* [PATCH 6.1 045/150] media: xc2028: avoid use-after-free in load_firmware_cb()
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chi Zhiling, Hans Verkuil,
Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chi Zhiling <chizhiling@kylinos.cn>
[ Upstream commit 68594cec291ff9523b9feb3f43fd853dcddd1f60 ]
syzkaller reported use-after-free in load_firmware_cb() [1].
The reason is because the module allocated a struct tuner in tuner_probe(),
and then the module initialization failed, the struct tuner was released.
A worker which created during module initialization accesses this struct
tuner later, it caused use-after-free.
The process is as follows:
task-6504 worker_thread
tuner_probe <= alloc dvb_frontend [2]
...
request_firmware_nowait <= create a worker
...
tuner_remove <= free dvb_frontend
...
request_firmware_work_func <= the firmware is ready
load_firmware_cb <= but now the dvb_frontend has been freed
To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is
null, report a warning and just return.
[1]:
==================================================================
BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0
Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504
Call trace:
load_firmware_cb+0x1310/0x17a0
request_firmware_work_func+0x128/0x220
process_one_work+0x770/0x1824
worker_thread+0x488/0xea0
kthread+0x300/0x430
ret_from_fork+0x10/0x20
Allocated by task 6504:
kzalloc
tuner_probe+0xb0/0x1430
i2c_device_probe+0x92c/0xaf0
really_probe+0x678/0xcd0
driver_probe_device+0x280/0x370
__device_attach_driver+0x220/0x330
bus_for_each_drv+0x134/0x1c0
__device_attach+0x1f4/0x410
device_initial_probe+0x20/0x30
bus_probe_device+0x184/0x200
device_add+0x924/0x12c0
device_register+0x24/0x30
i2c_new_device+0x4e0/0xc44
v4l2_i2c_new_subdev_board+0xbc/0x290
v4l2_i2c_new_subdev+0xc8/0x104
em28xx_v4l2_init+0x1dd0/0x3770
Freed by task 6504:
kfree+0x238/0x4e4
tuner_remove+0x144/0x1c0
i2c_device_remove+0xc8/0x290
__device_release_driver+0x314/0x5fc
device_release_driver+0x30/0x44
bus_remove_device+0x244/0x490
device_del+0x350/0x900
device_unregister+0x28/0xd0
i2c_unregister_device+0x174/0x1d0
v4l2_device_unregister+0x224/0x380
em28xx_v4l2_init+0x1d90/0x3770
The buggy address belongs to the object at ffff8000d7ca2000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 776 bytes inside of
2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)
The buggy address belongs to the page:
page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0
flags: 0x7ff800000000100(slab)
raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
[2]
Actually, it is allocated for struct tuner, and dvb_frontend is inside.
Signed-off-by: Chi Zhiling <chizhiling@kylinos.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/tuners/xc2028.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/media/tuners/xc2028.c b/drivers/media/tuners/xc2028.c
index 5a967edceca93..352b8a3679b72 100644
--- a/drivers/media/tuners/xc2028.c
+++ b/drivers/media/tuners/xc2028.c
@@ -1361,9 +1361,16 @@ static void load_firmware_cb(const struct firmware *fw,
void *context)
{
struct dvb_frontend *fe = context;
- struct xc2028_data *priv = fe->tuner_priv;
+ struct xc2028_data *priv;
int rc;
+ if (!fe) {
+ pr_warn("xc2028: No frontend in %s\n", __func__);
+ return;
+ }
+
+ priv = fe->tuner_priv;
+
tuner_dbg("request_firmware_nowait(): %s\n", fw ? "OK" : "error");
if (!fw) {
tuner_err("Could not load firmware %s.\n", priv->fname);
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 044/150] media: uvcvideo: Fix the bandwdith quirk on USB 3.x
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Pecio, Ricardo Ribalda,
Laurent Pinchart, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Pecio <michal.pecio@gmail.com>
[ Upstream commit 9e3d55fbd160b3ca376599a68b4cddfdc67d4153 ]
The bandwidth fixup quirk doesn't know that SuperSpeed exists and has
the same 8 service intervals per millisecond as High Speed, hence its
calculations are wrong.
Assume that all speeds from HS up use 8 intervals per millisecond.
No further changes are needed, updated code has been confirmed to work
with all speeds from FS to SS.
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/20240414190040.2255a0bc@foxbook
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/uvc/uvc_video.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
index 7ca0760574598..aa0a879a9c64a 100644
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -212,13 +212,13 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
* Compute a bandwidth estimation by multiplying the frame
* size by the number of video frames per second, divide the
* result by the number of USB frames (or micro-frames for
- * high-speed devices) per second and add the UVC header size
- * (assumed to be 12 bytes long).
+ * high- and super-speed devices) per second and add the UVC
+ * header size (assumed to be 12 bytes long).
*/
bandwidth = frame->wWidth * frame->wHeight / 8 * format->bpp;
bandwidth *= 10000000 / interval + 1;
bandwidth /= 1000;
- if (stream->dev->udev->speed == USB_SPEED_HIGH)
+ if (stream->dev->udev->speed >= USB_SPEED_HIGH)
bandwidth /= 8;
bandwidth += 12;
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 043/150] media: uvcvideo: Ignore empty TS packets
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, HungNien Chen, Sergey Senozhatsky,
Laurent Pinchart, Ricardo Ribalda, Tomasz Figa, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
[ Upstream commit 5cd7c25f6f0576073b3d03bc4cfb1e8ca63a1195 ]
Some SunplusIT cameras took a borderline interpretation of the UVC 1.5
standard, and fill the PTS and SCR fields with invalid data if the
package does not contain data.
"STC must be captured when the first video data of a video frame is put
on the USB bus."
Some SunplusIT devices send, e.g.,
buffer: 0xa7755c00 len 000012 header:0x8c stc 00000000 sof 0000 pts 00000000
buffer: 0xa7755c00 len 000012 header:0x8c stc 00000000 sof 0000 pts 00000000
buffer: 0xa7755c00 len 000668 header:0x8c stc 73779dba sof 070c pts 7376d37a
While the UVC specification meant that the first two packets shouldn't
have had the SCR bit set in the header.
This borderline/buggy interpretation has been implemented in a variety
of devices, from directly SunplusIT and from other OEMs that rebrand
SunplusIT products. So quirking based on VID:PID will be problematic.
All the affected modules have the following extension unit:
VideoControl Interface Descriptor:
guidExtensionCode {82066163-7050-ab49-b8cc-b3855e8d221d}
But the vendor plans to use that GUID in the future and fix the bug,
this means that we should use heuristic to figure out the broken
packets.
This patch takes care of this.
lsusb of one of the affected cameras:
Bus 001 Device 003: ID 1bcf:2a01 Sunplus Innovation Technology Inc.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.01
bDeviceClass 239 Miscellaneous Device
bDeviceSubClass 2 ?
bDeviceProtocol 1 Interface Association
bMaxPacketSize0 64
idVendor 0x1bcf Sunplus Innovation Technology Inc.
idProduct 0x2a01
bcdDevice 0.02
iManufacturer 1 SunplusIT Inc
iProduct 2 HanChen Wise Camera
iSerial 3 01.00.00
bNumConfigurations 1
Tested-by: HungNien Chen <hn.chen@sunplusit.com>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Tomasz Figa <tfiga@chromium.org>
Link: https://lore.kernel.org/r/20240323-resend-hwtimestamp-v10-2-b08e590d97c7@chromium.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/uvc/uvc_video.c | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
index a5ad3ff8bdbb9..7ca0760574598 100644
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -476,6 +476,7 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf,
ktime_t time;
u16 host_sof;
u16 dev_sof;
+ u32 dev_stc;
switch (data[1] & (UVC_STREAM_PTS | UVC_STREAM_SCR)) {
case UVC_STREAM_PTS | UVC_STREAM_SCR:
@@ -522,6 +523,34 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf,
if (dev_sof == stream->clock.last_sof)
return;
+ dev_stc = get_unaligned_le32(&data[header_size - 6]);
+
+ /*
+ * STC (Source Time Clock) is the clock used by the camera. The UVC 1.5
+ * standard states that it "must be captured when the first video data
+ * of a video frame is put on the USB bus". This is generally understood
+ * as requiring devices to clear the payload header's SCR bit before
+ * the first packet containing video data.
+ *
+ * Most vendors follow that interpretation, but some (namely SunplusIT
+ * on some devices) always set the `UVC_STREAM_SCR` bit, fill the SCR
+ * field with 0's,and expect that the driver only processes the SCR if
+ * there is data in the packet.
+ *
+ * Ignore all the hardware timestamp information if we haven't received
+ * any data for this frame yet, the packet contains no data, and both
+ * STC and SOF are zero. This heuristics should be safe on compliant
+ * devices. This should be safe with compliant devices, as in the very
+ * unlikely case where a UVC 1.1 device would send timing information
+ * only before the first packet containing data, and both STC and SOF
+ * happen to be zero for a particular frame, we would only miss one
+ * clock sample from many and the clock recovery algorithm wouldn't
+ * suffer from this condition.
+ */
+ if (buf && buf->bytesused == 0 && len == header_size &&
+ dev_stc == 0 && dev_sof == 0)
+ return;
+
stream->clock.last_sof = dev_sof;
host_sof = usb_get_current_frame_number(stream->dev->udev);
@@ -560,7 +589,7 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf,
spin_lock_irqsave(&stream->clock.lock, flags);
sample = &stream->clock.samples[stream->clock.head];
- sample->dev_stc = get_unaligned_le32(&data[header_size - 6]);
+ sample->dev_stc = dev_stc;
sample->dev_sof = dev_sof;
sample->host_sof = host_sof;
sample->host_time = time;
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 042/150] drm/amd/display: Add null checker before passing variables
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harry Wentland, Hamza Mahfooz,
Alex Hung, Alex Deucher, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit 8092aa3ab8f7b737a34b71f91492c676a843043a ]
Checks null pointer before passing variables to functions.
