
enum (which may be undesirable because of type safety in other parts of
the code).
Move the warning to W=2, where warnings that occur frequently but may be
relevant should reside.
Cc: stable@vger.kernel.org
Fixes: 75b5ab134bb5 ("kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1")
Link: https://lore.kernel.org/ZwRA9SOcOjjLJcpi@google.com/
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
| 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/scripts/Makefile.extrawarn
+++ b/scripts/Makefile.extrawarn
@@ -37,6 +37,10 @@ KBUILD_CFLAGS += -Wno-missing-field-init
KBUILD_CFLAGS += -Wno-sign-compare
KBUILD_CFLAGS += -Wno-type-limits
+ifdef CONFIG_CC_IS_CLANG
+KBUILD_CFLAGS += -Wno-enum-enum-conversion
+endif
+
KBUILD_CPPFLAGS += -DKBUILD_EXTRA_WARN1
else
@@ -54,7 +58,6 @@ KBUILD_CFLAGS += -Wno-tautological-const
KBUILD_CFLAGS += $(call cc-disable-warning, unaligned-access)
KBUILD_CFLAGS += $(call cc-disable-warning, cast-function-type-strict)
KBUILD_CFLAGS += -Wno-enum-compare-conditional
-KBUILD_CFLAGS += -Wno-enum-enum-conversion
endif
endif
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 201/462] x86/boot: Use -std=gnu11 to fix build with GCC 15
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 200/462] kbuild: Move -Wenum-enum-conversion to W=2 Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 202/462] iio: light: as73211: fix channel handling in only-color triggered buffer Greg Kroah-Hartman
` (264 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kostadin Shishmanov, Jakub Jelinek,
Nathan Chancellor, Dave Hansen, Ard Biesheuvel
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit ee2ab467bddfb2d7f68d996dbab94d7b88f8eaf7 upstream.
GCC 15 changed the default C standard version to C23, which should not
have impacted the kernel because it requests the gnu11 standard via
'-std=' in the main Makefile. However, the x86 compressed boot Makefile
uses its own set of KBUILD_CFLAGS without a '-std=' value (i.e., using
the default), resulting in errors from the kernel's definitions of bool,
true, and false in stddef.h, which are reserved keywords under C23.
./include/linux/stddef.h:11:9: error: expected identifier before ‘false’
11 | false = 0,
./include/linux/types.h:35:33: error: two or more data types in declaration specifiers
35 | typedef _Bool bool;
Set '-std=gnu11' in the x86 compressed boot Makefile to resolve the
error and consistently use the same C standard version for the entire
kernel.
Closes: https://lore.kernel.org/4OAhbllK7x4QJGpZjkYjtBYNLd_2whHx9oFiuZcGwtVR4hIzvduultkgfAIRZI3vQpZylu7Gl929HaYFRGeMEalWCpeMzCIIhLxxRhq4U-Y=@protonmail.com/
Closes: https://lore.kernel.org/Z4467umXR2PZ0M1H@tucnak/
Reported-by: Kostadin Shishmanov <kostadinshishmanov@protonmail.com>
Reported-by: Jakub Jelinek <jakub@redhat.com>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Cc:stable@vger.kernel.org
Link: https://lore.kernel.org/all/20250121-x86-use-std-consistently-gcc-15-v1-1-8ab0acf645cb%40kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/boot/compressed/Makefile | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -33,6 +33,7 @@ targets := vmlinux vmlinux.bin vmlinux.b
# avoid errors with '-march=i386', and future flags may depend on the target to
# be valid.
KBUILD_CFLAGS := -m$(BITS) -O2 $(CLANG_FLAGS)
+KBUILD_CFLAGS += -std=gnu11
KBUILD_CFLAGS += -fno-strict-aliasing -fPIE
KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
cflags-$(CONFIG_X86_32) := -march=i386
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 202/462] iio: light: as73211: fix channel handling in only-color triggered buffer
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 201/462] x86/boot: Use -std=gnu11 to fix build with GCC 15 Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 203/462] soc: qcom: smem_state: fix missing of_node_put in error path Greg Kroah-Hartman
` (263 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Eggers, Javier Carrasco,
Jonathan Cameron
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
commit ab09c6cfe01b317f515bcd944668697241a54b9d upstream.
The channel index is off by one unit if AS73211_SCAN_MASK_ALL is not
set (optimized path for color channel readings), and it must be shifted
instead of leaving an empty channel for the temperature when it is off.
Once the channel index is fixed, the uninitialized channel must be set
to zero to avoid pushing uninitialized data.
Add available_scan_masks for all channels and only-color channels to let
the IIO core demux and repack the enabled channels.
Cc: stable@vger.kernel.org
Fixes: 403e5586b52e ("iio: light: as73211: New driver")
Tested-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Link: https://patch.msgid.link/20241214-iio_memset_scan_holes-v4-1-260b395b8ed5@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/as73211.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
--- a/drivers/iio/light/as73211.c
+++ b/drivers/iio/light/as73211.c
@@ -155,6 +155,12 @@ struct as73211_data {
BIT(AS73211_SCAN_INDEX_TEMP) | \
AS73211_SCAN_MASK_COLOR)
+static const unsigned long as73211_scan_masks[] = {
+ AS73211_SCAN_MASK_COLOR,
+ AS73211_SCAN_MASK_ALL,
+ 0
+};
+
static const struct iio_chan_spec as73211_channels[] = {
{
.type = IIO_TEMP,
@@ -603,9 +609,12 @@ static irqreturn_t as73211_trigger_handl
/* AS73211 starts reading at address 2 */
ret = i2c_master_recv(data->client,
- (char *)&scan.chan[1], 3 * sizeof(scan.chan[1]));
+ (char *)&scan.chan[0], 3 * sizeof(scan.chan[0]));
if (ret < 0)
goto done;
+
+ /* Avoid pushing uninitialized data */
+ scan.chan[3] = 0;
}
if (data_result) {
@@ -613,9 +622,15 @@ static irqreturn_t as73211_trigger_handl
* Saturate all channels (in case of overflows). Temperature channel
* is not affected by overflows.
*/
- scan.chan[1] = cpu_to_le16(U16_MAX);
- scan.chan[2] = cpu_to_le16(U16_MAX);
- scan.chan[3] = cpu_to_le16(U16_MAX);
+ if (*indio_dev->active_scan_mask == AS73211_SCAN_MASK_ALL) {
+ scan.chan[1] = cpu_to_le16(U16_MAX);
+ scan.chan[2] = cpu_to_le16(U16_MAX);
+ scan.chan[3] = cpu_to_le16(U16_MAX);
+ } else {
+ scan.chan[0] = cpu_to_le16(U16_MAX);
+ scan.chan[1] = cpu_to_le16(U16_MAX);
+ scan.chan[2] = cpu_to_le16(U16_MAX);
+ }
}
iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns(indio_dev));
@@ -685,6 +700,7 @@ static int as73211_probe(struct i2c_clie
indio_dev->channels = as73211_channels;
indio_dev->num_channels = ARRAY_SIZE(as73211_channels);
indio_dev->modes = INDIO_DIRECT_MODE;
+ indio_dev->available_scan_masks = as73211_scan_masks;
ret = i2c_smbus_read_byte_data(data->client, AS73211_REG_OSR);
if (ret < 0)
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 203/462] soc: qcom: smem_state: fix missing of_node_put in error path
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 202/462] iio: light: as73211: fix channel handling in only-color triggered buffer Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 204/462] media: mc: fix endpoint iteration Greg Kroah-Hartman
` (262 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Dmitry Baryshkov, Bjorn Andersson
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 70096b4990848229d0784c5e51dc3c7c072f1111 upstream.
If of_parse_phandle_with_args() succeeds, the OF node reference should
be dropped, regardless of number of phandle arguments.
Cc: stable@vger.kernel.org
Fixes: 9460ae2ff308 ("soc: qcom: Introduce common SMEM state machine code")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20240822164853.231087-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/smem_state.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/soc/qcom/smem_state.c
+++ b/drivers/soc/qcom/smem_state.c
@@ -116,7 +116,8 @@ struct qcom_smem_state *qcom_smem_state_
if (args.args_count != 1) {
dev_err(dev, "invalid #qcom,smem-state-cells\n");
- return ERR_PTR(-EINVAL);
+ state = ERR_PTR(-EINVAL);
+ goto put;
}
state = of_node_to_state(args.np);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 204/462] media: mc: fix endpoint iteration
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 203/462] soc: qcom: smem_state: fix missing of_node_put in error path Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 205/462] media: ov5640: fix get_light_freq on auto Greg Kroah-Hartman
` (261 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Tanislav, Laurent Pinchart,
Sakari Ailus, Mauro Carvalho Chehab
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Tanislav <demonsingur@gmail.com>
commit fb2bd86270cd0ad004f4c614ba4f8c63a5720e25 upstream.
When creating links from a subdev to a sink, the current logic tries to
iterate over the endpoints of dev's fwnode.
This might not be correct when the subdev uses a different fwnode
compared to the dev's fwnode.
If, when registering, the subdev's fwnode is not set, the code inside
v4l2_async_register_subdev will set it to the dev's fwnode.
To fix this, just use the subdev's fwnode.
Signed-off-by: Cosmin Tanislav <demonsingur@gmail.com>
Fixes: 0d3c81e82da9 ("media: v4l2-mc: add v4l2_create_fwnode_links helpers")
Cc: stable@vger.kernel.org
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/v4l2-core/v4l2-mc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/v4l2-core/v4l2-mc.c
+++ b/drivers/media/v4l2-core/v4l2-mc.c
@@ -321,7 +321,7 @@ int v4l2_create_fwnode_links_to_pad(stru
sink_sd = media_entity_to_v4l2_subdev(sink->entity);
- fwnode_graph_for_each_endpoint(dev_fwnode(src_sd->dev), endpoint) {
+ fwnode_graph_for_each_endpoint(src_sd->fwnode, endpoint) {
struct fwnode_handle *remote_ep;
int src_idx, sink_idx, ret;
struct media_pad *src;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 205/462] media: ov5640: fix get_light_freq on auto
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 204/462] media: mc: fix endpoint iteration Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 206/462] media: uvcvideo: Fix event flags in uvc_ctrl_send_events Greg Kroah-Hartman
` (260 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Bobrowicz, Michal Simek,
Sakari Ailus, Mauro Carvalho Chehab
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Bobrowicz <sam@elite-embedded.com>
commit 001d3753538d26ddcbef011f5643cfff58a7f672 upstream.
Light frequency was not properly returned when in auto
mode and the detected frequency was 60Hz.
Fixes: 19a81c1426c1 ("[media] add Omnivision OV5640 sensor driver")
Cc: stable@vger.kernel.org
Signed-off-by: Sam Bobrowicz <sam@elite-embedded.com>
Signed-off-by: Michal Simek <michal.simek@amd.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov5640.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/i2c/ov5640.c
+++ b/drivers/media/i2c/ov5640.c
@@ -1380,6 +1380,7 @@ static int ov5640_get_light_freq(struct
light_freq = 50;
} else {
/* 60Hz */
+ light_freq = 60;
}
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 206/462] media: uvcvideo: Fix event flags in uvc_ctrl_send_events
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 205/462] media: ov5640: fix get_light_freq on auto Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 207/462] media: uvcvideo: Remove redundant NULL assignment Greg Kroah-Hartman
` (259 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Laurent Pinchart,
Mauro Carvalho Chehab
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit c31cffd5ae2c3d7ef21d9008977a9d117ce7a64e upstream.
If there is an event that needs the V4L2_EVENT_CTRL_CH_FLAGS flag, all
the following events will have that flag, regardless if they need it or
not.
This is because we keep using the same variable all the time and we do
not reset its original value.
Cc: stable@vger.kernel.org
Fixes: 805e9b4a06bf ("[media] uvcvideo: Send control change events for slave ctrls when the master changes")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/20241114-uvc-roi-v15-1-64cfeb56b6f8@chromium.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_ctrl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1400,13 +1400,13 @@ static void uvc_ctrl_send_events(struct
{
struct uvc_control_mapping *mapping;
struct uvc_control *ctrl;
- u32 changes = V4L2_EVENT_CTRL_CH_VALUE;
unsigned int i;
unsigned int j;
for (i = 0; i < xctrls_count; ++i) {
- ctrl = uvc_find_control(handle->chain, xctrls[i].id, &mapping);
+ u32 changes = V4L2_EVENT_CTRL_CH_VALUE;
+ ctrl = uvc_find_control(handle->chain, xctrls[i].id, &mapping);
if (ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)
/* Notification will be sent from an Interrupt event. */
continue;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 207/462] media: uvcvideo: Remove redundant NULL assignment
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 206/462] media: uvcvideo: Fix event flags in uvc_ctrl_send_events Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 208/462] crypto: qce - fix goto jump in error path Greg Kroah-Hartman
` (258 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Hans de Goede,
Ricardo Ribalda, Mauro Carvalho Chehab
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit 04d3398f66d2d31c4b8caea88f051a4257b7a161 upstream.
ctrl->handle will only be different than NULL for controls that have
mappings. This is because that assignment is only done inside
uvc_ctrl_set() for mapped controls.
Cc: stable@vger.kernel.org
Fixes: e5225c820c05 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives")
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://lore.kernel.org/r/20241203-uvc-fix-async-v6-2-26c867231118@chromium.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_ctrl.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1367,10 +1367,8 @@ bool uvc_ctrl_status_event_async(struct
struct uvc_device *dev = chain->dev;
struct uvc_ctrl_work *w = &dev->async_ctrl;
- if (list_empty(&ctrl->info.mappings)) {
- ctrl->handle = NULL;
+ if (list_empty(&ctrl->info.mappings))
return false;
- }
w->data = data;
w->urb = urb;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 208/462] crypto: qce - fix goto jump in error path
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 207/462] media: uvcvideo: Remove redundant NULL assignment Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 209/462] crypto: qce - unregister previously registered algos " Greg Kroah-Hartman
` (257 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Neil Armstrong,
Herbert Xu
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
commit 5278275c1758a38199b43530adfc50098f4b41c7 upstream.
If qce_check_version() fails, we should jump to err_dma as we already
called qce_dma_request() a couple lines before.
Cc: stable@vger.kernel.org
Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/qce/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/crypto/qce/core.c
+++ b/drivers/crypto/qce/core.c
@@ -219,7 +219,7 @@ static int qce_crypto_probe(struct platf
ret = qce_check_version(qce);
if (ret)
- goto err_clks;
+ goto err_dma;
spin_lock_init(&qce->lock);
tasklet_init(&qce->done_tasklet, qce_tasklet_req_done,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 209/462] crypto: qce - unregister previously registered algos in error path
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 208/462] crypto: qce - fix goto jump in error path Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 210/462] nvmem: qcom-spmi-sdam: Set size in struct nvmem_config Greg Kroah-Hartman
` (256 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Neil Armstrong,
Herbert Xu
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
commit e80cf84b608725303113d6fe98bb727bf7b7a40d upstream.
If we encounter an error when registering alorithms with the crypto
framework, we just bail out and don't unregister the ones we
successfully registered in prior iterations of the loop.
Add code that goes back over the algos and unregisters them before
returning an error from qce_register_algs().
Cc: stable@vger.kernel.org
Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/qce/core.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/drivers/crypto/qce/core.c
+++ b/drivers/crypto/qce/core.c
@@ -45,16 +45,19 @@ static void qce_unregister_algs(struct q
static int qce_register_algs(struct qce_device *qce)
{
const struct qce_algo_ops *ops;
- int i, ret = -ENODEV;
+ int i, j, ret = -ENODEV;
for (i = 0; i < ARRAY_SIZE(qce_ops); i++) {
ops = qce_ops[i];
ret = ops->register_algs(qce);
- if (ret)
- break;
+ if (ret) {
+ for (j = i - 1; j >= 0; j--)
+ ops->unregister_algs(qce);
+ return ret;
+ }
}
- return ret;
+ return 0;
}
static int qce_handle_request(struct crypto_async_request *async_req)
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 210/462] nvmem: qcom-spmi-sdam: Set size in struct nvmem_config
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 209/462] crypto: qce - unregister previously registered algos " Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 211/462] nvmem: core: improve range check for nvmem_cell_write() Greg Kroah-Hartman
` (255 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Vladimir Zapolskiy,
Srinivas Kandagatla
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
commit e88f516ea417c71bb3702603ac6af9e95338cfa6 upstream.
Let the nvmem core know what size the SDAM is, most notably this fixes
the size of /sys/bus/nvmem/devices/spmi_sdam*/nvmem being '0' and makes
user space work with that file.
~ # hexdump -C -s 64 /sys/bus/nvmem/devices/spmi_sdam2/nvmem
00000040 02 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000080
Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver")
Cc: stable@vger.kernel.org
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20241230141901.263976-6-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvmem/qcom-spmi-sdam.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/nvmem/qcom-spmi-sdam.c
+++ b/drivers/nvmem/qcom-spmi-sdam.c
@@ -143,6 +143,7 @@ static int sdam_probe(struct platform_de
sdam->sdam_config.id = NVMEM_DEVID_AUTO;
sdam->sdam_config.owner = THIS_MODULE,
sdam->sdam_config.stride = 1;
+ sdam->sdam_config.size = sdam->size;
sdam->sdam_config.word_size = 1;
sdam->sdam_config.reg_read = sdam_read;
sdam->sdam_config.reg_write = sdam_write;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 211/462] nvmem: core: improve range check for nvmem_cell_write()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 210/462] nvmem: qcom-spmi-sdam: Set size in struct nvmem_config Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 212/462] vfio/platform: check the bounds of read/write syscalls Greg Kroah-Hartman
` (254 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jennifer Berringer,
Srinivas Kandagatla
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jennifer Berringer <jberring@redhat.com>
commit 31507fc2ad36e0071751a710449db19c85d82a7f upstream.
When __nvmem_cell_entry_write() is called for an nvmem cell that does
not need bit shifting, it requires that the len parameter exactly
matches the nvmem cell size. However, when the nvmem cell has a nonzero
bit_offset, it was skipping this check.
Accepting values of len larger than the cell size results in
nvmem_cell_prepare_write_buffer() trying to write past the end of a heap
buffer that it allocates. Add a check to avoid that problem and instead
return -EINVAL when len doesn't match the number of bits expected by the
nvmem cell when bit_offset is nonzero.
This check uses cell->nbits in order to allow providing the smaller size
to cells that are shifted into another byte by bit_offset. For example,
a cell with nbits=8 and nonzero bit_offset would have bytes=2 but should
accept a 1-byte write here, although no current callers depend on this.
Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers")
Cc: stable@vger.kernel.org
Signed-off-by: Jennifer Berringer <jberring@redhat.com>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20241230141901.263976-7-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvmem/core.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -1362,6 +1362,8 @@ int nvmem_cell_write(struct nvmem_cell *
return -EINVAL;
if (cell->bit_offset || cell->nbits) {
+ if (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes)
+ return -EINVAL;
buf = nvmem_cell_prepare_write_buffer(cell, buf, len);
if (IS_ERR(buf))
return PTR_ERR(buf);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 212/462] vfio/platform: check the bounds of read/write syscalls
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 211/462] nvmem: core: improve range check for nvmem_cell_write() Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:57 ` [PATCH 5.10 213/462] pnfs/flexfiles: retry getting layout segment for reads Greg Kroah-Hartman
` (253 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mostafa Saleh, Eric Auger,
Alex Williamson
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@redhat.com>
commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
count and offset are passed from user space and not checked, only
offset is capped to 40 bits, which can be used to read/write out of
bounds of the device.
Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
Cc: stable@vger.kernel.org
Reported-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Mostafa Saleh <smostafa@google.com>
Tested-by: Mostafa Saleh <smostafa@google.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/vfio/platform/vfio_platform_common.c
+++ b/drivers/vfio/platform/vfio_platform_common.c
@@ -410,6 +410,11 @@ static ssize_t vfio_platform_read_mmio(s
count = min_t(size_t, count, reg->size - off);
+ if (off >= reg->size)
+ return -EINVAL;
+
+ count = min_t(size_t, count, reg->size - off);
+
if (!reg->ioaddr) {
reg->ioaddr =
ioremap(reg->addr, reg->size);
@@ -489,6 +494,11 @@ static ssize_t vfio_platform_write_mmio(
if (off >= reg->size)
return -EINVAL;
+
+ count = min_t(size_t, count, reg->size - off);
+
+ if (off >= reg->size)
+ return -EINVAL;
count = min_t(size_t, count, reg->size - off);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 213/462] pnfs/flexfiles: retry getting layout segment for reads
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 212/462] vfio/platform: check the bounds of read/write syscalls Greg Kroah-Hartman
@ 2025-03-11 14:57 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 214/462] ocfs2: fix incorrect CPU endianness conversion causing mount failure Greg Kroah-Hartman
` (252 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mike Snitzer, Anna Schumaker
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@kernel.org>
commit eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca upstream.
If ff_layout_pg_get_read()'s attempt to get a layout segment results
in -EAGAIN have ff_layout_pg_init_read() retry it after sleeping.
If "softerr" mount is used, use 'io_maxretrans' to limit the number of
attempts to get a layout segment.
This fixes a long-standing issue of O_DIRECT reads failing with
-EAGAIN (11) when using flexfiles Client Side Mirroring (CSM).
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/flexfilelayout/flexfilelayout.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
--- a/fs/nfs/flexfilelayout/flexfilelayout.c
+++ b/fs/nfs/flexfilelayout/flexfilelayout.c
@@ -840,6 +840,9 @@ ff_layout_pg_init_read(struct nfs_pageio
struct nfs4_pnfs_ds *ds;
u32 ds_idx;
+ if (NFS_SERVER(pgio->pg_inode)->flags &
+ (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
+ pgio->pg_maxretrans = io_maxretrans;
retry:
ff_layout_pg_check_layout(pgio, req);
/* Use full layout for now */
@@ -853,6 +856,8 @@ retry:
if (!pgio->pg_lseg)
goto out_nolseg;
}
+ /* Reset wb_nio, since getting layout segment was successful */
+ req->wb_nio = 0;
ds = ff_layout_get_ds_for_read(pgio, &ds_idx);
if (!ds) {
@@ -869,14 +874,24 @@ retry:
pgm->pg_bsize = mirror->mirror_ds->ds_versions[0].rsize;
pgio->pg_mirror_idx = ds_idx;
-
- if (NFS_SERVER(pgio->pg_inode)->flags &
- (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
- pgio->pg_maxretrans = io_maxretrans;
return;
out_nolseg:
- if (pgio->pg_error < 0)
- return;
+ if (pgio->pg_error < 0) {
+ if (pgio->pg_error != -EAGAIN)
+ return;
+ /* Retry getting layout segment if lower layer returned -EAGAIN */
+ if (pgio->pg_maxretrans && req->wb_nio++ > pgio->pg_maxretrans) {
+ if (NFS_SERVER(pgio->pg_inode)->flags & NFS_MOUNT_SOFTERR)
+ pgio->pg_error = -ETIMEDOUT;
+ else
+ pgio->pg_error = -EIO;
+ return;
+ }
+ pgio->pg_error = 0;
+ /* Sleep for 1 second before retrying */
+ ssleep(1);
+ goto retry;
+ }
out_mds:
trace_pnfs_mds_fallback_pg_init_read(pgio->pg_inode,
0, NFS4_MAX_UINT64, IOMODE_READ,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 214/462] ocfs2: fix incorrect CPU endianness conversion causing mount failure
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2025-03-11 14:57 ` [PATCH 5.10 213/462] pnfs/flexfiles: retry getting layout segment for reads Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 215/462] ocfs2: handle a symlink read error correctly Greg Kroah-Hartman
` (251 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heming Zhao, Joseph Qi, Mark Fasheh,
Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao, Andrew Morton
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heming Zhao <heming.zhao@suse.com>
commit f921da2c34692dfec5f72b5ae347b1bea22bb369 upstream.
Commit 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
introduced a regression bug. The blksz_bits value is already converted to
CPU endian in the previous code; therefore, the code shouldn't use
le32_to_cpu() anymore.
Link: https://lkml.kernel.org/r/20250121112204.12834-1-heming.zhao@suse.com
Fixes: 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
Signed-off-by: Heming Zhao <heming.zhao@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2350,7 +2350,7 @@ static int ocfs2_verify_volume(struct oc
mlog(ML_ERROR, "found superblock with incorrect block "
"size bits: found %u, should be 9, 10, 11, or 12\n",
blksz_bits);
- } else if ((1 << le32_to_cpu(blksz_bits)) != blksz) {
+ } else if ((1 << blksz_bits) != blksz) {
mlog(ML_ERROR, "found superblock with incorrect block "
"size: found %u, should be %u\n", 1 << blksz_bits, blksz);
} else if (le16_to_cpu(di->id2.i_super.s_major_rev_level) !=
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 215/462] ocfs2: handle a symlink read error correctly
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 214/462] ocfs2: fix incorrect CPU endianness conversion causing mount failure Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 216/462] nilfs2: fix possible int overflows in nilfs_fiemap() Greg Kroah-Hartman
` (250 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle), Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Mark Tinguely, Andrew Morton
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
commit 2b4c2094da6d84e69b843dd3317902e977bf64bd upstream.
Patch series "Convert ocfs2 to use folios".
Mark did a conversion of ocfs2 to use folios and sent it to me as a
giant patch for review ;-)
So I've redone it as individual patches, and credited Mark for the patches
where his code is substantially the same. It's not a bad way to do it;
his patch had some bugs and my patches had some bugs. Hopefully all our
bugs were different from each other. And hopefully Mark likes all the
changes I made to his code!
This patch (of 23):
If we can't read the buffer, be sure to unlock the page before returning.
Link: https://lkml.kernel.org/r/20241205171653.3179945-1-willy@infradead.org
Link: https://lkml.kernel.org/r/20241205171653.3179945-2-willy@infradead.org
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Mark Tinguely <mark.tinguely@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/symlink.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/ocfs2/symlink.c
+++ b/fs/ocfs2/symlink.c
@@ -66,7 +66,7 @@ static int ocfs2_fast_symlink_readpage(s
if (status < 0) {
mlog_errno(status);
- return status;
+ goto out;
}
fe = (struct ocfs2_dinode *) bh->b_data;
@@ -77,9 +77,10 @@ static int ocfs2_fast_symlink_readpage(s
memcpy(kaddr, link, len + 1);
kunmap_atomic(kaddr);
SetPageUptodate(page);
+out:
unlock_page(page);
brelse(bh);
- return 0;
+ return status;
}
const struct address_space_operations ocfs2_fast_symlink_aops = {
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 216/462] nilfs2: fix possible int overflows in nilfs_fiemap()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 215/462] ocfs2: handle a symlink read error correctly Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 217/462] NFC: nci: Add bounds checking in nci_hci_create_pipe() Greg Kroah-Hartman
` (249 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikita Zhandarovich, Ryusuke Konishi,
Andrew Morton
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit 6438ef381c183444f7f9d1de18f22661cba1e946 upstream.
Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result
by being prepared to go through potentially maxblocks == INT_MAX blocks,
the value in n may experience an overflow caused by left shift of blkbits.
While it is extremely unlikely to occur, play it safe and cast right hand
expression to wider type to mitigate the issue.
Found by Linux Verification Center (linuxtesting.org) with static analysis
tool SVACE.
Link: https://lkml.kernel.org/r/20250124222133.5323-1-konishi.ryusuke@gmail.com
Fixes: 622daaff0a89 ("nilfs2: fiemap support")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/inode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -1263,7 +1263,7 @@ int nilfs_fiemap(struct inode *inode, st
if (size) {
if (phys && blkphy << blkbits == phys + size) {
/* The current extent goes on */
- size += n << blkbits;
+ size += (u64)n << blkbits;
} else {
/* Terminate the current extent */
ret = fiemap_fill_next_extent(
@@ -1276,14 +1276,14 @@ int nilfs_fiemap(struct inode *inode, st
flags = FIEMAP_EXTENT_MERGED;
logical = blkoff << blkbits;
phys = blkphy << blkbits;
- size = n << blkbits;
+ size = (u64)n << blkbits;
}
} else {
/* Start a new extent */
flags = FIEMAP_EXTENT_MERGED;
logical = blkoff << blkbits;
phys = blkphy << blkbits;
- size = n << blkbits;
+ size = (u64)n << blkbits;
}
blkoff += n;
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 217/462] NFC: nci: Add bounds checking in nci_hci_create_pipe()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 216/462] nilfs2: fix possible int overflows in nilfs_fiemap() Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 218/462] mtd: onenand: Fix uninitialized retlen in do_otp_read() Greg Kroah-Hartman
` (248 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Simon Horman,
Krzysztof Kozlowski, Jakub Kicinski
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit 110b43ef05342d5a11284cc8b21582b698b4ef1c upstream.
The "pipe" variable is a u8 which comes from the network. If it's more
than 127, then it results in memory corruption in the caller,
nci_hci_connect_gate().
Cc: stable@vger.kernel.org
Fixes: a1b0b9415817 ("NFC: nci: Create pipe on specific gate in nci_hci_connect_gate")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://patch.msgid.link/bcf5453b-7204-4297-9c20-4d8c7dacf586@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/nci/hci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/nfc/nci/hci.c
+++ b/net/nfc/nci/hci.c
@@ -548,6 +548,8 @@ static u8 nci_hci_create_pipe(struct nci
pr_debug("pipe created=%d\n", pipe);
+ if (pipe >= NCI_HCI_MAX_PIPES)
+ pipe = NCI_HCI_INVALID_PIPE;
return pipe;
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 218/462] mtd: onenand: Fix uninitialized retlen in do_otp_read()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 217/462] NFC: nci: Add bounds checking in nci_hci_create_pipe() Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 219/462] misc: fastrpc: Fix registered buffer page address Greg Kroah-Hartman
` (247 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ivan Stepchenko, Miquel Raynal
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Stepchenko <sid@itb.spb.ru>
commit 70a71f8151b9879b0950668ce3ad76263261fee0 upstream.
The function do_otp_read() does not set the output parameter *retlen,
which is expected to contain the number of bytes actually read.
As a result, in onenand_otp_walk(), the tmp_retlen variable remains
uninitialized after calling do_otp_walk() and used to change
the values of the buf, len and retlen variables.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 49dc08eeda70 ("[MTD] [OneNAND] fix numerous races")
Cc: stable@vger.kernel.org
Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/onenand/onenand_base.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mtd/nand/onenand/onenand_base.c
+++ b/drivers/mtd/nand/onenand/onenand_base.c
@@ -2916,6 +2916,7 @@ static int do_otp_read(struct mtd_info *
ret = ONENAND_IS_4KB_PAGE(this) ?
onenand_mlc_read_ops_nolock(mtd, from, &ops) :
onenand_read_ops_nolock(mtd, from, &ops);
+ *retlen = ops.retlen;
/* Exit OTP access mode */
this->command(mtd, ONENAND_CMD_RESET, 0, 0);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 219/462] misc: fastrpc: Fix registered buffer page address
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 218/462] mtd: onenand: Fix uninitialized retlen in do_otp_read() Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 220/462] net/ncsi: wait for the last response to Deselect Package before configuring channel Greg Kroah-Hartman
` (246 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Ekansh Gupta,
Srinivas Kandagatla
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ekansh Gupta <quic_ekangupt@quicinc.com>
commit 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 upstream.
For registered buffers, fastrpc driver sends the buffer information
to remote subsystem. There is a problem with current implementation
where the page address is being sent with an offset leading to
improper buffer address on DSP. This is leads to functional failures
as DSP expects base address in page information and extracts offset
information from remote arguments. Mask the offset and pass the base
page address to DSP.