This fixes 3 NULL_RETURNS issues reported by Coverity.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Acked-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 31bae620aeffc..6189685af1fda 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -2636,7 +2636,8 @@ static int dm_suspend(void *handle)
dm->cached_dc_state = dc_copy_state(dm->dc->current_state);
- dm_gpureset_toggle_interrupts(adev, dm->cached_dc_state, false);
+ if (dm->cached_dc_state)
+ dm_gpureset_toggle_interrupts(adev, dm->cached_dc_state, false);
amdgpu_dm_commit_zero_streams(dm->dc);
@@ -6388,7 +6389,8 @@ static void create_eml_sink(struct amdgpu_dm_connector *aconnector)
aconnector->dc_sink = aconnector->dc_link->local_sink ?
aconnector->dc_link->local_sink :
aconnector->dc_em_sink;
- dc_sink_retain(aconnector->dc_sink);
+ if (aconnector->dc_sink)
+ dc_sink_retain(aconnector->dc_sink);
}
}
@@ -7121,7 +7123,8 @@ static int amdgpu_dm_connector_get_modes(struct drm_connector *connector)
drm_add_modes_noedid(connector, 640, 480);
} else {
amdgpu_dm_connector_ddc_get_modes(connector, edid);
- amdgpu_dm_connector_add_common_modes(encoder, connector);
+ if (encoder)
+ amdgpu_dm_connector_add_common_modes(encoder, connector);
amdgpu_dm_connector_add_freesync_modes(connector, edid);
}
amdgpu_dm_fbc_init(connector);
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 041/150] drm/amd/display: Add NULL check for afb before dereferencing in amdgpu_dm_plane_handle_cursor_update
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Chung, Rodrigo Siqueira,
Roman Li, Hersen Wu, Alex Hung, Aurabindo Pillai, Harry Wentland,
Srinivasan Shanmugam, Alex Deucher, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit 38e6f715b02b572f74677eb2f29d3b4bc6f1ddff ]
This commit adds a null check for the 'afb' variable in the
amdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was
assumed to be null, but was used later in the code without a null check.
This could potentially lead to a null pointer dereference.
Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Hersen Wu <hersenxs.wu@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
index cd6e99cf74a06..984a5affc5af1 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
@@ -1225,14 +1225,22 @@ void handle_cursor_update(struct drm_plane *plane,
{
struct amdgpu_device *adev = drm_to_adev(plane->dev);
struct amdgpu_framebuffer *afb = to_amdgpu_framebuffer(plane->state->fb);
- struct drm_crtc *crtc = afb ? plane->state->crtc : old_plane_state->crtc;
- struct dm_crtc_state *crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL;
- struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc);
- uint64_t address = afb ? afb->address : 0;
+ struct drm_crtc *crtc;
+ struct dm_crtc_state *crtc_state;
+ struct amdgpu_crtc *amdgpu_crtc;
+ u64 address;
struct dc_cursor_position position = {0};
struct dc_cursor_attributes attributes;
int ret;
+ if (!afb)
+ return;
+
+ crtc = plane->state->crtc ? plane->state->crtc : old_plane_state->crtc;
+ crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL;
+ amdgpu_crtc = to_amdgpu_crtc(crtc);
+ address = afb->address;
+
if (!plane->state->fb && !old_plane_state->fb)
return;
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 023/150] ACPI: SBS: manage alarm sysfs attribute through psy core
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Rafael J. Wysocki, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit 6bad28cfc30988a845fb3f59a99f4b8a4ce8fe95 ]
Let the power supply core register the attribute.
This ensures that the attribute is created before the device is
announced to userspace, avoiding a race condition.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/sbs.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
index e6a01a8df1b81..7c0eba1a37d87 100644
--- a/drivers/acpi/sbs.c
+++ b/drivers/acpi/sbs.c
@@ -77,7 +77,6 @@ struct acpi_battery {
u16 spec;
u8 id;
u8 present:1;
- u8 have_sysfs_alarm:1;
};
#define to_acpi_battery(x) power_supply_get_drvdata(x)
@@ -462,12 +461,18 @@ static ssize_t acpi_battery_alarm_store(struct device *dev,
return count;
}
-static const struct device_attribute alarm_attr = {
+static struct device_attribute alarm_attr = {
.attr = {.name = "alarm", .mode = 0644},
.show = acpi_battery_alarm_show,
.store = acpi_battery_alarm_store,
};
+static struct attribute *acpi_battery_attrs[] = {
+ &alarm_attr.attr,
+ NULL
+};
+ATTRIBUTE_GROUPS(acpi_battery);
+
/* --------------------------------------------------------------------------
Driver Interface
-------------------------------------------------------------------------- */
@@ -509,7 +514,10 @@ static int acpi_battery_read(struct acpi_battery *battery)
static int acpi_battery_add(struct acpi_sbs *sbs, int id)
{
struct acpi_battery *battery = &sbs->battery[id];
- struct power_supply_config psy_cfg = { .drv_data = battery, };
+ struct power_supply_config psy_cfg = {
+ .drv_data = battery,
+ .attr_grp = acpi_battery_groups,
+ };
int result;
battery->id = id;
@@ -539,10 +547,6 @@ static int acpi_battery_add(struct acpi_sbs *sbs, int id)
goto end;
}
- result = device_create_file(&battery->bat->dev, &alarm_attr);
- if (result)
- goto end;
- battery->have_sysfs_alarm = 1;
end:
pr_info("%s [%s]: Battery Slot [%s] (battery %s)\n",
ACPI_SBS_DEVICE_NAME, acpi_device_bid(sbs->device),
@@ -554,11 +558,8 @@ static void acpi_battery_remove(struct acpi_sbs *sbs, int id)
{
struct acpi_battery *battery = &sbs->battery[id];
- if (battery->bat) {
- if (battery->have_sysfs_alarm)
- device_remove_file(&battery->bat->dev, &alarm_attr);
+ if (battery->bat)
power_supply_unregister(battery->bat);
- }
}
static int acpi_charger_add(struct acpi_sbs *sbs)
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 040/150] media: amphion: Remove lock in s_ctrl callback
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Qian, Sebastian Fricke,
Hans Verkuil, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@nxp.com>
[ Upstream commit 065927b51eb1f042c3e026cebfd55e72ccc26093 ]
There is no need to add a lock in s_ctrl callback, it has been
synchronized by the ctrl_handler's lock, otherwise it may led to
a deadlock if the driver calls v4l2_ctrl_s_ctrl().
Signed-off-by: Ming Qian <ming.qian@nxp.com>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/amphion/vdec.c | 2 --
drivers/media/platform/amphion/venc.c | 2 --
2 files changed, 4 deletions(-)
diff --git a/drivers/media/platform/amphion/vdec.c b/drivers/media/platform/amphion/vdec.c
index dc35a87e628ec..2bfab4467b81c 100644
--- a/drivers/media/platform/amphion/vdec.c
+++ b/drivers/media/platform/amphion/vdec.c
@@ -145,7 +145,6 @@ static int vdec_op_s_ctrl(struct v4l2_ctrl *ctrl)
struct vdec_t *vdec = inst->priv;
int ret = 0;
- vpu_inst_lock(inst);
switch (ctrl->id) {
case V4L2_CID_MPEG_VIDEO_DEC_DISPLAY_DELAY_ENABLE:
vdec->params.display_delay_enable = ctrl->val;
@@ -157,7 +156,6 @@ static int vdec_op_s_ctrl(struct v4l2_ctrl *ctrl)
ret = -EINVAL;
break;
}
- vpu_inst_unlock(inst);
return ret;
}
diff --git a/drivers/media/platform/amphion/venc.c b/drivers/media/platform/amphion/venc.c
index 1df2b35c1a240..c9cfef16c5b92 100644
--- a/drivers/media/platform/amphion/venc.c
+++ b/drivers/media/platform/amphion/venc.c
@@ -528,7 +528,6 @@ static int venc_op_s_ctrl(struct v4l2_ctrl *ctrl)
struct venc_t *venc = inst->priv;
int ret = 0;
- vpu_inst_lock(inst);
switch (ctrl->id) {
case V4L2_CID_MPEG_VIDEO_H264_PROFILE:
venc->params.profile = ctrl->val;
@@ -589,7 +588,6 @@ static int venc_op_s_ctrl(struct v4l2_ctrl *ctrl)
ret = -EINVAL;
break;
}
- vpu_inst_unlock(inst);
return ret;
}
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 039/150] drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bob Zhou, Tim Huang, Alex Deucher,
Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bob Zhou <bob.zhou@amd.com>
[ Upstream commit 50151b7f1c79a09117837eb95b76c2de76841dab ]
Check return value and conduct null pointer handling to avoid null pointer dereference.
Signed-off-by: Bob Zhou <bob.zhou@amd.com>
Reviewed-by: Tim Huang <Tim.Huang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 29 ++++++++++++++++---
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
index 2628f12e0eedc..f8333410cc3e4 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
@@ -3422,13 +3422,17 @@ static int vega10_find_dpm_states_clocks_in_dpm_table(struct pp_hwmgr *hwmgr, co
const struct vega10_power_state *vega10_ps =
cast_const_phw_vega10_power_state(states->pnew_state);
struct vega10_single_dpm_table *sclk_table = &(data->dpm_table.gfx_table);
- uint32_t sclk = vega10_ps->performance_levels
- [vega10_ps->performance_level_count - 1].gfx_clock;
struct vega10_single_dpm_table *mclk_table = &(data->dpm_table.mem_table);
- uint32_t mclk = vega10_ps->performance_levels
- [vega10_ps->performance_level_count - 1].mem_clock;
+ uint32_t sclk, mclk;
uint32_t i;
+ if (vega10_ps == NULL)
+ return -EINVAL;
+ sclk = vega10_ps->performance_levels
+ [vega10_ps->performance_level_count - 1].gfx_clock;
+ mclk = vega10_ps->performance_levels
+ [vega10_ps->performance_level_count - 1].mem_clock;
+
for (i = 0; i < sclk_table->count; i++) {
if (sclk == sclk_table->dpm_levels[i].value)
break;
@@ -3735,6 +3739,9 @@ static int vega10_generate_dpm_level_enable_mask(
cast_const_phw_vega10_power_state(states->pnew_state);
int i;
+ if (vega10_ps == NULL)
+ return -EINVAL;
+
PP_ASSERT_WITH_CODE(!vega10_trim_dpm_states(hwmgr, vega10_ps),
"Attempt to Trim DPM States Failed!",
return -1);
@@ -5002,6 +5009,8 @@ static int vega10_check_states_equal(struct pp_hwmgr *hwmgr,
vega10_psa = cast_const_phw_vega10_power_state(pstate1);
vega10_psb = cast_const_phw_vega10_power_state(pstate2);
+ if (vega10_psa == NULL || vega10_psb == NULL)
+ return -EINVAL;
/* If the two states don't even have the same number of performance levels
* they cannot be the same state.
@@ -5135,6 +5144,8 @@ static int vega10_set_sclk_od(struct pp_hwmgr *hwmgr, uint32_t value)
return -EINVAL;
vega10_ps = cast_phw_vega10_power_state(&ps->hardware);
+ if (vega10_ps == NULL)
+ return -EINVAL;
vega10_ps->performance_levels
[vega10_ps->performance_level_count - 1].gfx_clock =
@@ -5186,6 +5197,8 @@ static int vega10_set_mclk_od(struct pp_hwmgr *hwmgr, uint32_t value)
return -EINVAL;
vega10_ps = cast_phw_vega10_power_state(&ps->hardware);
+ if (vega10_ps == NULL)
+ return -EINVAL;
vega10_ps->performance_levels
[vega10_ps->performance_level_count - 1].mem_clock =
@@ -5427,6 +5440,9 @@ static void vega10_odn_update_power_state(struct pp_hwmgr *hwmgr)
return;
vega10_ps = cast_phw_vega10_power_state(&ps->hardware);
+ if (vega10_ps == NULL)
+ return;
+
max_level = vega10_ps->performance_level_count - 1;
if (vega10_ps->performance_levels[max_level].gfx_clock !=
@@ -5449,6 +5465,9 @@ static void vega10_odn_update_power_state(struct pp_hwmgr *hwmgr)
ps = (struct pp_power_state *)((unsigned long)(hwmgr->ps) + hwmgr->ps_size * (hwmgr->num_ps - 1));
vega10_ps = cast_phw_vega10_power_state(&ps->hardware);
+ if (vega10_ps == NULL)
+ return;
+
max_level = vega10_ps->performance_level_count - 1;
if (vega10_ps->performance_levels[max_level].gfx_clock !=
@@ -5639,6 +5658,8 @@ static int vega10_get_performance_level(struct pp_hwmgr *hwmgr, const struct pp_
return -EINVAL;
vega10_ps = cast_const_phw_vega10_power_state(state);
+ if (vega10_ps == NULL)
+ return -EINVAL;
i = index > vega10_ps->performance_level_count - 1 ?
vega10_ps->performance_level_count - 1 : index;
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 038/150] drm/amdgpu: Add lock around VF RLCG interface
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Victor Skvortsov, Zhigang Luo,
Alex Deucher, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Skvortsov <victor.skvortsov@amd.com>
[ Upstream commit e864180ee49b4d30e640fd1e1d852b86411420c9 ]
flush_gpu_tlb may be called from another thread while
device_gpu_recover is running.
Both of these threads access registers through the VF
RLCG interface during VF Full Access. Add a lock around this interface
to prevent race conditions between these threads.
Signed-off-by: Victor Skvortsov <victor.skvortsov@amd.com>
Reviewed-by: Zhigang Luo <zhigang.luo@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 6 ++++++
drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 2 ++
3 files changed, 9 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
index d4faa489bd5fa..4d1c2eb63090f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -3631,6 +3631,7 @@ int amdgpu_device_init(struct amdgpu_device *adev,
mutex_init(&adev->grbm_idx_mutex);
mutex_init(&adev->mn_lock);
mutex_init(&adev->virt.vf_errors.lock);
+ mutex_init(&adev->virt.rlcg_reg_lock);
hash_init(adev->mn_hash);
mutex_init(&adev->psp.mutex);
mutex_init(&adev->notifier_lock);
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
index 81549f1edfe01..5ee9211c503c4 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
@@ -956,6 +956,9 @@ static u32 amdgpu_virt_rlcg_reg_rw(struct amdgpu_device *adev, u32 offset, u32 v
scratch_reg1 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg1;
scratch_reg2 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg2;
scratch_reg3 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg3;
+
+ mutex_lock(&adev->virt.rlcg_reg_lock);
+
if (reg_access_ctrl->spare_int)
spare_int = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->spare_int;
@@ -1009,6 +1012,9 @@ static u32 amdgpu_virt_rlcg_reg_rw(struct amdgpu_device *adev, u32 offset, u32 v
}
ret = readl(scratch_reg0);
+
+ mutex_unlock(&adev->virt.rlcg_reg_lock);
+
return ret;
}
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
index 2b9d806e23afb..dc6aaa4d67be7 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
@@ -260,6 +260,8 @@ struct amdgpu_virt {
/* the ucode id to signal the autoload */
uint32_t autoload_ucode_id;
+
+ struct mutex rlcg_reg_lock;
};
struct amdgpu_video_codec_info;
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 037/150] drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Wang, Ma Jun, Alex Deucher,
Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Jun <Jun.Ma2@amd.com>
[ Upstream commit d19fb10085a49b77578314f69fff21562f7cd054 ]
Check the pointer value to fix potential null pointer
dereference
Acked-by: Yang Wang<kevinyang.wang@amd.com>
Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 7 +++++--
.../gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c | 14 ++++++++------
.../gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 7 +++++--
3 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
index 9f2f3f6a79adb..750b7527bdf83 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
@@ -3327,8 +3327,7 @@ static int smu7_apply_state_adjust_rules(struct pp_hwmgr *hwmgr,
const struct pp_power_state *current_ps)
{
struct amdgpu_device *adev = hwmgr->adev;
- struct smu7_power_state *smu7_ps =
- cast_phw_smu7_power_state(&request_ps->hardware);
+ struct smu7_power_state *smu7_ps;
uint32_t sclk;
uint32_t mclk;
struct PP_Clocks minimum_clocks = {0};
@@ -3345,6 +3344,10 @@ static int smu7_apply_state_adjust_rules(struct pp_hwmgr *hwmgr,
uint32_t latency;
bool latency_allowed = false;
+ smu7_ps = cast_phw_smu7_power_state(&request_ps->hardware);
+ if (!smu7_ps)
+ return -EINVAL;
+
data->battery_state = (PP_StateUILabel_Battery ==
request_ps->classification.ui_label);
data->mclk_ignore_signal = false;
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c
index b015a601b385a..eb744401e0567 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c
@@ -1065,16 +1065,18 @@ static int smu8_apply_state_adjust_rules(struct pp_hwmgr *hwmgr,
struct pp_power_state *prequest_ps,
const struct pp_power_state *pcurrent_ps)
{
- struct smu8_power_state *smu8_ps =
- cast_smu8_power_state(&prequest_ps->hardware);
-
- const struct smu8_power_state *smu8_current_ps =
- cast_const_smu8_power_state(&pcurrent_ps->hardware);
-
+ struct smu8_power_state *smu8_ps;
+ const struct smu8_power_state *smu8_current_ps;
struct smu8_hwmgr *data = hwmgr->backend;
struct PP_Clocks clocks = {0, 0, 0, 0};
bool force_high;
+ smu8_ps = cast_smu8_power_state(&prequest_ps->hardware);
+ smu8_current_ps = cast_const_smu8_power_state(&pcurrent_ps->hardware);
+
+ if (!smu8_ps || !smu8_current_ps)
+ return -EINVAL;
+
smu8_ps->need_dfs_bypass = true;
data->battery_state = (PP_StateUILabel_Battery == prequest_ps->classification.ui_label);
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
index d8cd23438b762..2628f12e0eedc 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
@@ -3263,8 +3263,7 @@ static int vega10_apply_state_adjust_rules(struct pp_hwmgr *hwmgr,
const struct pp_power_state *current_ps)
{
struct amdgpu_device *adev = hwmgr->adev;
- struct vega10_power_state *vega10_ps =
- cast_phw_vega10_power_state(&request_ps->hardware);
+ struct vega10_power_state *vega10_ps;
uint32_t sclk;
uint32_t mclk;
struct PP_Clocks minimum_clocks = {0};
@@ -3282,6 +3281,10 @@ static int vega10_apply_state_adjust_rules(struct pp_hwmgr *hwmgr,
uint32_t stable_pstate_sclk = 0, stable_pstate_mclk = 0;
uint32_t latency;
+ vega10_ps = cast_phw_vega10_power_state(&request_ps->hardware);
+ if (!vega10_ps)
+ return -EINVAL;
+
data->battery_state = (PP_StateUILabel_Battery ==
request_ps->classification.ui_label);
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 036/150] drm/amdgpu: Fix the null pointer dereference to ras_manager
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Jun, Lijo Lazar, Alex Deucher,
Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Jun <Jun.Ma2@amd.com>
[ Upstream commit 4c11d30c95576937c6c35e6f29884761f2dddb43 ]
Check ras_manager before using it
Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index ee83d282b49a8..4b7b3278a05f1 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -1679,12 +1679,15 @@ static void amdgpu_ras_interrupt_process_handler(struct work_struct *work)
int amdgpu_ras_interrupt_dispatch(struct amdgpu_device *adev,
struct ras_dispatch_if *info)
{
- struct ras_manager *obj = amdgpu_ras_find_obj(adev, &info->head);
- struct ras_ih_data *data = &obj->ih_data;
+ struct ras_manager *obj;
+ struct ras_ih_data *data;
+ obj = amdgpu_ras_find_obj(adev, &info->head);
if (!obj)
return -EINVAL;
+ data = &obj->ih_data;
+
if (data->inuse == 0)
return 0;
--
2.43.0
^ permalink raw reply related
* Re: [Intel-wired-lan] [PATCH iwl-next v1] i40e: Add Energy Efficient Ethernet ability for X710 Base-T/KR/KX cards
From: Simon Horman @ 2024-08-12 16:06 UTC (permalink / raw)
To: Przemek Kitszel
Cc: Aleksandr Loktionov, anthony.l.nguyen, Arkadiusz Kubalewski,
intel-wired-lan, netdev
In-Reply-To: <4e3602d2-6c6e-4311-b4fc-b3f8e2ce4da5@intel.com>
On Mon, Aug 12, 2024 at 10:09:37AM +0200, Przemek Kitszel wrote:
> On 8/9/24 17:25, Simon Horman wrote:
> > On Thu, Aug 08, 2024 at 01:22:17PM +0200, Aleksandr Loktionov wrote:
> >
> > ...