This issue is observed is a corner case when some buffer which is registered
with fastrpc framework is passed with some offset by user and then the DSP
implementation tried to read the data. As DSP expects base address and takes
care of offsetting with remote arguments, passing an offsetted address will
result in some unexpected data read in DSP.
All generic usecases usually pass the buffer as it is hence is problem is
not usually observed. If someone tries to pass offsetted buffer and then
tries to compare data at HLOS and DSP end, then the ambiguity will be observed.
Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
Cc: stable@kernel.org
Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20250110134239.123603-3-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/fastrpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -826,7 +826,7 @@ static int fastrpc_get_args(u32 kernel,
mmap_read_lock(current->mm);
vma = find_vma(current->mm, ctx->args[i].ptr);
if (vma)
- pages[i].addr += ctx->args[i].ptr -
+ pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
vma->vm_start;
mmap_read_unlock(current->mm);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 220/462] net/ncsi: wait for the last response to Deselect Package before configuring channel
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 219/462] misc: fastrpc: Fix registered buffer page address Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 221/462] ptp: Ensure info->enable callback is always set Greg Kroah-Hartman
` (245 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Fertser, Jakub Kicinski
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Fertser <fercerpav@gmail.com>
commit 6bb194d036c6e1b329dcdff459338cdd9a54802a upstream.
The NCSI state machine as it's currently implemented assumes that
transition to the next logical state is performed either explicitly by
calling `schedule_work(&ndp->work)` to re-queue itself or implicitly
after processing the predefined (ndp->pending_req_num) number of
replies. Thus to avoid the configuration FSM from advancing prematurely
and getting out of sync with the process it's essential to not skip
waiting for a reply.
This patch makes the code wait for reception of the Deselect Package
response for the last package probed before proceeding to channel
configuration.
Thanks go to Potin Lai and Cosmo Chou for the initial investigation and
testing.
Fixes: 8e13f70be05e ("net/ncsi: Probe single packages to avoid conflict")
Cc: stable@vger.kernel.org
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Link: https://patch.msgid.link/20250116152900.8656-1-fercerpav@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ncsi/ncsi-manage.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/net/ncsi/ncsi-manage.c
+++ b/net/ncsi/ncsi-manage.c
@@ -1345,6 +1345,12 @@ static void ncsi_probe_channel(struct nc
nd->state = ncsi_dev_state_probe_package;
break;
case ncsi_dev_state_probe_package:
+ if (ndp->package_probe_id >= 8) {
+ /* Last package probed, finishing */
+ ndp->flags |= NCSI_DEV_PROBED;
+ break;
+ }
+
ndp->pending_req_num = 1;
nca.type = NCSI_PKT_CMD_SP;
@@ -1461,13 +1467,8 @@ static void ncsi_probe_channel(struct nc
if (ret)
goto error;
- /* Probe next package */
+ /* Probe next package after receiving response */
ndp->package_probe_id++;
- if (ndp->package_probe_id >= 8) {
- /* Probe finished */
- ndp->flags |= NCSI_DEV_PROBED;
- break;
- }
nd->state = ncsi_dev_state_probe_package;
ndp->active_package = NULL;
break;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 221/462] ptp: Ensure info->enable callback is always set
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 220/462] net/ncsi: wait for the last response to Deselect Package before configuring channel Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 222/462] MIPS: ftrace: Declare ftrace_get_parent_ra_addr() as static Greg Kroah-Hartman
` (244 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Richard Cochran, Michal Swiatkowski, Jakub Kicinski
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
commit fd53aa40e65f518453115b6f56183b0c201db26b upstream.
The ioctl and sysfs handlers unconditionally call the ->enable callback.
Not all drivers implement that callback, leading to NULL dereferences.
Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c.
Instead use a dummy callback if no better was specified by the driver.
Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Link: https://patch.msgid.link/20250123-ptp-enable-v1-1-b015834d3a47@weissschuh.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ptp/ptp_clock.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -188,6 +188,11 @@ static void ptp_clock_release(struct dev
kfree(ptp);
}
+static int ptp_enable(struct ptp_clock_info *ptp, struct ptp_clock_request *request, int on)
+{
+ return -EOPNOTSUPP;
+}
+
static void ptp_aux_kworker(struct kthread_work *work)
{
struct ptp_clock *ptp = container_of(work, struct ptp_clock,
@@ -233,6 +238,9 @@ struct ptp_clock *ptp_clock_register(str
mutex_init(&ptp->pincfg_mux);
init_waitqueue_head(&ptp->tsev_wq);
+ if (!ptp->info->enable)
+ ptp->info->enable = ptp_enable;
+
if (ptp->info->do_aux_work) {
kthread_init_delayed_work(&ptp->aux_work, ptp_aux_kworker);
ptp->kworker = kthread_create_worker(0, "ptp%d", ptp->index);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 222/462] MIPS: ftrace: Declare ftrace_get_parent_ra_addr() as static
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 221/462] ptp: Ensure info->enable callback is always set Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 223/462] ocfs2: check dir i_size in ocfs2_find_entry Greg Kroah-Hartman
` (243 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, WangYuli, Masami Hiramatsu (Google),
Philippe Mathieu-Daudé, Thomas Bogendoerfer
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
commit ddd068d81445b17ac0bed084dfeb9e58b4df3ddd upstream.
Declare ftrace_get_parent_ra_addr() as static to suppress clang
compiler warning that 'no previous prototype'. This function is
not intended to be called from other parts.
Fix follow error with clang-19:
arch/mips/kernel/ftrace.c:251:15: error: no previous prototype for function 'ftrace_get_parent_ra_addr' [-Werror,-Wmissing-prototypes]
251 | unsigned long ftrace_get_parent_ra_addr(unsigned long self_ra, unsigned long
| ^
arch/mips/kernel/ftrace.c:251:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
251 | unsigned long ftrace_get_parent_ra_addr(unsigned long self_ra, unsigned long
| ^
| static
1 error generated.
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/kernel/ftrace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/kernel/ftrace.c
+++ b/arch/mips/kernel/ftrace.c
@@ -260,7 +260,7 @@ int ftrace_disable_ftrace_graph_caller(v
#define S_R_SP (0xafb0 << 16) /* s{d,w} R, offset(sp) */
#define OFFSET_MASK 0xffff /* stack offset range: 0 ~ PT_SIZE */
-unsigned long ftrace_get_parent_ra_addr(unsigned long self_ra, unsigned long
+static unsigned long ftrace_get_parent_ra_addr(unsigned long self_ra, unsigned long
old_parent_ra, unsigned long parent_ra_addr, unsigned long fp)
{
unsigned long sp, ip, tmp;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 223/462] ocfs2: check dir i_size in ocfs2_find_entry
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 222/462] MIPS: ftrace: Declare ftrace_get_parent_ra_addr() as static Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 224/462] mptcp: prevent excessive coalescing on receive Greg Kroah-Hartman
` (242 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiacheng Xu,
syzbot+5a64828fcc4c2ad9b04f, Su Yue, Heming Zhao, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Andrew Morton
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Yue <glass.su@suse.com>
commit b0fce54b8c0d8e5f2b4c243c803c5996e73baee8 upstream.
syz reports an out of bounds read:
==================================================================
BUG: KASAN: slab-out-of-bounds in ocfs2_match fs/ocfs2/dir.c:334
[inline]
BUG: KASAN: slab-out-of-bounds in ocfs2_search_dirblock+0x283/0x6e0
fs/ocfs2/dir.c:367
Read of size 1 at addr ffff88804d8b9982 by task syz-executor.2/14802
CPU: 0 UID: 0 PID: 14802 Comm: syz-executor.2 Not tainted 6.13.0-rc4 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1
04/01/2014
Sched_ext: serialise (enabled+all), task: runnable_at=-10ms
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x229/0x350 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x164/0x530 mm/kasan/report.c:489
kasan_report+0x147/0x180 mm/kasan/report.c:602
ocfs2_match fs/ocfs2/dir.c:334 [inline]
ocfs2_search_dirblock+0x283/0x6e0 fs/ocfs2/dir.c:367
ocfs2_find_entry_id fs/ocfs2/dir.c:414 [inline]
ocfs2_find_entry+0x1143/0x2db0 fs/ocfs2/dir.c:1078
ocfs2_find_files_on_disk+0x18e/0x530 fs/ocfs2/dir.c:1981
ocfs2_lookup_ino_from_name+0xb6/0x110 fs/ocfs2/dir.c:2003
ocfs2_lookup+0x30a/0xd40 fs/ocfs2/namei.c:122
lookup_open fs/namei.c:3627 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0x145a/0x3870 fs/namei.c:3984
do_filp_open+0xe9/0x1c0 fs/namei.c:4014
do_sys_openat2+0x135/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__x64_sys_openat+0x15d/0x1c0 fs/open.c:1428
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f01076903ad
Code: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f01084acfc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f01077cbf80 RCX: 00007f01076903ad
RDX: 0000000000105042 RSI: 0000000020000080 RDI: ffffffffffffff9c
RBP: 00007f01077cbf80 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000001ff R11: 0000000000000246 R12: 0000000000000000
R13: 00007f01077cbf80 R14: 00007f010764fc90 R15: 00007f010848d000
</TASK>
==================================================================
And a general protection fault in ocfs2_prepare_dir_for_insert:
==================================================================
loop0: detected capacity change from 0 to 32768
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data
mode.
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 UID: 0 PID: 5096 Comm: syz-executor792 Not tainted
6.11.0-rc4-syzkaller-00002-gb0da640826ba #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:ocfs2_find_dir_space_id fs/ocfs2/dir.c:3406 [inline]
RIP: 0010:ocfs2_prepare_dir_for_insert+0x3309/0x5c70 fs/ocfs2/dir.c:4280
Code: 00 00 e8 2a 25 13 fe e9 ba 06 00 00 e8 20 25 13 fe e9 4f 01 00 00
e8 16 25 13 fe 49 8d 7f 08 49 8d 5f 09 48 89 f8 48 c1 e8 03 <42> 0f b6
04 20 84 c0 0f 85 bd 23 00 00 48 89 d8 48 c1 e8 03 42 0f
RSP: 0018:ffffc9000af9f020 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000009 RCX: ffff88801e27a440
RDX: 0000000000000000 RSI: 0000000000000400 RDI: 0000000000000008
RBP: ffffc9000af9f830 R08: ffffffff8380395b R09: ffffffff838090a7
R10: 0000000000000002 R11: ffff88801e27a440 R12: dffffc0000000000
R13: ffff88803c660878 R14: f700000000000088 R15: 0000000000000000
FS: 000055555a677380(0000) GS:ffff888020800000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560bce569178 CR3: 000000001de5a000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ocfs2_mknod+0xcaf/0x2b40 fs/ocfs2/namei.c:292
vfs_mknod+0x36d/0x3b0 fs/namei.c:4088
do_mknodat+0x3ec/0x5b0
__do_sys_mknodat fs/namei.c:4166 [inline]
__se_sys_mknodat fs/namei.c:4163 [inline]
__x64_sys_mknodat+0xa7/0xc0 fs/namei.c:4163
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2dafda3a99
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89
f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08
0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8
64 89 01 48
RSP: 002b:00007ffe336a6658 EFLAGS: 00000246 ORIG_RAX:
0000000000000103
RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
00007f2dafda3a99
RDX: 00000000000021c0 RSI: 0000000020000040 RDI:
00000000ffffff9c
RBP: 00007f2dafe1b5f0 R08: 0000000000004480 R09:
000055555a6784c0
R10: 0000000000000103 R11: 0000000000000246 R12:
00007ffe336a6680
R13: 00007ffe336a68a8 R14: 431bde82d7b634db R15:
00007f2dafdec03b
</TASK>
==================================================================
The two reports are all caused invalid negative i_size of dir inode. For
ocfs2, dir_inode can't be negative or zero.
Here add a check in which is called by ocfs2_check_dir_for_entry(). It
fixes the second report as ocfs2_check_dir_for_entry() must be called
before ocfs2_prepare_dir_for_insert(). Also set a up limit for dir with
OCFS2_INLINE_DATA_FL. The i_size can't be great than blocksize.
Link: https://lkml.kernel.org/r/20250106140640.92260-1-glass.su@suse.com
Reported-by: Jiacheng Xu <stitch@zju.edu.cn>
Link: https://lore.kernel.org/ocfs2-devel/17a04f01.1ae74.19436d003fc.Coremail.stitch@zju.edu.cn/T/#u
Reported-by: syzbot+5a64828fcc4c2ad9b04f@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/0000000000005894f3062018caf1@google.com/T/
Signed-off-by: Su Yue <glass.su@suse.com>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/dir.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -1067,26 +1067,39 @@ int ocfs2_find_entry(const char *name, i
{
struct buffer_head *bh;
struct ocfs2_dir_entry *res_dir = NULL;
+ int ret = 0;
if (ocfs2_dir_indexed(dir))
return ocfs2_find_entry_dx(name, namelen, dir, lookup);
+ if (unlikely(i_size_read(dir) <= 0)) {
+ ret = -EFSCORRUPTED;
+ mlog_errno(ret);
+ goto out;
+ }
/*
* The unindexed dir code only uses part of the lookup
* structure, so there's no reason to push it down further
* than this.
*/
- if (OCFS2_I(dir)->ip_dyn_features & OCFS2_INLINE_DATA_FL)
+ if (OCFS2_I(dir)->ip_dyn_features & OCFS2_INLINE_DATA_FL) {
+ if (unlikely(i_size_read(dir) > dir->i_sb->s_blocksize)) {
+ ret = -EFSCORRUPTED;
+ mlog_errno(ret);
+ goto out;
+ }
bh = ocfs2_find_entry_id(name, namelen, dir, &res_dir);
- else
+ } else {
bh = ocfs2_find_entry_el(name, namelen, dir, &res_dir);
+ }
if (bh == NULL)
return -ENOENT;
lookup->dl_leaf_bh = bh;
lookup->dl_entry = res_dir;
- return 0;
+out:
+ return ret;
}
/*
@@ -2013,6 +2026,7 @@ int ocfs2_lookup_ino_from_name(struct in
*
* Return 0 if the name does not exist
* Return -EEXIST if the directory contains the name
+ * Return -EFSCORRUPTED if found corruption
*
* Callers should have i_mutex + a cluster lock on dir
*/
@@ -2026,9 +2040,12 @@ int ocfs2_check_dir_for_entry(struct ino
trace_ocfs2_check_dir_for_entry(
(unsigned long long)OCFS2_I(dir)->ip_blkno, namelen, name);
- if (ocfs2_find_entry(name, namelen, dir, &lookup) == 0) {
+ ret = ocfs2_find_entry(name, namelen, dir, &lookup);
+ if (ret == 0) {
ret = -EEXIST;
mlog_errno(ret);
+ } else if (ret == -ENOENT) {
+ ret = 0;
}
ocfs2_free_dir_lookup_result(&lookup);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 224/462] mptcp: prevent excessive coalescing on receive
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 223/462] ocfs2: check dir i_size in ocfs2_find_entry Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 225/462] nfsd: clear acl_access/acl_default after releasing them Greg Kroah-Hartman
` (241 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 56b824eb49d6258aa0bad09a406ceac3f643cdae upstream.
Currently the skb size after coalescing is only limited by the skb
layout (the skb must not carry frag_list). A single coalesced skb
covering several MSS can potentially fill completely the receive
buffer. In such a case, the snd win will zero until the receive buffer
will be empty again, affecting tput badly.
Fixes: 8268ed4c9d19 ("mptcp: introduce and use mptcp_try_coalesce()")
Cc: stable@vger.kernel.org # please delay 2 weeks after 6.13-final release
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20241230-net-mptcp-rbuf-fixes-v1-3-8608af434ceb@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -125,6 +125,7 @@ static bool mptcp_try_coalesce(struct so
int delta;
if (MPTCP_SKB_CB(from)->offset ||
+ ((to->len + from->len) > (sk->sk_rcvbuf >> 3)) ||
!skb_try_coalesce(to, from, &fragstolen, &delta))
return false;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 225/462] nfsd: clear acl_access/acl_default after releasing them
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 224/462] mptcp: prevent excessive coalescing on receive Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 226/462] NFSD: fix hang in nfsd4_shutdown_callback Greg Kroah-Hartman
` (240 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Rick Macklem,
Jeff Layton, Chuck Lever
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
commit 7faf14a7b0366f153284db0ad3347c457ea70136 upstream.
If getting acl_default fails, acl_access and acl_default will be released
simultaneously. However, acl_access will still retain a pointer pointing
to the released posix_acl, which will trigger a WARNING in
nfs3svc_release_getacl like this:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28
refcount_warn_saturate+0xb5/0x170
Modules linked in:
CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted
6.12.0-rc6-00079-g04ae226af01f-dirty #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.1-2.fc37 04/01/2014
RIP: 0010:refcount_warn_saturate+0xb5/0x170
Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75
e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f> 0b eb
cd 0f b6 1d 8a3
RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380
RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56
R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001
R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0
FS: 0000000000000000(0000) GS:ffff88871ed00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? refcount_warn_saturate+0xb5/0x170
? __warn+0xa5/0x140
? refcount_warn_saturate+0xb5/0x170
? report_bug+0x1b1/0x1e0
? handle_bug+0x53/0xa0
? exc_invalid_op+0x17/0x40
? asm_exc_invalid_op+0x1a/0x20
? tick_nohz_tick_stopped+0x1e/0x40
? refcount_warn_saturate+0xb5/0x170
? refcount_warn_saturate+0xb5/0x170
nfs3svc_release_getacl+0xc9/0xe0
svc_process_common+0x5db/0xb60
? __pfx_svc_process_common+0x10/0x10
? __rcu_read_unlock+0x69/0xa0
? __pfx_nfsd_dispatch+0x10/0x10
? svc_xprt_received+0xa1/0x120
? xdr_init_decode+0x11d/0x190
svc_process+0x2a7/0x330
svc_handle_xprt+0x69d/0x940
svc_recv+0x180/0x2d0
nfsd+0x168/0x200
? __pfx_nfsd+0x10/0x10
kthread+0x1a2/0x1e0
? kthread+0xf4/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x60
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
Clear acl_access/acl_default after posix_acl_release is called to prevent
UAF from being triggered.
Fixes: a257cdd0e217 ("[PATCH] NFSD: Add server support for NFSv3 ACLs.")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20241107014705.2509463-1-lilingfeng@huaweicloud.com/
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Rick Macklem <rmacklem@uoguelph.ca>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs2acl.c | 2 ++
fs/nfsd/nfs3acl.c | 2 ++
2 files changed, 4 insertions(+)
--- a/fs/nfsd/nfs2acl.c
+++ b/fs/nfsd/nfs2acl.c
@@ -84,6 +84,8 @@ out:
fail:
posix_acl_release(resp->acl_access);
posix_acl_release(resp->acl_default);
+ resp->acl_access = NULL;
+ resp->acl_default = NULL;
goto out;
}
--- a/fs/nfsd/nfs3acl.c
+++ b/fs/nfsd/nfs3acl.c
@@ -76,6 +76,8 @@ out:
fail:
posix_acl_release(resp->acl_access);
posix_acl_release(resp->acl_default);
+ resp->acl_access = NULL;
+ resp->acl_default = NULL;
goto out;
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 226/462] NFSD: fix hang in nfsd4_shutdown_callback
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 225/462] nfsd: clear acl_access/acl_default after releasing them Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 227/462] HID: multitouch: Add NULL check in mt_input_configured Greg Kroah-Hartman
` (239 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dai Ngo, Jeff Layton, Chuck Lever
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dai Ngo <dai.ngo@oracle.com>
commit 036ac2778f7b28885814c6fbc07e156ad1624d03 upstream.
If nfs4_client is in courtesy state then there is no point to send
the callback. This causes nfsd4_shutdown_callback to hang since
cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP
notifies NFSD that the connection was dropped.
This patch modifies nfsd4_run_cb_work to skip the RPC call if
nfs4_client is in courtesy state.
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Fixes: 66af25799940 ("NFSD: add courteous server support for thread with only delegation")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4callback.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -1410,8 +1410,11 @@ nfsd4_run_cb_work(struct work_struct *wo
nfsd4_process_cb_update(cb);
clnt = clp->cl_cb_client;
- if (!clnt) {
- /* Callback channel broken, or client killed; give up: */
+ if (!clnt || clp->cl_state == NFSD4_COURTESY) {
+ /*
+ * Callback channel broken, client killed or
+ * nfs4_client in courtesy state; give up.
+ */
nfsd41_destroy_cb(cb);
return;
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 227/462] HID: multitouch: Add NULL check in mt_input_configured
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 226/462] NFSD: fix hang in nfsd4_shutdown_callback Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 228/462] ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() Greg Kroah-Hartman
` (238 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Charles Han, Jiri Kosina,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Han <hanchunchao@inspur.com>
[ Upstream commit 9b8e2220d3a052a690b1d1b23019673e612494c5 ]
devm_kasprintf() can return a NULL pointer on failure,but this
returned value in mt_input_configured() is not checked.
Add NULL check in mt_input_configured(), to handle kernel NULL
pointer dereference error.
Fixes: 479439463529 ("HID: multitouch: Correct devm device reference for hidinput input_dev name")
Signed-off-by: Charles Han <hanchunchao@inspur.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-multitouch.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index f36ddcb4e2ef2..006af6e143073 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -1594,9 +1594,12 @@ static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi)
break;
}
- if (suffix)
+ if (suffix) {
hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
"%s %s", hdev->name, suffix);
+ if (!hi->input->name)
+ return -ENOMEM;
+ }
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 228/462] ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 227/462] HID: multitouch: Add NULL check in mt_input_configured Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 229/462] vrf: use RCU protection in l3mdev_l3_out() Greg Kroah-Hartman
` (237 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Stephen Suryaputra,
David Ahern, Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 48145a57d4bbe3496e8e4880b23ea6b511e6e519 ]
ndisc_send_redirect() is called under RCU protection, not RTNL.
It must use dev_get_by_index_rcu() instead of __dev_get_by_index()
Fixes: 2f17becfbea5 ("vrf: check the original netdevice for generating redirect")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ndisc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 4f46b0a2e5680..c0a5552733177 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1607,7 +1607,7 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
bool ret;
if (netif_is_l3_master(skb->dev)) {
- dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif);
+ dev = dev_get_by_index_rcu(dev_net(skb->dev), IPCB(skb)->iif);
if (!dev)
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 229/462] vrf: use RCU protection in l3mdev_l3_out()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 228/462] ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 230/462] team: better TEAM_OPTION_TYPE_STRING validation Greg Kroah-Hartman
` (236 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David Ahern,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773 ]
l3mdev_l3_out() can be called without RCU being held:
raw_sendmsg()
ip_push_pending_frames()
ip_send_skb()
ip_local_out()
__ip_local_out()
l3mdev_ip_out()
Add rcu_read_lock() / rcu_read_unlock() pair to avoid
a potential UAF.
Fixes: a8e3e1a9f020 ("net: l3mdev: Add hook to output path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-7-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/l3mdev.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/net/l3mdev.h b/include/net/l3mdev.h
index 031c661aa14df..bdfa9d414360c 100644
--- a/include/net/l3mdev.h
+++ b/include/net/l3mdev.h
@@ -198,10 +198,12 @@ struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto)
if (netif_is_l3_slave(dev)) {
struct net_device *master;
+ rcu_read_lock();
master = netdev_master_upper_dev_get_rcu(dev);
if (master && master->l3mdev_ops->l3mdev_l3_out)
skb = master->l3mdev_ops->l3mdev_l3_out(master, sk,
skb, proto);
+ rcu_read_unlock();
}
return skb;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 230/462] team: better TEAM_OPTION_TYPE_STRING validation
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 229/462] vrf: use RCU protection in l3mdev_l3_out() Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 231/462] arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array Greg Kroah-Hartman
` (235 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+1fcd957a82e3a1baa94d,
Eric Dumazet, Jiri Pirko, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 5bef3ac184b5626ea62385d6b82a1992b89d7940 ]
syzbot reported following splat [1]
Make sure user-provided data contains one nul byte.
[1]
BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline]
BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714
string_nocheck lib/vsprintf.c:633 [inline]
string+0x3ec/0x5f0 lib/vsprintf.c:714
vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843
__request_module+0x252/0x9f0 kernel/module/kmod.c:149
team_mode_get drivers/net/team/team_core.c:480 [inline]
team_change_mode drivers/net/team/team_core.c:607 [inline]
team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401
team_option_set drivers/net/team/team_core.c:375 [inline]
team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543
genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:733
____sys_sendmsg+0x877/0xb60 net/socket.c:2573
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627
__sys_sendmsg net/socket.c:2659 [inline]
__do_sys_sendmsg net/socket.c:2664 [inline]
__se_sys_sendmsg net/socket.c:2662 [inline]
__x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662
x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
Reported-by: syzbot+1fcd957a82e3a1baa94d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1fcd957a82e3a1baa94d
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://patch.msgid.link/20250212134928.1541609-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/team/team.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index 699076fbfb4d6..c05a60f23677c 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -2664,7 +2664,9 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
ctx.data.u32_val = nla_get_u32(attr_data);
break;
case TEAM_OPTION_TYPE_STRING:
- if (nla_len(attr_data) > TEAM_STRING_MAX_LEN) {
+ if (nla_len(attr_data) > TEAM_STRING_MAX_LEN ||
+ !memchr(nla_data(attr_data), '\0',
+ nla_len(attr_data))) {
err = -EINVAL;
goto team_put;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 231/462] arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 230/462] team: better TEAM_OPTION_TYPE_STRING validation Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 232/462] gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 Greg Kroah-Hartman
` (234 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Radu Rendec, Will Deacon,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Radu Rendec <rrendec@redhat.com>
[ Upstream commit 875d742cf5327c93cba1f11e12b08d3cce7a88d2 ]
The loop that detects/populates cache information already has a bounds
check on the array size but does not account for cache levels with
separate data/instructions cache. Fix this by incrementing the index
for any populated leaf (instead of any populated level).
Fixes: 5d425c186537 ("arm64: kernel: add support for cpu cache information")
Signed-off-by: Radu Rendec <rrendec@redhat.com>
Link: https://lore.kernel.org/r/20250206174420.2178724-1-rrendec@redhat.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/cacheinfo.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/kernel/cacheinfo.c b/arch/arm64/kernel/cacheinfo.c
index 97c42be71338a..1510f457b6154 100644
--- a/arch/arm64/kernel/cacheinfo.c
+++ b/arch/arm64/kernel/cacheinfo.c
@@ -87,16 +87,18 @@ int populate_cache_leaves(unsigned int cpu)
unsigned int level, idx;
enum cache_type type;
struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu);
- struct cacheinfo *this_leaf = this_cpu_ci->info_list;
+ struct cacheinfo *infos = this_cpu_ci->info_list;
for (idx = 0, level = 1; level <= this_cpu_ci->num_levels &&
- idx < this_cpu_ci->num_leaves; idx++, level++) {
+ idx < this_cpu_ci->num_leaves; level++) {
type = get_cache_type(level);
if (type == CACHE_TYPE_SEPARATE) {
- ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level);
- ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level);
+ if (idx + 1 >= this_cpu_ci->num_leaves)
+ break;
+ ci_leaf_init(&infos[idx++], CACHE_TYPE_DATA, level);
+ ci_leaf_init(&infos[idx++], CACHE_TYPE_INST, level);
} else {
- ci_leaf_init(this_leaf++, type, level);
+ ci_leaf_init(&infos[idx++], type, level);
}
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 232/462] gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 231/462] arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 233/462] gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ Greg Kroah-Hartman
` (233 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli, Markus Mayer,
Artur Weber, Linus Walleij, Bartosz Golaszewski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artur Weber <aweber.kernel@gmail.com>
[ Upstream commit de1d0d160f64ee76df1d364d521b2faf465a091c ]
The GPIO lock/unlock functions clear/write a bit to the relevant
register for each bank. However, due to an oversight the bit that
was being written was based on the total GPIO number, not the index
of the GPIO within the relevant bank, causing it to fail for any
GPIO above 32 (thus any GPIO for banks above bank 0).
Fix lock/unlock for these banks by using the correct bit.
Fixes: bdb93c03c550 ("gpio: bcm281xx: Centralize register locking")
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-1-409135eab780@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-bcm-kona.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
index 1e6b427f2c4a2..1cb663da85e76 100644
--- a/drivers/gpio/gpio-bcm-kona.c
+++ b/drivers/gpio/gpio-bcm-kona.c
@@ -93,11 +93,12 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio,
u32 val;
unsigned long flags;
int bank_id = GPIO_BANK(gpio);
+ int bit = GPIO_BIT(gpio);
raw_spin_lock_irqsave(&kona_gpio->lock, flags);
val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
- val |= BIT(gpio);
+ val |= BIT(bit);
bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
@@ -109,11 +110,12 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio,
u32 val;
unsigned long flags;
int bank_id = GPIO_BANK(gpio);
+ int bit = GPIO_BIT(gpio);
raw_spin_lock_irqsave(&kona_gpio->lock, flags);
val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
- val &= ~BIT(gpio);
+ val &= ~BIT(bit);
bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 233/462] gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 232/462] gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 234/462] gpio: bcm-kona: Add missing newline to dev_err format string Greg Kroah-Hartman
` (232 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli, Markus Mayer,
Artur Weber, Linus Walleij, Bartosz Golaszewski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artur Weber <aweber.kernel@gmail.com>
[ Upstream commit 57f5db77a915cc29461a679a6bcae7097967be1a ]
The settings for all GPIOs are locked by default in bcm_kona_gpio_reset.
The settings for a GPIO are unlocked when requesting it as a GPIO, but
not when requesting it as an interrupt, causing the IRQ settings to not
get applied.
Fix this by making sure to unlock the right bits when an IRQ is requested.
To avoid a situation where an IRQ being released causes a lock despite
the same GPIO being used by a GPIO request or vice versa, add an unlock
counter and only lock if it reaches 0.
Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver")
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-2-409135eab780@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-bcm-kona.c | 67 +++++++++++++++++++++++++++++-------
1 file changed, 55 insertions(+), 12 deletions(-)
diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
index 1cb663da85e76..46c7d399780ae 100644
--- a/drivers/gpio/gpio-bcm-kona.c
+++ b/drivers/gpio/gpio-bcm-kona.c
@@ -76,6 +76,22 @@ struct bcm_kona_gpio {
struct bcm_kona_gpio_bank {
int id;
int irq;
+ /*
+ * Used to keep track of lock/unlock operations for each GPIO in the
+ * bank.
+ *
+ * All GPIOs are locked by default (see bcm_kona_gpio_reset), and the
+ * unlock count for all GPIOs is 0 by default. Each unlock increments
+ * the counter, and each lock decrements the counter.
+ *
+ * The lock function only locks the GPIO once its unlock counter is
+ * down to 0. This is necessary because the GPIO is unlocked in two
+ * places in this driver: once for requested GPIOs, and once for
+ * requested IRQs. Since it is possible for a GPIO to be requested
+ * as both a GPIO and an IRQ, we need to ensure that we don't lock it
+ * too early.