> >
> > > diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
> > > index 1d0d2e5..cd7509f 100644
> > > --- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
> > > +++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
> > > @@ -5641,50 +5641,77 @@ static int i40e_get_module_eeprom(struct net_device *netdev,
> > > return 0;
> > > }
> > > +static void i40e_eee_capability_to_kedata_supported(__le16 eee_capability_,
> > > + unsigned long *supported)
> > > +{
> > > + const int eee_capability = le16_to_cpu(eee_capability_);
> >
> > Hi Aleksandr,
> >
> > Maybe u16 would be an appropriate type for eee_capability.
> > Also, using const seems excessive here.
> >
> > > + static const int lut[] = {
> > > + ETHTOOL_LINK_MODE_100baseT_Full_BIT,
> > > + ETHTOOL_LINK_MODE_1000baseT_Full_BIT,
> > > + ETHTOOL_LINK_MODE_10000baseT_Full_BIT,
> > > + ETHTOOL_LINK_MODE_1000baseKX_Full_BIT,
> > > + ETHTOOL_LINK_MODE_10000baseKX4_Full_BIT,
> > > + ETHTOOL_LINK_MODE_10000baseKR_Full_BIT,
> > > + ETHTOOL_LINK_MODE_40000baseKR4_Full_BIT,
> > > + };
> > > +
> > > + linkmode_zero(supported);
> > > + for (unsigned int i = ARRAY_SIZE(lut); i--; )
> > > + if (eee_capability & (1 << (i + 1)))
> >
> > Perhaps:
> >
> > if (eee_capability & BIT(i + 1))
>
> I would avoid any operations with @i other than using it as index:
> lut[i]. We have link mode bits in the table, why to compute that again?
>
> >
> > > + linkmode_set_bit(lut[i], supported);
> > > +}
> > > +
> > > static int i40e_get_eee(struct net_device *netdev, struct ethtool_keee *edata)
> > > {
> > > struct i40e_netdev_priv *np = netdev_priv(netdev);
> > > struct i40e_aq_get_phy_abilities_resp phy_cfg;
> > > struct i40e_vsi *vsi = np->vsi;
> > > struct i40e_pf *pf = vsi->back;
> > > struct i40e_hw *hw = &pf->hw;
> > > - int status = 0;
> > > + int status;
> >
> > This change seems unrelated to the subject of this patch.
> > If so, please remove.
>
> Hmm, it's remotely related, trivial, and makes code better;
> I intentionally said nothing about this during our internal review ;)
Ok, I would vote for it being a separate patch.
But I won't push this one any further.
^ permalink raw reply
* Re: [PATCH] dt-bindings: remoteproc: xlnx,zynqmp-r5fss: add missing "additionalProperties" on child nodes
From: Conor Dooley @ 2024-08-12 16:06 UTC (permalink / raw)
To: Krzysztof Kozlowski
Cc: Bjorn Andersson, Mathieu Poirier, Rob Herring,
Krzysztof Kozlowski, Conor Dooley, Michal Simek, Ben Levinsky,
Tanmay Shah, Radhey Shyam Pandey, linux-remoteproc, devicetree,
linux-arm-kernel, linux-kernel
In-Reply-To: <20240811153438.126457-1-krzysztof.kozlowski@linaro.org>
[-- Attachment #1: Type: text/plain, Size: 593 bytes --]
On Sun, Aug 11, 2024 at 05:34:38PM +0200, Krzysztof Kozlowski wrote:
> All nodes need an explicit additionalProperties or unevaluatedProperties
> unless a $ref has one that's false. Add missing additionalProperties
> to fix dt_binding_check warning:
>
> xlnx,zynqmp-r5fss.yaml: ^r(.*)@[0-9a-f]+$: Missing additionalProperties/unevaluatedProperties constraint
>
> Fixes: 9e1b2a0757d0 ("dt-bindings: remoteproc: Add Tightly Coupled Memory (TCM) bindings")
> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply
* [PATCH 6.1 035/150] drm/amdgpu/pm: Fix the null pointer dereference for smu7
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Jun, Yang Wang, Alex Deucher,
Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Jun <Jun.Ma2@amd.com>
[ Upstream commit c02c1960c93eede587576625a1221205a68a904f ]
optimize the code to avoid pass a null pointer (hwmgr->backend)
to function smu7_update_edc_leakage_table.
Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 50 +++++++++----------
1 file changed, 24 insertions(+), 26 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
index 5e9410117712c..9f2f3f6a79adb 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
@@ -2970,6 +2970,7 @@ static int smu7_update_edc_leakage_table(struct pp_hwmgr *hwmgr)
static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
{
+ struct amdgpu_device *adev = hwmgr->adev;
struct smu7_hwmgr *data;
int result = 0;
@@ -3006,40 +3007,37 @@ static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
/* Initalize Dynamic State Adjustment Rule Settings */
result = phm_initializa_dynamic_state_adjustment_rule_settings(hwmgr);
- if (0 == result) {
- struct amdgpu_device *adev = hwmgr->adev;
+ if (result)
+ goto fail;
- data->is_tlu_enabled = false;
+ data->is_tlu_enabled = false;
- hwmgr->platform_descriptor.hardwareActivityPerformanceLevels =
+ hwmgr->platform_descriptor.hardwareActivityPerformanceLevels =
SMU7_MAX_HARDWARE_POWERLEVELS;
- hwmgr->platform_descriptor.hardwarePerformanceLevels = 2;
- hwmgr->platform_descriptor.minimumClocksReductionPercentage = 50;
+ hwmgr->platform_descriptor.hardwarePerformanceLevels = 2;
+ hwmgr->platform_descriptor.minimumClocksReductionPercentage = 50;
- data->pcie_gen_cap = adev->pm.pcie_gen_mask;
- if (data->pcie_gen_cap & CAIL_PCIE_LINK_SPEED_SUPPORT_GEN3)
- data->pcie_spc_cap = 20;
- else
- data->pcie_spc_cap = 16;
- data->pcie_lane_cap = adev->pm.pcie_mlw_mask;
-
- hwmgr->platform_descriptor.vbiosInterruptId = 0x20000400; /* IRQ_SOURCE1_SW_INT */
-/* The true clock step depends on the frequency, typically 4.5 or 9 MHz. Here we use 5. */
- hwmgr->platform_descriptor.clockStep.engineClock = 500;
- hwmgr->platform_descriptor.clockStep.memoryClock = 500;
- smu7_thermal_parameter_init(hwmgr);
- } else {
- /* Ignore return value in here, we are cleaning up a mess. */
- smu7_hwmgr_backend_fini(hwmgr);
- }
+ data->pcie_gen_cap = adev->pm.pcie_gen_mask;
+ if (data->pcie_gen_cap & CAIL_PCIE_LINK_SPEED_SUPPORT_GEN3)
+ data->pcie_spc_cap = 20;
+ else
+ data->pcie_spc_cap = 16;
+ data->pcie_lane_cap = adev->pm.pcie_mlw_mask;
+
+ hwmgr->platform_descriptor.vbiosInterruptId = 0x20000400; /* IRQ_SOURCE1_SW_INT */
+ /* The true clock step depends on the frequency, typically 4.5 or 9 MHz. Here we use 5. */
+ hwmgr->platform_descriptor.clockStep.engineClock = 500;
+ hwmgr->platform_descriptor.clockStep.memoryClock = 500;
+ smu7_thermal_parameter_init(hwmgr);
result = smu7_update_edc_leakage_table(hwmgr);
- if (result) {
- smu7_hwmgr_backend_fini(hwmgr);
- return result;
- }
+ if (result)
+ goto fail;
return 0;
+fail:
+ smu7_hwmgr_backend_fini(hwmgr);
+ return result;
}
static int smu7_force_dpm_highest(struct pp_hwmgr *hwmgr)
--
2.43.0
^ permalink raw reply related
* Re: [PATCH iwl-next v1] i40e: Add Energy Efficient Ethernet ability for X710 Base-T/KR/KX cards
From: Simon Horman @ 2024-08-12 16:06 UTC (permalink / raw)
To: Przemek Kitszel
Cc: Aleksandr Loktionov, intel-wired-lan, anthony.l.nguyen, netdev,
Arkadiusz Kubalewski
In-Reply-To: <4e3602d2-6c6e-4311-b4fc-b3f8e2ce4da5@intel.com>
On Mon, Aug 12, 2024 at 10:09:37AM +0200, Przemek Kitszel wrote:
> On 8/9/24 17:25, Simon Horman wrote:
> > On Thu, Aug 08, 2024 at 01:22:17PM +0200, Aleksandr Loktionov wrote:
> >
> > ...
> >
> > > diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
> > > index 1d0d2e5..cd7509f 100644
> > > --- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
> > > +++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
> > > @@ -5641,50 +5641,77 @@ static int i40e_get_module_eeprom(struct net_device *netdev,
> > > return 0;
> > > }
> > > +static void i40e_eee_capability_to_kedata_supported(__le16 eee_capability_,
> > > + unsigned long *supported)
> > > +{
> > > + const int eee_capability = le16_to_cpu(eee_capability_);
> >
> > Hi Aleksandr,
> >
> > Maybe u16 would be an appropriate type for eee_capability.
> > Also, using const seems excessive here.
> >
> > > + static const int lut[] = {
> > > + ETHTOOL_LINK_MODE_100baseT_Full_BIT,
> > > + ETHTOOL_LINK_MODE_1000baseT_Full_BIT,
> > > + ETHTOOL_LINK_MODE_10000baseT_Full_BIT,
> > > + ETHTOOL_LINK_MODE_1000baseKX_Full_BIT,
> > > + ETHTOOL_LINK_MODE_10000baseKX4_Full_BIT,
> > > + ETHTOOL_LINK_MODE_10000baseKR_Full_BIT,
> > > + ETHTOOL_LINK_MODE_40000baseKR4_Full_BIT,
> > > + };
> > > +
> > > + linkmode_zero(supported);
> > > + for (unsigned int i = ARRAY_SIZE(lut); i--; )
> > > + if (eee_capability & (1 << (i + 1)))
> >
> > Perhaps:
> >
> > if (eee_capability & BIT(i + 1))
>
> I would avoid any operations with @i other than using it as index:
> lut[i]. We have link mode bits in the table, why to compute that again?