+ */
+ u8 gpio_unlock_count[GPIO_PER_BANK];
/* Used in the interrupt handler */
struct bcm_kona_gpio *kona_gpio;
};
@@ -94,14 +110,23 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio,
unsigned long flags;
int bank_id = GPIO_BANK(gpio);
int bit = GPIO_BIT(gpio);
+ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id];
- raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+ if (bank->gpio_unlock_count[bit] == 0) {
+ dev_err(kona_gpio->gpio_chip.parent,
+ "Unbalanced locks for GPIO %u\n", gpio);
+ return;
+ }
- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
- val |= BIT(bit);
- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
+ if (--bank->gpio_unlock_count[bit] == 0) {
+ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
+ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
+ val |= BIT(bit);
+ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
+
+ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
+ }
}
static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio,
@@ -111,14 +136,19 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio,
unsigned long flags;
int bank_id = GPIO_BANK(gpio);
int bit = GPIO_BIT(gpio);
+ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id];
- raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+ if (bank->gpio_unlock_count[bit] == 0) {
+ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
- val &= ~BIT(bit);
- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
+ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
+ val &= ~BIT(bit);
+ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
+ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
+ }
+
+ ++bank->gpio_unlock_count[bit];
}
static int bcm_kona_gpio_get_dir(struct gpio_chip *chip, unsigned gpio)
@@ -369,6 +399,7 @@ static void bcm_kona_gpio_irq_mask(struct irq_data *d)
kona_gpio = irq_data_get_irq_chip_data(d);
reg_base = kona_gpio->reg_base;
+
raw_spin_lock_irqsave(&kona_gpio->lock, flags);
val = readl(reg_base + GPIO_INT_MASK(bank_id));
@@ -391,6 +422,7 @@ static void bcm_kona_gpio_irq_unmask(struct irq_data *d)
kona_gpio = irq_data_get_irq_chip_data(d);
reg_base = kona_gpio->reg_base;
+
raw_spin_lock_irqsave(&kona_gpio->lock, flags);
val = readl(reg_base + GPIO_INT_MSKCLR(bank_id));
@@ -488,15 +520,26 @@ static void bcm_kona_gpio_irq_handler(struct irq_desc *desc)
static int bcm_kona_gpio_irq_reqres(struct irq_data *d)
{
struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d);
+ unsigned int gpio = d->hwirq;
+
+ /*
+ * We need to unlock the GPIO before any other operations are performed
+ * on the relevant GPIO configuration registers
+ */
+ bcm_kona_gpio_unlock_gpio(kona_gpio, gpio);
- return gpiochip_reqres_irq(&kona_gpio->gpio_chip, d->hwirq);
+ return gpiochip_reqres_irq(&kona_gpio->gpio_chip, gpio);
}
static void bcm_kona_gpio_irq_relres(struct irq_data *d)
{
struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d);
+ unsigned int gpio = d->hwirq;
+
+ /* Once we no longer use it, lock the GPIO again */
+ bcm_kona_gpio_lock_gpio(kona_gpio, gpio);
- gpiochip_relres_irq(&kona_gpio->gpio_chip, d->hwirq);
+ gpiochip_relres_irq(&kona_gpio->gpio_chip, gpio);
}
static struct irq_chip bcm_gpio_irq_chip = {
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 234/462] gpio: bcm-kona: Add missing newline to dev_err format string
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 233/462] gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 235/462] xen: remove a confusing comment on auto-translated guest I/O Greg Kroah-Hartman
` (231 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli, Markus Mayer,
Artur Weber, Linus Walleij, Bartosz Golaszewski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artur Weber <aweber.kernel@gmail.com>
[ Upstream commit 615279db222c3ac56d5c93716efd72b843295c1f ]
Add a missing newline to the format string of the "Couldn't get IRQ
for bank..." error message.
Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver")
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-3-409135eab780@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-bcm-kona.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
index 46c7d399780ae..3aff7f2f1c2a5 100644
--- a/drivers/gpio/gpio-bcm-kona.c
+++ b/drivers/gpio/gpio-bcm-kona.c
@@ -677,7 +677,7 @@ static int bcm_kona_gpio_probe(struct platform_device *pdev)
bank->irq = platform_get_irq(pdev, i);
bank->kona_gpio = kona_gpio;
if (bank->irq < 0) {
- dev_err(dev, "Couldn't get IRQ for bank %d", i);
+ dev_err(dev, "Couldn't get IRQ for bank %d\n", i);
ret = -ENOENT;
goto err_irq_domain;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 235/462] xen: remove a confusing comment on auto-translated guest I/O
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 234/462] gpio: bcm-kona: Add missing newline to dev_err format string Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 236/462] x86/xen: allow larger contiguous memory regions in PV guests Greg Kroah-Hartman
` (230 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Tesarik, Boris Ostrovsky,
Juergen Gross, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Tesarik <petr.tesarik.ext@huawei.com>
[ Upstream commit d826c9e61c99120f8996f8fed6417167e32eb922 ]
After removing the conditional return from xen_create_contiguous_region(),
the accompanying comment was left in place, but it now precedes an
unrelated conditional and confuses readers.
Fixes: 989513a735f5 ("xen: cleanup pvh leftovers from pv-only sources")
Signed-off-by: Petr Tesarik <petr.tesarik.ext@huawei.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Link: https://lore.kernel.org/r/20230802163151.1486-1-petrtesarik@huaweicloud.com
Signed-off-by: Juergen Gross <jgross@suse.com>
Stable-dep-of: e93ec87286bd ("x86/xen: allow larger contiguous memory regions in PV guests")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/xen/mmu_pv.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
index cf2ade864c302..b9844ab6086ea 100644
--- a/arch/x86/xen/mmu_pv.c
+++ b/arch/x86/xen/mmu_pv.c
@@ -2274,12 +2274,6 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order,
int success;
unsigned long vstart = (unsigned long)phys_to_virt(pstart);
- /*
- * Currently an auto-translated guest will not perform I/O, nor will
- * it require PAE page directories below 4GB. Therefore any calls to
- * this function are redundant and can be ignored.
- */
-
if (unlikely(order > MAX_CONTIG_ORDER))
return -ENOMEM;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 236/462] x86/xen: allow larger contiguous memory regions in PV guests
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 235/462] xen: remove a confusing comment on auto-translated guest I/O Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 237/462] media: cxd2841er: fix 64-bit division on gcc-9 Greg Kroah-Hartman
` (229 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Juergen Gross, Alan Robinson,
Jan Beulich, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juergen Gross <jgross@suse.com>
[ Upstream commit e93ec87286bd1fd30b7389e7a387cfb259f297e3 ]
Today a PV guest (including dom0) can create 2MB contiguous memory
regions for DMA buffers at max. This has led to problems at least
with the megaraid_sas driver, which wants to allocate a 2.3MB DMA
buffer.
The limiting factor is the frame array used to do the hypercall for
making the memory contiguous, which has 512 entries and is just a
static array in mmu_pv.c.
In order to not waste memory for non-PV guests, put the initial
frame array into .init.data section and dynamically allocate an array
from the .init_after_bootmem hook of PV guests.
In case a contiguous memory area larger than the initially supported
2MB is requested, allocate a larger buffer for the frame list. Note
that such an allocation is tried only after memory management has been
initialized properly, which is tested via a flag being set in the
.init_after_bootmem hook.
Fixes: 9f40ec84a797 ("xen/swiotlb: add alignment check for dma buffers")
Signed-off-by: Juergen Gross <jgross@suse.com>
Tested-by: Alan Robinson <Alan.Robinson@fujitsu.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/xen/mmu_pv.c | 71 +++++++++++++++++++++++++++++++++++++------
1 file changed, 62 insertions(+), 9 deletions(-)
diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
index b9844ab6086ea..b294ae8e44aa9 100644
--- a/arch/x86/xen/mmu_pv.c
+++ b/arch/x86/xen/mmu_pv.c
@@ -95,6 +95,51 @@ static pud_t level3_user_vsyscall[PTRS_PER_PUD] __page_aligned_bss;
*/
static DEFINE_SPINLOCK(xen_reservation_lock);
+/* Protected by xen_reservation_lock. */
+#define MIN_CONTIG_ORDER 9 /* 2MB */
+static unsigned int discontig_frames_order = MIN_CONTIG_ORDER;
+static unsigned long discontig_frames_early[1UL << MIN_CONTIG_ORDER] __initdata;
+static unsigned long *discontig_frames __refdata = discontig_frames_early;
+static bool discontig_frames_dyn;
+
+static int alloc_discontig_frames(unsigned int order)
+{
+ unsigned long *new_array, *old_array;
+ unsigned int old_order;
+ unsigned long flags;
+
+ BUG_ON(order < MIN_CONTIG_ORDER);
+ BUILD_BUG_ON(sizeof(discontig_frames_early) != PAGE_SIZE);
+
+ new_array = (unsigned long *)__get_free_pages(GFP_KERNEL,
+ order - MIN_CONTIG_ORDER);
+ if (!new_array)
+ return -ENOMEM;
+
+ spin_lock_irqsave(&xen_reservation_lock, flags);
+
+ old_order = discontig_frames_order;
+
+ if (order > discontig_frames_order || !discontig_frames_dyn) {
+ if (!discontig_frames_dyn)
+ old_array = NULL;
+ else
+ old_array = discontig_frames;
+
+ discontig_frames = new_array;
+ discontig_frames_order = order;
+ discontig_frames_dyn = true;
+ } else {
+ old_array = new_array;
+ }
+
+ spin_unlock_irqrestore(&xen_reservation_lock, flags);
+
+ free_pages((unsigned long)old_array, old_order - MIN_CONTIG_ORDER);
+
+ return 0;
+}
+
/*
* Note about cr3 (pagetable base) values:
*
@@ -791,6 +836,9 @@ static void __init xen_after_bootmem(void)
static_branch_enable(&xen_struct_pages_ready);
SetPagePinned(virt_to_page(level3_user_vsyscall));
xen_pgd_walk(&init_mm, xen_mark_pinned, FIXADDR_TOP);
+
+ if (alloc_discontig_frames(MIN_CONTIG_ORDER))
+ BUG();
}
static void xen_unpin_page(struct mm_struct *mm, struct page *page,
@@ -2149,10 +2197,6 @@ void __init xen_init_mmu_ops(void)
memset(dummy_mapping, 0xff, PAGE_SIZE);
}
-/* Protected by xen_reservation_lock. */
-#define MAX_CONTIG_ORDER 9 /* 2MB */
-static unsigned long discontig_frames[1<<MAX_CONTIG_ORDER];
-
#define VOID_PTE (mfn_pte(0, __pgprot(0)))
static void xen_zap_pfn_range(unsigned long vaddr, unsigned int order,
unsigned long *in_frames,
@@ -2269,18 +2313,25 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order,
unsigned int address_bits,
dma_addr_t *dma_handle)
{
- unsigned long *in_frames = discontig_frames, out_frame;
+ unsigned long *in_frames, out_frame;
unsigned long flags;
int success;
unsigned long vstart = (unsigned long)phys_to_virt(pstart);
- if (unlikely(order > MAX_CONTIG_ORDER))
- return -ENOMEM;
+ if (unlikely(order > discontig_frames_order)) {
+ if (!discontig_frames_dyn)
+ return -ENOMEM;
+
+ if (alloc_discontig_frames(order))
+ return -ENOMEM;
+ }
memset((void *) vstart, 0, PAGE_SIZE << order);
spin_lock_irqsave(&xen_reservation_lock, flags);
+ in_frames = discontig_frames;
+
/* 1. Zap current PTEs, remembering MFNs. */
xen_zap_pfn_range(vstart, order, in_frames, NULL);
@@ -2304,12 +2355,12 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order,
void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order)
{
- unsigned long *out_frames = discontig_frames, in_frame;
+ unsigned long *out_frames, in_frame;
unsigned long flags;
int success;
unsigned long vstart;
- if (unlikely(order > MAX_CONTIG_ORDER))
+ if (unlikely(order > discontig_frames_order))
return;
vstart = (unsigned long)phys_to_virt(pstart);
@@ -2317,6 +2368,8 @@ void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order)
spin_lock_irqsave(&xen_reservation_lock, flags);
+ out_frames = discontig_frames;
+
/* 1. Find start MFN of contiguous extent. */
in_frame = virt_to_mfn(vstart);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 237/462] media: cxd2841er: fix 64-bit division on gcc-9
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 236/462] x86/xen: allow larger contiguous memory regions in PV guests Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 238/462] media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread Greg Kroah-Hartman
` (228 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Naresh Kamboju,
Linux Kernel Functional Testing, Arnd Bergmann, Hans Verkuil,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ]
It appears that do_div() once more gets confused by a complex
expression that ends up not quite being constant despite
__builtin_constant_p() thinking it is:
ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined!
Use div_u64() instead, forcing the expression to be evaluated
first, and making it a bit more readable.
Cc: Dan Carpenter <dan.carpenter@linaro.org>
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
[hverkuil: added Closes tags]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-frontends/cxd2841er.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c
index 493ba8b6b8f62..b2c251135ce1c 100644
--- a/drivers/media/dvb-frontends/cxd2841er.c
+++ b/drivers/media/dvb-frontends/cxd2841er.c
@@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv,
static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz)
{
- u64 tmp;
-
- tmp = (u64) ifhz * 16777216;
- do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000));
-
- return (u32) tmp;
+ return div_u64(ifhz * 16777216ull,
+ (xtal == SONY_XTAL_24000) ? 48000000 : 41000000);
}
static u32 cxd2841er_calc_iffreq(u32 ifhz)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 238/462] media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 237/462] media: cxd2841er: fix 64-bit division on gcc-9 Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 239/462] PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P Greg Kroah-Hartman
` (227 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5e248227c80a3be8e96a,
Edward Adam Davis, Hans Verkuil, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit 1221989555db711578a327a9367f1be46500cb48 ]
syzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1]
If dvb->mux is not initialized successfully by vidtv_mux_init() in the
vidtv_start_streaming(), it will trigger null pointer dereference about mux
in vidtv_mux_stop_thread().
Adjust the timing of streaming initialization and check it before
stopping it.
[1]
KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]
CPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471
Code: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8
RSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125
RDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128
RBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188
R13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710
FS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline]
vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252
dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000
dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486
dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559
dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
__fput+0x3f8/0xb60 fs/file_table.c:450
task_work_run+0x14e/0x250 kernel/task_work.c:239
get_signal+0x1d3/0x2610 kernel/signal.c:2790
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported-by: syzbot+5e248227c80a3be8e96a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5e248227c80a3be8e96a
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/test-drivers/vidtv/vidtv_bridge.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
index 3c281265a9ecc..60a7667ebff98 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
@@ -189,10 +189,11 @@ static int vidtv_start_streaming(struct vidtv_dvb *dvb)
mux_args.mux_buf_sz = mux_buf_sz;
- dvb->streaming = true;
dvb->mux = vidtv_mux_init(dvb->fe[0], dev, &mux_args);
if (!dvb->mux)
return -ENOMEM;
+
+ dvb->streaming = true;
vidtv_mux_start_thread(dvb->mux);
dev_dbg_ratelimited(dev, "Started streaming\n");
@@ -203,6 +204,11 @@ static int vidtv_stop_streaming(struct vidtv_dvb *dvb)
{
struct device *dev = &dvb->pdev->dev;
+ if (!dvb->streaming) {
+ dev_warn_ratelimited(dev, "No streaming. Skipping.\n");
+ return 0;
+ }
+
dvb->streaming = false;
vidtv_mux_stop_thread(dvb->mux);
vidtv_mux_destroy(dvb->mux);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 239/462] PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 238/462] media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 240/462] vfio/pci: Enable iowrite64 and ioread64 for vfio pci Greg Kroah-Hartman
` (226 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Bjorn Helgaas,
Krzysztof Wilczyński, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit b198499c7d2508a76243b98e7cca992f6fd2b7f7 ]
Apparently the Raptor Lake-P reference firmware configures the PIO log size
correctly, but some vendor BIOSes, including at least ASUSTeK COMPUTER INC.
Zenbook UX3402VA_UX3402VA, do not.
Apply the quirk for Raptor Lake-P. This prevents kernel complaints like:
DPC: RP PIO log size 0 is invalid
and also enables the DPC driver to dump the RP PIO Log registers when DPC
is triggered.
Note that the bug report also mentions 8086:a76e, which has been already
added by 627c6db20703 ("PCI/DPC: Quirk PIO log size for Intel Raptor Lake
Root Ports").
Link: https://lore.kernel.org/r/20250102164315.7562-1-tiwai@suse.de
Link: https://bugzilla.suse.com/show_bug.cgi?id=1234623
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bhelgaas: commit log]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/quirks.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index 7c65513e55c25..6564df6c9d0c1 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -5964,6 +5964,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2b, dpc_log_size);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2d, dpc_log_size);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2f, dpc_log_size);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a31, dpc_log_size);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa72f, dpc_log_size);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa73f, dpc_log_size);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa76e, dpc_log_size);
#endif
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 240/462] vfio/pci: Enable iowrite64 and ioread64 for vfio pci
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 239/462] PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 241/462] Grab mm lock before grabbing pt lock Greg Kroah-Hartman
` (225 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ramesh Thomas, Jason Gunthorpe,
Alex Williamson, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ramesh Thomas <ramesh.thomas@intel.com>
[ Upstream commit 2b938e3db335e3670475e31a722c2bee34748c5a ]
Definitions of ioread64 and iowrite64 macros in asm/io.h called by vfio
pci implementations are enclosed inside check for CONFIG_GENERIC_IOMAP.
They don't get defined if CONFIG_GENERIC_IOMAP is defined. Include
linux/io-64-nonatomic-lo-hi.h to define iowrite64 and ioread64 macros
when they are not defined. io-64-nonatomic-lo-hi.h maps the macros to
generic implementation in lib/iomap.c. The generic implementation does
64 bit rw if readq/writeq is defined for the architecture, otherwise it
would do 32 bit back to back rw.
Note that there are two versions of the generic implementation that
differs in the order the 32 bit words are written if 64 bit support is
not present. This is not the little/big endian ordering, which is
handled separately. This patch uses the lo followed by hi word ordering
which is consistent with current back to back implementation in the
vfio/pci code.
Signed-off-by: Ramesh Thomas <ramesh.thomas@intel.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://lore.kernel.org/r/20241210131938.303500-2-ramesh.thomas@intel.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/pci/vfio_pci_rdwr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c
index a0b5fc8e46f4d..fdcc9dca14ca9 100644
--- a/drivers/vfio/pci/vfio_pci_rdwr.c
+++ b/drivers/vfio/pci/vfio_pci_rdwr.c
@@ -16,6 +16,7 @@
#include <linux/io.h>
#include <linux/vfio.h>
#include <linux/vgaarb.h>
+#include <linux/io-64-nonatomic-lo-hi.h>
#include "vfio_pci_private.h"
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 241/462] Grab mm lock before grabbing pt lock
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 240/462] vfio/pci: Enable iowrite64 and ioread64 for vfio pci Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 242/462] orangefs: fix a oob in orangefs_debug_write Greg Kroah-Hartman
` (224 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maksym Planeta, Juergen Gross,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maksym Planeta <maksym@exostellar.io>
[ Upstream commit 6d002348789bc16e9203e9818b7a3688787e3b29 ]
Function xen_pin_page calls xen_pte_lock, which in turn grab page
table lock (ptlock). When locking, xen_pte_lock expect mm->page_table_lock
to be held before grabbing ptlock, but this does not happen when pinning
is caused by xen_mm_pin_all.
This commit addresses lockdep warning below, which shows up when
suspending a Xen VM.
[ 3680.658422] Freezing user space processes
[ 3680.660156] Freezing user space processes completed (elapsed 0.001 seconds)
[ 3680.660182] OOM killer disabled.
[ 3680.660192] Freezing remaining freezable tasks
[ 3680.661485] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
[ 3680.685254]
[ 3680.685265] ==================================
[ 3680.685269] WARNING: Nested lock was not taken
[ 3680.685274] 6.12.0+ #16 Tainted: G W
[ 3680.685279] ----------------------------------
[ 3680.685283] migration/0/19 is trying to lock:
[ 3680.685288] ffff88800bac33c0 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: xen_pin_page+0x175/0x1d0
[ 3680.685303]
[ 3680.685303] but this task is not holding:
[ 3680.685308] init_mm.page_table_lock
[ 3680.685311]
[ 3680.685311] stack backtrace:
[ 3680.685316] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16
[ 3680.685324] Tainted: [W]=WARN
[ 3680.685328] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0
[ 3680.685339] Call Trace:
[ 3680.685344] <TASK>
[ 3680.685347] dump_stack_lvl+0x77/0xb0
[ 3680.685356] __lock_acquire+0x917/0x2310
[ 3680.685364] lock_acquire+0xce/0x2c0
[ 3680.685369] ? xen_pin_page+0x175/0x1d0
[ 3680.685373] _raw_spin_lock_nest_lock+0x2f/0x70
[ 3680.685381] ? xen_pin_page+0x175/0x1d0
[ 3680.685386] xen_pin_page+0x175/0x1d0
[ 3680.685390] ? __pfx_xen_pin_page+0x10/0x10
[ 3680.685394] __xen_pgd_walk+0x233/0x2c0
[ 3680.685401] ? stop_one_cpu+0x91/0x100
[ 3680.685405] __xen_pgd_pin+0x5d/0x250
[ 3680.685410] xen_mm_pin_all+0x70/0xa0
[ 3680.685415] xen_pv_pre_suspend+0xf/0x280
[ 3680.685420] xen_suspend+0x57/0x1a0
[ 3680.685428] multi_cpu_stop+0x6b/0x120
[ 3680.685432] ? update_cpumasks_hier+0x7c/0xa60
[ 3680.685439] ? __pfx_multi_cpu_stop+0x10/0x10
[ 3680.685443] cpu_stopper_thread+0x8c/0x140
[ 3680.685448] ? smpboot_thread_fn+0x20/0x1f0
[ 3680.685454] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 3680.685458] smpboot_thread_fn+0xed/0x1f0
[ 3680.685462] kthread+0xde/0x110
[ 3680.685467] ? __pfx_kthread+0x10/0x10
[ 3680.685471] ret_from_fork+0x2f/0x50
[ 3680.685478] ? __pfx_kthread+0x10/0x10
[ 3680.685482] ret_from_fork_asm+0x1a/0x30
[ 3680.685489] </TASK>
[ 3680.685491]
[ 3680.685491] other info that might help us debug this:
[ 3680.685497] 1 lock held by migration/0/19:
[ 3680.685500] #0: ffffffff8284df38 (pgd_lock){+.+.}-{3:3}, at: xen_mm_pin_all+0x14/0xa0
[ 3680.685512]
[ 3680.685512] stack backtrace:
[ 3680.685518] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16
[ 3680.685528] Tainted: [W]=WARN
[ 3680.685531] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0
[ 3680.685538] Call Trace:
[ 3680.685541] <TASK>
[ 3680.685544] dump_stack_lvl+0x77/0xb0
[ 3680.685549] __lock_acquire+0x93c/0x2310
[ 3680.685554] lock_acquire+0xce/0x2c0
[ 3680.685558] ? xen_pin_page+0x175/0x1d0
[ 3680.685562] _raw_spin_lock_nest_lock+0x2f/0x70
[ 3680.685568] ? xen_pin_page+0x175/0x1d0
[ 3680.685572] xen_pin_page+0x175/0x1d0
[ 3680.685578] ? __pfx_xen_pin_page+0x10/0x10
[ 3680.685582] __xen_pgd_walk+0x233/0x2c0
[ 3680.685588] ? stop_one_cpu+0x91/0x100
[ 3680.685592] __xen_pgd_pin+0x5d/0x250
[ 3680.685596] xen_mm_pin_all+0x70/0xa0
[ 3680.685600] xen_pv_pre_suspend+0xf/0x280
[ 3680.685607] xen_suspend+0x57/0x1a0
[ 3680.685611] multi_cpu_stop+0x6b/0x120
[ 3680.685615] ? update_cpumasks_hier+0x7c/0xa60
[ 3680.685620] ? __pfx_multi_cpu_stop+0x10/0x10
[ 3680.685625] cpu_stopper_thread+0x8c/0x140
[ 3680.685629] ? smpboot_thread_fn+0x20/0x1f0
[ 3680.685634] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 3680.685638] smpboot_thread_fn+0xed/0x1f0
[ 3680.685642] kthread+0xde/0x110
[ 3680.685645] ? __pfx_kthread+0x10/0x10
[ 3680.685649] ret_from_fork+0x2f/0x50
[ 3680.685654] ? __pfx_kthread+0x10/0x10
[ 3680.685657] ret_from_fork_asm+0x1a/0x30
[ 3680.685662] </TASK>
[ 3680.685267] xen:grant_table: Grant tables using version 1 layout
[ 3680.685921] OOM killer enabled.
[ 3680.685934] Restarting tasks ... done.
Signed-off-by: Maksym Planeta <maksym@exostellar.io>
Reviewed-by: Juergen Gross <jgross@suse.com>
Message-ID: <20241204103516.3309112-1-maksym@exostellar.io>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/xen/mmu_pv.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
index b294ae8e44aa9..a87eb84724c2a 100644
--- a/arch/x86/xen/mmu_pv.c
+++ b/arch/x86/xen/mmu_pv.c
@@ -807,6 +807,7 @@ void xen_mm_pin_all(void)
{
struct page *page;
+ spin_lock(&init_mm.page_table_lock);
spin_lock(&pgd_lock);
list_for_each_entry(page, &pgd_list, lru) {
@@ -817,6 +818,7 @@ void xen_mm_pin_all(void)
}
spin_unlock(&pgd_lock);
+ spin_unlock(&init_mm.page_table_lock);
}
static void __init xen_mark_pinned(struct mm_struct *mm, struct page *page,
@@ -914,6 +916,7 @@ void xen_mm_unpin_all(void)
{
struct page *page;
+ spin_lock(&init_mm.page_table_lock);
spin_lock(&pgd_lock);
list_for_each_entry(page, &pgd_list, lru) {
@@ -925,6 +928,7 @@ void xen_mm_unpin_all(void)
}
spin_unlock(&pgd_lock);
+ spin_unlock(&init_mm.page_table_lock);
}
static void xen_activate_mm(struct mm_struct *prev, struct mm_struct *next)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 242/462] orangefs: fix a oob in orangefs_debug_write
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 241/462] Grab mm lock before grabbing pt lock Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 243/462] ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V Greg Kroah-Hartman
` (223 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Marshall,
syzbot+fc519d7875f2d9186c1f, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Marshall <hubcap@omnibond.com>
[ Upstream commit f7c848431632598ff9bce57a659db6af60d75b39 ]
I got a syzbot report: slab-out-of-bounds Read in
orangefs_debug_write... several people suggested fixes,
I tested Al Viro's suggestion and made this patch.
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Reported-by: syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/orangefs/orangefs-debugfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
index 1b508f5433846..fa41db0884880 100644
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -393,9 +393,9 @@ static ssize_t orangefs_debug_write(struct file *file,
* Thwart users who try to jamb a ridiculous number
* of bytes into the debug file...
*/
- if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
+ if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
silly = count;
- count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
+ count = ORANGEFS_MAX_DEBUG_STRING_LEN;
}
buf = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 243/462] ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 242/462] orangefs: fix a oob in orangefs_debug_write Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 244/462] batman-adv: fix panic during interface removal Greg Kroah-Hartman
` (222 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Mark Brown,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 6917192378c1ce17ba31df51c4e0d8b1c97a453b ]
The Vexia EDU ATLA 10 tablet comes in 2 different versions with
significantly different mainboards. The only outward difference is that
the charging barrel on one is marked 5V and the other is marked 9V.
The 5V version mostly works with the BYTCR defaults, except that it is
missing a CHAN package in its ACPI tables and the default of using
SSP0-AIF2 is wrong, instead SSP0-AIF1 must be used. That and its jack
detect signal is not inverted as it usually is.
Add a DMI quirk for the 5V version to fix sound not working.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://patch.msgid.link/20250123132507.18434-1-hdegoede@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/boards/bytcr_rt5640.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
index 6fc6a1fcd935e..06559f2afe326 100644
--- a/sound/soc/intel/boards/bytcr_rt5640.c
+++ b/sound/soc/intel/boards/bytcr_rt5640.c
@@ -935,7 +935,22 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
BYT_RT5640_SSP0_AIF2 |
BYT_RT5640_MCLK_EN),
},
- { /* Vexia Edu Atla 10 tablet */
+ {
+ /* Vexia Edu Atla 10 tablet 5V version */
+ .matches = {
+ /* Having all 3 of these not set is somewhat unique */
+ DMI_MATCH(DMI_SYS_VENDOR, "To be filled by O.E.M."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "To be filled by O.E.M."),
+ DMI_MATCH(DMI_BOARD_NAME, "To be filled by O.E.M."),
+ /* Above strings are too generic, also match on BIOS date */
+ DMI_MATCH(DMI_BIOS_DATE, "05/14/2015"),
+ },
+ .driver_data = (void *)(BYTCR_INPUT_DEFAULTS |
+ BYT_RT5640_JD_NOT_INV |
+ BYT_RT5640_SSP0_AIF1 |
+ BYT_RT5640_MCLK_EN),
+ },
+ { /* Vexia Edu Atla 10 tablet 9V version */
.matches = {
DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
DMI_MATCH(DMI_BOARD_NAME, "Aptio CRB"),
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 244/462] batman-adv: fix panic during interface removal
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 243/462] ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 245/462] batman-adv: Ignore neighbor throughput metrics in error case Greg Kroah-Hartman
` (221 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Strohman, Sven Eckelmann,
Simon Wunderlich
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Strohman <andrew@andrewstrohman.com>
commit ccb7276a6d26d6f8416e315b43b45e15ee7f29e2 upstream.
Reference counting is used to ensure that
batadv_hardif_neigh_node and batadv_hard_iface
are not freed before/during
batadv_v_elp_throughput_metric_update work is
finished.
But there isn't a guarantee that the hard if will
remain associated with a soft interface up until
the work is finished.
This fixes a crash triggered by reboot that looks
like this:
Call trace:
batadv_v_mesh_free+0xd0/0x4dc [batman_adv]
batadv_v_elp_throughput_metric_update+0x1c/0xa4
process_one_work+0x178/0x398
worker_thread+0x2e8/0x4d0
kthread+0xd8/0xdc
ret_from_fork+0x10/0x20
(the batadv_v_mesh_free call is misleading,
and does not actually happen)
I was able to make the issue happen more reliably
by changing hardif_neigh->bat_v.metric_work work
to be delayed work. This allowed me to track down
and confirm the fix.
Cc: stable@vger.kernel.org
Fixes: c833484e5f38 ("batman-adv: ELP - compute the metric based on the estimated throughput")
Signed-off-by: Andy Strohman <andrew@andrewstrohman.com>
[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without
soft_iface]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bat_v_elp.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/net/batman-adv/bat_v_elp.c
+++ b/net/batman-adv/bat_v_elp.c
@@ -66,12 +66,19 @@ static void batadv_v_elp_start_timer(str
static u32 batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh)
{
struct batadv_hard_iface *hard_iface = neigh->if_incoming;
+ struct net_device *soft_iface = hard_iface->soft_iface;
struct ethtool_link_ksettings link_settings;
struct net_device *real_netdev;
struct station_info sinfo;
u32 throughput;
int ret;
+ /* don't query throughput when no longer associated with any
+ * batman-adv interface
+ */
+ if (!soft_iface)
+ return BATADV_THROUGHPUT_DEFAULT_VALUE;
+
/* if the user specified a customised value for this interface, then
* return it directly
*/
@@ -142,7 +149,7 @@ static u32 batadv_v_elp_get_throughput(s
default_throughput:
if (!(hard_iface->bat_v.flags & BATADV_WARNING_DEFAULT)) {
- batadv_info(hard_iface->soft_iface,
+ batadv_info(soft_iface,
"WiFi driver or ethtool info does not provide information about link speeds on interface %s, therefore defaulting to hardcoded throughput values of %u.%1u Mbps. Consider overriding the throughput manually or checking your driver.\n",
hard_iface->net_dev->name,
BATADV_THROUGHPUT_DEFAULT_VALUE / 10,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 245/462] batman-adv: Ignore neighbor throughput metrics in error case
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 244/462] batman-adv: fix panic during interface removal Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 246/462] perf/x86/intel: Ensure LBRs are disabled when a CPU is starting Greg Kroah-Hartman
` (220 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sven Eckelmann, Simon Wunderlich
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit e7e34ffc976aaae4f465b7898303241b81ceefc3 upstream.