>
> >
> > > + linkmode_set_bit(lut[i], supported);
> > > +}
> > > +
> > > static int i40e_get_eee(struct net_device *netdev, struct ethtool_keee *edata)
> > > {
> > > struct i40e_netdev_priv *np = netdev_priv(netdev);
> > > struct i40e_aq_get_phy_abilities_resp phy_cfg;
> > > struct i40e_vsi *vsi = np->vsi;
> > > struct i40e_pf *pf = vsi->back;
> > > struct i40e_hw *hw = &pf->hw;
> > > - int status = 0;
> > > + int status;
> >
> > This change seems unrelated to the subject of this patch.
> > If so, please remove.
>
> Hmm, it's remotely related, trivial, and makes code better;
> I intentionally said nothing about this during our internal review ;)
Ok, I would vote for it being a separate patch.
But I won't push this one any further.
^ permalink raw reply
* [PATCH 6.1 034/150] drm/amdgpu/pm: Fix the param type of set_power_profile_mode
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Jun, Alex Deucher, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Jun <Jun.Ma2@amd.com>
[ Upstream commit f683f24093dd94a831085fe0ea8e9dc4c6c1a2d1 ]
Function .set_power_profile_mode need an array as input
parameter. So define variable workload as an array to fix
the below coverity warning.
"Passing &workload to function hwmgr->hwmgr_func->set_power_profile_mode
which uses it as an array. This might corrupt or misinterpret adjacent
memory locations"
Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 8 ++++----
drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c | 8 ++++----
drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 16 ++++++++--------
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
index 179e1c593a53f..f3668911a88fd 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
@@ -928,7 +928,7 @@ static int pp_dpm_switch_power_profile(void *handle,
enum PP_SMC_POWER_PROFILE type, bool en)
{
struct pp_hwmgr *hwmgr = handle;
- long workload;
+ long workload[1];
uint32_t index;
if (!hwmgr || !hwmgr->pm_en)
@@ -946,12 +946,12 @@ static int pp_dpm_switch_power_profile(void *handle,
hwmgr->workload_mask &= ~(1 << hwmgr->workload_prority[type]);
index = fls(hwmgr->workload_mask);
index = index > 0 && index <= Workload_Policy_Max ? index - 1 : 0;
- workload = hwmgr->workload_setting[index];
+ workload[0] = hwmgr->workload_setting[index];
} else {
hwmgr->workload_mask |= (1 << hwmgr->workload_prority[type]);
index = fls(hwmgr->workload_mask);
index = index <= Workload_Policy_Max ? index - 1 : 0;
- workload = hwmgr->workload_setting[index];
+ workload[0] = hwmgr->workload_setting[index];
}
if (type == PP_SMC_POWER_PROFILE_COMPUTE &&
@@ -961,7 +961,7 @@ static int pp_dpm_switch_power_profile(void *handle,
}
if (hwmgr->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL)
- hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, &workload, 0);
+ hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, workload, 0);
return 0;
}
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
index 1d829402cd2e2..f4bd8e9357e22 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
@@ -269,7 +269,7 @@ int psm_adjust_power_state_dynamic(struct pp_hwmgr *hwmgr, bool skip_display_set
struct pp_power_state *new_ps)
{
uint32_t index;
- long workload;
+ long workload[1];
if (hwmgr->not_vf) {
if (!skip_display_settings)
@@ -294,10 +294,10 @@ int psm_adjust_power_state_dynamic(struct pp_hwmgr *hwmgr, bool skip_display_set
if (hwmgr->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL) {
index = fls(hwmgr->workload_mask);
index = index > 0 && index <= Workload_Policy_Max ? index - 1 : 0;
- workload = hwmgr->workload_setting[index];
+ workload[0] = hwmgr->workload_setting[index];
- if (hwmgr->power_profile_mode != workload && hwmgr->hwmgr_func->set_power_profile_mode)
- hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, &workload, 0);
+ if (hwmgr->power_profile_mode != workload[0] && hwmgr->hwmgr_func->set_power_profile_mode)
+ hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, workload, 0);
}
return 0;
diff --git a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
index 1d0693dad8185..91f0646eb3ee0 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
@@ -1834,7 +1834,7 @@ static int smu_adjust_power_state_dynamic(struct smu_context *smu,
{
int ret = 0;
int index = 0;
- long workload;
+ long workload[1];
struct smu_dpm_context *smu_dpm_ctx = &(smu->smu_dpm);
if (!skip_display_settings) {
@@ -1874,10 +1874,10 @@ static int smu_adjust_power_state_dynamic(struct smu_context *smu,
smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_PERF_DETERMINISM) {
index = fls(smu->workload_mask);
index = index > 0 && index <= WORKLOAD_POLICY_MAX ? index - 1 : 0;
- workload = smu->workload_setting[index];
+ workload[0] = smu->workload_setting[index];
- if (smu->power_profile_mode != workload)
- smu_bump_power_profile_mode(smu, &workload, 0);
+ if (smu->power_profile_mode != workload[0])
+ smu_bump_power_profile_mode(smu, workload, 0);
}
return ret;
@@ -1927,7 +1927,7 @@ static int smu_switch_power_profile(void *handle,
{
struct smu_context *smu = handle;
struct smu_dpm_context *smu_dpm_ctx = &(smu->smu_dpm);
- long workload;
+ long workload[1];
uint32_t index;
if (!smu->pm_enabled || !smu->adev->pm.dpm_enabled)
@@ -1940,17 +1940,17 @@ static int smu_switch_power_profile(void *handle,
smu->workload_mask &= ~(1 << smu->workload_prority[type]);
index = fls(smu->workload_mask);
index = index > 0 && index <= WORKLOAD_POLICY_MAX ? index - 1 : 0;
- workload = smu->workload_setting[index];
+ workload[0] = smu->workload_setting[index];
} else {
smu->workload_mask |= (1 << smu->workload_prority[type]);
index = fls(smu->workload_mask);
index = index <= WORKLOAD_POLICY_MAX ? index - 1 : 0;
- workload = smu->workload_setting[index];
+ workload[0] = smu->workload_setting[index];
}
if (smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL &&
smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_PERF_DETERMINISM)
- smu_bump_power_profile_mode(smu, &workload, 0);
+ smu_bump_power_profile_mode(smu, workload, 0);
return 0;
}
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 033/150] btrfs: fix bitmap leak when loading free space cache on duplicate entry
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Filipe Manana,
David Sterba, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 320d8dc612660da84c3b70a28658bb38069e5a9a ]
If we failed to link a free space entry because there's already a
conflicting entry for the same offset, we free the free space entry but
we don't free the associated bitmap that we had just allocated before.
Fix that by freeing the bitmap before freeing the entry.
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/free-space-cache.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
index 76d52d682b3b0..21d262da386d5 100644
--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -865,6 +865,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode,
spin_unlock(&ctl->tree_lock);
btrfs_err(fs_info,
"Duplicate entries in free space cache, dumping");
+ kmem_cache_free(btrfs_free_space_bitmap_cachep, e->bitmap);
kmem_cache_free(btrfs_free_space_cachep, e);
goto free_cache;
}
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 032/150] can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of mcp2518fd
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Althöfer, Thomas Kopp,
Marc Kleine-Budde, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit 3a0a88fcbaf9e027ecca3fe8775be9700b4d6460 ]
This patch updates the workaround for a problem similar to erratum
DS80000789E 6 of the mcp2518fd, the other variants of the chip
family (mcp2517fd and mcp251863) are probably also affected.
Erratum DS80000789E 6 says "reading of the FIFOCI bits in the FIFOSTA
register for an RX FIFO may be corrupted". However observation shows
that this problem is not limited to RX FIFOs but also effects the TEF
FIFO.
In the bad case, the driver reads a too large head index. As the FIFO
is implemented as a ring buffer, this results in re-handling old CAN
transmit complete events.
Every transmit complete event contains with a sequence number that
equals to the sequence number of the corresponding TX request. This
way old TX complete events can be detected.
If the original driver detects a non matching sequence number, it
prints an info message and tries again later. As wrong sequence
numbers can be explained by the erratum DS80000789E 6, demote the info
message to debug level, streamline the code and update the comments.
Keep the behavior: If an old CAN TX complete event is detected, abort
the iteration and mark the number of valid CAN TX complete events as
processed in the chip by incrementing the FIFO's tail index.
Cc: Stefan Althöfer <Stefan.Althoefer@janztec.com>
Cc: Thomas Kopp <thomas.kopp@microchip.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 71 +++++++------------
1 file changed, 27 insertions(+), 44 deletions(-)
diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
index b33192964cf7d..902eb767426d1 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
@@ -60,56 +60,39 @@ static int mcp251xfd_check_tef_tail(const struct mcp251xfd_priv *priv)
return 0;
}
-static int
-mcp251xfd_handle_tefif_recover(const struct mcp251xfd_priv *priv, const u32 seq)
-{
- const struct mcp251xfd_tx_ring *tx_ring = priv->tx;
- u32 tef_sta;
- int err;
-
- err = regmap_read(priv->map_reg, MCP251XFD_REG_TEFSTA, &tef_sta);
- if (err)
- return err;
-
- if (tef_sta & MCP251XFD_REG_TEFSTA_TEFOVIF) {
- netdev_err(priv->ndev,
- "Transmit Event FIFO buffer overflow.\n");
- return -ENOBUFS;
- }
-
- netdev_info(priv->ndev,
- "Transmit Event FIFO buffer %s. (seq=0x%08x, tef_tail=0x%08x, tef_head=0x%08x, tx_head=0x%08x).\n",
- tef_sta & MCP251XFD_REG_TEFSTA_TEFFIF ?
- "full" : tef_sta & MCP251XFD_REG_TEFSTA_TEFNEIF ?