If a temporary error happened in the evaluation of the neighbor throughput
information, then the invalid throughput result should not be stored in the
throughtput EWMA.
Cc: stable@vger.kernel.org
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bat_v_elp.c | 50 ++++++++++++++++++++++++++++++---------------
1 file changed, 34 insertions(+), 16 deletions(-)
--- a/net/batman-adv/bat_v_elp.c
+++ b/net/batman-adv/bat_v_elp.c
@@ -59,11 +59,13 @@ static void batadv_v_elp_start_timer(str
/**
* batadv_v_elp_get_throughput() - get the throughput towards a neighbour
* @neigh: the neighbour for which the throughput has to be obtained
+ * @pthroughput: calculated throughput towards the given neighbour in multiples
+ * of 100kpbs (a value of '1' equals 0.1Mbps, '10' equals 1Mbps, etc).
*
- * Return: The throughput towards the given neighbour in multiples of 100kpbs
- * (a value of '1' equals 0.1Mbps, '10' equals 1Mbps, etc).
+ * Return: true when value behind @pthroughput was set
*/
-static u32 batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh)
+static bool batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh,
+ u32 *pthroughput)
{
struct batadv_hard_iface *hard_iface = neigh->if_incoming;
struct net_device *soft_iface = hard_iface->soft_iface;
@@ -77,14 +79,16 @@ static u32 batadv_v_elp_get_throughput(s
* batman-adv interface
*/
if (!soft_iface)
- return BATADV_THROUGHPUT_DEFAULT_VALUE;
+ return false;
/* if the user specified a customised value for this interface, then
* return it directly
*/
throughput = atomic_read(&hard_iface->bat_v.throughput_override);
- if (throughput != 0)
- return throughput;
+ if (throughput != 0) {
+ *pthroughput = throughput;
+ return true;
+ }
/* if this is a wireless device, then ask its throughput through
* cfg80211 API
@@ -111,19 +115,24 @@ static u32 batadv_v_elp_get_throughput(s
* possible to delete this neighbor. For now set
* the throughput metric to 0.
*/
- return 0;
+ *pthroughput = 0;
+ return true;
}
if (ret)
goto default_throughput;
- if (sinfo.filled & BIT(NL80211_STA_INFO_EXPECTED_THROUGHPUT))
- return sinfo.expected_throughput / 100;
+ if (sinfo.filled & BIT(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) {
+ *pthroughput = sinfo.expected_throughput / 100;
+ return true;
+ }
/* try to estimate the expected throughput based on reported tx
* rates
*/
- if (sinfo.filled & BIT(NL80211_STA_INFO_TX_BITRATE))
- return cfg80211_calculate_bitrate(&sinfo.txrate) / 3;
+ if (sinfo.filled & BIT(NL80211_STA_INFO_TX_BITRATE)) {
+ *pthroughput = cfg80211_calculate_bitrate(&sinfo.txrate) / 3;
+ return true;
+ }
goto default_throughput;
}
@@ -143,8 +152,10 @@ static u32 batadv_v_elp_get_throughput(s
hard_iface->bat_v.flags &= ~BATADV_FULL_DUPLEX;
throughput = link_settings.base.speed;
- if (throughput && throughput != SPEED_UNKNOWN)
- return throughput * 10;
+ if (throughput && throughput != SPEED_UNKNOWN) {
+ *pthroughput = throughput * 10;
+ return true;
+ }
}
default_throughput:
@@ -158,7 +169,8 @@ default_throughput:
}
/* if none of the above cases apply, return the base_throughput */
- return BATADV_THROUGHPUT_DEFAULT_VALUE;
+ *pthroughput = BATADV_THROUGHPUT_DEFAULT_VALUE;
+ return true;
}
/**
@@ -170,15 +182,21 @@ void batadv_v_elp_throughput_metric_upda
{
struct batadv_hardif_neigh_node_bat_v *neigh_bat_v;
struct batadv_hardif_neigh_node *neigh;
+ u32 throughput;
+ bool valid;
neigh_bat_v = container_of(work, struct batadv_hardif_neigh_node_bat_v,
metric_work);
neigh = container_of(neigh_bat_v, struct batadv_hardif_neigh_node,
bat_v);
- ewma_throughput_add(&neigh->bat_v.throughput,
- batadv_v_elp_get_throughput(neigh));
+ valid = batadv_v_elp_get_throughput(neigh, &throughput);
+ if (!valid)
+ goto put_neigh;
+
+ ewma_throughput_add(&neigh->bat_v.throughput, throughput);
+put_neigh:
/* decrement refcounter to balance increment performed before scheduling
* this task
*/
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 246/462] perf/x86/intel: Ensure LBRs are disabled when a CPU is starting
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 245/462] batman-adv: Ignore neighbor throughput metrics in error case Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 247/462] usb: roles: set switch registered flag early on Greg Kroah-Hartman
` (219 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Levitsky, Sean Christopherson,
Peter Zijlstra (Intel)
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit c631a2de7ae48d50434bdc205d901423f8577c65 upstream.
Explicitly clear DEBUGCTL.LBR when a CPU is starting, prior to purging the
LBR MSRs themselves, as at least one system has been found to transfer
control to the kernel with LBRs enabled (it's unclear whether it's a BIOS
flaw or a CPU goof). Because the kernel preserves the original DEBUGCTL,
even when toggling LBRs, leaving DEBUGCTL.LBR as is results in running
with LBRs enabled at all times.
Closes: https://lore.kernel.org/all/c9d8269bff69f6359731d758e3b1135dedd7cc61.camel@redhat.com
Reported-by: Maxim Levitsky <mlevitsk@redhat.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20250131010721.470503-1-seanjc@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/core.c | 5 ++++-
arch/x86/include/asm/msr-index.h | 3 ++-
2 files changed, 6 insertions(+), 2 deletions(-)
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -4078,8 +4078,11 @@ static void intel_pmu_cpu_starting(int c
init_debug_store_on_cpu(cpu);
/*
- * Deal with CPUs that don't clear their LBRs on power-up.
+ * Deal with CPUs that don't clear their LBRs on power-up, and that may
+ * even boot with LBRs enabled.
*/
+ if (!static_cpu_has(X86_FEATURE_ARCH_LBR) && x86_pmu.lbr_nr)
+ msr_clear_bit(MSR_IA32_DEBUGCTLMSR, DEBUGCTLMSR_LBR_BIT);
intel_pmu_lbr_reset();
cpuc->lbr_sel = NULL;
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -326,7 +326,8 @@
#define MSR_IA32_PASID_VALID BIT_ULL(31)
/* DEBUGCTLMSR bits (others vary by model): */
-#define DEBUGCTLMSR_LBR (1UL << 0) /* last branch recording */
+#define DEBUGCTLMSR_LBR_BIT 0 /* last branch recording */
+#define DEBUGCTLMSR_LBR (1UL << DEBUGCTLMSR_LBR_BIT)
#define DEBUGCTLMSR_BTF_SHIFT 1
#define DEBUGCTLMSR_BTF (1UL << 1) /* single-step on branches */
#define DEBUGCTLMSR_TR (1UL << 6)
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 247/462] usb: roles: set switch registered flag early on
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 246/462] perf/x86/intel: Ensure LBRs are disabled when a CPU is starting Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 248/462] usb: gadget: udc: renesas_usb3: Fix compiler warning Greg Kroah-Hartman
` (218 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Elson Roy Serrao,
Heikki Krogerus
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Elson Roy Serrao <quic_eserrao@quicinc.com>
commit 634775a752a86784511018a108f3b530cc3399a7 upstream.
The role switch registration and set_role() can happen in parallel as they
are invoked independent of each other. There is a possibility that a driver
might spend significant amount of time in usb_role_switch_register() API
due to the presence of time intensive operations like component_add()
which operate under common mutex. This leads to a time window after
allocating the switch and before setting the registered flag where the set
role notifications are dropped. Below timeline summarizes this behavior
Thread1 | Thread2
usb_role_switch_register() |
| |
---> allocate switch |
| |
---> component_add() | usb_role_switch_set_role()
| | |
| | --> Drop role notifications
| | since sw->registered
| | flag is not set.
| |
--->Set registered flag.|
To avoid this, set the registered flag early on in the switch register
API.
Fixes: b787a3e78175 ("usb: roles: don't get/set_role() when usb_role_switch is unregistered")
Cc: stable <stable@kernel.org>
Signed-off-by: Elson Roy Serrao <quic_eserrao@quicinc.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250206193950.22421-1-quic_eserrao@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/roles/class.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/usb/roles/class.c
+++ b/drivers/usb/roles/class.c
@@ -345,14 +345,15 @@ usb_role_switch_register(struct device *
dev_set_name(&sw->dev, "%s-role-switch",
desc->name ? desc->name : dev_name(parent));
+ sw->registered = true;
+
ret = device_register(&sw->dev);
if (ret) {
+ sw->registered = false;
put_device(&sw->dev);
return ERR_PTR(ret);
}
- sw->registered = true;
-
/* TODO: Symlinks for the host port and the device controller. */
return sw;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 248/462] usb: gadget: udc: renesas_usb3: Fix compiler warning
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 247/462] usb: roles: set switch registered flag early on Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 249/462] usb: dwc2: gadget: remove of_node reference upon udc_stop Greg Kroah-Hartman
` (217 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, kernel test robot, Guo Ren
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guo Ren <guoren@linux.alibaba.com>
commit 335a1fc1193481f8027f176649c72868172f6f8b upstream.
drivers/usb/gadget/udc/renesas_usb3.c: In function 'renesas_usb3_probe':
drivers/usb/gadget/udc/renesas_usb3.c:2638:73: warning: '%d'
directive output may be truncated writing between 1 and 11 bytes into a
region of size 6 [-Wformat-truncation=]
2638 | snprintf(usb3_ep->ep_name, sizeof(usb3_ep->ep_name), "ep%d", i);
^~~~~~~~~~~~~~~~~~~~~~~~ ^~ ^
Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
Cc: stable@vger.kernel.org
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202501201409.BIQPtkeB-lkp@intel.com/
Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
Link: https://lore.kernel.org/r/20250122081231.47594-1-guoren@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/renesas_usb3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -306,7 +306,7 @@ struct renesas_usb3_request {
struct list_head queue;
};
-#define USB3_EP_NAME_SIZE 8
+#define USB3_EP_NAME_SIZE 16
struct renesas_usb3_ep {
struct usb_ep ep;
struct renesas_usb3 *usb3;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 249/462] usb: dwc2: gadget: remove of_node reference upon udc_stop
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 248/462] usb: gadget: udc: renesas_usb3: Fix compiler warning Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 250/462] USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI Greg Kroah-Hartman
` (216 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Fabrice Gasnier
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
commit 58cd423820d5b5610977e55e4acdd06628829ede upstream.
In dwc2_hsotg_udc_start(), e.g. when binding composite driver, "of_node"
is set to hsotg->dev->of_node.
It causes errors when binding the gadget driver several times, on
stm32mp157c-ev1 board. Below error is seen:
"pin PA10 already requested by 49000000.usb-otg; cannot claim for gadget.0"
The first time, no issue is seen as when registering the driver, of_node
isn't NULL:
-> gadget_dev_desc_UDC_store
-> usb_gadget_register_driver_owner
-> driver_register
...
-> really_probe -> pinctrl_bind_pins (no effect)
Then dwc2_hsotg_udc_start() sets of_node.
The second time (stop the gadget, reconfigure it, then start it again),
of_node has been set, so the probing code tries to acquire pins for the
gadget. These pins are hold by the controller, hence the error.
So clear gadget.dev.of_node in udc_stop() routine to avoid the issue.
Fixes: 7d7b22928b90 ("usb: gadget: s3c-hsotg: Propagate devicetree to gadget drivers")
Cc: stable <stable@kernel.org>
Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
Link: https://lore.kernel.org/r/20250124173325.2747710-1-fabrice.gasnier@foss.st.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc2/gadget.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/dwc2/gadget.c
+++ b/drivers/usb/dwc2/gadget.c
@@ -4581,6 +4581,7 @@ static int dwc2_hsotg_udc_stop(struct us
spin_lock_irqsave(&hsotg->lock, flags);
hsotg->driver = NULL;
+ hsotg->gadget.dev.of_node = NULL;
hsotg->gadget.speed = USB_SPEED_UNKNOWN;
hsotg->enabled = 0;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 250/462] USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 249/462] usb: dwc2: gadget: remove of_node reference upon udc_stop Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 251/462] usb: core: fix pipe creation for get_bMaxPacketSize0 Greg Kroah-Hartman
` (215 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Baoqi Zhang, Huacai Chen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit e71f7f42e3c874ac3314b8f250e8416a706165af upstream.
LS7A EHCI controller doesn't have extended capabilities, so the EECP
(EHCI Extended Capabilities Pointer) field of HCCPARAMS register should
be 0x0, but it reads as 0xa0 now. This is a hardware flaw and will be
fixed in future, now just clear the EECP field to avoid error messages
on boot:
......
[ 0.581675] pci 0000:00:04.1: EHCI: unrecognized capability ff
[ 0.581699] pci 0000:00:04.1: EHCI: unrecognized capability ff
[ 0.581716] pci 0000:00:04.1: EHCI: unrecognized capability ff
[ 0.581851] pci 0000:00:04.1: EHCI: unrecognized capability ff
......
[ 0.581916] pci 0000:00:05.1: EHCI: unrecognized capability ff
[ 0.581951] pci 0000:00:05.1: EHCI: unrecognized capability ff
[ 0.582704] pci 0000:00:05.1: EHCI: unrecognized capability ff
[ 0.582799] pci 0000:00:05.1: EHCI: unrecognized capability ff
......
Cc: stable <stable@kernel.org>
Signed-off-by: Baoqi Zhang <zhangbaoqi@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Link: https://lore.kernel.org/r/20250202124935.480500-1-chenhuacai@loongson.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/pci-quirks.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/host/pci-quirks.c
+++ b/drivers/usb/host/pci-quirks.c
@@ -948,6 +948,15 @@ static void quirk_usb_disable_ehci(struc
* booting from USB disk or using a usb keyboard
*/
hcc_params = readl(base + EHCI_HCC_PARAMS);
+
+ /* LS7A EHCI controller doesn't have extended capabilities, the
+ * EECP (EHCI Extended Capabilities Pointer) field of HCCPARAMS
+ * register should be 0x0 but it reads as 0xa0. So clear it to
+ * avoid error messages on boot.
+ */
+ if (pdev->vendor == PCI_VENDOR_ID_LOONGSON && pdev->device == 0x7a14)
+ hcc_params &= ~(0xffL << 8);
+
offset = (hcc_params >> 8) & 0xff;
while (offset && --count) {
pci_read_config_dword(pdev, offset, &cap);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 251/462] usb: core: fix pipe creation for get_bMaxPacketSize0
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 250/462] USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 252/462] USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist Greg Kroah-Hartman
` (214 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Stefan Eichenberger,
Alan Stern
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
commit 4aac0db5a0ebc599d4ad9bf5ebab78afa1f33e10 upstream.
When usb_control_msg is used in the get_bMaxPacketSize0 function, the
USB pipe does not include the endpoint device number. This can cause
failures when a usb hub port is reinitialized after encountering a bad
cable connection. As a result, the system logs the following error
messages:
usb usb2-port1: cannot reset (err = -32)
usb usb2-port1: Cannot enable. Maybe the USB cable is bad?
usb usb2-port1: attempt power cycle
usb 2-1: new high-speed USB device number 5 using ci_hdrc
usb 2-1: device descriptor read/8, error -71
The problem began after commit 85d07c556216 ("USB: core: Unite old
scheme and new scheme descriptor reads"). There
usb_get_device_descriptor was replaced with get_bMaxPacketSize0. Unlike
usb_get_device_descriptor, the get_bMaxPacketSize0 function uses the
macro usb_rcvaddr0pipe, which does not include the endpoint device
number. usb_get_device_descriptor, on the other hand, used the macro
usb_rcvctrlpipe, which includes the endpoint device number.
By modifying the get_bMaxPacketSize0 function to use usb_rcvctrlpipe
instead of usb_rcvaddr0pipe, the issue can be resolved. This change will
ensure that the endpoint device number is included in the USB pipe,
preventing reinitialization failures. If the endpoint has not set the
device number yet, it will still work because the device number is 0 in
udev.
Cc: stable <stable@kernel.org>
Fixes: 85d07c556216 ("USB: core: Unite old scheme and new scheme descriptor reads")
Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20250203105840.17539-1-eichest@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4644,7 +4644,6 @@ void usb_ep0_reinit(struct usb_device *u
EXPORT_SYMBOL_GPL(usb_ep0_reinit);
#define usb_sndaddr0pipe() (PIPE_CONTROL << 30)
-#define usb_rcvaddr0pipe() ((PIPE_CONTROL << 30) | USB_DIR_IN)
static int hub_set_address(struct usb_device *udev, int devnum)
{
@@ -4745,7 +4744,7 @@ static int get_bMaxPacketSize0(struct us
for (i = 0; i < GET_MAXPACKET0_TRIES; ++i) {
/* Start with invalid values in case the transfer fails */
buf->bDescriptorType = buf->bMaxPacketSize0 = 0;
- rc = usb_control_msg(udev, usb_rcvaddr0pipe(),
+ rc = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
USB_REQ_GET_DESCRIPTOR, USB_DIR_IN,
USB_DT_DEVICE << 8, 0,
buf, size,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 252/462] USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 251/462] usb: core: fix pipe creation for get_bMaxPacketSize0 Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 253/462] USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone Greg Kroah-Hartman
` (213 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lei Huang, stable
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lei Huang <huanglei@kylinos.cn>
commit e169d96eecd447ff7fd7542ca5fa0911f5622054 upstream.
Teclast disk used on Huawei hisi platforms doesn't work well,
losing connectivity intermittently if LPM is enabled.
Add quirk disable LPM to resolve the issue.
Signed-off-by: Lei Huang <huanglei@kylinos.cn>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20250212093829.7379-1-huanglei814@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -520,6 +520,9 @@ static const struct usb_device_id usb_qu
/* Blackmagic Design UltraStudio SDI */
{ USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM },
+ /* Teclast disk */
+ { USB_DEVICE(0x1f75, 0x0917), .driver_info = USB_QUIRK_NO_LPM },
+
/* Hauppauge HVR-950q */
{ USB_DEVICE(0x2040, 0x7200), .driver_info =
USB_QUIRK_CONFIG_INTF_STRINGS },
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 253/462] USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 252/462] USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 254/462] usb: gadget: f_midi: fix MIDI Streaming descriptor lengths Greg Kroah-Hartman
` (212 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Forest, Mathias Nyman
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 159daf1258227f44b26b5d38f4aa8f37b8cca663 upstream.
The fastboot tool for communicating with Android bootloaders does not
work reliably with this device if USB 2 Link Power Management (LPM)
is enabled.
Various fastboot commands are affected, including the
following, which usually reproduces the problem within two tries:
fastboot getvar kernel
getvar:kernel FAILED (remote: 'GetVar Variable Not found')
This issue was hidden on many systems up until commit 63a1f8454962
("xhci: stored cached port capability values in one place") as the xhci
driver failed to detect USB 2 LPM support if USB 3 ports were listed
before USB 2 ports in the "supported protocol capabilities".
Adding the quirk resolves the issue. No drawbacks are expected since
the device uses different USB product IDs outside of fastboot mode, and
since fastboot commands worked before, until LPM was enabled on the
tested system by the aforementioned commit.
Based on a patch from Forest <forestix@nom.one> from which most of the
code and commit message is taken.
Cc: stable <stable@kernel.org>
Reported-by: Forest <forestix@nom.one>
Closes: https://lore.kernel.org/hk8umj9lv4l4qguftdq1luqtdrpa1gks5l@sonic.net
Tested-by: Forest <forestix@nom.one>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250206151836.51742-1-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -430,6 +430,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x0c45, 0x7056), .driver_info =
USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+ /* Sony Xperia XZ1 Compact (lilac) smartphone in fastboot mode */
+ { USB_DEVICE(0x0fce, 0x0dde), .driver_info = USB_QUIRK_NO_LPM },
+
/* Action Semiconductor flash disk */
{ USB_DEVICE(0x10d6, 0x2200), .driver_info =
USB_QUIRK_STRING_FETCH_255 },
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 254/462] usb: gadget: f_midi: fix MIDI Streaming descriptor lengths
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 253/462] USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 255/462] USB: hub: Ignore non-compliant devices with too many configs or interfaces Greg Kroah-Hartman
` (211 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, John Keeping, Takashi Iwai
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Keeping <jkeeping@inmusicbrands.com>
commit da1668997052ed1cb00322e1f3b63702615c9429 upstream.
While the MIDI jacks are configured correctly, and the MIDIStreaming
endpoint descriptors are filled with the correct information,
bNumEmbMIDIJack and bLength are set incorrectly in these descriptors.
This does not matter when the numbers of in and out ports are equal, but
when they differ the host will receive broken descriptors with
uninitialized stack memory leaking into the descriptor for whichever
value is smaller.
The precise meaning of "in" and "out" in the port counts is not clearly
defined and can be confusing. But elsewhere the driver consistently
uses this to match the USB meaning of IN and OUT viewed from the host,
so that "in" ports send data to the host and "out" ports receive data
from it.
Cc: stable <stable@kernel.org>
Fixes: c8933c3f79568 ("USB: gadget: f_midi: allow a dynamic number of input and output ports")
Signed-off-by: John Keeping <jkeeping@inmusicbrands.com>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20250130195035.3883857-1-jkeeping@inmusicbrands.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_midi.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/usb/gadget/function/f_midi.c
+++ b/drivers/usb/gadget/function/f_midi.c
@@ -997,11 +997,11 @@ static int f_midi_bind(struct usb_config
}
/* configure the endpoint descriptors ... */
- ms_out_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->in_ports);
- ms_out_desc.bNumEmbMIDIJack = midi->in_ports;
+ ms_out_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->out_ports);
+ ms_out_desc.bNumEmbMIDIJack = midi->out_ports;
- ms_in_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->out_ports);
- ms_in_desc.bNumEmbMIDIJack = midi->out_ports;
+ ms_in_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->in_ports);
+ ms_in_desc.bNumEmbMIDIJack = midi->in_ports;
/* ... and add them to the list */
endpoint_descriptor_index = i;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 255/462] USB: hub: Ignore non-compliant devices with too many configs or interfaces
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 254/462] usb: gadget: f_midi: fix MIDI Streaming descriptor lengths Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 256/462] USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk Greg Kroah-Hartman
` (210 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Robert Morris
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 2240fed37afbcdb5e8b627bc7ad986891100e05d upstream.
Robert Morris created a test program which can cause
usb_hub_to_struct_hub() to dereference a NULL or inappropriate
pointer:
Oops: general protection fault, probably for non-canonical address
0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14
Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110
...
Call Trace:
<TASK>
? die_addr+0x31/0x80
? exc_general_protection+0x1b4/0x3c0
? asm_exc_general_protection+0x26/0x30
? usb_hub_adjust_deviceremovable+0x78/0x110
hub_probe+0x7c7/0xab0
usb_probe_interface+0x14b/0x350
really_probe+0xd0/0x2d0
? __pfx___device_attach_driver+0x10/0x10
__driver_probe_device+0x6e/0x110
driver_probe_device+0x1a/0x90
__device_attach_driver+0x7e/0xc0
bus_for_each_drv+0x7f/0xd0
__device_attach+0xaa/0x1a0
bus_probe_device+0x8b/0xa0
device_add+0x62e/0x810
usb_set_configuration+0x65d/0x990
usb_generic_driver_probe+0x4b/0x70
usb_probe_device+0x36/0xd0
The cause of this error is that the device has two interfaces, and the
hub driver binds to interface 1 instead of interface 0, which is where
usb_hub_to_struct_hub() looks.
We can prevent the problem from occurring by refusing to accept hub
devices that violate the USB spec by having more than one
configuration or interface.
Reported-and-tested-by: Robert Morris <rtm@csail.mit.edu>
Cc: stable <stable@kernel.org>
Closes: https://lore.kernel.org/linux-usb/95564.1737394039@localhost/
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/c27f3bf4-63d8-4fb5-ac82-09e3cd19f61c@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1804,6 +1804,17 @@ static int hub_probe(struct usb_interfac
hdev = interface_to_usbdev(intf);
/*
+ * The USB 2.0 spec prohibits hubs from having more than one
+ * configuration or interface, and we rely on this prohibition.
+ * Refuse to accept a device that violates it.
+ */
+ if (hdev->descriptor.bNumConfigurations > 1 ||
+ hdev->actconfig->desc.bNumInterfaces > 1) {
+ dev_err(&intf->dev, "Invalid hub with more than one config or interface\n");
+ return -EINVAL;
+ }
+
+ /*
* Set default autosuspend delay as 0 to speedup bus suspend,
* based on the below considerations:
*
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 256/462] USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 255/462] USB: hub: Ignore non-compliant devices with too many configs or interfaces Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 257/462] usb: cdc-acm: Check control transfer buffer size before access Greg Kroah-Hartman
` (209 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Marek Vasut,
Geert Uytterhoeven
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
commit 7284922f3e4fa285dff1b8bb593aa9a0b8458f30 upstream.
Add Renesas R-Car D3 USB Download mode quirk and update comments
on all the other Renesas R-Car USB Download mode quirks to discern
them from each other. This follows R-Car Series, 3rd Generation
reference manual Rev.2.00 chapter 19.2.8 USB download mode .
Fixes: 6d853c9e4104 ("usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode")
Cc: stable <stable@kernel.org>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/20250209145708.106914-1-marek.vasut+renesas@mailbox.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1723,13 +1723,16 @@ static const struct usb_device_id acm_id
{ USB_DEVICE(0x0870, 0x0001), /* Metricom GS Modem */
.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
},
- { USB_DEVICE(0x045b, 0x023c), /* Renesas USB Download mode */
+ { USB_DEVICE(0x045b, 0x023c), /* Renesas R-Car H3 USB Download mode */
.driver_info = DISABLE_ECHO, /* Don't echo banner */
},
- { USB_DEVICE(0x045b, 0x0248), /* Renesas USB Download mode */
+ { USB_DEVICE(0x045b, 0x0247), /* Renesas R-Car D3 USB Download mode */
.driver_info = DISABLE_ECHO, /* Don't echo banner */
},
- { USB_DEVICE(0x045b, 0x024D), /* Renesas USB Download mode */
+ { USB_DEVICE(0x045b, 0x0248), /* Renesas R-Car M3-N USB Download mode */
+ .driver_info = DISABLE_ECHO, /* Don't echo banner */
+ },
+ { USB_DEVICE(0x045b, 0x024D), /* Renesas R-Car E3 USB Download mode */
.driver_info = DISABLE_ECHO, /* Don't echo banner */
},
{ USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 257/462] usb: cdc-acm: Check control transfer buffer size before access
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 256/462] USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 258/462] usb: cdc-acm: Fix handling of oversized fragments Greg Kroah-Hartman
` (208 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jann Horn
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit e563b01208f4d1f609bcab13333b6c0e24ce6a01 upstream.
If the first fragment is shorter than struct usb_cdc_notification, we can't
calculate an expected_size. Log an error and discard the notification
instead of reading lengths from memory outside the received data, which can
lead to memory corruption when the expected_size decreases between
fragments, causing `expected_size - acm->nb_index` to wrap.
This issue has been present since the beginning of git history; however,
it only leads to memory corruption since commit ea2583529cd1
("cdc-acm: reassemble fragmented notifications").
A mitigating factor is that acm_ctrl_irq() can only execute after userspace
has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will
do that automatically depending on the USB device's vendor/product IDs and
its other interfaces.
Cc: stable <stable@kernel.org>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -360,7 +360,7 @@ static void acm_process_notification(str
static void acm_ctrl_irq(struct urb *urb)
{
struct acm *acm = urb->context;
- struct usb_cdc_notification *dr = urb->transfer_buffer;
+ struct usb_cdc_notification *dr;
unsigned int current_size = urb->actual_length;
unsigned int expected_size, copy_size, alloc_size;
int retval;
@@ -387,9 +387,20 @@ static void acm_ctrl_irq(struct urb *urb
usb_mark_last_busy(acm->dev);
- if (acm->nb_index)
+ if (acm->nb_index == 0) {
+ /*
+ * The first chunk of a message must contain at least the
+ * notification header with the length field, otherwise we
+ * can't get an expected_size.
+ */
+ if (current_size < sizeof(struct usb_cdc_notification)) {
+ dev_dbg(&acm->control->dev, "urb too short\n");
+ goto exit;
+ }
+ dr = urb->transfer_buffer;
+ } else {
dr = (struct usb_cdc_notification *)acm->notification_buffer;
-
+ }
/* size = notification-header + (optional) data */
expected_size = sizeof(struct usb_cdc_notification) +
le16_to_cpu(dr->wLength);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 258/462] usb: cdc-acm: Fix handling of oversized fragments
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 257/462] usb: cdc-acm: Check control transfer buffer size before access Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 259/462] USB: serial: option: add MeiG Smart SLM828 Greg Kroah-Hartman
` (207 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jann Horn
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 12e712964f41d05ae034989892de445781c46730 upstream.
If we receive an initial fragment of size 8 bytes which specifies a wLength
of 1 byte (so the reassembled message is supposed to be 9 bytes long), and
we then receive a second fragment of size 9 bytes (which is not supposed to
happen), we currently wrongly bypass the fragment reassembly code but still
pass the pointer to the acm->notification_buffer to
acm_process_notification().
Make this less wrong by always going through fragment reassembly when we
expect more fragments.
Before this patch, receiving an overlong fragment could lead to `newctrl`
in acm_process_notification() being uninitialized data (instead of data
coming from the device).
Cc: stable <stable@kernel.org>
Fixes: ea2583529cd1 ("cdc-acm: reassemble fragmented notifications")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -405,7 +405,7 @@ static void acm_ctrl_irq(struct urb *urb
expected_size = sizeof(struct usb_cdc_notification) +
le16_to_cpu(dr->wLength);
- if (current_size < expected_size) {
+ if (acm->nb_index != 0 || current_size < expected_size) {
/* notification is transmitted fragmented, reassemble */
if (acm->nb_size < expected_size) {
u8 *new_buffer;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 259/462] USB: serial: option: add MeiG Smart SLM828
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 258/462] usb: cdc-acm: Fix handling of oversized fragments Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 260/462] USB: serial: option: add Telit Cinterion FN990B compositions Greg Kroah-Hartman
` (206 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chester A. Unal, Johan Hovold
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chester A. Unal <chester.a.unal@arinc9.com>
commit db79e75460fc59b19f9c89d4b068e61cee59f37d upstream.
MeiG Smart SLM828 is an LTE-A CAT6 modem with the mPCIe form factor. The
"Cls=ff(vend.) Sub=10 Prot=02" and "Cls=ff(vend.) Sub=10 Prot=03"
interfaces respond to AT commands. Add these interfaces.
The product ID the modem uses is shared across multiple modems. Therefore,
add comments to describe which interface is used for which modem.
T: Bus=01 Lev=01 Prnt=05 Port=01 Cnt=01 Dev#= 6 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=2dee ProdID=4d22 Rev=05.04
S: Manufacturer=MEIG
S: Product=LTE-A Module
S: SerialNumber=4da7ec42
C: #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=10 Prot=01 Driver=(none)
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=10 Prot=02 Driver=(none)
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=10 Prot=03 Driver=(none)
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=10 Prot=04 Driver=(none)
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=10 Prot=05 Driver=qmi_wwan
E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
Link: https://lore.kernel.org/20250124-for-johan-meig-slm828-v2-1-6b4cd3f6344f@arinc9.com
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -621,7 +621,10 @@ static void option_instat_callback(struc
/* MeiG Smart Technology products */
#define MEIGSMART_VENDOR_ID 0x2dee
-/* MeiG Smart SRM815/SRM825L based on Qualcomm 315 */
+/*
+ * MeiG Smart SLM828, SRM815, and SRM825L use the same product ID. SLM828 is
+ * based on Qualcomm SDX12. SRM815 and SRM825L are based on Qualcomm 315.
+ */
#define MEIGSMART_PRODUCT_SRM825L 0x4d22
/* MeiG Smart SLM320 based on UNISOC UIS8910 */
#define MEIGSMART_PRODUCT_SLM320 0x4d41
@@ -2405,10 +2408,12 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, LUAT_PRODUCT_AIR720U, 0xff, 0, 0) },
{ USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SLM320, 0xff, 0, 0) },
{ USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SLM770A, 0xff, 0, 0) },
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0, 0) },
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x30) },
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x40) },
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x60) },
+ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0, 0) }, /* MeiG Smart SRM815 */
+ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0x10, 0x02) }, /* MeiG Smart SLM828 */
+ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0x10, 0x03) }, /* MeiG Smart SLM828 */
+ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM815 and SRM825L */
+ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825L */
+ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825L */
{ USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0530, 0xff), /* TCL IK512 MBIM */
.driver_info = NCTRL(1) },
{ USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0640, 0xff), /* TCL IK512 ECM */
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 260/462] USB: serial: option: add Telit Cinterion FN990B compositions
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 259/462] USB: serial: option: add MeiG Smart SLM828 Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 261/462] USB: serial: option: fix Telit Cinterion FN990A name Greg Kroah-Hartman
` (205 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Daniele Palmas,
Johan Hovold
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit c979fb5ece2dc11cc9cc3d5c66f750e210bfdee2 upstream.
Add the following Telit Cinterion FN990B40 compositions:
0x10d0: rmnet + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 17 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10d0 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FN990
S: SerialNumber=43b38f19
C: #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10d1: MBIM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10d1 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FN990
S: SerialNumber=43b38f19
C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10d2: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 18 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10d2 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FN990
S: SerialNumber=43b38f19
C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10d3: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 20 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10d3 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FN990
S: SerialNumber=43b38f19
C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Reviewed-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1406,6 +1406,22 @@ static const struct usb_device_id option
.driver_info = RSVD(0) | NCTRL(3) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff), /* Telit FE910C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) },
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d0, 0x60) }, /* Telit FN990B (rmnet) */
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d0, 0x40) },
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d0, 0x30),
+ .driver_info = NCTRL(5) },
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d1, 0x60) }, /* Telit FN990B (MBIM) */
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d1, 0x40) },
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d1, 0x30),
+ .driver_info = NCTRL(6) },
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d2, 0x60) }, /* Telit FN990B (RNDIS) */
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d2, 0x40) },
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d2, 0x30),
+ .driver_info = NCTRL(6) },
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d3, 0x60) }, /* Telit FN990B (ECM) */
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d3, 0x40) },
+ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d3, 0x30),
+ .driver_info = NCTRL(6) },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
.driver_info = NCTRL(0) | RSVD(1) | RSVD(3) },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 261/462] USB: serial: option: fix Telit Cinterion FN990A name
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 260/462] USB: serial: option: add Telit Cinterion FN990B compositions Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 262/462] USB: serial: option: drop MeiG Smart defines Greg Kroah-Hartman
` (204 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit 12606fe73f33647c5e79bf666833bf0b225e649d upstream.
The correct name for FN990 is FN990A so use it in order to avoid
confusion with FN990B.
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1370,15 +1370,15 @@ static const struct usb_device_id option
.driver_info = NCTRL(2) | RSVD(3) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1063, 0xff), /* Telit LN920 (ECM) */
.driver_info = NCTRL(0) | RSVD(1) },
- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1070, 0xff), /* Telit FN990 (rmnet) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1070, 0xff), /* Telit FN990A (rmnet) */
.driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1071, 0xff), /* Telit FN990 (MBIM) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1071, 0xff), /* Telit FN990A (MBIM) */
.driver_info = NCTRL(0) | RSVD(1) },
- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1072, 0xff), /* Telit FN990 (RNDIS) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1072, 0xff), /* Telit FN990A (RNDIS) */
.driver_info = NCTRL(2) | RSVD(3) },
- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1073, 0xff), /* Telit FN990 (ECM) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1073, 0xff), /* Telit FN990A (ECM) */
.driver_info = NCTRL(0) | RSVD(1) },
- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1075, 0xff), /* Telit FN990 (PCIe) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1075, 0xff), /* Telit FN990A (PCIe) */
.driver_info = RSVD(0) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1080, 0xff), /* Telit FE990 (rmnet) */
.driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 262/462] USB: serial: option: drop MeiG Smart defines
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 261/462] USB: serial: option: fix Telit Cinterion FN990A name Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 263/462] can: c_can: fix unbalanced runtime PM disable in error path Greg Kroah-Hartman
` (203 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chester A. Unal, Johan Hovold
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 6aa8a63c471eb6756aabd03f880feffe6a7af6c9 upstream.
Several MeiG Smart modems apparently use the same product id, making the
defines even less useful.
Drop them in favour of using comments consistently to make the id table
slightly less unwieldy.
Cc: stable@vger.kernel.org
Acked-by: Chester A. Unal <chester.a.unal@arinc9.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 28 ++++++++--------------------
1 file changed, 8 insertions(+), 20 deletions(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -619,18 +619,6 @@ static void option_instat_callback(struc
/* Luat Air72*U series based on UNISOC UIS8910 uses UNISOC's vendor ID */
#define LUAT_PRODUCT_AIR720U 0x4e00
-/* MeiG Smart Technology products */
-#define MEIGSMART_VENDOR_ID 0x2dee
-/*
- * MeiG Smart SLM828, SRM815, and SRM825L use the same product ID. SLM828 is
- * based on Qualcomm SDX12. SRM815 and SRM825L are based on Qualcomm 315.
- */
-#define MEIGSMART_PRODUCT_SRM825L 0x4d22
-/* MeiG Smart SLM320 based on UNISOC UIS8910 */
-#define MEIGSMART_PRODUCT_SLM320 0x4d41
-/* MeiG Smart SLM770A based on ASR1803 */
-#define MEIGSMART_PRODUCT_SLM770A 0x4d57
-
/* Device flags */
/* Highest interface number which can be used with NCTRL() and RSVD() */
@@ -2366,6 +2354,14 @@ static const struct usb_device_id option
{ USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0a05, 0xff) }, /* Fibocom FM650-CN (NCM mode) */
{ USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0a06, 0xff) }, /* Fibocom FM650-CN (RNDIS mode) */
{ USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0a07, 0xff) }, /* Fibocom FM650-CN (MBIM mode) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d41, 0xff, 0, 0) }, /* MeiG Smart SLM320 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d57, 0xff, 0, 0) }, /* MeiG Smart SLM770A */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0, 0) }, /* MeiG Smart SRM815 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0x10, 0x02) }, /* MeiG Smart SLM828 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0x10, 0x03) }, /* MeiG Smart SLM828 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM815 and SRM825L */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825L */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825L */
{ USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) }, /* LongSung M5710 */
{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) }, /* GosunCn GM500 RNDIS */
{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */
@@ -2422,14 +2418,6 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0, 0) },
{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, TOZED_PRODUCT_LT70C, 0xff, 0, 0) },
{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, LUAT_PRODUCT_AIR720U, 0xff, 0, 0) },
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SLM320, 0xff, 0, 0) },
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SLM770A, 0xff, 0, 0) },
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0, 0) }, /* MeiG Smart SRM815 */
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0x10, 0x02) }, /* MeiG Smart SLM828 */
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0x10, 0x03) }, /* MeiG Smart SLM828 */
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM815 and SRM825L */
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825L */
- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825L */
{ USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0530, 0xff), /* TCL IK512 MBIM */
.driver_info = NCTRL(1) },
{ USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0640, 0xff), /* TCL IK512 ECM */
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 263/462] can: c_can: fix unbalanced runtime PM disable in error path
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 262/462] USB: serial: option: drop MeiG Smart defines Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 264/462] can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero Greg Kroah-Hartman
` (202 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Vincent Mailhol,
Marc Kleine-Budde
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 257a2cd3eb578ee63d6bf90475dc4f4b16984139 upstream.
Runtime PM is enabled as one of the last steps of probe(), so all
earlier gotos to "exit_free_device" label were not correct and were
leading to unbalanced runtime PM disable depth.
Fixes: 6e2fe01dd6f9 ("can: c_can: move runtime PM enable/disable to c_can_platform")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Link: https://patch.msgid.link/20250112-syscon-phandle-args-can-v1-1-314d9549906f@linaro.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/c_can/c_can_platform.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/net/can/c_can/c_can_platform.c
+++ b/drivers/net/can/c_can/c_can_platform.c
@@ -392,15 +392,16 @@ static int c_can_plat_probe(struct platf
if (ret) {
dev_err(&pdev->dev, "registering %s failed (err=%d)\n",
KBUILD_MODNAME, ret);
- goto exit_free_device;
+ goto exit_pm_runtime;
}
dev_info(&pdev->dev, "%s device registered (regs=%p, irq=%d)\n",
KBUILD_MODNAME, priv->base, dev->irq);
return 0;
-exit_free_device:
+exit_pm_runtime:
pm_runtime_disable(priv->device);
+exit_free_device:
free_c_can_dev(dev);
exit:
dev_err(&pdev->dev, "probe failed\n");
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 264/462] can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 263/462] can: c_can: fix unbalanced runtime PM disable in error path Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 265/462] alpha: make stack 16-byte aligned (most cases) Greg Kroah-Hartman
` (201 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Hölzl, Oleksij Rempel,
Marc Kleine-Budde
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Hölzl <alexander.hoelzl@gmx.net>
commit 44de577e61ed239db09f0da9d436866bef9b77dd upstream.
The J1939 standard requires the transmission of messages of length 0.
For example proprietary messages are specified with a data length of 0
to 1785. The transmission of such messages is not possible. Sending
results in no error being returned but no corresponding can frame
being generated.
Enable the transmission of zero length J1939 messages. In order to
facilitate this two changes are necessary:
1) If the transmission of a new message is requested from user space
the message is segmented in j1939_sk_send_loop(). Let the segmentation
take into account zero length messages, do not terminate immediately,
queue the corresponding skb.
2) j1939_session_skb_get_by_offset() selects the next skb to transmit
for a session. Take into account that there might be zero length skbs
in the queue.
Signed-off-by: Alexander Hölzl <alexander.hoelzl@gmx.net>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20250205174651.103238-1-alexander.hoelzl@gmx.net
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Cc: stable@vger.kernel.org
[mkl: commit message rephrased]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/socket.c | 4 ++--
net/can/j1939/transport.c | 5 +++--
2 files changed, 5 insertions(+), 4 deletions(-)
--- a/net/can/j1939/socket.c
+++ b/net/can/j1939/socket.c
@@ -1055,7 +1055,7 @@ static int j1939_sk_send_loop(struct j19
todo_size = size;
- while (todo_size) {
+ do {
struct j1939_sk_buff_cb *skcb;
segment_size = min_t(size_t, J1939_MAX_TP_PACKET_SIZE,
@@ -1100,7 +1100,7 @@ static int j1939_sk_send_loop(struct j19
todo_size -= segment_size;
session->total_queued_size += segment_size;
- }
+ } while (todo_size);
switch (ret) {
case 0: /* OK */
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -378,8 +378,9 @@ sk_buff *j1939_session_skb_get_by_offset
skb_queue_walk(&session->skb_queue, do_skb) {
do_skcb = j1939_skb_to_cb(do_skb);
- if (offset_start >= do_skcb->offset &&
- offset_start < (do_skcb->offset + do_skb->len)) {
+ if ((offset_start >= do_skcb->offset &&
+ offset_start < (do_skcb->offset + do_skb->len)) ||
+ (offset_start == 0 && do_skcb->offset == 0 && do_skb->len == 0)) {
skb = do_skb;
}
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 265/462] alpha: make stack 16-byte aligned (most cases)
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 264/462] can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 266/462] efi: Avoid cold plugged memory for placing the kernel Greg Kroah-Hartman
` (200 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki, Magnus Lindholm,
Matt Turner, Ivan Kokshaysky
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Kokshaysky <ink@unseen.parts>
commit 0a0f7362b0367634a2d5cb7c96226afc116f19c9 upstream.
The problem is that GCC expects 16-byte alignment of the incoming stack
since early 2004, as Maciej found out [1]:
Having actually dug speculatively I can see that the psABI was changed in
GCC 3.5 with commit e5e10fb4a350 ("re PR target/14539 (128-bit long double
improperly aligned)") back in Mar 2004, when the stack pointer alignment
was increased from 8 bytes to 16 bytes, and arch/alpha/kernel/entry.S has
various suspicious stack pointer adjustments, starting with SP_OFF which
is not a whole multiple of 16.
Also, as Magnus noted, "ALPHA Calling Standard" [2] required the same:
D.3.1 Stack Alignment
This standard requires that stacks be octaword aligned at the time a
new procedure is invoked.
However:
- the "normal" kernel stack is always misaligned by 8 bytes, thanks to
the odd number of 64-bit words in 'struct pt_regs', which is the very
first thing pushed onto the kernel thread stack;
- syscall, fault, interrupt etc. handlers may, or may not, receive aligned
stack depending on numerous factors.
Somehow we got away with it until recently, when we ended up with
a stack corruption in kernel/smp.c:smp_call_function_single() due to
its use of 32-byte aligned local data and the compiler doing clever
things allocating it on the stack.
This adds padding between the PAL-saved and kernel-saved registers
so that 'struct pt_regs' have an even number of 64-bit words.
This makes the stack properly aligned for most of the kernel
code, except two handlers which need special threatment.
Note: struct pt_regs doesn't belong in uapi/asm; this should be fixed,
but let's put this off until later.
Link: https://lore.kernel.org/rcu/alpine.DEB.2.21.2501130248010.18889@angie.orcam.me.uk/ [1]
Link: https://bitsavers.org/pdf/dec/alpha/Alpha_Calling_Standard_Rev_2.0_19900427.pdf [2]
Cc: stable@vger.kernel.org
Tested-by: Maciej W. Rozycki <macro@orcam.me.uk>
Tested-by: Magnus Lindholm <linmag7@gmail.com>
Tested-by: Matt Turner <mattst88@gmail.com>
Reviewed-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Ivan Kokshaysky <ink@unseen.parts>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/alpha/include/uapi/asm/ptrace.h | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/alpha/include/uapi/asm/ptrace.h
+++ b/arch/alpha/include/uapi/asm/ptrace.h
@@ -42,6 +42,8 @@ struct pt_regs {
unsigned long trap_a0;
unsigned long trap_a1;
unsigned long trap_a2;
+/* This makes the stack 16-byte aligned as GCC expects */
+ unsigned long __pad0;
/* These are saved by PAL-code: */
unsigned long ps;
unsigned long pc;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 266/462] efi: Avoid cold plugged memory for placing the kernel
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 265/462] alpha: make stack 16-byte aligned (most cases) Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 267/462] serial: 8250: Fix fifo underflow on flush Greg Kroah-Hartman
` (199 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
commit ba69e0750b0362870294adab09339a0c39c3beaf upstream.
UEFI 2.11 introduced EFI_MEMORY_HOT_PLUGGABLE to annotate system memory
regions that are 'cold plugged' at boot, i.e., hot pluggable memory that
is available from early boot, and described as system RAM by the
firmware.
Existing loaders and EFI applications running in the boot context will
happily use this memory for allocating data structures that cannot be
freed or moved at runtime, and this prevents the memory from being
unplugged. Going forward, the new EFI_MEMORY_HOT_PLUGGABLE attribute
should be tested, and memory annotated as such should be avoided for
such allocations.
In the EFI stub, there are a couple of occurrences where, instead of the
high-level AllocatePages() UEFI boot service, a low-level code sequence
is used that traverses the EFI memory map and carves out the requested
number of pages from a free region. This is needed, e.g., for allocating
as low as possible, or for allocating pages at random.
While AllocatePages() should presumably avoid special purpose memory and
cold plugged regions, this manual approach needs to incorporate this
logic itself, in order to prevent the kernel itself from ending up in a
hot unpluggable region, preventing it from being unplugged.
So add the EFI_MEMORY_HOTPLUGGABLE macro definition, and check for it
where appropriate.
Cc: stable@vger.kernel.org
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/efi.c | 6 ++++--
drivers/firmware/efi/libstub/randomalloc.c | 3 +++
drivers/firmware/efi/libstub/relocate.c | 3 +++
include/linux/efi.h | 1 +
4 files changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -774,13 +774,15 @@ char * __init efi_md_typeattr_format(cha
EFI_MEMORY_WB | EFI_MEMORY_UCE | EFI_MEMORY_RO |
EFI_MEMORY_WP | EFI_MEMORY_RP | EFI_MEMORY_XP |
EFI_MEMORY_NV | EFI_MEMORY_SP | EFI_MEMORY_CPU_CRYPTO |
- EFI_MEMORY_RUNTIME | EFI_MEMORY_MORE_RELIABLE))
+ EFI_MEMORY_MORE_RELIABLE | EFI_MEMORY_HOT_PLUGGABLE |
+ EFI_MEMORY_RUNTIME))
snprintf(pos, size, "|attr=0x%016llx]",
(unsigned long long)attr);
else
snprintf(pos, size,
- "|%3s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%3s|%2s|%2s|%2s|%2s]",
+ "|%3s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%3s|%2s|%2s|%2s|%2s]",
attr & EFI_MEMORY_RUNTIME ? "RUN" : "",
+ attr & EFI_MEMORY_HOT_PLUGGABLE ? "HP" : "",
attr & EFI_MEMORY_MORE_RELIABLE ? "MR" : "",
attr & EFI_MEMORY_CPU_CRYPTO ? "CC" : "",
attr & EFI_MEMORY_SP ? "SP" : "",
--- a/drivers/firmware/efi/libstub/randomalloc.c
+++ b/drivers/firmware/efi/libstub/randomalloc.c
@@ -24,6 +24,9 @@ static unsigned long get_entry_num_slots
if (md->type != EFI_CONVENTIONAL_MEMORY)
return 0;
+ if (md->attribute & EFI_MEMORY_HOT_PLUGGABLE)
+ return 0;
+
if (efi_soft_reserve_enabled() &&
(md->attribute & EFI_MEMORY_SP))
return 0;
--- a/drivers/firmware/efi/libstub/relocate.c
+++ b/drivers/firmware/efi/libstub/relocate.c
@@ -62,6 +62,9 @@ efi_status_t efi_low_alloc_above(unsigne
if (desc->type != EFI_CONVENTIONAL_MEMORY)
continue;
+ if (desc->attribute & EFI_MEMORY_HOT_PLUGGABLE)
+ continue;
+
if (efi_soft_reserve_enabled() &&
(desc->attribute & EFI_MEMORY_SP))
continue;
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -125,6 +125,7 @@ typedef struct {
#define EFI_MEMORY_RO ((u64)0x0000000000020000ULL) /* read-only */
#define EFI_MEMORY_SP ((u64)0x0000000000040000ULL) /* soft reserved */
#define EFI_MEMORY_CPU_CRYPTO ((u64)0x0000000000080000ULL) /* supports encryption */
+#define EFI_MEMORY_HOT_PLUGGABLE BIT_ULL(20) /* supports unplugging at runtime */
#define EFI_MEMORY_RUNTIME ((u64)0x8000000000000000ULL) /* range requires runtime mapping */
#define EFI_MEMORY_DESCRIPTOR_VERSION 1
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 267/462] serial: 8250: Fix fifo underflow on flush
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 266/462] efi: Avoid cold plugged memory for placing the kernel Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 268/462] alpha: align stack for page fault and user unaligned trap handlers Greg Kroah-Hartman
` (198 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, John Keeping
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Keeping <jkeeping@inmusicbrands.com>
commit 9e512eaaf8f4008c44ede3dfc0fbc9d9c5118583 upstream.
When flushing the serial port's buffer, uart_flush_buffer() calls
kfifo_reset() but if there is an outstanding DMA transfer then the
completion function will consume data from the kfifo via
uart_xmit_advance(), underflowing and leading to ongoing DMA as the
driver tries to transmit another 2^32 bytes.
This is readily reproduced with serial-generic and amidi sending even
short messages as closing the device on exit will wait for the fifo to
drain and in the underflow case amidi hangs for 30 seconds on exit in
tty_wait_until_sent(). A trace of that gives:
kworker/1:1-84 [001] 51.769423: bprint: serial8250_tx_dma: tx_size=3 fifo_len=3
amidi-763 [001] 51.769460: bprint: uart_flush_buffer: resetting fifo
irq/21-fe530000-76 [000] 51.769474: bprint: __dma_tx_complete: tx_size=3
irq/21-fe530000-76 [000] 51.769479: bprint: serial8250_tx_dma: tx_size=4096 fifo_len=4294967293
irq/21-fe530000-76 [000] 51.781295: bprint: __dma_tx_complete: tx_size=4096
irq/21-fe530000-76 [000] 51.781301: bprint: serial8250_tx_dma: tx_size=4096 fifo_len=4294963197
irq/21-fe530000-76 [000] 51.793131: bprint: __dma_tx_complete: tx_size=4096
irq/21-fe530000-76 [000] 51.793135: bprint: serial8250_tx_dma: tx_size=4096 fifo_len=4294959101
irq/21-fe530000-76 [000] 51.804949: bprint: __dma_tx_complete: tx_size=4096
Since the port lock is held in when the kfifo is reset in
uart_flush_buffer() and in __dma_tx_complete(), adding a flush_buffer
hook to adjust the outstanding DMA byte count is sufficient to avoid the
kfifo underflow.
Fixes: 9ee4b83e51f74 ("serial: 8250: Add support for dmaengine")
Cc: stable <stable@kernel.org>
Signed-off-by: John Keeping <jkeeping@inmusicbrands.com>
Link: https://lore.kernel.org/r/20250208124148.1189191-1-jkeeping@inmusicbrands.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250.h | 2 ++
drivers/tty/serial/8250/8250_dma.c | 16 ++++++++++++++++
drivers/tty/serial/8250/8250_port.c | 9 +++++++++
3 files changed, 27 insertions(+)
--- a/drivers/tty/serial/8250/8250.h
+++ b/drivers/tty/serial/8250/8250.h
@@ -325,6 +325,7 @@ static inline int is_omap1510_8250(struc
#ifdef CONFIG_SERIAL_8250_DMA
extern int serial8250_tx_dma(struct uart_8250_port *);
+extern void serial8250_tx_dma_flush(struct uart_8250_port *);
extern int serial8250_rx_dma(struct uart_8250_port *);
extern void serial8250_rx_dma_flush(struct uart_8250_port *);
extern int serial8250_request_dma(struct uart_8250_port *);
@@ -341,6 +342,7 @@ static inline int serial8250_tx_dma(stru
{
return -1;
}
+static inline void serial8250_tx_dma_flush(struct uart_8250_port *p) { }
static inline int serial8250_rx_dma(struct uart_8250_port *p)
{
return -1;
--- a/drivers/tty/serial/8250/8250_dma.c
+++ b/drivers/tty/serial/8250/8250_dma.c
@@ -135,6 +135,22 @@ err:
return ret;
}
+void serial8250_tx_dma_flush(struct uart_8250_port *p)
+{
+ struct uart_8250_dma *dma = p->dma;
+
+ if (!dma->tx_running)
+ return;
+
+ /*
+ * kfifo_reset() has been called by the serial core, avoid
+ * advancing and underflowing in __dma_tx_complete().
+ */
+ dma->tx_size = 0;
+
+ dmaengine_terminate_async(dma->rxchan);
+}
+
int serial8250_rx_dma(struct uart_8250_port *p)
{
struct uart_8250_dma *dma = p->dma;
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -2509,6 +2509,14 @@ static unsigned int npcm_get_divisor(str
return DIV_ROUND_CLOSEST(port->uartclk, 16 * baud + 2) - 2;
}
+static void serial8250_flush_buffer(struct uart_port *port)
+{
+ struct uart_8250_port *up = up_to_u8250p(port);
+
+ if (up->dma)
+ serial8250_tx_dma_flush(up);
+}
+
static unsigned int serial8250_do_get_divisor(struct uart_port *port,
unsigned int baud,
unsigned int *frac)
@@ -3209,6 +3217,7 @@ static const struct uart_ops serial8250_
.break_ctl = serial8250_break_ctl,
.startup = serial8250_startup,
.shutdown = serial8250_shutdown,
+ .flush_buffer = serial8250_flush_buffer,
.set_termios = serial8250_set_termios,
.set_ldisc = serial8250_set_ldisc,
.pm = serial8250_pm,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 268/462] alpha: align stack for page fault and user unaligned trap handlers
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 267/462] serial: 8250: Fix fifo underflow on flush Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 269/462] gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock Greg Kroah-Hartman
` (197 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki, Magnus Lindholm,
Matt Turner, Ivan Kokshaysky
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Kokshaysky <ink@unseen.parts>
commit 3b35a171060f846b08b48646b38c30b5d57d17ff upstream.
do_page_fault() and do_entUna() are special because they use
non-standard stack frame layout. Fix them manually.
Cc: stable@vger.kernel.org
Tested-by: Maciej W. Rozycki <macro@orcam.me.uk>
Tested-by: Magnus Lindholm <linmag7@gmail.com>
Tested-by: Matt Turner <mattst88@gmail.com>
Reviewed-by: Maciej W. Rozycki <macro@orcam.me.uk>
Suggested-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Ivan Kokshaysky <ink@unseen.parts>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/alpha/kernel/entry.S | 20 ++++++++++----------
arch/alpha/kernel/traps.c | 2 +-
arch/alpha/mm/fault.c | 4 ++--
3 files changed, 13 insertions(+), 13 deletions(-)
--- a/arch/alpha/kernel/entry.S
+++ b/arch/alpha/kernel/entry.S
@@ -199,8 +199,8 @@ CFI_END_OSF_FRAME entArith
CFI_START_OSF_FRAME entMM
SAVE_ALL
/* save $9 - $15 so the inline exception code can manipulate them. */
- subq $sp, 56, $sp
- .cfi_adjust_cfa_offset 56
+ subq $sp, 64, $sp
+ .cfi_adjust_cfa_offset 64
stq $9, 0($sp)
stq $10, 8($sp)
stq $11, 16($sp)
@@ -215,7 +215,7 @@ CFI_START_OSF_FRAME entMM
.cfi_rel_offset $13, 32
.cfi_rel_offset $14, 40
.cfi_rel_offset $15, 48
- addq $sp, 56, $19
+ addq $sp, 64, $19
/* handle the fault */
lda $8, 0x3fff
bic $sp, $8, $8
@@ -228,7 +228,7 @@ CFI_START_OSF_FRAME entMM
ldq $13, 32($sp)
ldq $14, 40($sp)
ldq $15, 48($sp)
- addq $sp, 56, $sp
+ addq $sp, 64, $sp
.cfi_restore $9
.cfi_restore $10
.cfi_restore $11
@@ -236,7 +236,7 @@ CFI_START_OSF_FRAME entMM
.cfi_restore $13
.cfi_restore $14
.cfi_restore $15
- .cfi_adjust_cfa_offset -56
+ .cfi_adjust_cfa_offset -64
/* finish up the syscall as normal. */
br ret_from_sys_call
CFI_END_OSF_FRAME entMM
@@ -383,8 +383,8 @@ entUnaUser:
.cfi_restore $0
.cfi_adjust_cfa_offset -256
SAVE_ALL /* setup normal kernel stack */
- lda $sp, -56($sp)
- .cfi_adjust_cfa_offset 56
+ lda $sp, -64($sp)
+ .cfi_adjust_cfa_offset 64
stq $9, 0($sp)
stq $10, 8($sp)
stq $11, 16($sp)
@@ -400,7 +400,7 @@ entUnaUser:
.cfi_rel_offset $14, 40
.cfi_rel_offset $15, 48
lda $8, 0x3fff
- addq $sp, 56, $19
+ addq $sp, 64, $19
bic $sp, $8, $8
jsr $26, do_entUnaUser
ldq $9, 0($sp)
@@ -410,7 +410,7 @@ entUnaUser:
ldq $13, 32($sp)
ldq $14, 40($sp)
ldq $15, 48($sp)
- lda $sp, 56($sp)
+ lda $sp, 64($sp)
.cfi_restore $9
.cfi_restore $10
.cfi_restore $11
@@ -418,7 +418,7 @@ entUnaUser:
.cfi_restore $13
.cfi_restore $14
.cfi_restore $15
- .cfi_adjust_cfa_offset -56
+ .cfi_adjust_cfa_offset -64
br ret_from_sys_call
CFI_END_OSF_FRAME entUna
--- a/arch/alpha/kernel/traps.c
+++ b/arch/alpha/kernel/traps.c
@@ -709,7 +709,7 @@ s_reg_to_mem (unsigned long s_reg)
static int unauser_reg_offsets[32] = {
R(r0), R(r1), R(r2), R(r3), R(r4), R(r5), R(r6), R(r7), R(r8),
/* r9 ... r15 are stored in front of regs. */
- -56, -48, -40, -32, -24, -16, -8,
+ -64, -56, -48, -40, -32, -24, -16, /* padding at -8 */
R(r16), R(r17), R(r18),
R(r19), R(r20), R(r21), R(r22), R(r23), R(r24), R(r25), R(r26),
R(r27), R(r28), R(gp),
--- a/arch/alpha/mm/fault.c
+++ b/arch/alpha/mm/fault.c
@@ -78,8 +78,8 @@ __load_new_mm_context(struct mm_struct *
/* Macro for exception fixup code to access integer registers. */
#define dpf_reg(r) \
- (((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \
- (r) <= 18 ? (r)+10 : (r)-10])
+ (((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-17 : \
+ (r) <= 18 ? (r)+11 : (r)-10])
asmlinkage void
do_page_fault(unsigned long address, unsigned long mmcsr,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 269/462] gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 268/462] alpha: align stack for page fault and user unaligned trap handlers Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 270/462] partitions: mac: fix handling of bogus partition table Greg Kroah-Hartman
` (196 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Bartosz Golaszewski
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit b9644fbfbcab13da7f8b37bef7c51e5b8407d031 upstream.
The stmpe_reg_read function can fail, but its return value is not checked
in stmpe_gpio_irq_sync_unlock. This can lead to silent failures and
incorrect behavior if the hardware access fails.
This patch adds checks for the return value of stmpe_reg_read. If the
function fails, an error message is logged and the function returns
early to avoid further issues.