- "not empty" : "empty",
- seq, priv->tef->tail, priv->tef->head, tx_ring->head);
-
- /* The Sequence Number in the TEF doesn't match our tef_tail. */
- return -EAGAIN;
-}
-
static int
mcp251xfd_handle_tefif_one(struct mcp251xfd_priv *priv,
const struct mcp251xfd_hw_tef_obj *hw_tef_obj,
unsigned int *frame_len_ptr)
{
struct net_device_stats *stats = &priv->ndev->stats;
+ u32 seq, tef_tail_masked, tef_tail;
struct sk_buff *skb;
- u32 seq, seq_masked, tef_tail_masked, tef_tail;
- seq = FIELD_GET(MCP251XFD_OBJ_FLAGS_SEQ_MCP2518FD_MASK,
+ /* Use the MCP2517FD mask on the MCP2518FD, too. We only
+ * compare 7 bits, this is enough to detect old TEF objects.
+ */
+ seq = FIELD_GET(MCP251XFD_OBJ_FLAGS_SEQ_MCP2517FD_MASK,
hw_tef_obj->flags);
-
- /* Use the MCP2517FD mask on the MCP2518FD, too. We only
- * compare 7 bits, this should be enough to detect
- * net-yet-completed, i.e. old TEF objects.
- */
- seq_masked = seq &
- field_mask(MCP251XFD_OBJ_FLAGS_SEQ_MCP2517FD_MASK);
tef_tail_masked = priv->tef->tail &
field_mask(MCP251XFD_OBJ_FLAGS_SEQ_MCP2517FD_MASK);
- if (seq_masked != tef_tail_masked)
- return mcp251xfd_handle_tefif_recover(priv, seq);
+
+ /* According to mcp2518fd erratum DS80000789E 6. the FIFOCI
+ * bits of a FIFOSTA register, here the TX FIFO tail index
+ * might be corrupted and we might process past the TEF FIFO's
+ * head into old CAN frames.
+ *
+ * Compare the sequence number of the currently processed CAN
+ * frame with the expected sequence number. Abort with
+ * -EBADMSG if an old CAN frame is detected.
+ */
+ if (seq != tef_tail_masked) {
+ netdev_dbg(priv->ndev, "%s: chip=0x%02x ring=0x%02x\n", __func__,
+ seq, tef_tail_masked);
+ stats->tx_fifo_errors++;
+
+ return -EBADMSG;
+ }
tef_tail = mcp251xfd_get_tef_tail(priv);
skb = priv->can.echo_skb[tef_tail];
@@ -223,12 +206,12 @@ int mcp251xfd_handle_tefif(struct mcp251xfd_priv *priv)
unsigned int frame_len = 0;
err = mcp251xfd_handle_tefif_one(priv, &hw_tef_obj[i], &frame_len);
- /* -EAGAIN means the Sequence Number in the TEF
- * doesn't match our tef_tail. This can happen if we
- * read the TEF objects too early. Leave loop let the
- * interrupt handler call us again.
+ /* -EBADMSG means we're affected by mcp2518fd erratum
+ * DS80000789E 6., i.e. the Sequence Number in the TEF
+ * doesn't match our tef_tail. Don't process any
+ * further and mark processed frames as good.
*/
- if (err == -EAGAIN)
+ if (err == -EBADMSG)
goto out_netif_wake_queue;
if (err)
return err;
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 031/150] can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Althöfer, Thomas Kopp,
Marc Kleine-Budde, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit b8e0ddd36ce9536ad7478dd27df06c9ae92370ba ]
This is a preparatory patch to work around a problem similar to
erratum DS80000789E 6 of the mcp2518fd, the other variants of the chip
family (mcp2517fd and mcp251863) are probably also affected.
Erratum DS80000789E 6 says "reading of the FIFOCI bits in the FIFOSTA
register for an RX FIFO may be corrupted". However observation shows
that this problem is not limited to RX FIFOs but also effects the TEF
FIFO.
When handling the TEF interrupt, the driver reads the FIFO header
index from the TEF FIFO STA register of the chip.
In the bad case, the driver reads a too large head index. In the
original code, the driver always trusted the read value, which caused
old CAN transmit complete events that were already processed to be
re-processed.
Instead of reading and trusting the head index, read the head index
and calculate the number of CAN frames that were supposedly received -
replace mcp251xfd_tef_ring_update() with mcp251xfd_get_tef_len().
The mcp251xfd_handle_tefif() function reads the CAN transmit complete
events from the chip, iterates over them and pushes them into the
network stack. The original driver already contains code to detect old
CAN transmit complete events, that will be updated in the next patch.
Cc: Stefan Althöfer <Stefan.Althoefer@janztec.com>
Cc: Thomas Kopp <thomas.kopp@microchip.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/can/spi/mcp251xfd/mcp251xfd-ring.c | 2 +
drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 54 +++++++++++++------
drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 13 ++---
3 files changed, 43 insertions(+), 26 deletions(-)
diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c
index bf3f0f150199d..4d0246a0779a6 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c
@@ -475,6 +475,8 @@ int mcp251xfd_ring_alloc(struct mcp251xfd_priv *priv)
clear_bit(MCP251XFD_FLAGS_FD_MODE, priv->flags);
}
+ tx_ring->obj_num_shift_to_u8 = BITS_PER_TYPE(tx_ring->obj_num) -
+ ilog2(tx_ring->obj_num);
tx_ring->obj_size = tx_obj_size;
rem = priv->rx_obj_num;
diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
index 237617b0c125f..b33192964cf7d 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
@@ -2,7 +2,7 @@
//
// mcp251xfd - Microchip MCP251xFD Family CAN controller driver
//
-// Copyright (c) 2019, 2020, 2021 Pengutronix,
+// Copyright (c) 2019, 2020, 2021, 2023 Pengutronix,
// Marc Kleine-Budde <kernel@pengutronix.de>
//
// Based on:
@@ -16,6 +16,11 @@
#include "mcp251xfd.h"
+static inline bool mcp251xfd_tx_fifo_sta_full(u32 fifo_sta)
+{
+ return !(fifo_sta & MCP251XFD_REG_FIFOSTA_TFNRFNIF);
+}
+
static inline int
mcp251xfd_tef_tail_get_from_chip(const struct mcp251xfd_priv *priv,
u8 *tef_tail)
@@ -120,28 +125,44 @@ mcp251xfd_handle_tefif_one(struct mcp251xfd_priv *priv,
return 0;
}
-static int mcp251xfd_tef_ring_update(struct mcp251xfd_priv *priv)
+static int
+mcp251xfd_get_tef_len(struct mcp251xfd_priv *priv, u8 *len_p)
{
const struct mcp251xfd_tx_ring *tx_ring = priv->tx;
- unsigned int new_head;
- u8 chip_tx_tail;
+ const u8 shift = tx_ring->obj_num_shift_to_u8;
+ u8 chip_tx_tail, tail, len;
+ u32 fifo_sta;
int err;
- err = mcp251xfd_tx_tail_get_from_chip(priv, &chip_tx_tail);
+ err = regmap_read(priv->map_reg, MCP251XFD_REG_FIFOSTA(priv->tx->fifo_nr),
+ &fifo_sta);
if (err)
return err;
- /* chip_tx_tail, is the next TX-Object send by the HW.
- * The new TEF head must be >= the old head, ...
+ if (mcp251xfd_tx_fifo_sta_full(fifo_sta)) {
+ *len_p = tx_ring->obj_num;
+ return 0;
+ }
+
+ chip_tx_tail = FIELD_GET(MCP251XFD_REG_FIFOSTA_FIFOCI_MASK, fifo_sta);
+
+ err = mcp251xfd_check_tef_tail(priv);
+ if (err)
+ return err;
+ tail = mcp251xfd_get_tef_tail(priv);
+
+ /* First shift to full u8. The subtraction works on signed
+ * values, that keeps the difference steady around the u8
+ * overflow. The right shift acts on len, which is an u8.
*/
- new_head = round_down(priv->tef->head, tx_ring->obj_num) + chip_tx_tail;
- if (new_head <= priv->tef->head)
- new_head += tx_ring->obj_num;
+ BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(chip_tx_tail));
+ BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(tail));
+ BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(len));
- /* ... but it cannot exceed the TX head. */
- priv->tef->head = min(new_head, tx_ring->head);
+ len = (chip_tx_tail << shift) - (tail << shift);
+ *len_p = len >> shift;
- return mcp251xfd_check_tef_tail(priv);
+ return 0;
}
static inline int
@@ -182,13 +203,12 @@ int mcp251xfd_handle_tefif(struct mcp251xfd_priv *priv)
u8 tef_tail, len, l;
int err, i;
- err = mcp251xfd_tef_ring_update(priv);
+ err = mcp251xfd_get_tef_len(priv, &len);
if (err)
return err;
tef_tail = mcp251xfd_get_tef_tail(priv);
- len = mcp251xfd_get_tef_len(priv);
- l = mcp251xfd_get_tef_linear_len(priv);
+ l = mcp251xfd_get_tef_linear_len(priv, len);
err = mcp251xfd_tef_obj_read(priv, hw_tef_obj, tef_tail, l);
if (err)
return err;
@@ -223,6 +243,8 @@ int mcp251xfd_handle_tefif(struct mcp251xfd_priv *priv)
struct mcp251xfd_tx_ring *tx_ring = priv->tx;
int offset;
+ ring->head += len;
+
/* Increment the TEF FIFO tail pointer 'len' times in
* a single SPI message.
*
diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h
index b98ded7098a5a..78d12dda08a05 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h
@@ -519,6 +519,7 @@ struct mcp251xfd_tef_ring {
/* u8 obj_num equals tx_ring->obj_num */
/* u8 obj_size equals sizeof(struct mcp251xfd_hw_tef_obj) */
+ /* u8 obj_num_shift_to_u8 equals tx_ring->obj_num_shift_to_u8 */
union mcp251xfd_write_reg_buf irq_enable_buf;
struct spi_transfer irq_enable_xfer;
@@ -537,6 +538,7 @@ struct mcp251xfd_tx_ring {
u8 nr;
u8 fifo_nr;
u8 obj_num;
+ u8 obj_num_shift_to_u8;
u8 obj_size;
struct mcp251xfd_tx_obj obj[MCP251XFD_TX_OBJ_NUM_MAX];
@@ -843,17 +845,8 @@ static inline u8 mcp251xfd_get_tef_tail(const struct mcp251xfd_priv *priv)
return priv->tef->tail & (priv->tx->obj_num - 1);
}
-static inline u8 mcp251xfd_get_tef_len(const struct mcp251xfd_priv *priv)
+static inline u8 mcp251xfd_get_tef_linear_len(const struct mcp251xfd_priv *priv, u8 len)
{
- return priv->tef->head - priv->tef->tail;
-}
-
-static inline u8 mcp251xfd_get_tef_linear_len(const struct mcp251xfd_priv *priv)
-{
- u8 len;
-
- len = mcp251xfd_get_tef_len(priv);
-
return min_t(u8, len, priv->tx->obj_num - mcp251xfd_get_tef_tail(priv));
}
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 022/150] ACPI: battery: create alarm sysfs attribute atomically
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Rafael J. Wysocki, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit a231eed10ed5a290129fda36ad7bcc263c53ff7d ]
Let the power supply core register the attribute.