Fixes: b888fb6f2a27 ("gpio: stmpe: i2c transfer are forbiden in atomic context")
Cc: stable@vger.kernel.org # 4.16+
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://lore.kernel.org/r/20250212021849.275-1-vulab@iscas.ac.cn
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-stmpe.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/drivers/gpio/gpio-stmpe.c
+++ b/drivers/gpio/gpio-stmpe.c
@@ -191,7 +191,7 @@ static void stmpe_gpio_irq_sync_unlock(s
[REG_IE][CSB] = STMPE_IDX_IEGPIOR_CSB,
[REG_IE][MSB] = STMPE_IDX_IEGPIOR_MSB,
};
- int i, j;
+ int ret, i, j;
/*
* STMPE1600: to be able to get IRQ from pins,
@@ -199,8 +199,16 @@ static void stmpe_gpio_irq_sync_unlock(s
* GPSR or GPCR registers
*/
if (stmpe->partnum == STMPE1600) {
- stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_LSB]);
- stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_CSB]);
+ ret = stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_LSB]);
+ if (ret < 0) {
+ dev_err(stmpe->dev, "Failed to read GPMR_LSB: %d\n", ret);
+ goto err;
+ }
+ ret = stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_CSB]);
+ if (ret < 0) {
+ dev_err(stmpe->dev, "Failed to read GPMR_CSB: %d\n", ret);
+ goto err;
+ }
}
for (i = 0; i < CACHE_NR_REGS; i++) {
@@ -222,6 +230,7 @@ static void stmpe_gpio_irq_sync_unlock(s
}
}
+err:
mutex_unlock(&stmpe_gpio->irq_lock);
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 270/462] partitions: mac: fix handling of bogus partition table
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 269/462] gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 271/462] regmap-irq: Add missing kfree() Greg Kroah-Hartman
` (195 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jann Horn, Jens Axboe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 80e648042e512d5a767da251d44132553fe04ae0 upstream.
Fix several issues in partition probing:
- The bailout for a bad partoffset must use put_dev_sector(), since the
preceding read_part_sector() succeeded.
- If the partition table claims a silly sector size like 0xfff bytes
(which results in partition table entries straddling sector boundaries),
bail out instead of accessing out-of-bounds memory.
- We must not assume that the partition table contains proper NUL
termination - use strnlen() and strncmp() instead of strlen() and
strcmp().
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/r/20250214-partition-mac-v1-1-c1c626dffbd5@google.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/partitions/mac.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
--- a/block/partitions/mac.c
+++ b/block/partitions/mac.c
@@ -51,13 +51,25 @@ int mac_partition(struct parsed_partitio
}
secsize = be16_to_cpu(md->block_size);
put_dev_sector(sect);
+
+ /*
+ * If the "block size" is not a power of 2, things get weird - we might
+ * end up with a partition straddling a sector boundary, so we wouldn't
+ * be able to read a partition entry with read_part_sector().
+ * Real block sizes are probably (?) powers of two, so just require
+ * that.
+ */
+ if (!is_power_of_2(secsize))
+ return -1;
datasize = round_down(secsize, 512);
data = read_part_sector(state, datasize / 512, §);
if (!data)
return -1;
partoffset = secsize % 512;
- if (partoffset + sizeof(*part) > datasize)
+ if (partoffset + sizeof(*part) > datasize) {
+ put_dev_sector(sect);
return -1;
+ }
part = (struct mac_partition *) (data + partoffset);
if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) {
put_dev_sector(sect);
@@ -110,8 +122,8 @@ int mac_partition(struct parsed_partitio
int i, l;
goodness++;
- l = strlen(part->name);
- if (strcmp(part->name, "/") == 0)
+ l = strnlen(part->name, sizeof(part->name));
+ if (strncmp(part->name, "/", sizeof(part->name)) == 0)
goodness++;
for (i = 0; i <= l - 4; ++i) {
if (strncasecmp(part->name + i, "root",
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 271/462] regmap-irq: Add missing kfree()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 270/462] partitions: mac: fix handling of bogus partition table Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 272/462] arm64: Handle .ARM.attributes section in linker scripts Greg Kroah-Hartman
` (194 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Mark Brown
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 32ffed055dcee17f6705f545b069e44a66067808 upstream.
Add kfree() for "d->main_status_buf" to the error-handling path to prevent
a memory leak.
Fixes: a2d21848d921 ("regmap: regmap-irq: Add main status register support")
Cc: stable@vger.kernel.org # v5.1+
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Link: https://patch.msgid.link/20250205004343.14413-1-jiashengjiangcool@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/regmap/regmap-irq.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/base/regmap/regmap-irq.c
+++ b/drivers/base/regmap/regmap-irq.c
@@ -834,6 +834,7 @@ err_alloc:
kfree(d->wake_buf);
kfree(d->mask_buf_def);
kfree(d->mask_buf);
+ kfree(d->main_status_buf);
kfree(d->status_buf);
kfree(d->status_reg_buf);
kfree(d);
@@ -904,6 +905,7 @@ void regmap_del_irq_chip(int irq, struct
kfree(d->wake_buf);
kfree(d->mask_buf_def);
kfree(d->mask_buf);
+ kfree(d->main_status_buf);
kfree(d->status_reg_buf);
kfree(d->status_buf);
kfree(d);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 272/462] arm64: Handle .ARM.attributes section in linker scripts
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 271/462] regmap-irq: Add missing kfree() Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:58 ` [PATCH 5.10 273/462] mlxsw: Add return value check for mlxsw_sp_port_get_stats_raw() Greg Kroah-Hartman
` (193 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Will Deacon
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit ca0f4fe7cf7183bfbdc67ca2de56ae1fc3a8db2b upstream.
A recent LLVM commit [1] started generating an .ARM.attributes section
similar to the one that exists for 32-bit, which results in orphan
section warnings (or errors if CONFIG_WERROR is enabled) from the linker
because it is not handled in the arm64 linker scripts.
ld.lld: error: arch/arm64/kernel/vdso/vgettimeofday.o:(.ARM.attributes) is being placed in '.ARM.attributes'
ld.lld: error: arch/arm64/kernel/vdso/vgetrandom.o:(.ARM.attributes) is being placed in '.ARM.attributes'
ld.lld: error: vmlinux.a(lib/vsprintf.o):(.ARM.attributes) is being placed in '.ARM.attributes'
ld.lld: error: vmlinux.a(lib/win_minmax.o):(.ARM.attributes) is being placed in '.ARM.attributes'
ld.lld: error: vmlinux.a(lib/xarray.o):(.ARM.attributes) is being placed in '.ARM.attributes'
Discard the new sections in the necessary linker scripts to resolve the
warnings, as the kernel and vDSO do not need to retain it, similar to
the .note.gnu.property section.
Cc: stable@vger.kernel.org
Fixes: b3e5d80d0c48 ("arm64/build: Warn on orphan section placement")
Link: https://github.com/llvm/llvm-project/commit/ee99c4d4845db66c4daa2373352133f4b237c942 [1]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20250206-arm64-handle-arm-attributes-in-linker-script-v3-1-d53d169913eb@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/vdso/vdso.lds.S | 1 +
arch/arm64/kernel/vmlinux.lds.S | 1 +
2 files changed, 2 insertions(+)
--- a/arch/arm64/kernel/vdso/vdso.lds.S
+++ b/arch/arm64/kernel/vdso/vdso.lds.S
@@ -37,6 +37,7 @@ SECTIONS
*/
/DISCARD/ : {
*(.note.GNU-stack .note.gnu.property)
+ *(.ARM.attributes)
}
.note : { *(.note.*) } :text :note
--- a/arch/arm64/kernel/vmlinux.lds.S
+++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -113,6 +113,7 @@ SECTIONS
/DISCARD/ : {
*(.interp .dynamic)
*(.dynsym .dynstr .hash .gnu.hash)
+ *(.ARM.attributes)
}
. = KIMAGE_VADDR;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 273/462] mlxsw: Add return value check for mlxsw_sp_port_get_stats_raw()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 272/462] arm64: Handle .ARM.attributes section in linker scripts Greg Kroah-Hartman
@ 2025-03-11 14:58 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 274/462] clocksource: Limit number of CPUs checked for clock synchronization Greg Kroah-Hartman
` (192 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Petr Machata,
Jakub Kicinski
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit fee5d688940690cc845937459e340e4e02598e90 upstream.
Add a check for the return value of mlxsw_sp_port_get_stats_raw()
in __mlxsw_sp_port_get_stats(). If mlxsw_sp_port_get_stats_raw()
returns an error, exit the function to prevent further processing
with potentially invalid data.
Fixes: 614d509aa1e7 ("mlxsw: Move ethtool_ops to spectrum_ethtool.c")
Cc: stable@vger.kernel.org # 5.9+
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/20250212152311.1332-1-vulab@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/mellanox/mlxsw/spectrum_ethtool.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_ethtool.c
@@ -761,7 +761,9 @@ static void __mlxsw_sp_port_get_stats(st
err = mlxsw_sp_get_hw_stats_by_group(&hw_stats, &len, grp);
if (err)
return;
- mlxsw_sp_port_get_stats_raw(dev, grp, prio, ppcnt_pl);
+ err = mlxsw_sp_port_get_stats_raw(dev, grp, prio, ppcnt_pl);
+ if (err)
+ return;
for (i = 0; i < len; i++) {
data[data_index + i] = hw_stats[i].getter(ppcnt_pl);
if (!hw_stats[i].cells_bytes)
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 274/462] clocksource: Limit number of CPUs checked for clock synchronization
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2025-03-11 14:58 ` [PATCH 5.10 273/462] mlxsw: Add return value check for mlxsw_sp_port_get_stats_raw() Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 275/462] clocksource: Replace deprecated CPU-hotplug functions Greg Kroah-Hartman
` (191 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul E. McKenney, Thomas Gleixner,
Feng Tang, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
[ Upstream commit fa218f1cce6ba40069c8daab8821de7e6be1cdd0 ]
Currently, if skew is detected on a clock marked CLOCK_SOURCE_VERIFY_PERCPU,
that clock is checked on all CPUs. This is thorough, but might not be
what you want on a system with a few tens of CPUs, let alone a few hundred
of them.
Therefore, by default check only up to eight randomly chosen CPUs. Also
provide a new clocksource.verify_n_cpus kernel boot parameter. A value of
-1 says to check all of the CPUs, and a non-negative value says to randomly
select that number of CPUs, without concern about selecting the same CPU
multiple times. However, make use of a cpumask so that a given CPU will be
checked at most once.
Suggested-by: Thomas Gleixner <tglx@linutronix.de> # For verify_n_cpus=1.
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Feng Tang <feng.tang@intel.com>
Link: https://lore.kernel.org/r/20210527190124.440372-3-paulmck@kernel.org
Stable-dep-of: 6bb05a33337b ("clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../admin-guide/kernel-parameters.txt | 10 +++
kernel/time/clocksource.c | 74 ++++++++++++++++++-
2 files changed, 82 insertions(+), 2 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 097ef49b3d3a0..88110e74b3f7a 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -583,6 +583,16 @@
unstable. Defaults to three retries, that is,
four attempts to read the clock under test.
+ clocksource.verify_n_cpus= [KNL]
+ Limit the number of CPUs checked for clocksources
+ marked with CLOCK_SOURCE_VERIFY_PERCPU that
+ are marked unstable due to excessive skew.
+ A negative value says to check all CPUs, while
+ zero says not to check any. Values larger than
+ nr_cpu_ids are silently truncated to nr_cpu_ids.
+ The actual CPUs are chosen randomly, with
+ no replacement if the same CPU is chosen twice.
+
clearcpuid=BITNUM[,BITNUM...] [X86]
Disable CPUID feature X for the kernel. See
arch/x86/include/asm/cpufeatures.h for the valid bit
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index 754e93edb2f79..00cf99cb74496 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -14,6 +14,8 @@
#include <linux/sched.h> /* for spin_unlock_irq() using preempt_count() m68k */
#include <linux/tick.h>
#include <linux/kthread.h>
+#include <linux/prandom.h>
+#include <linux/cpu.h>
#include "tick-internal.h"
#include "timekeeping_internal.h"
@@ -201,6 +203,8 @@ void clocksource_mark_unstable(struct clocksource *cs)
static ulong max_cswd_read_retries = 3;
module_param(max_cswd_read_retries, ulong, 0644);
+static int verify_n_cpus = 8;
+module_param(verify_n_cpus, int, 0644);
enum wd_read_status {
WD_READ_SUCCESS,
@@ -263,6 +267,55 @@ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow,
static u64 csnow_mid;
static cpumask_t cpus_ahead;
static cpumask_t cpus_behind;
+static cpumask_t cpus_chosen;
+
+static void clocksource_verify_choose_cpus(void)
+{
+ int cpu, i, n = verify_n_cpus;
+
+ if (n < 0) {
+ /* Check all of the CPUs. */
+ cpumask_copy(&cpus_chosen, cpu_online_mask);
+ cpumask_clear_cpu(smp_processor_id(), &cpus_chosen);
+ return;
+ }
+
+ /* If no checking desired, or no other CPU to check, leave. */
+ cpumask_clear(&cpus_chosen);
+ if (n == 0 || num_online_cpus() <= 1)
+ return;
+
+ /* Make sure to select at least one CPU other than the current CPU. */
+ cpu = cpumask_next(-1, cpu_online_mask);
+ if (cpu == smp_processor_id())
+ cpu = cpumask_next(cpu, cpu_online_mask);
+ if (WARN_ON_ONCE(cpu >= nr_cpu_ids))
+ return;
+ cpumask_set_cpu(cpu, &cpus_chosen);
+
+ /* Force a sane value for the boot parameter. */
+ if (n > nr_cpu_ids)
+ n = nr_cpu_ids;
+
+ /*
+ * Randomly select the specified number of CPUs. If the same
+ * CPU is selected multiple times, that CPU is checked only once,
+ * and no replacement CPU is selected. This gracefully handles
+ * situations where verify_n_cpus is greater than the number of
+ * CPUs that are currently online.
+ */
+ for (i = 1; i < n; i++) {
+ cpu = prandom_u32() % nr_cpu_ids;
+ cpu = cpumask_next(cpu - 1, cpu_online_mask);
+ if (cpu >= nr_cpu_ids)
+ cpu = cpumask_next(-1, cpu_online_mask);
+ if (!WARN_ON_ONCE(cpu >= nr_cpu_ids))
+ cpumask_set_cpu(cpu, &cpus_chosen);
+ }
+
+ /* Don't verify ourselves. */
+ cpumask_clear_cpu(smp_processor_id(), &cpus_chosen);
+}
static void clocksource_verify_one_cpu(void *csin)
{
@@ -278,12 +331,22 @@ static void clocksource_verify_percpu(struct clocksource *cs)
int cpu, testcpu;
s64 delta;
+ if (verify_n_cpus == 0)
+ return;
cpumask_clear(&cpus_ahead);
cpumask_clear(&cpus_behind);
+ get_online_cpus();
preempt_disable();
+ clocksource_verify_choose_cpus();
+ if (cpumask_weight(&cpus_chosen) == 0) {
+ preempt_enable();
+ put_online_cpus();
+ pr_warn("Not enough CPUs to check clocksource '%s'.\n", cs->name);
+ return;
+ }
testcpu = smp_processor_id();
- pr_warn("Checking clocksource %s synchronization from CPU %d.\n", cs->name, testcpu);
- for_each_online_cpu(cpu) {
+ pr_warn("Checking clocksource %s synchronization from CPU %d to CPUs %*pbl.\n", cs->name, testcpu, cpumask_pr_args(&cpus_chosen));
+ for_each_cpu(cpu, &cpus_chosen) {
if (cpu == testcpu)
continue;
csnow_begin = cs->read(cs);
@@ -303,6 +366,7 @@ static void clocksource_verify_percpu(struct clocksource *cs)
cs_nsec_min = cs_nsec;
}
preempt_enable();
+ put_online_cpus();
if (!cpumask_empty(&cpus_ahead))
pr_warn(" CPUs %*pbl ahead of CPU %d for clocksource %s.\n",
cpumask_pr_args(&cpus_ahead), testcpu, cs->name);
@@ -427,6 +491,12 @@ static void clocksource_watchdog(struct timer_list *unused)
watchdog->name, wdnow, wdlast, watchdog->mask);
pr_warn(" '%s' cs_now: %llx cs_last: %llx mask: %llx\n",
cs->name, csnow, cslast, cs->mask);
+ if (curr_clocksource == cs)
+ pr_warn(" '%s' is current clocksource.\n", cs->name);
+ else if (curr_clocksource)
+ pr_warn(" '%s' (not '%s') is current clocksource.\n", curr_clocksource->name, cs->name);
+ else
+ pr_warn(" No current clocksource.\n");
__clocksource_unstable(cs);
continue;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 275/462] clocksource: Replace deprecated CPU-hotplug functions.
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 274/462] clocksource: Limit number of CPUs checked for clock synchronization Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 276/462] clocksource: Replace cpumask_weight() with cpumask_empty() Greg Kroah-Hartman
` (190 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Thomas Gleixner, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit 698429f9d0e54ce3964151adff886ee5fc59714b ]
The functions get_online_cpus() and put_online_cpus() have been
deprecated during the CPU hotplug rework. They map directly to
cpus_read_lock() and cpus_read_unlock().
Replace deprecated CPU-hotplug functions with the official version.
The behavior remains unchanged.
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20210803141621.780504-35-bigeasy@linutronix.de
Stable-dep-of: 6bb05a33337b ("clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/clocksource.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index 00cf99cb74496..e44fb1e12a281 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -335,12 +335,12 @@ static void clocksource_verify_percpu(struct clocksource *cs)
return;
cpumask_clear(&cpus_ahead);
cpumask_clear(&cpus_behind);
- get_online_cpus();
+ cpus_read_lock();
preempt_disable();
clocksource_verify_choose_cpus();
if (cpumask_weight(&cpus_chosen) == 0) {
preempt_enable();
- put_online_cpus();
+ cpus_read_unlock();
pr_warn("Not enough CPUs to check clocksource '%s'.\n", cs->name);
return;
}
@@ -366,7 +366,7 @@ static void clocksource_verify_percpu(struct clocksource *cs)
cs_nsec_min = cs_nsec;
}
preempt_enable();
- put_online_cpus();
+ cpus_read_unlock();
if (!cpumask_empty(&cpus_ahead))
pr_warn(" CPUs %*pbl ahead of CPU %d for clocksource %s.\n",
cpumask_pr_args(&cpus_ahead), testcpu, cs->name);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 276/462] clocksource: Replace cpumask_weight() with cpumask_empty()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 275/462] clocksource: Replace deprecated CPU-hotplug functions Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 277/462] clocksource: Use pr_info() for "Checking clocksource synchronization" message Greg Kroah-Hartman
` (189 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yury Norov, Thomas Gleixner,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yury Norov <yury.norov@gmail.com>
[ Upstream commit 8afbcaf8690dac19ebf570a4e4fef9c59c75bf8e ]
clocksource_verify_percpu() calls cpumask_weight() to check if any bit of a
given cpumask is set.
This can be done more efficiently with cpumask_empty() because
cpumask_empty() stops traversing the cpumask as soon as it finds first set
bit, while cpumask_weight() counts all bits unconditionally.
Signed-off-by: Yury Norov <yury.norov@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20220210224933.379149-24-yury.norov@gmail.com
Stable-dep-of: 6bb05a33337b ("clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/clocksource.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index e44fb1e12a281..658b90755dd72 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -338,7 +338,7 @@ static void clocksource_verify_percpu(struct clocksource *cs)
cpus_read_lock();
preempt_disable();
clocksource_verify_choose_cpus();
- if (cpumask_weight(&cpus_chosen) == 0) {
+ if (cpumask_empty(&cpus_chosen)) {
preempt_enable();
cpus_read_unlock();
pr_warn("Not enough CPUs to check clocksource '%s'.\n", cs->name);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 277/462] clocksource: Use pr_info() for "Checking clocksource synchronization" message
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 276/462] clocksource: Replace cpumask_weight() with cpumask_empty() Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 278/462] clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context Greg Kroah-Hartman
` (188 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Thomas Gleixner,
Paul E. McKenney, John Stultz, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
[ Upstream commit 1f566840a82982141f94086061927a90e79440e5 ]
The "Checking clocksource synchronization" message is normally printed
when clocksource_verify_percpu() is called for a given clocksource if
both the CLOCK_SOURCE_UNSTABLE and CLOCK_SOURCE_VERIFY_PERCPU flags
are set.
It is an informational message and so pr_info() is the correct choice.
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Acked-by: John Stultz <jstultz@google.com>
Link: https://lore.kernel.org/all/20250125015442.3740588-1-longman@redhat.com
Stable-dep-of: 6bb05a33337b ("clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/clocksource.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index 658b90755dd72..21dfee6c0d936 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -345,7 +345,8 @@ static void clocksource_verify_percpu(struct clocksource *cs)
return;
}
testcpu = smp_processor_id();
- pr_warn("Checking clocksource %s synchronization from CPU %d to CPUs %*pbl.\n", cs->name, testcpu, cpumask_pr_args(&cpus_chosen));
+ pr_info("Checking clocksource %s synchronization from CPU %d to CPUs %*pbl.\n",
+ cs->name, testcpu, cpumask_pr_args(&cpus_chosen));
for_each_cpu(cpu, &cpus_chosen) {
if (cpu == testcpu)
continue;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 278/462] clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 277/462] clocksource: Use pr_info() for "Checking clocksource synchronization" message Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 279/462] net: treat possible_net_t net pointer as an RCU one and add read_pnet_rcu() Greg Kroah-Hartman
` (187 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Waiman Long, Thomas Gleixner, Paul E. McKenney, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
[ Upstream commit 6bb05a33337b2c842373857b63de5c9bf1ae2a09 ]
The following bug report happened with a PREEMPT_RT kernel:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2012, name: kwatchdog
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
get_random_u32+0x4f/0x110
clocksource_verify_choose_cpus+0xab/0x1a0
clocksource_verify_percpu.part.0+0x6b/0x330
clocksource_watchdog_kthread+0x193/0x1a0
It is due to the fact that clocksource_verify_choose_cpus() is invoked with
preemption disabled. This function invokes get_random_u32() to obtain
random numbers for choosing CPUs. The batched_entropy_32 local lock and/or
the base_crng.lock spinlock in driver/char/random.c will be acquired during
the call. In PREEMPT_RT kernel, they are both sleeping locks and so cannot
be acquired in atomic context.
Fix this problem by using migrate_disable() to allow smp_processor_id() to
be reliably used without introducing atomic context. preempt_disable() is
then called after clocksource_verify_choose_cpus() but before the
clocksource measurement is being run to avoid introducing unexpected
latency.
Fixes: 7560c02bdffb ("clocksource: Check per-CPU clock synchronization when marked unstable")
Suggested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://lore.kernel.org/all/20250131173323.891943-2-longman@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/clocksource.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index 21dfee6c0d936..b22508c5d2d96 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -336,10 +336,10 @@ static void clocksource_verify_percpu(struct clocksource *cs)
cpumask_clear(&cpus_ahead);
cpumask_clear(&cpus_behind);
cpus_read_lock();
- preempt_disable();
+ migrate_disable();
clocksource_verify_choose_cpus();
if (cpumask_empty(&cpus_chosen)) {
- preempt_enable();
+ migrate_enable();
cpus_read_unlock();
pr_warn("Not enough CPUs to check clocksource '%s'.\n", cs->name);
return;
@@ -347,6 +347,7 @@ static void clocksource_verify_percpu(struct clocksource *cs)
testcpu = smp_processor_id();
pr_info("Checking clocksource %s synchronization from CPU %d to CPUs %*pbl.\n",
cs->name, testcpu, cpumask_pr_args(&cpus_chosen));
+ preempt_disable();
for_each_cpu(cpu, &cpus_chosen) {
if (cpu == testcpu)
continue;
@@ -367,6 +368,7 @@ static void clocksource_verify_percpu(struct clocksource *cs)
cs_nsec_min = cs_nsec;
}
preempt_enable();
+ migrate_enable();
cpus_read_unlock();
if (!cpumask_empty(&cpus_ahead))
pr_warn(" CPUs %*pbl ahead of CPU %d for clocksource %s.\n",
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 279/462] net: treat possible_net_t net pointer as an RCU one and add read_pnet_rcu()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 278/462] clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 280/462] net: add dev_net_rcu() helper Greg Kroah-Hartman
` (186 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Pirko, Simon Horman,
David S. Miller, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Pirko <jiri@nvidia.com>
[ Upstream commit 2034d90ae41ae93e30d492ebcf1f06f97a9cfba6 ]
Make the net pointer stored in possible_net_t structure annotated as
an RCU pointer. Change the access helpers to treat it as such.
Introduce read_pnet_rcu() helper to allow caller to dereference
the net pointer under RCU read lock.
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: dd205fcc33d9 ("ipv4: use RCU protection in rt_is_expired()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/net_namespace.h | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index c41e922fdd97e..0dfcf2f0ef62a 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -320,21 +320,30 @@ static inline int check_net(const struct net *net)
typedef struct {
#ifdef CONFIG_NET_NS
- struct net *net;
+ struct net __rcu *net;
#endif
} possible_net_t;
static inline void write_pnet(possible_net_t *pnet, struct net *net)
{
#ifdef CONFIG_NET_NS
- pnet->net = net;
+ rcu_assign_pointer(pnet->net, net);
#endif
}
static inline struct net *read_pnet(const possible_net_t *pnet)
{
#ifdef CONFIG_NET_NS
- return pnet->net;
+ return rcu_dereference_protected(pnet->net, true);
+#else
+ return &init_net;
+#endif
+}
+
+static inline struct net *read_pnet_rcu(possible_net_t *pnet)
+{
+#ifdef CONFIG_NET_NS
+ return rcu_dereference(pnet->net);
#else
return &init_net;
#endif
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 280/462] net: add dev_net_rcu() helper
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 279/462] net: treat possible_net_t net pointer as an RCU one and add read_pnet_rcu() Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 281/462] ipv4: use RCU protection in rt_is_expired() Greg Kroah-Hartman
` (185 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 482ad2a4ace2740ca0ff1cbc8f3c7f862f3ab507 ]
dev->nd_net can change, readers should either
use rcu_read_lock() or RTNL.
We currently use a generic helper, dev_net() with
no debugging support. We probably have many hidden bugs.
Add dev_net_rcu() helper for callers using rcu_read_lock()
protection.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250205155120.1676781-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: dd205fcc33d9 ("ipv4: use RCU protection in rt_is_expired()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netdevice.h | 6 ++++++
include/net/net_namespace.h | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 3380668478e8a..06b37f45b67c9 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -2361,6 +2361,12 @@ struct net *dev_net(const struct net_device *dev)
return read_pnet(&dev->nd_net);
}
+static inline
+struct net *dev_net_rcu(const struct net_device *dev)
+{
+ return read_pnet_rcu(&dev->nd_net);
+}
+
static inline
void dev_net_set(struct net_device *dev, struct net *net)
{
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 0dfcf2f0ef62a..3cf6a5c17b84c 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -340,7 +340,7 @@ static inline struct net *read_pnet(const possible_net_t *pnet)
#endif
}
-static inline struct net *read_pnet_rcu(possible_net_t *pnet)
+static inline struct net *read_pnet_rcu(const possible_net_t *pnet)
{
#ifdef CONFIG_NET_NS
return rcu_dereference(pnet->net);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 281/462] ipv4: use RCU protection in rt_is_expired()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 280/462] net: add dev_net_rcu() helper Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 282/462] ipv4: use RCU protection in inet_select_addr() Greg Kroah-Hartman
` (184 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit dd205fcc33d92d54eee4d7f21bb073af9bd5ce2b ]
rt_is_expired() must use RCU protection to make
sure the net structure it reads does not disappear.
Fixes: e84f84f27647 ("netns: place rt_genid into struct net")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250205155120.1676781-6-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/route.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index c34386a9d99b4..a2a7f2597e201 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -423,7 +423,13 @@ static inline int ip_rt_proc_init(void)
static inline bool rt_is_expired(const struct rtable *rth)
{
- return rth->rt_genid != rt_genid_ipv4(dev_net(rth->dst.dev));
+ bool res;
+
+ rcu_read_lock();
+ res = rth->rt_genid != rt_genid_ipv4(dev_net_rcu(rth->dst.dev));
+ rcu_read_unlock();
+
+ return res;
}
void rt_cache_flush(struct net *net)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 282/462] ipv4: use RCU protection in inet_select_addr()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 281/462] ipv4: use RCU protection in rt_is_expired() Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 283/462] ipv6: use RCU protection in ip6_default_advmss() Greg Kroah-Hartman
` (183 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 719817cd293e4fa389e1f69c396f3f816ed5aa41 ]
inet_select_addr() must use RCU protection to make
sure the net structure it reads does not disappear.
Fixes: c4544c724322 ("[NETNS]: Process inet_select_addr inside a namespace.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250205155120.1676781-7-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/devinet.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 6918b3ced6713..2dc94109fc0ea 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1317,10 +1317,11 @@ __be32 inet_select_addr(const struct net_device *dev, __be32 dst, int scope)
__be32 addr = 0;
unsigned char localnet_scope = RT_SCOPE_HOST;
struct in_device *in_dev;
- struct net *net = dev_net(dev);
+ struct net *net;
int master_idx;
rcu_read_lock();
+ net = dev_net_rcu(dev);
in_dev = __in_dev_get_rcu(dev);
if (!in_dev)
goto no_in_dev;
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 283/462] ipv6: use RCU protection in ip6_default_advmss()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 282/462] ipv4: use RCU protection in inet_select_addr() Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 284/462] ndisc: use RCU protection in ndisc_alloc_skb() Greg Kroah-Hartman
` (182 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 3c8ffcd248da34fc41e52a46e51505900115fc2a ]
ip6_default_advmss() needs rcu protection to make
sure the net structure it reads does not disappear.
Fixes: 5578689a4e3c ("[NETNS][IPV6] route6 - make route6 per namespace")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250205155120.1676781-11-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index d7d600cb15a8d..178c56f6f6185 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3056,13 +3056,18 @@ static unsigned int ip6_default_advmss(const struct dst_entry *dst)
{
struct net_device *dev = dst->dev;
unsigned int mtu = dst_mtu(dst);
- struct net *net = dev_net(dev);
+ struct net *net;
mtu -= sizeof(struct ipv6hdr) + sizeof(struct tcphdr);
+ rcu_read_lock();
+
+ net = dev_net_rcu(dev);
if (mtu < net->ipv6.sysctl.ip6_rt_min_advmss)
mtu = net->ipv6.sysctl.ip6_rt_min_advmss;
+ rcu_read_unlock();
+
/*
* Maximal non-jumbo IPv6 payload is IPV6_MAXPLEN and
* corresponding MSS is IPV6_MAXPLEN - tcp_header_size.
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 284/462] ndisc: use RCU protection in ndisc_alloc_skb()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 283/462] ipv6: use RCU protection in ip6_default_advmss() Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 285/462] neighbour: delete redundant judgment statements Greg Kroah-Hartman
` (181 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David Ahern,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 628e6d18930bbd21f2d4562228afe27694f66da9 ]
ndisc_alloc_skb() can be called without RTNL or RCU being held.
Add RCU protection to avoid possible UAF.