This ensures that the attribute is created before the device is
announced to userspace, avoid a race condition.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/battery.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
index 084f156bdfbc4..088740fdea355 100644
--- a/drivers/acpi/battery.c
+++ b/drivers/acpi/battery.c
@@ -667,12 +667,18 @@ static ssize_t acpi_battery_alarm_store(struct device *dev,
return count;
}
-static const struct device_attribute alarm_attr = {
+static struct device_attribute alarm_attr = {
.attr = {.name = "alarm", .mode = 0644},
.show = acpi_battery_alarm_show,
.store = acpi_battery_alarm_store,
};
+static struct attribute *acpi_battery_attrs[] = {
+ &alarm_attr.attr,
+ NULL
+};
+ATTRIBUTE_GROUPS(acpi_battery);
+
/*
* The Battery Hooking API
*
@@ -809,7 +815,10 @@ static void __exit battery_hook_exit(void)
static int sysfs_add_battery(struct acpi_battery *battery)
{
- struct power_supply_config psy_cfg = { .drv_data = battery, };
+ struct power_supply_config psy_cfg = {
+ .drv_data = battery,
+ .attr_grp = acpi_battery_groups,
+ };
bool full_cap_broken = false;
if (!ACPI_BATTERY_CAPACITY_VALID(battery->full_charge_capacity) &&
@@ -854,7 +863,7 @@ static int sysfs_add_battery(struct acpi_battery *battery)
return result;
}
battery_hook_add_battery(battery);
- return device_create_file(&battery->bat->dev, &alarm_attr);
+ return 0;
}
static void sysfs_remove_battery(struct acpi_battery *battery)
@@ -865,7 +874,6 @@ static void sysfs_remove_battery(struct acpi_battery *battery)
return;
}
battery_hook_remove_battery(battery);
- device_remove_file(&battery->bat->dev, &alarm_attr);
power_supply_unregister(battery->bat);
battery->bat = NULL;
mutex_unlock(&battery->sysfs_lock);
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 000/150] 6.1.105-rc1 review
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
This is the start of the stable review cycle for the 6.1.105 release.
There are 150 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 14 Aug 2024 16:00:26 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.105-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.1.105-rc1
Filipe Manana <fdmanana@suse.com>
btrfs: fix double inode unlock for direct IO sync writes
Yang Yingliang <yangyingliang@huawei.com>
i2c: qcom-geni: fix missing clk_disable_unprepare() and geni_se_resources_off()
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: prefer nft_chain_validate
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: allow clone callbacks to sleep
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: bail out if stateful expression provides no .clone
Wayne Lin <wayne.lin@amd.com>
drm/amd/display: Defer handling mst up request in resume
Christoph Hellwig <hch@lst.de>
xfs: fix log recovery buffer allocation for the legacy h_size fixup
Bart Van Assche <bvanassche@acm.org>
block/mq-deadline: Fix the tag reservation code
Bart Van Assche <bvanassche@acm.org>
block: Call .limit_depth() after .hctx has been set
Miaohe Lin <linmiaohe@huawei.com>
mm/hugetlb: fix potential race in __update_and_free_hugetlb_folio()
Arnaldo Carvalho de Melo <acme@redhat.com>
tools headers arm64: Sync arm64's cputype.h with the kernel sources
Nicolas Dichtel <nicolas.dichtel@6wind.com>
ipv6: fix source address selection with route leak
Filipe Manana <fdmanana@suse.com>
btrfs: fix corruption after buffer fault in during direct IO append write
Yang Shi <yang@os.amperecomputing.com>
mm: huge_memory: use !CONFIG_64BIT to relax huge page alignment on 32 bit machines
Ivan Lipski <ivlipski@amd.com>
Revert "drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update"
Jens Axboe <axboe@kernel.dk>
block: use the right type for stub rq_integrity_vec()
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: deny endp with signal + subflow + port
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: join: check backup support in signal endp
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: join: validate backup in MPJ
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: fix backup support in signal endpoints
Geliang Tang <geliang.tang@suse.com>
mptcp: export local_address
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: mib: count MPJ with backup flag
Thomas Zimmermann <tzimmermann@suse.de>
drm/mgag200: Bind I2C lifetime to DRM device
Thomas Zimmermann <tzimmermann@suse.de>
drm/mgag200: Set DDC timeout in milliseconds
Dragan Simic <dsimic@manjaro.org>
drm/lima: Mark simple_ondemand governor as softdep
Wayne Lin <Wayne.Lin@amd.com>
drm/dp_mst: Skip CSN if topology probing is not done yet
Lucas Stach <l.stach@pengutronix.de>
drm/bridge: analogix_dp: properly handle zero sized AUX transactions
Yang Yingliang <yangyingliang@huawei.com>
sched/smt: Fix unbalance sched_smt_present dec/inc
Yang Yingliang <yangyingliang@huawei.com>
sched/smt: Introduce sched_smt_present_inc/dec() helper
Andi Kleen <ak@linux.intel.com>
x86/mtrr: Check if fixed MTRRs exist before saving them
Qu Wenruo <wqu@suse.com>
btrfs: avoid using fixed char array size for tree names
Steve French <stfrench@microsoft.com>
smb3: fix setting SecurityFlags when encryption is required
Waiman Long <longman@redhat.com>
padata: Fix possible divide-by-0 panic in padata_mt_helper()
Tze-nan Wu <Tze-nan.Wu@mediatek.com>
tracing: Fix overflow in get_free_elt()
Hans de Goede <hdegoede@redhat.com>
power: supply: axp288_charger: Round constant_charge_voltage writes down
Hans de Goede <hdegoede@redhat.com>
power: supply: axp288_charger: Fix constant_charge_voltage writes
Shay Drory <shayd@nvidia.com>
genirq/irqdesc: Honor caller provided affinity in alloc_desc()
Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
irqchip/xilinx: Fix shift out of bounds
Andrey Konovalov <andreyknvl@gmail.com>
kcov: properly check for softirq context
Takashi Iwai <tiwai@suse.de>
ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx
Mikulas Patocka <mpatocka@redhat.com>
parisc: fix a possible DMA corruption
George Kennedy <george.kennedy@oracle.com>
serial: core: check uartclk for zero to avoid divide by zero
Thomas Gleixner <tglx@linutronix.de>
timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()
Justin Stitt <justinstitt@google.com>
ntp: Safeguard against time_constant overflow
Dan Williams <dan.j.williams@intel.com>
driver core: Fix uevent_show() vs driver detach race
Paul E. McKenney <paulmck@kernel.org>
clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()
Feng Tang <feng.tang@intel.com>
clocksource: Scale the watchdog read retries automatically
Paul E. McKenney <paulmck@kernel.org>
torture: Enable clocksource watchdog with "tsc=watchdog"
Justin Stitt <justinstitt@google.com>
ntp: Clamp maxerror and esterror to operating range
Jason Wang <jasowang@redhat.com>
vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler
Thomas Gleixner <tglx@linutronix.de>
tick/broadcast: Move per CPU pointer access into the atomic section
Vamshi Gajjela <vamshigajjela@google.com>
scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
Damien Le Moal <dlemoal@kernel.org>
scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES
Chris Wulff <crwulff@gmail.com>
usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed.