Fixes: de09334b9326 ("ndisc: Introduce ndisc_alloc_skb() helper.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ndisc.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index c0a5552733177..2361f4af49e8f 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -417,15 +417,11 @@ static struct sk_buff *ndisc_alloc_skb(struct net_device *dev,
{
int hlen = LL_RESERVED_SPACE(dev);
int tlen = dev->needed_tailroom;
- struct sock *sk = dev_net(dev)->ipv6.ndisc_sk;
struct sk_buff *skb;
skb = alloc_skb(hlen + sizeof(struct ipv6hdr) + len + tlen, GFP_ATOMIC);
- if (!skb) {
- ND_PRINTK(0, err, "ndisc: %s failed to allocate an skb\n",
- __func__);
+ if (!skb)
return NULL;
- }
skb->protocol = htons(ETH_P_IPV6);
skb->dev = dev;
@@ -436,7 +432,9 @@ static struct sk_buff *ndisc_alloc_skb(struct net_device *dev,
/* Manually assign socket ownership as we avoid calling
* sock_alloc_send_pskb() to bypass wmem buffer limits
*/
- skb_set_owner_w(skb, sk);
+ rcu_read_lock();
+ skb_set_owner_w(skb, dev_net_rcu(dev)->ipv6.ndisc_sk);
+ rcu_read_unlock();
return skb;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 285/462] neighbour: delete redundant judgment statements
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 284/462] ndisc: use RCU protection in ndisc_alloc_skb() Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 286/462] neighbour: use RCU protection in __neigh_notify() Greg Kroah-Hartman
` (180 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Zetao, Petr Machata,
David S. Miller, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Zetao <lizetao1@huawei.com>
[ Upstream commit c25bdd2ac8cf7da70a226f1a66cdce7af15ff86f ]
The initial value of err is -ENOBUFS, and err is guaranteed to be
less than 0 before all goto errout. Therefore, on the error path
of errout, there is no need to repeatedly judge that err is less than 0,
and delete redundant judgments to make the code more concise.
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: becbd5850c03 ("neighbour: use RCU protection in __neigh_notify()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/neighbour.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index c187eb951083b..bd017b220cfed 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -3387,8 +3387,7 @@ static void __neigh_notify(struct neighbour *n, int type, int flags,
rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC);
return;
errout:
- if (err < 0)
- rtnl_set_sk_err(net, RTNLGRP_NEIGH, err);
+ rtnl_set_sk_err(net, RTNLGRP_NEIGH, err);
}
void neigh_app_ns(struct neighbour *n)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 286/462] neighbour: use RCU protection in __neigh_notify()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 285/462] neighbour: delete redundant judgment statements Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 287/462] arp: use RCU protection in arp_xmit() Greg Kroah-Hartman
` (179 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David Ahern,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit becbd5850c03ed33b232083dd66c6e38c0c0e569 ]
__neigh_notify() can be called without RTNL or RCU protection.
Use RCU protection to avoid potential UAF.
Fixes: 426b5303eb43 ("[NETNS]: Modify the neighbour table code so it handles multiple network namespaces")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/neighbour.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index bd017b220cfed..f04ba63e98515 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -3369,10 +3369,12 @@ static const struct seq_operations neigh_stat_seq_ops = {
static void __neigh_notify(struct neighbour *n, int type, int flags,
u32 pid)
{
- struct net *net = dev_net(n->dev);
struct sk_buff *skb;
int err = -ENOBUFS;
+ struct net *net;
+ rcu_read_lock();
+ net = dev_net_rcu(n->dev);
skb = nlmsg_new(neigh_nlmsg_size(), GFP_ATOMIC);
if (skb == NULL)
goto errout;
@@ -3385,9 +3387,11 @@ static void __neigh_notify(struct neighbour *n, int type, int flags,
goto errout;
}
rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC);
- return;
+ goto out;
errout:
rtnl_set_sk_err(net, RTNLGRP_NEIGH, err);
+out:
+ rcu_read_unlock();
}
void neigh_app_ns(struct neighbour *n)
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 287/462] arp: use RCU protection in arp_xmit()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 286/462] neighbour: use RCU protection in __neigh_notify() Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 288/462] openvswitch: use RCU protection in ovs_vport_cmd_fill_info() Greg Kroah-Hartman
` (178 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David Ahern,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a42b69f692165ec39db42d595f4f65a4c8f42e44 ]
arp_xmit() can be called without RTNL or RCU protection.
Use RCU protection to avoid potential UAF.
Fixes: 29a26a568038 ("netfilter: Pass struct net into the netfilter hooks")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-5-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/arp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 8ae9bd6f91c19..6879e0b70c769 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -637,10 +637,12 @@ static int arp_xmit_finish(struct net *net, struct sock *sk, struct sk_buff *skb
*/
void arp_xmit(struct sk_buff *skb)
{
+ rcu_read_lock();
/* Send it off, maybe filter it using firewalling first. */
NF_HOOK(NFPROTO_ARP, NF_ARP_OUT,
- dev_net(skb->dev), NULL, skb, NULL, skb->dev,
+ dev_net_rcu(skb->dev), NULL, skb, NULL, skb->dev,
arp_xmit_finish);
+ rcu_read_unlock();
}
EXPORT_SYMBOL(arp_xmit);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 288/462] openvswitch: use RCU protection in ovs_vport_cmd_fill_info()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 287/462] arp: use RCU protection in arp_xmit() Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 289/462] ndisc: extend RCU protection in ndisc_send_skb() Greg Kroah-Hartman
` (177 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 90b2f49a502fa71090d9f4fe29a2f51fe5dff76d ]
ovs_vport_cmd_fill_info() can be called without RTNL or RCU.
Use RCU protection and dev_net_rcu() to avoid potential UAF.
Fixes: 9354d4520342 ("openvswitch: reliable interface indentification in port dumps")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-6-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/datapath.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index b625ab5e9a430..b493931433e99 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1980,6 +1980,7 @@ static int ovs_vport_cmd_fill_info(struct vport *vport, struct sk_buff *skb,
{
struct ovs_header *ovs_header;
struct ovs_vport_stats vport_stats;
+ struct net *net_vport;
int err;
ovs_header = genlmsg_put(skb, portid, seq, &dp_vport_genl_family,
@@ -1996,12 +1997,15 @@ static int ovs_vport_cmd_fill_info(struct vport *vport, struct sk_buff *skb,
nla_put_u32(skb, OVS_VPORT_ATTR_IFINDEX, vport->dev->ifindex))
goto nla_put_failure;
- if (!net_eq(net, dev_net(vport->dev))) {
- int id = peernet2id_alloc(net, dev_net(vport->dev), gfp);
+ rcu_read_lock();
+ net_vport = dev_net_rcu(vport->dev);
+ if (!net_eq(net, net_vport)) {
+ int id = peernet2id_alloc(net, net_vport, GFP_ATOMIC);
if (nla_put_s32(skb, OVS_VPORT_ATTR_NETNSID, id))
- goto nla_put_failure;
+ goto nla_put_failure_unlock;
}
+ rcu_read_unlock();
ovs_vport_get_stats(vport, &vport_stats);
if (nla_put_64bit(skb, OVS_VPORT_ATTR_STATS,
@@ -2019,6 +2023,8 @@ static int ovs_vport_cmd_fill_info(struct vport *vport, struct sk_buff *skb,
genlmsg_end(skb, ovs_header);
return 0;
+nla_put_failure_unlock:
+ rcu_read_unlock();
nla_put_failure:
err = -EMSGSIZE;
error:
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 289/462] ndisc: extend RCU protection in ndisc_send_skb()
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 288/462] openvswitch: use RCU protection in ovs_vport_cmd_fill_info() Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 290/462] drm/tidss: Fix issue in irq handling causing irq-flood issue Greg Kroah-Hartman
` (176 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David Ahern,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit ed6ae1f325d3c43966ec1b62ac1459e2b8e45640 ]
ndisc_send_skb() can be called without RTNL or RCU held.
Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu()
and avoid a potential UAF.
Fixes: 1762f7e88eb3 ("[NETNS][IPV6] ndisc - make socket control per namespace")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-8-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ndisc.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 2361f4af49e8f..43ad4e5db5941 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -471,16 +471,20 @@ static void ndisc_send_skb(struct sk_buff *skb,
const struct in6_addr *daddr,
const struct in6_addr *saddr)
{
+ struct icmp6hdr *icmp6h = icmp6_hdr(skb);
struct dst_entry *dst = skb_dst(skb);
- struct net *net = dev_net(skb->dev);
- struct sock *sk = net->ipv6.ndisc_sk;
struct inet6_dev *idev;
+ struct net *net;
+ struct sock *sk;
int err;
- struct icmp6hdr *icmp6h = icmp6_hdr(skb);
u8 type;
type = icmp6h->icmp6_type;
+ rcu_read_lock();
+
+ net = dev_net_rcu(skb->dev);
+ sk = net->ipv6.ndisc_sk;
if (!dst) {
struct flowi6 fl6;
int oif = skb->dev->ifindex;
@@ -488,6 +492,7 @@ static void ndisc_send_skb(struct sk_buff *skb,
icmpv6_flow_init(sk, &fl6, type, saddr, daddr, oif);
dst = icmp6_dst_alloc(skb->dev, &fl6);
if (IS_ERR(dst)) {
+ rcu_read_unlock();
kfree_skb(skb);
return;
}
@@ -502,7 +507,6 @@ static void ndisc_send_skb(struct sk_buff *skb,
ip6_nd_hdr(skb, saddr, daddr, inet6_sk(sk)->hop_limit, skb->len);
- rcu_read_lock();
idev = __in6_dev_get(dst->dev);
IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
--
2.39.5
^ permalink raw reply related [flat|nested] 472+ messages in thread
* [PATCH 5.10 290/462] drm/tidss: Fix issue in irq handling causing irq-flood issue
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 289/462] ndisc: extend RCU protection in ndisc_send_skb() Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 291/462] drm/tidss: Clear the interrupt status for interrupts being disabled Greg Kroah-Hartman
` (175 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bin Liu, Devarsh Thakkar,
Jonathan Cormier, Aradhya Bhatia, Tomi Valkeinen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
commit 44b6730ab53ef04944fbaf6da0e77397531517b7 upstream.
It has been observed that sometimes DSS will trigger an interrupt and
the top level interrupt (DISPC_IRQSTATUS) is not zero, but the VP and
VID level interrupt-statuses are zero.
As the top level irqstatus is supposed to tell whether we have VP/VID
interrupts, the thinking of the driver authors was that this particular
case could never happen. Thus the driver only clears the DISPC_IRQSTATUS
bits which has corresponding interrupts in VP/VID status. So when this
issue happens, the driver will not clear DISPC_IRQSTATUS, and we get an
interrupt flood.
It is unclear why the issue happens. It could be a race issue in the
driver, but no such race has been found. It could also be an issue with
the HW. However a similar case can be easily triggered by manually
writing to DISPC_IRQSTATUS_RAW. This will forcibly set a bit in the
DISPC_IRQSTATUS and trigger an interrupt, and as the driver never clears
the bit, we get an interrupt flood.
To fix the issue, always clear DISPC_IRQSTATUS. The concern with this
solution is that if the top level irqstatus is the one that triggers the
interrupt, always clearing DISPC_IRQSTATUS might leave some interrupts
unhandled if VP/VID interrupt statuses have bits set. However, testing
shows that if any of the irqstatuses is set (i.e. even if
DISPC_IRQSTATUS == 0, but a VID irqstatus has a bit set), we will get an
interrupt.
Co-developed-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Co-developed-by: Devarsh Thakkar <devarsht@ti.com>
Signed-off-by: Devarsh Thakkar <devarsht@ti.com>
Co-developed-by: Jonathan Cormier <jcormier@criticallink.com>
Signed-off-by: Jonathan Cormier <jcormier@criticallink.com>
Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem")
Cc: stable@vger.kernel.org
Tested-by: Jonathan Cormier <jcormier@criticallink.com>
Reviewed-by: Aradhya Bhatia <aradhya.bhatia@linux.dev>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241021-tidss-irq-fix-v1-1-82ddaec94e4a@ideasonboard.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/tidss/tidss_dispc.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
--- a/drivers/gpu/drm/tidss/tidss_dispc.c
+++ b/drivers/gpu/drm/tidss/tidss_dispc.c
@@ -676,24 +676,20 @@ static
void dispc_k3_clear_irqstatus(struct dispc_device *dispc, dispc_irq_t clearmask)
{
unsigned int i;
- u32 top_clear = 0;
for (i = 0; i < dispc->feat->num_vps; ++i) {
- if (clearmask & DSS_IRQ_VP_MASK(i)) {
+ if (clearmask & DSS_IRQ_VP_MASK(i))
dispc_k3_vp_write_irqstatus(dispc, i, clearmask);
- top_clear |= BIT(i);
- }
}
for (i = 0; i < dispc->feat->num_planes; ++i) {
- if (clearmask & DSS_IRQ_PLANE_MASK(i)) {
+ if (clearmask & DSS_IRQ_PLANE_MASK(i))
dispc_k3_vid_write_irqstatus(dispc, i, clearmask);
- top_clear |= BIT(4 + i);
- }
}
if (dispc->feat->subrev == DISPC_K2G)
return;
- dispc_write(dispc, DISPC_IRQSTATUS, top_clear);
+ /* always clear the top level irqstatus */
+ dispc_write(dispc, DISPC_IRQSTATUS, dispc_read(dispc, DISPC_IRQSTATUS));
/* Flush posted writes */
dispc_read(dispc, DISPC_IRQSTATUS);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 291/462] drm/tidss: Clear the interrupt status for interrupts being disabled
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 290/462] drm/tidss: Fix issue in irq handling causing irq-flood issue Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 292/462] kdb: Do not assume write() callback available Greg Kroah-Hartman
` (174 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Cormier, Devarsh Thakkar,
Aradhya Bhatia, Tomi Valkeinen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Devarsh Thakkar <devarsht@ti.com>
commit 361a2ebb5cad211732ec3c5d962de49b21895590 upstream.
The driver does not touch the irqstatus register when it is disabling
interrupts. This might cause an interrupt to trigger for an interrupt
that was just disabled.
To fix the issue, clear the irqstatus registers right after disabling
the interrupts.
Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem")
Cc: stable@vger.kernel.org
Reported-by: Jonathan Cormier <jcormier@criticallink.com>
Closes: https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1394222/am625-issue-about-tidss-rcu_preempt-self-detected-stall-on-cpu/5424479#5424479
Signed-off-by: Devarsh Thakkar <devarsht@ti.com>
[Tomi: mostly rewrote the patch]
Reviewed-by: Jonathan Cormier <jcormier@criticallink.com>
Tested-by: Jonathan Cormier <jcormier@criticallink.com>
Reviewed-by: Aradhya Bhatia <aradhya.bhatia@linux.dev>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241021-tidss-irq-fix-v1-5-82ddaec94e4a@ideasonboard.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/tidss/tidss_dispc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/tidss/tidss_dispc.c
+++ b/drivers/gpu/drm/tidss/tidss_dispc.c
@@ -596,7 +596,7 @@ void dispc_k2g_set_irqenable(struct disp
{
dispc_irq_t old_mask = dispc_k2g_read_irqenable(dispc);
- /* clear the irqstatus for newly enabled irqs */
+ /* clear the irqstatus for irqs that will be enabled */
dispc_k2g_clear_irqstatus(dispc, (mask ^ old_mask) & mask);
dispc_k2g_vp_set_irqenable(dispc, 0, mask);
@@ -604,6 +604,9 @@ void dispc_k2g_set_irqenable(struct disp
dispc_write(dispc, DISPC_IRQENABLE_SET, (1 << 0) | (1 << 7));
+ /* clear the irqstatus for irqs that were disabled */
+ dispc_k2g_clear_irqstatus(dispc, (mask ^ old_mask) & old_mask);
+
/* flush posted write */
dispc_k2g_read_irqenable(dispc);
}
@@ -735,7 +738,7 @@ static void dispc_k3_set_irqenable(struc
old_mask = dispc_k3_read_irqenable(dispc);
- /* clear the irqstatus for newly enabled irqs */
+ /* clear the irqstatus for irqs that will be enabled */
dispc_k3_clear_irqstatus(dispc, (old_mask ^ mask) & mask);
for (i = 0; i < dispc->feat->num_vps; ++i) {
@@ -760,6 +763,9 @@ static void dispc_k3_set_irqenable(struc
if (main_disable)
dispc_write(dispc, DISPC_IRQENABLE_CLR, main_disable);
+ /* clear the irqstatus for irqs that were disabled */
+ dispc_k3_clear_irqstatus(dispc, (old_mask ^ mask) & old_mask);
+
/* Flush posted writes */
dispc_read(dispc, DISPC_IRQENABLE_SET);
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 292/462] kdb: Do not assume write() callback available
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 291/462] drm/tidss: Clear the interrupt status for interrupts being disabled Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 293/462] x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0 Greg Kroah-Hartman
` (173 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Ogness, Petr Mladek,
Douglas Anderson, Daniel Thompson, Sergey Senozhatsky,
Brian Norris
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Ogness <john.ogness@linutronix.de>
commit 6d3e0d8cc63221dec670d0ee92ac57961581e975 upstream.
It is allowed for consoles to not provide a write() callback. For
example ttynull does this.
Check if a write() callback is available before using it.
Signed-off-by: John Ogness <john.ogness@linutronix.de>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Link: https://lore.kernel.org/r/20230717194607.145135-2-john.ogness@linutronix.de
Cc: Brian Norris <briannorris@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/debug/kdb/kdb_io.c | 2 ++
1 file changed, 2 insertions(+)
--- a/kernel/debug/kdb/kdb_io.c
+++ b/kernel/debug/kdb/kdb_io.c
@@ -577,6 +577,8 @@ static void kdb_msg_write(const char *ms
continue;
if (c == dbg_io_ops->cons)
continue;
+ if (!c->write)
+ continue;
/*
* Set oops_in_progress to encourage the console drivers to
* disregard their internal spin locks: in the current calling
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 293/462] x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 292/462] kdb: Do not assume write() callback available Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 294/462] alpha: replace hardcoded stack offsets with autogenerated ones Greg Kroah-Hartman
` (172 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Zenla, Peter Zijlstra,
Andrew Cooper, Borislav Petkov (AMD), Juergen Gross
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Cooper <andrew.cooper3@citrix.com>
commit 5cc2db37124bb33914996d6fdbb2ddb3811f2945 upstream.
__static_call_update_early() has a check for early_boot_irqs_disabled, but
is used before early_boot_irqs_disabled is set up in start_kernel().
Xen PV has always special cased early_boot_irqs_disabled, but Xen PVH does
not and falls over the BUG when booting as dom0.
It is very suspect that early_boot_irqs_disabled starts as 0, becomes 1 for
a time, then becomes 0 again, but as this needs backporting to fix a
breakage in a security fix, dropping the BUG_ON() is the far safer option.
Fixes: 0ef8047b737d ("x86/static-call: provide a way to do very early static-call updates")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219620
Reported-by: Alex Zenla <alex@edera.dev>
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Juergen Gross <jgross@suse.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Alex Zenla <alex@edera.dev>
Link: https://lore.kernel.org/r/20241221211046.6475-1-andrew.cooper3@citrix.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/static_call.c | 1 -
1 file changed, 1 deletion(-)
--- a/arch/x86/kernel/static_call.c
+++ b/arch/x86/kernel/static_call.c
@@ -113,7 +113,6 @@ EXPORT_SYMBOL_GPL(arch_static_call_trans
noinstr void __static_call_update_early(void *tramp, void *func)
{
BUG_ON(system_state != SYSTEM_BOOTING);
- BUG_ON(!early_boot_irqs_disabled);
BUG_ON(static_call_initialized);
__text_gen_insn(tramp, JMP32_INSN_OPCODE, tramp, func, JMP32_INSN_SIZE);
sync_core();
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 294/462] alpha: replace hardcoded stack offsets with autogenerated ones
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 293/462] x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0 Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 295/462] nilfs2: do not output warnings when clearing dirty buffers Greg Kroah-Hartman
` (171 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki, Matt Turner,
Ivan Kokshaysky
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Kokshaysky <ink@unseen.parts>
commit 77b823fa619f97d16409ca37ad4f7936e28c5f83 upstream.
This allows the assembly in entry.S to automatically keep in sync with
changes in the stack layout (struct pt_regs and struct switch_stack).
Cc: stable@vger.kernel.org
Tested-by: Maciej W. Rozycki <macro@orcam.me.uk>
Tested-by: Matt Turner <mattst88@gmail.com>
Reviewed-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Ivan Kokshaysky <ink@unseen.parts>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/alpha/kernel/asm-offsets.c | 2 ++
arch/alpha/kernel/entry.S | 4 ----
2 files changed, 2 insertions(+), 4 deletions(-)
--- a/arch/alpha/kernel/asm-offsets.c
+++ b/arch/alpha/kernel/asm-offsets.c
@@ -32,7 +32,9 @@ void foo(void)
DEFINE(CRED_EGID, offsetof(struct cred, egid));
BLANK();
+ DEFINE(SP_OFF, offsetof(struct pt_regs, ps));
DEFINE(SIZEOF_PT_REGS, sizeof(struct pt_regs));
+ DEFINE(SWITCH_STACK_SIZE, sizeof(struct switch_stack));
DEFINE(PT_PTRACED, PT_PTRACED);
DEFINE(CLONE_VM, CLONE_VM);
DEFINE(CLONE_UNTRACED, CLONE_UNTRACED);
--- a/arch/alpha/kernel/entry.S
+++ b/arch/alpha/kernel/entry.S
@@ -15,10 +15,6 @@
.set noat
.cfi_sections .debug_frame
-/* Stack offsets. */
-#define SP_OFF 184
-#define SWITCH_STACK_SIZE 320
-
.macro CFI_START_OSF_FRAME func
.align 4
.globl \func
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 295/462] nilfs2: do not output warnings when clearing dirty buffers
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 294/462] alpha: replace hardcoded stack offsets with autogenerated ones Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 296/462] nilfs2: do not force clear folio if buffer is referenced Greg Kroah-Hartman
` (170 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Morton, Ryusuke Konishi
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit 299910dcb4525ac0274f3efa9527876315ba4f67 upstream.
After detecting file system corruption and degrading to a read-only mount,
dirty folios and buffers in the page cache are cleared, and a large number
of warnings are output at that time, often filling up the kernel log.
In this case, since the degrading to a read-only mount is output to the
kernel log, these warnings are not very meaningful, and are rather a
nuisance in system management and debugging.
The related nilfs2-specific page/folio routines have a silent argument
that suppresses the warning output, but since it is not currently used
meaningfully, remove both the silent argument and the warning output.
[konishi.ryusuke@gmail.com: adjusted for page/folio conversion]
Link: https://lkml.kernel.org/r/20240816090128.4561-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: ca76bb226bf4 ("nilfs2: do not force clear folio if buffer is referenced")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/inode.c | 4 ++--
fs/nilfs2/mdt.c | 6 +++---
fs/nilfs2/page.c | 20 +++-----------------
fs/nilfs2/page.h | 4 ++--
4 files changed, 10 insertions(+), 24 deletions(-)
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -162,7 +162,7 @@ static int nilfs_writepages(struct addre
int err = 0;
if (sb_rdonly(inode->i_sb)) {
- nilfs_clear_dirty_pages(mapping, false);
+ nilfs_clear_dirty_pages(mapping);
return -EROFS;
}
@@ -185,7 +185,7 @@ static int nilfs_writepage(struct page *
* have dirty pages that try to be flushed in background.
* So, here we simply discard this dirty page.
*/
- nilfs_clear_dirty_page(page, false);
+ nilfs_clear_dirty_page(page);
unlock_page(page);
return -EROFS;
}
--- a/fs/nilfs2/mdt.c
+++ b/fs/nilfs2/mdt.c
@@ -410,7 +410,7 @@ nilfs_mdt_write_page(struct page *page,
* have dirty pages that try to be flushed in background.
* So, here we simply discard this dirty page.
*/
- nilfs_clear_dirty_page(page, false);
+ nilfs_clear_dirty_page(page);
unlock_page(page);
return -EROFS;
}
@@ -631,10 +631,10 @@ void nilfs_mdt_restore_from_shadow_map(s
if (mi->mi_palloc_cache)
nilfs_palloc_clear_cache(inode);
- nilfs_clear_dirty_pages(inode->i_mapping, true);
+ nilfs_clear_dirty_pages(inode->i_mapping);
nilfs_copy_back_pages(inode->i_mapping, shadow->inode->i_mapping);
- nilfs_clear_dirty_pages(ii->i_assoc_inode->i_mapping, true);
+ nilfs_clear_dirty_pages(ii->i_assoc_inode->i_mapping);
nilfs_copy_back_pages(ii->i_assoc_inode->i_mapping,
NILFS_I(shadow->inode)->i_assoc_inode->i_mapping);
--- a/fs/nilfs2/page.c
+++ b/fs/nilfs2/page.c
@@ -354,9 +354,8 @@ repeat:
/**
* nilfs_clear_dirty_pages - discard dirty pages in address space
* @mapping: address space with dirty pages for discarding
- * @silent: suppress [true] or print [false] warning messages
*/
-void nilfs_clear_dirty_pages(struct address_space *mapping, bool silent)
+void nilfs_clear_dirty_pages(struct address_space *mapping)
{
struct pagevec pvec;
unsigned int i;
@@ -377,7 +376,7 @@ void nilfs_clear_dirty_pages(struct addr
* was acquired. Skip processing in that case.
*/
if (likely(page->mapping == mapping))
- nilfs_clear_dirty_page(page, silent);
+ nilfs_clear_dirty_page(page);
unlock_page(page);
}
@@ -389,19 +388,11 @@ void nilfs_clear_dirty_pages(struct addr
/**
* nilfs_clear_dirty_page - discard dirty page
* @page: dirty page that will be discarded
- * @silent: suppress [true] or print [false] warning messages
*/
-void nilfs_clear_dirty_page(struct page *page, bool silent)
+void nilfs_clear_dirty_page(struct page *page)
{
- struct inode *inode = page->mapping->host;
- struct super_block *sb = inode->i_sb;
-
BUG_ON(!PageLocked(page));
- if (!silent)
- nilfs_warn(sb, "discard dirty page: offset=%lld, ino=%lu",
- page_offset(page), inode->i_ino);
-
ClearPageUptodate(page);
ClearPageMappedToDisk(page);
ClearPageChecked(page);
@@ -417,11 +408,6 @@ void nilfs_clear_dirty_page(struct page
bh = head = page_buffers(page);
do {
lock_buffer(bh);
- if (!silent)
- nilfs_warn(sb,
- "discard dirty block: blocknr=%llu, size=%zu",
- (u64)bh->b_blocknr, bh->b_size);
-
set_mask_bits(&bh->b_state, clear_bits, 0);
unlock_buffer(bh);
} while (bh = bh->b_this_page, bh != head);
--- a/fs/nilfs2/page.h
+++ b/fs/nilfs2/page.h
@@ -41,8 +41,8 @@ void nilfs_page_bug(struct page *);
int nilfs_copy_dirty_pages(struct address_space *, struct address_space *);
void nilfs_copy_back_pages(struct address_space *, struct address_space *);
-void nilfs_clear_dirty_page(struct page *, bool);
-void nilfs_clear_dirty_pages(struct address_space *, bool);
+void nilfs_clear_dirty_page(struct page *page);
+void nilfs_clear_dirty_pages(struct address_space *mapping);
void nilfs_mapping_init(struct address_space *mapping, struct inode *inode);
unsigned int nilfs_page_count_clean_buffers(struct page *, unsigned int,
unsigned int);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 296/462] nilfs2: do not force clear folio if buffer is referenced
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 295/462] nilfs2: do not output warnings when clearing dirty buffers Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 297/462] nilfs2: protect access to buffers with no active references Greg Kroah-Hartman
` (169 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Morton, Ryusuke Konishi,
syzbot+b2b14916b77acf8626d7, syzbot+d98fd19acd08b36ff422
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit ca76bb226bf47ff04c782cacbd299f12ddee1ec1 upstream.
Patch series "nilfs2: protect busy buffer heads from being force-cleared".
This series fixes the buffer head state inconsistency issues reported by
syzbot that occurs when the filesystem is corrupted and falls back to
read-only, and the associated buffer head use-after-free issue.
This patch (of 2):
Syzbot has reported that after nilfs2 detects filesystem corruption and
falls back to read-only, inconsistencies in the buffer state may occur.
One of the inconsistencies is that when nilfs2 calls mark_buffer_dirty()
to set a data or metadata buffer as dirty, but it detects that the buffer
is not in the uptodate state:
WARNING: CPU: 0 PID: 6049 at fs/buffer.c:1177 mark_buffer_dirty+0x2e5/0x520
fs/buffer.c:1177
...
Call Trace:
<TASK>
nilfs_palloc_commit_alloc_entry+0x4b/0x160 fs/nilfs2/alloc.c:598
nilfs_ifile_create_inode+0x1dd/0x3a0 fs/nilfs2/ifile.c:73
nilfs_new_inode+0x254/0x830 fs/nilfs2/inode.c:344
nilfs_mkdir+0x10d/0x340 fs/nilfs2/namei.c:218
vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
do_mkdirat+0x264/0x3a0 fs/namei.c:4280
__do_sys_mkdirat fs/namei.c:4295 [inline]
__se_sys_mkdirat fs/namei.c:4293 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The other is when nilfs_btree_propagate(), which propagates the dirty
state to the ancestor nodes of a b-tree that point to a dirty buffer,
detects that the origin buffer is not dirty, even though it should be:
WARNING: CPU: 0 PID: 5245 at fs/nilfs2/btree.c:2089
nilfs_btree_propagate+0xc79/0xdf0 fs/nilfs2/btree.c:2089
...
Call Trace:
<TASK>
nilfs_bmap_propagate+0x75/0x120 fs/nilfs2/bmap.c:345
nilfs_collect_file_data+0x4d/0xd0 fs/nilfs2/segment.c:587
nilfs_segctor_apply_buffers+0x184/0x340 fs/nilfs2/segment.c:1006
nilfs_segctor_scan_file+0x28c/0xa50 fs/nilfs2/segment.c:1045
nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1216 [inline]
nilfs_segctor_collect fs/nilfs2/segment.c:1540 [inline]
nilfs_segctor_do_construct+0x1c28/0x6b90 fs/nilfs2/segment.c:2115
nilfs_segctor_construct+0x181/0x6b0 fs/nilfs2/segment.c:2479
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2587 [inline]
nilfs_segctor_thread+0x69e/0xe80 fs/nilfs2/segment.c:2701
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Both of these issues are caused by the callbacks that handle the
page/folio write requests, forcibly clear various states, including the
working state of the buffers they hold, at unexpected times when they
detect read-only fallback.
Fix these issues by checking if the buffer is referenced before clearing
the page/folio state, and skipping the clear if it is.
[konishi.ryusuke@gmail.com: adjusted for page/folio conversion]
Link: https://lkml.kernel.org/r/20250107200202.6432-1-konishi.ryusuke@gmail.com
Link: https://lkml.kernel.org/r/20250107200202.6432-2-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+b2b14916b77acf8626d7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b2b14916b77acf8626d7
Reported-by: syzbot+d98fd19acd08b36ff422@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=d98fd19acd08b36ff422
Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption")
Tested-by: syzbot+b2b14916b77acf8626d7@syzkaller.appspotmail.com
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/page.c | 35 +++++++++++++++++++++++++++++------
1 file changed, 29 insertions(+), 6 deletions(-)
--- a/fs/nilfs2/page.c
+++ b/fs/nilfs2/page.c
@@ -388,24 +388,44 @@ void nilfs_clear_dirty_pages(struct addr
/**
* nilfs_clear_dirty_page - discard dirty page
* @page: dirty page that will be discarded
+ *
+ * nilfs_clear_dirty_page() clears working states including dirty state for
+ * the page and its buffers. If the page has buffers, clear only if it is
+ * confirmed that none of the buffer heads are busy (none have valid
+ * references and none are locked).
*/
void nilfs_clear_dirty_page(struct page *page)
{
BUG_ON(!PageLocked(page));
- ClearPageUptodate(page);
- ClearPageMappedToDisk(page);
- ClearPageChecked(page);
-
if (page_has_buffers(page)) {
- struct buffer_head *bh, *head;
+ struct buffer_head *bh, *head = page_buffers(page);
const unsigned long clear_bits =
(BIT(BH_Uptodate) | BIT(BH_Dirty) | BIT(BH_Mapped) |
BIT(BH_Async_Write) | BIT(BH_NILFS_Volatile) |
BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected) |
BIT(BH_Delay));
+ bool busy, invalidated = false;
- bh = head = page_buffers(page);
+recheck_buffers:
+ busy = false;
+ bh = head;
+ do {
+ if (atomic_read(&bh->b_count) | buffer_locked(bh)) {
+ busy = true;
+ break;
+ }
+ } while (bh = bh->b_this_page, bh != head);
+
+ if (busy) {
+ if (invalidated)
+ return;
+ invalidate_bh_lrus();
+ invalidated = true;
+ goto recheck_buffers;
+ }
+
+ bh = head;
do {
lock_buffer(bh);
set_mask_bits(&bh->b_state, clear_bits, 0);
@@ -413,6 +433,9 @@ void nilfs_clear_dirty_page(struct page
} while (bh = bh->b_this_page, bh != head);
}
+ ClearPageUptodate(page);
+ ClearPageMappedToDisk(page);
+ ClearPageChecked(page);
__nilfs_clear_page_dirty(page);
}
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 297/462] nilfs2: protect access to buffers with no active references
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 296/462] nilfs2: do not force clear folio if buffer is referenced Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 298/462] can: ems_pci: move ASIX AX99100 ids to pci_ids.h Greg Kroah-Hartman
` (168 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Morton, Ryusuke Konishi
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit 367a9bffabe08c04f6d725032cce3d891b2b9e1a upstream.
nilfs_lookup_dirty_data_buffers(), which iterates through the buffers
attached to dirty data folios/pages, accesses the attached buffers without
locking the folios/pages.
For data cache, nilfs_clear_folio_dirty() may be called asynchronously
when the file system degenerates to read only, so
nilfs_lookup_dirty_data_buffers() still has the potential to cause use
after free issues when buffers lose the protection of their dirty state
midway due to this asynchronous clearing and are unintentionally freed by
try_to_free_buffers().
Eliminate this race issue by adjusting the lock section in this function.
[konishi.ryusuke@gmail.com: adjusted for page/folio conversion]
Link: https://lkml.kernel.org/r/20250107200202.6432-3-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption")
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/segment.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -732,7 +732,6 @@ static size_t nilfs_lookup_dirty_data_bu
}
if (!page_has_buffers(page))
create_empty_buffers(page, i_blocksize(inode), 0);
- unlock_page(page);
bh = head = page_buffers(page);
do {
@@ -742,11 +741,14 @@ static size_t nilfs_lookup_dirty_data_bu
list_add_tail(&bh->b_assoc_buffers, listp);
ndirties++;
if (unlikely(ndirties >= nlimit)) {
+ unlock_page(page);
pagevec_release(&pvec);
cond_resched();
return ndirties;
}
} while (bh = bh->b_this_page, bh != head);
+
+ unlock_page(page);
}
pagevec_release(&pvec);
cond_resched();
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 298/462] can: ems_pci: move ASIX AX99100 ids to pci_ids.h
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 297/462] nilfs2: protect access to buffers with no active references Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 299/462] serial: 8250_pci: add support for ASIX AX99100 Greg Kroah-Hartman
` (167 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiaqing Zhao, Andy Shevchenko,
Bjorn Helgaas, Marc Kleine-Budde, Tomita Moeko
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
commit 3029ad91335353a70feb42acd24d580d70ab258b upstream.
Move PCI Vendor and Device ID of ASIX AX99100 PCIe to Multi I/O
Controller to pci_ids.h for its serial and parallel port driver
support in subsequent patches.
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
Link: https://lore.kernel.org/r/20230724083933.3173513-3-jiaqing.zhao@linux.intel.com
[Moeko: Drop changes in drivers/net/can/sja1000/ems_pci.c]
Signed-off-by: Tomita Moeko <tomitamoeko@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/pci_ids.h | 4 ++++
1 file changed, 4 insertions(+)
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -1765,6 +1765,10 @@
#define PCI_SUBDEVICE_ID_AT_2700FX 0x2701
#define PCI_SUBDEVICE_ID_AT_2701FX 0x2703
+#define PCI_VENDOR_ID_ASIX 0x125b
+#define PCI_DEVICE_ID_ASIX_AX99100 0x9100
+#define PCI_DEVICE_ID_ASIX_AX99100_LB 0x9110
+
#define PCI_VENDOR_ID_ESS 0x125d
#define PCI_DEVICE_ID_ESS_ESS1968 0x1968
#define PCI_DEVICE_ID_ESS_ESS1978 0x1978
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 299/462] serial: 8250_pci: add support for ASIX AX99100
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 298/462] can: ems_pci: move ASIX AX99100 ids to pci_ids.h Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 300/462] parport_pc: " Greg Kroah-Hartman
` (166 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiaqing Zhao, Andy Shevchenko,
Tomita Moeko
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
commit 0b32216557ce3b2a468d1282d99b428bf72ff532 upstream.
Each of the 4 PCI functions on ASIX AX99100 PCIe to Multi I/O
Controller can be configured as a single-port serial port controller.
The subvendor id is 0x1000 when configured as serial port and MSI
interrupts are supported.
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20230724083933.3173513-4-jiaqing.zhao@linux.intel.com
Signed-off-by: Tomita Moeko <tomitamoeko@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_pci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -65,6 +65,8 @@ static const struct pci_device_id pci_us
0xA000, 0x1000) },
{ PCI_DEVICE_SUB(PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9922,
0xA000, 0x1000) },
+ { PCI_DEVICE_SUB(PCI_VENDOR_ID_ASIX, PCI_DEVICE_ID_ASIX_AX99100,
+ 0xA000, 0x1000) },
{ PCI_DEVICE_SUB(PCI_VENDOR_ID_HP_3PAR, PCI_DEVICE_ID_HPE_PCI_SERIAL,
PCI_ANY_ID, PCI_ANY_ID) },
{ }
@@ -5785,6 +5787,14 @@ static const struct pci_device_id serial
{ PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9865,
0xA000, 0x3004,
0, 0, pbn_b0_bt_4_115200 },
+
+ /*
+ * ASIX AX99100 PCIe to Multi I/O Controller
+ */
+ { PCI_VENDOR_ID_ASIX, PCI_DEVICE_ID_ASIX_AX99100,
+ 0xA000, 0x1000,
+ 0, 0, pbn_b0_1_115200 },
+
/* Intel CE4100 */
{ PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CE4100_UART,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 300/462] parport_pc: add support for ASIX AX99100
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 299/462] serial: 8250_pci: add support for ASIX AX99100 Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 301/462] netdevsim: print human readable IP address Greg Kroah-Hartman
` (165 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiaqing Zhao, Andy Shevchenko,
Sudip Mukherjee, Tomita Moeko
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
commit 16aae4c64600a6319a6f10dbff833fa198bf9599 upstream.
The PCI function 2 on ASIX AX99100 PCIe to Multi I/O Controller can be
configured as a single-port parallel port controller. The subvendor id
is 0x2000 when configured as parallel port. It supports IEEE-1284 EPP /
ECP with its ECR on BAR1.
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Link: https://lore.kernel.org/r/20230724083933.3173513-5-jiaqing.zhao@linux.intel.com
Signed-off-by: Tomita Moeko <tomitamoeko@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/parport/parport_pc.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/parport/parport_pc.c
+++ b/drivers/parport/parport_pc.c
@@ -2611,6 +2611,7 @@ enum parport_pc_pci_cards {
netmos_9815,
netmos_9901,
netmos_9865,
+ asix_ax99100,
quatech_sppxp100,
wch_ch382l,
brainboxes_uc146,
@@ -2676,6 +2677,7 @@ static struct parport_pc_pci {
/* netmos_9815 */ { 2, { { 0, 1 }, { 2, 3 }, } },
/* netmos_9901 */ { 1, { { 0, -1 }, } },
/* netmos_9865 */ { 1, { { 0, -1 }, } },
+ /* asix_ax99100 */ { 1, { { 0, 1 }, } },
/* quatech_sppxp100 */ { 1, { { 0, 1 }, } },
/* wch_ch382l */ { 1, { { 2, -1 }, } },
/* brainboxes_uc146 */ { 1, { { 3, -1 }, } },
@@ -2766,6 +2768,9 @@ static const struct pci_device_id parpor
0xA000, 0x1000, 0, 0, netmos_9865 },
{ PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9865,
0xA000, 0x2000, 0, 0, netmos_9865 },
+ /* ASIX AX99100 PCIe to Multi I/O Controller */
+ { PCI_VENDOR_ID_ASIX, PCI_DEVICE_ID_ASIX_AX99100,
+ 0xA000, 0x2000, 0, 0, asix_ax99100 },
/* Quatech SPPXP-100 Parallel port PCI ExpressCard */
{ PCI_VENDOR_ID_QUATECH, PCI_DEVICE_ID_QUATECH_SPPXP_100,
PCI_ANY_ID, PCI_ANY_ID, 0, 0, quatech_sppxp100 },
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 301/462] netdevsim: print human readable IP address
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 300/462] parport_pc: " Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 302/462] selftests: rtnetlink: update netdevsim ipsec output format Greg Kroah-Hartman
` (164 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Hangbin Liu,
Jakub Kicinski, Harshit Mogalapalli
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
commit c71bc6da6198a6d88df86094f1052bb581951d65 upstream.
Currently, IPSec addresses are printed in hexadecimal format, which is
not user-friendly. e.g.
# cat /sys/kernel/debug/netdevsim/netdevsim0/ports/0/ipsec
SA count=2 tx=20
sa[0] rx ipaddr=0x00000000 00000000 00000000 0100a8c0
sa[0] spi=0x00000101 proto=0x32 salt=0x0adecc3a crypt=1
sa[0] key=0x3167608a ca4f1397 43565909 941fa627
sa[1] tx ipaddr=0x00000000 00000000 00000000 00000000
sa[1] spi=0x00000100 proto=0x32 salt=0x0adecc3a crypt=1
sa[1] key=0x3167608a ca4f1397 43565909 941fa627
This patch updates the code to print the IPSec address in a human-readable
format for easier debug. e.g.
# cat /sys/kernel/debug/netdevsim/netdevsim0/ports/0/ipsec
SA count=4 tx=40
sa[0] tx ipaddr=0.0.0.0
sa[0] spi=0x00000100 proto=0x32 salt=0x0adecc3a crypt=1
sa[0] key=0x3167608a ca4f1397 43565909 941fa627
sa[1] rx ipaddr=192.168.0.1
sa[1] spi=0x00000101 proto=0x32 salt=0x0adecc3a crypt=1
sa[1] key=0x3167608a ca4f1397 43565909 941fa627
sa[2] tx ipaddr=::
sa[2] spi=0x00000100 proto=0x32 salt=0x0adecc3a crypt=1
sa[2] key=0x3167608a ca4f1397 43565909 941fa627
sa[3] rx ipaddr=2000::1
sa[3] spi=0x00000101 proto=0x32 salt=0x0adecc3a crypt=1
sa[3] key=0x3167608a ca4f1397 43565909 941fa627
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20241010040027.21440-2-liuhangbin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/netdevsim/ipsec.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/net/netdevsim/ipsec.c
+++ b/drivers/net/netdevsim/ipsec.c
@@ -39,10 +39,14 @@ static ssize_t nsim_dbg_netdev_ops_read(
if (!sap->used)
continue;
- p += scnprintf(p, bufsize - (p - buf),
- "sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
- i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
- sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
+ if (sap->xs->props.family == AF_INET6)
+ p += scnprintf(p, bufsize - (p - buf),
+ "sa[%i] %cx ipaddr=%pI6c\n",
+ i, (sap->rx ? 'r' : 't'), &sap->ipaddr);
+ else
+ p += scnprintf(p, bufsize - (p - buf),
+ "sa[%i] %cx ipaddr=%pI4\n",
+ i, (sap->rx ? 'r' : 't'), &sap->ipaddr[3]);
p += scnprintf(p, bufsize - (p - buf),
"sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
i, be32_to_cpu(sap->xs->id.spi),
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 302/462] selftests: rtnetlink: update netdevsim ipsec output format
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 301/462] netdevsim: print human readable IP address Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 303/462] f2fs: fix to wait dio completion Greg Kroah-Hartman
` (163 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Stanislav Fomichev,
Jakub Kicinski, Harshit Mogalapalli
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
commit 3ec920bb978ccdc68a7dfb304d303d598d038cb1 upstream.
After the netdevsim update to use human-readable IP address formats for
IPsec, we can now use the source and destination IPs directly in testing.
Here is the result:
# ./rtnetlink.sh -t kci_test_ipsec_offload
PASS: ipsec_offload
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://patch.msgid.link/20241010040027.21440-4-liuhangbin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/rtnetlink.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/tools/testing/selftests/net/rtnetlink.sh
+++ b/tools/testing/selftests/net/rtnetlink.sh
@@ -813,10 +813,10 @@ kci_test_ipsec_offload()
# does driver have correct offload info
diff $sysfsf - << EOF
SA count=2 tx=3
-sa[0] tx ipaddr=0x00000000 00000000 00000000 00000000
+sa[0] tx ipaddr=$dstip
sa[0] spi=0x00000009 proto=0x32 salt=0x61626364 crypt=1
sa[0] key=0x34333231 38373635 32313039 36353433
-sa[1] rx ipaddr=0x00000000 00000000 00000000 037ba8c0
+sa[1] rx ipaddr=$srcip
sa[1] spi=0x00000009 proto=0x32 salt=0x61626364 crypt=1
sa[1] key=0x34333231 38373635 32313039 36353433
EOF
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 303/462] f2fs: fix to wait dio completion
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 302/462] selftests: rtnetlink: update netdevsim ipsec output format Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 304/462] x86/i8253: Disable PIT timer 0 when not in use Greg Kroah-Hartman
` (162 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Alva Lan
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
commit 96cfeb0389530ae32ade8a48ae3ae1ac3b6c009d upstream.
It should wait all existing dio write IOs before block removal,
otherwise, previous direct write IO may overwrite data in the
block which may be reused by other inode.
Cc: stable@vger.kernel.org
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/file.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -957,6 +957,13 @@ int f2fs_setattr(struct dentry *dentry,
return err;
}
+ /*
+ * wait for inflight dio, blocks should be removed after
+ * IO completion.
+ */
+ if (attr->ia_size < old_size)
+ inode_dio_wait(inode);
+
down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
down_write(&F2FS_I(inode)->i_mmap_sem);
@@ -1777,6 +1784,12 @@ static long f2fs_fallocate(struct file *
if (ret)
goto out;
+ /*
+ * wait for inflight dio, blocks should be removed after IO
+ * completion.
+ */
+ inode_dio_wait(inode);
+
if (mode & FALLOC_FL_PUNCH_HOLE) {
if (offset >= inode->i_size)
goto out;
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 304/462] x86/i8253: Disable PIT timer 0 when not in use
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 303/462] f2fs: fix to wait dio completion Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 15:39 ` [EXTERNAL] " David Woodhouse
2025-03-11 14:59 ` [PATCH 5.10 305/462] Revert "btrfs: avoid monopolizing a core when activating a swap file" Greg Kroah-Hartman
` (161 subsequent siblings)
465 siblings, 1 reply; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Woodhouse, Thomas Gleixner,
Michael Kelley
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit 70e6b7d9ae3c63df90a7bba7700e8d5c300c3c60 upstream.
Leaving the PIT interrupt running can cause noticeable steal time for
virtual guests. The VMM generally has a timer which toggles the IRQ input
to the PIC and I/O APIC, which takes CPU time away from the guest. Even
on real hardware, running the counter may use power needlessly (albeit
not much).
Make sure it's turned off if it isn't going to be used.
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Michael Kelley <mhkelley@outlook.com>
Link: https://lore.kernel.org/all/20240802135555.564941-1-dwmw2@infradead.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/i8253.c | 11 +++++++++--
drivers/clocksource/i8253.c | 13 +++++++++----
include/linux/i8253.h | 1 +
3 files changed, 19 insertions(+), 6 deletions(-)
--- a/arch/x86/kernel/i8253.c
+++ b/arch/x86/kernel/i8253.c
@@ -8,6 +8,7 @@
#include <linux/timex.h>
#include <linux/i8253.h>
+#include <asm/hypervisor.h>
#include <asm/apic.h>
#include <asm/hpet.h>
#include <asm/time.h>
@@ -39,9 +40,15 @@ static bool __init use_pit(void)
bool __init pit_timer_init(void)
{
- if (!use_pit())
+ if (!use_pit()) {
+ /*
+ * Don't just ignore the PIT. Ensure it's stopped, because
+ * VMMs otherwise steal CPU time just to pointlessly waggle
+ * the (masked) IRQ.
+ */
+ clockevent_i8253_disable();
return false;
-
+ }
clockevent_i8253_init(true);
global_clock_event = &i8253_clockevent;
return true;
--- a/drivers/clocksource/i8253.c
+++ b/drivers/clocksource/i8253.c
@@ -108,11 +108,8 @@ int __init clocksource_i8253_init(void)
#endif
#ifdef CONFIG_CLKEVT_I8253
-static int pit_shutdown(struct clock_event_device *evt)
+void clockevent_i8253_disable(void)
{
- if (!clockevent_state_oneshot(evt) && !clockevent_state_periodic(evt))
- return 0;
-
raw_spin_lock(&i8253_lock);
outb_p(0x30, PIT_MODE);
@@ -123,6 +120,14 @@ static int pit_shutdown(struct clock_eve
}
raw_spin_unlock(&i8253_lock);
+}
+
+static int pit_shutdown(struct clock_event_device *evt)
+{
+ if (!clockevent_state_oneshot(evt) && !clockevent_state_periodic(evt))
+ return 0;
+
+ clockevent_i8253_disable();
return 0;
}
--- a/include/linux/i8253.h
+++ b/include/linux/i8253.h
@@ -24,6 +24,7 @@ extern raw_spinlock_t i8253_lock;
extern bool i8253_clear_counter_on_shutdown;
extern struct clock_event_device i8253_clockevent;
extern void clockevent_i8253_init(bool oneshot);
+extern void clockevent_i8253_disable(void);
extern void setup_pit_timer(void);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 305/462] Revert "btrfs: avoid monopolizing a core when activating a swap file"
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 304/462] x86/i8253: Disable PIT timer 0 when not in use Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 306/462] btrfs: avoid monopolizing a core when activating a swap file Greg Kroah-Hartman
` (160 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Koichiro Den
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <koichiro.den@canonical.com>
This reverts commit a1c3a19446a440c68e80e9c34c5f308ff58aac88.
The backport for linux-5.10.y, commit a1c3a19446a4 ("btrfs: avoid
monopolizing a core when activating a swap file"), inserted
cond_resched() in the wrong location.
Revert it now; a subsequent commit will re-backport the original patch.
Fixes: a1c3a19446a4 ("btrfs: avoid monopolizing a core when activating a swap file") # linux-5.10.y
Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 2 --
1 file changed, 2 deletions(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -7127,8 +7127,6 @@ noinline int can_nocow_extent(struct ino
ret = -EAGAIN;
goto out;
}
-
- cond_resched();
}
btrfs_release_path(path);
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 306/462] btrfs: avoid monopolizing a core when activating a swap file
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 305/462] Revert "btrfs: avoid monopolizing a core when activating a swap file" Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 307/462] pps: Fix a use-after-free Greg Kroah-Hartman
` (159 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Filipe Manana,
David Sterba, Koichiro Den
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 2c8507c63f5498d4ee4af404a8e44ceae4345056 upstream.
This commit re-attempts the backport of the change to the linux-5.10.y
branch. Commit a1c3a19446a4 ("btrfs: avoid monopolizing a core when
activating a swap file") on this branch was reverted.
During swap activation we iterate over the extents of a file and we can
have many thousands of them, so we can end up in a busy loop monopolizing
a core. Avoid this by doing a voluntary reschedule after processing each
extent.
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -10422,6 +10422,8 @@ static int btrfs_swap_activate(struct sw
}
start += len;
+
+ cond_resched();
}
if (bsi.block_len)
^ permalink raw reply [flat|nested] 472+ messages in thread
* [PATCH 5.10 307/462] pps: Fix a use-after-free
2025-03-11 14:54 [PATCH 5.10 000/462] 5.10.235-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2025-03-11 14:59 ` [PATCH 5.10 306/462] btrfs: avoid monopolizing a core when activating a swap file Greg Kroah-Hartman
@ 2025-03-11 14:59 ` Greg Kroah-Hartman
2025-03-11 14:59 ` [PATCH 5.10 308/462] ima: Fix use-after-free on a dentrys dname.name Greg Kroah-Hartman
` (158 subsequent siblings)
465 siblings, 0 replies; 472+ messages in thread
From: Greg Kroah-Hartman @ 2025-03-11 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Calvin Owens, Michal Schmidt
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Calvin Owens <calvin@wbinvd.org>
commit c79a39dc8d060b9e64e8b0fa9d245d44befeefbe upstream.
On a board running ntpd and gpsd, I'm seeing a consistent use-after-free
in sys_exit() from gpsd when rebooting:
pps pps1: removed
------------[ cut here ]------------
kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.
WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150
CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1
Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kobject_put+0x120/0x150
lr : kobject_put+0x120/0x150
sp : ffffffc0803d3ae0
x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001
x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440
x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600
x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20
x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
kobject_put+0x120/0x150
cdev_put+0x20/0x3c
__fput+0x2c4/0x2d8
____fput+0x1c/0x38
task_work_run+0x70/0xfc
do_exit+0x2a0/0x924
do_group_exit+0x34/0x90
get_signal+0x7fc/0x8c0
do_signal+0x128/0x13b4
do_notify_resume+0xdc/0x160
el0_svc+0xd4/0xf8
el0t_64_sync_handler+0x140/0x14c
el0t_64_sync+0x190/0x194
---[ end trace 0000000000000000 ]---
...followed by more symptoms of corruption, with similar stacks:
refcount_t: underflow; use-after-free.
kernel BUG at lib/list_debug.c:62!
Kernel panic - not syncing: Oops - BUG: Fatal exception
This happens because pps_device_destruct() frees the pps_device with the
embedded cdev immediately after calling cdev_del(), but, as the comment
above cdev_del() notes, fops for previously opened cdevs are still
callable even after cdev_del() returns. I think this bug has always
been there: I can't explain why it suddenly started happening every time
I reboot this particular board.
In commit d953e0e837e6 ("pps: Fix a use-after free bug when
unregistering a source."), George Spelvin suggested removing the
embedded cdev. That seems like the simplest way to fix this, so I've
implemented his suggestion, using __register_chrdev() with pps_idr
becoming the source of truth for which minor corresponds to which
device.
But now that pps_idr defines userspace visibility instead of cdev_add(),
we need to be sure the pps->dev refcount can't reach zero while
userspace can still find it again. So, the idr_remove() call moves to
pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev.
pps_core: source serial1 got cdev (251:1)
<...>
pps pps1: removed
pps_core: unregistering pps1
pps_core: deallocating pps1
Fixes: d953e0e837e6 ("pps: Fix a use-after free bug when unregistering a source.")
Cc: stable@vger.kernel.org
Signed-off-by: Calvin Owens <calvin@wbinvd.org>
Reviewed-by: Michal Schmidt <mschmidt@redhat.com>
Link: https://lore.kernel.org/r/a17975fd5ae99385791929e563f72564edbcf28f.1731383727.git.calvin@wbinvd.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pps/clients/pps-gpio.c | 4 -
drivers/pps/clients/pps-ktimer.c | 4 -
drivers/pps/clients/pps-ldisc.c | 6 -
drivers/pps/clients/pps_parport.c | 4 -
drivers/pps/kapi.c | 10 +-
drivers/pps/kc.c | 10 +-
drivers/pps/pps.c | 127 +++++++++++++++++++-------------------
include/linux/pps_kernel.h | 3
8 files changed, 86 insertions(+), 82 deletions(-)
--- a/drivers/pps/clients/pps-gpio.c
+++ b/drivers/pps/clients/pps-gpio.c
@@ -232,8 +232,8 @@ static int pps_gpio_probe(struct platfor
return -EINVAL;
}
- dev_info(data->pps->dev, "Registered IRQ %d as PPS source\n",
- data->irq);
+ dev_dbg(&data->pps->dev, "Registered IRQ %d as PPS source\n",
+ data->irq);
return 0;
}
--- a/drivers/pps/clients/pps-ktimer.c
+++ b/drivers/pps/clients/pps-ktimer.c
@@ -56,7 +56,7 @@ static struct pps_source_info pps_ktimer
static void __exit pps_ktimer_exit(void)
{
- dev_info(pps->dev, "ktimer PPS source unregistered\n");
+ dev_dbg(&pps->dev, "ktimer PPS source unregistered\n");
del_timer_sync(&ktimer);
pps_unregister_source(pps);
@@ -74,7 +74,7 @@ static int __init pps_ktimer_init(void)
timer_setup(&ktimer, pps_ktimer_event, 0);
mod_timer(&ktimer, jiffies + HZ);
- dev_info(pps->dev, "ktimer PPS source registered\n");
+ dev_dbg(&pps->dev, "ktimer PPS source registered\n");
return 0;
}
--- a/drivers/pps/clients/pps-ldisc.c
+++ b/drivers/pps/clients/pps-ldisc.c
@@ -34,7 +34,7 @@ static void pps_tty_dcd_change(struct tt
pps_event(pps, &ts, status ? PPS_CAPTUREASSERT :
PPS_CAPTURECLEAR, NULL);
- dev_dbg(pps->dev, "PPS %s at %lu\n",
+ dev_dbg(&pps->dev, "PPS %s at %lu\n",
status ? "assert" : "clear", jiffies);
}
@@ -71,7 +71,7 @@ static int pps_tty_open(struct tty_struc
goto err_unregister;
}
- dev_info(pps->dev, "source \"%s\" added\n", info.path);
+ dev_dbg(&pps->dev, "source \"%s\" added\n", info.path);
return 0;
@@ -91,7 +91,7 @@ static void pps_tty_close(struct tty_str
if (WARN_ON(!pps))
return;
- dev_info(pps->dev, "removed\n");
+ dev_info(&pps->dev, "removed\n");
pps_unregister_source(pps);
}
--- a/drivers/pps/clients/pps_parport.c
+++ b/drivers/pps/clients/pps_parport.c
@@ -83,7 +83,7 @@ static void parport_irq(void *handle)
/* check the signal (no signal means the pulse is lost this time) */
if (!signal_is_set(port)) {
local_irq_restore(flags);
- dev_err(dev->pps->dev, "lost the signal\n");
+ dev_err(&dev->pps->dev, "lost the signal\n");
goto out_assert;
}
@@ -100,7 +100,7 @@ static void parport_irq(void *handle)
/* timeout */
dev->cw_err++;
if (dev->cw_err >= CLEAR_WAIT_MAX_ERRORS) {
- dev_err(dev->pps->dev, "disabled clear edge capture after %d"
+ dev_err(&dev->pps->dev, "disabled clear edge capture after %d"
" timeouts\n", dev->cw_err);
dev->cw = 0;
dev->cw_err = 0;
--- a/drivers/pps/kapi.c
+++ b/drivers/pps/kapi.c
@@ -41,7 +41,7 @@ static void pps_add_offset(struct pps_kt
static void pps_echo_client_default(struct pps_device *pps, int event,
void *data)
{
- dev_info(pps->dev, "echo %s %s\n",
+ dev_info(&pps->dev, "echo %s %s\n",
event & PPS_CAPTUREASSERT ? "assert" : "",
event & PPS_CAPTURECLEAR ? "clear" : "");
}
@@ -112,7 +112,7 @@ struct pps_device *pps_register_source(s
goto kfree_pps;
}
- dev_info(pps->dev, "new PPS source %s\n", info->name);
+ dev_dbg(&pps->dev, "new PPS source %s\n", info->name);
return pps;
@@ -166,7 +166,7 @@ void pps_event(struct pps_device *pps, s
/* check event type */
BUG_ON((event & (PPS_CAPTUREASSERT | PPS_CAPTURECLEAR)) == 0);
- dev_dbg(pps->dev, "PPS event at %lld.%09ld\n",
+ dev_dbg(&pps->dev, "PPS event at %lld.%09ld\n",
(s64)ts->ts_real.tv_sec, ts->ts_real.tv_nsec);
timespec_to_pps_ktime(&ts_real, ts->ts_real);
@@ -188,7 +188,7 @@ void pps_event(struct pps_device *pps, s
/* Save the time stamp */
pps->assert_tu = ts_real;
pps->assert_sequence++;
- dev_dbg(pps->dev, "capture assert seq #%u\n",
+ dev_dbg(&pps->dev, "capture assert seq #%u\n",
pps->assert_sequence);
captured = ~0;
@@ -202,7 +202,7 @@ void pps_event(struct pps_device *pps, s
/* Save the time stamp */
pps->clear_tu = ts_real;
pps->clear_sequence++;
- dev_dbg(pps->dev, "capture clear seq #%u\n",
+ dev_dbg(&pps->dev, "capture clear seq #%u\n",
pps->clear_sequence);
captured = ~0;
--- a/drivers/pps/kc.c
+++ b/drivers/pps/kc.c
@@ -43,11 +43,11 @@ int pps_kc_bind(struct pps_device *pps,
pps_kc_hardpps_mode = 0;
pps_kc_hardpps_dev = NULL;
spin_unlock_irq(&pps_kc_hardpps_lock);
- dev_info(pps->dev, "unbound kernel"
+ dev_info(&pps->dev, "unbound kernel"
" consumer\n");
} else {
spin_unlock_irq(&pps_kc_hardpps_lock);
- dev_err(pps->dev, "selected kernel consumer"
+ dev_err(&pps->dev, "selected kernel consumer"
" is not bound\n");
return -EINVAL;
}
@@ -57,11 +57,11 @@ int pps_kc_bind(struct pps_device *pps,
pps_kc_hardpps_mode = bind_args->edge;
pps_kc_hardpps_dev = pps;
spin_unlock_irq(&pps_kc_hardpps_lock);
- dev_info(pps->dev, "bound kernel consumer: "
+ dev_info(&pps->dev, "bound kernel consumer: "
"edge=0x%x\n", bind_args->edge);
} else {
spin_unlock_irq(&pps_kc_hardpps_lock);
- dev_err(pps->dev, "another kernel consumer"
+ dev_err(&pps->dev, "another kernel consumer"
" is already bound\n");
return -EINVAL;
}
@@ -83,7 +83,7 @@ void pps_kc_remove(struct pps_device *pp
pps_kc_hardpps_mode = 0;
pps_kc_hardpps_dev = NULL;
spin_unlock_irq(&pps_kc_hardpps_lock);
- dev_info(pps->dev, "unbound kernel consumer"
+ dev_info(&pps->dev, "unbound kernel consumer"
" on device removal\n");
} else
spin_unlock_irq(&pps_kc_hardpps_lock);
--- a/drivers/pps/pps.c
+++ b/drivers/pps/pps.c
@@ -25,7 +25,7 @@
* Local variables
*/
-static dev_t pps_devt;
+static int pps_major;
static struct class *pps_class;
static DEFINE_MUTEX(pps_idr_lock);
@@ -62,7 +62,7 @@ static int pps_cdev_pps_fetch(struct pps
else {
unsigned long ticks;
- dev_dbg(pps->dev, "