Prashanth K <quic_prashk@quicinc.com>
usb: gadget: u_serial: Set start_delayed during suspend
Chris Wulff <crwulff@gmail.com>
usb: gadget: core: Check for unset descriptor
Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
USB: serial: debug: do not echo input by default
Oliver Neukum <oneukum@suse.com>
usb: vhci-hcd: Do not drop references before new references are gained
Takashi Iwai <tiwai@suse.de>
ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
Dustin L. Howett <dustin@howett.net>
ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks
Steven 'Steve' Kendall <skend@chromium.org>
ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
Takashi Iwai <tiwai@suse.de>
ALSA: line6: Fix racy access to midibuf
Ma Ke <make24@iscas.ac.cn>
drm/client: fix null pointer dereference in drm_client_modeset_probe
Fangzhi Zuo <Jerry.Zuo@amd.com>
drm/amd/display: Skip Recompute DSC Params if no Stream on Link
Jerome Brunet <jbrunet@baylibre.com>
ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Re-add ScratchAmp quirk entries
Stefan Wahren <wahrenst@gmx.net>
spi: spi-fsl-lpspi: Fix scldiv calculation
Gaosheng Cui <cuigaosheng1@huawei.com>
i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume
Gaosheng Cui <cuigaosheng1@huawei.com>
i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume
Neil Armstrong <neil.armstrong@linaro.org>
i2c: qcom-geni: add desc struct to prepare support for I2C Master Hub variant
Masami Hiramatsu (Google) <mhiramat@kernel.org>
kprobes: Fix to check symbol prefixes correctly
Menglong Dong <menglong8.dong@gmail.com>
bpf: kprobe: remove unused declaring of bpf_kprobe_override
Guenter Roeck <linux@roeck-us.net>
i2c: smbus: Send alert notifications to all devices if source not found
Curtis Malainey <cujomalainey@chromium.org>
ASoC: SOF: Remove libraries from topology lookups
Geert Uytterhoeven <geert+renesas@glider.be>
spi: spidev: Add missing spi_device_id for bh2228fv
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ASoC: codecs: wsa883x: Correct Soundwire ports mask
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: codecs: wsa883x: parse port-mapping information
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ASoC: codecs: wsa881x: Correct Soundwire ports mask
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask
Guenter Roeck <linux@roeck-us.net>
i2c: smbus: Improve handling of stuck alerts
Mark Rutland <mark.rutland@arm.com>
arm64: errata: Expand speculative SSBS workaround (again)
Mark Rutland <mark.rutland@arm.com>
arm64: cputype: Add Cortex-A725 definitions
Mark Rutland <mark.rutland@arm.com>
arm64: cputype: Add Cortex-X1C definitions
Mark Rutland <mark.rutland@arm.com>
arm64: errata: Expand speculative SSBS workaround
Mark Rutland <mark.rutland@arm.com>
arm64: errata: Unify speculative SSBS errata logic
Mark Rutland <mark.rutland@arm.com>
arm64: cputype: Add Cortex-X925 definitions
Mark Rutland <mark.rutland@arm.com>
arm64: cputype: Add Cortex-A720 definitions
Mark Rutland <mark.rutland@arm.com>
arm64: cputype: Add Cortex-X3 definitions
Mark Rutland <mark.rutland@arm.com>
arm64: errata: Add workaround for Arm errata 3194386 and 3312417
Mark Rutland <mark.rutland@arm.com>
arm64: cputype: Add Neoverse-V3 definitions
Mark Rutland <mark.rutland@arm.com>
arm64: cputype: Add Cortex-X4 definitions
Mark Rutland <mark.rutland@arm.com>
arm64: barrier: Restore spec_bar() macro
Besar Wicaksono <bwicaksono@nvidia.com>
arm64: Add Neoverse-V2 part
Kemeng Shi <shikemeng@huaweicloud.com>
ext4: fix wrong unit use in ext4_mb_find_by_goal
Zheng Zucheng <zhengzucheng@huawei.com>
sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime
Huacai Chen <chenhuacai@kernel.org>
irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq()
Arseniy Krasnov <avkrasnov@salutedevices.com>
irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to 'raw_spinlock_t'
Damien Le Moal <dlemoal@kernel.org>
scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
profiling: remove profile=sleep support
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "bpftool: Mount bpffs when pinmaps path not under the bpffs"
Daniele Palmas <dnlplm@gmail.com>
bus: mhi: host: pci_generic: add support for Telit FE990 modem
Benjamin Coddington <bcodding@redhat.com>
SUNRPC: Fix a race to wake a sync task
Peter Oberparleiter <oberpar@linux.ibm.com>
s390/sclp: Prevent release of buffer in I/O
Kemeng Shi <shikemeng@huaweicloud.com>
jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
Xiaxi Shen <shenxiaxi26@gmail.com>
ext4: fix uninitialized variable in ext4_inlinedir_to_tree
Chi Zhiling <chizhiling@kylinos.cn>
media: xc2028: avoid use-after-free in load_firmware_cb()
Michal Pecio <michal.pecio@gmail.com>
media: uvcvideo: Fix the bandwdith quirk on USB 3.x
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Ignore empty TS packets
Alex Hung <alex.hung@amd.com>
drm/amd/display: Add null checker before passing variables
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update
Ming Qian <ming.qian@nxp.com>
media: amphion: Remove lock in s_ctrl callback
Bob Zhou <bob.zhou@amd.com>
drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr
Victor Skvortsov <victor.skvortsov@amd.com>
drm/amdgpu: Add lock around VF RLCG interface
Ma Jun <Jun.Ma2@amd.com>
drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules
Ma Jun <Jun.Ma2@amd.com>
drm/amdgpu: Fix the null pointer dereference to ras_manager
Ma Jun <Jun.Ma2@amd.com>
drm/amdgpu/pm: Fix the null pointer dereference for smu7
Ma Jun <Jun.Ma2@amd.com>
drm/amdgpu/pm: Fix the param type of set_power_profile_mode
Filipe Manana <fdmanana@suse.com>
btrfs: fix bitmap leak when loading free space cache on duplicate entry
Marc Kleine-Budde <mkl@pengutronix.de>
can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of mcp2518fd
Marc Kleine-Budde <mkl@pengutronix.de>
can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum
Johannes Berg <johannes.berg@intel.com>
wifi: nl80211: don't give key data to userspace
Roman Smirnov <r.smirnov@omp.ru>
udf: prevent integer overflow in udf_bitmap_free_blocks()
FUJITA Tomonori <fujita.tomonori@gmail.com>
PCI: Add Edimax Vendor ID to pci_ids.h
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Don't retry after unix_state_lock_nested() in unix_stream_connect().
Yonghong Song <yonghong.song@linux.dev>
selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT
Dragos Tatulea <dtatulea@nvidia.com>
net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink
Johannes Berg <johannes.berg@intel.com>
wifi: nl80211: disallow setting special AP channel widths
Thomas Weißschuh <linux@weissschuh.net>
ACPI: SBS: manage alarm sysfs attribute through psy core
Thomas Weißschuh <linux@weissschuh.net>
ACPI: battery: create alarm sysfs attribute atomically
Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
clocksource/drivers/sh_cmt: Address race condition for clock events
Frederic Weisbecker <frederic@kernel.org>
rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation
Mikulas Patocka <mpatocka@redhat.com>
block: change rq_integrity_vec to respect the iterator
Yu Kuai <yukuai3@huawei.com>
md/raid5: avoid BUG_ON() while continue reshape after reassembling
Li Nan <linan122@huawei.com>
md: do not delete safemode_timer in mddev_suspend
Paul E. McKenney <paulmck@kernel.org>
rcutorture: Fix rcu_torture_fwd_cb_cr() data race
Csókás, Bence <csokas.bence@prolan.hu>
net: fec: Stop PPS on driver remove
James Chapman <jchapman@katalix.com>
l2tp: fix lockdep splat
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()
Anton Khirnov <anton@khirnov.net>
Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor
Dmitry Antipov <dmantipov@yandex.ru>
Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
Eric Dumazet <edumazet@google.com>
net: linkwatch: use system_unbound_wq
Nikolay Aleksandrov <razor@blackwall.org>
net: bridge: mcast: wait for previous gc cycles when removing port
Daniele Palmas <dnlplm@gmail.com>
net: usb: qmi_wwan: fix memory leak for not ip packets
Kuniyuki Iwashima <kuniyu@amazon.com>
sctp: Fix null-ptr-deref in reuseport_add_sock().
Peter Zijlstra <peterz@infradead.org>
x86/mm: Fix pti_clone_entry_text() for i386
Peter Zijlstra <peterz@infradead.org>
x86/mm: Fix pti_clone_pgtable() alignment assumption
Peter Zijlstra <peterz@infradead.org>
jump_label: Fix the fix, brown paper bags galore
Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
platform/x86/intel/ifs: Initialize union ifs_status to zero
Jithu Joseph <jithu.joseph@intel.com>
platform/x86/intel/ifs: Gen2 Scan test support
Yipeng Zou <zouyipeng@huawei.com>
irqchip/mbigen: Fix mbigen node address layout
-------------
Diffstat:
Documentation/admin-guide/cifs/usage.rst | 2 +-
Documentation/admin-guide/kernel-parameters.txt | 10 +-
Documentation/arm64/silicon-errata.rst | 36 +++++
Makefile | 4 +-
arch/arm64/Kconfig | 38 +++++
arch/arm64/include/asm/barrier.h | 4 +
arch/arm64/include/asm/cputype.h | 16 ++
arch/arm64/kernel/cpu_errata.c | 31 ++++
arch/arm64/kernel/cpufeature.c | 12 ++
arch/arm64/kernel/proton-pack.c | 12 ++
arch/arm64/tools/cpucaps | 1 +
arch/parisc/Kconfig | 1 +
arch/parisc/include/asm/cache.h | 11 +-
arch/x86/kernel/cpu/mtrr/mtrr.c | 2 +-
arch/x86/mm/pti.c | 8 +-
block/blk-mq.c | 6 +-
block/mq-deadline.c | 20 ++-
drivers/acpi/battery.c | 16 +-
drivers/acpi/sbs.c | 23 +--
drivers/base/core.c | 13 +-
drivers/base/module.c | 4 +
drivers/bus/mhi/host/pci_generic.c | 3 +
drivers/clocksource/sh_cmt.c | 13 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 7 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 6 +
drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 2 +
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +-
.../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 +
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 8 +-
drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c | 8 +-
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 55 +++----
.../gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c | 14 +-
.../gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 36 ++++-
drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 16 +-
drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c | 5 +-
drivers/gpu/drm/display/drm_dp_mst_topology.c | 11 ++
drivers/gpu/drm/drm_client_modeset.c | 5 +
drivers/gpu/drm/lima/lima_drv.c | 1 +
drivers/gpu/drm/mgag200/mgag200_i2c.c | 8 +-
drivers/i2c/busses/i2c-qcom-geni.c | 63 +++++++-
drivers/i2c/i2c-smbus.c | 64 +++++++-
drivers/irqchip/irq-loongarch-cpu.c | 6 +-
drivers/irqchip/irq-mbigen.c | 20 ++-
drivers/irqchip/irq-meson-gpio.c | 14 +-
drivers/irqchip/irq-xilinx-intc.c | 2 +-
drivers/md/md.c | 1 -
drivers/md/raid5.c | 20 ++-
drivers/media/platform/amphion/vdec.c | 2 -
drivers/media/platform/amphion/venc.c | 2 -
drivers/media/tuners/xc2028.c | 9 +-
drivers/media/usb/uvc/uvc_video.c | 37 ++++-
drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c | 2 +
drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 125 ++++++++-------
drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 13 +-
drivers/net/dsa/bcm_sf2.c | 4 +-
drivers/net/ethernet/freescale/fec_ptp.c | 3 +
drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 3 +
drivers/net/usb/qmi_wwan.c | 1 +
drivers/nvme/host/pci.c | 6 +-
drivers/platform/x86/intel/ifs/ifs.h | 28 +++-
drivers/platform/x86/intel/ifs/runtest.c | 31 +++-
drivers/power/supply/axp288_charger.c | 24 +--
drivers/s390/char/sclp_sd.c | 10 +-
drivers/scsi/mpi3mr/mpi3mr_os.c | 11 ++
drivers/scsi/mpt3sas/mpt3sas_base.c | 20 ++-
drivers/spi/spi-fsl-lpspi.c | 6 +-
drivers/spi/spidev.c | 1 +
drivers/tty/serial/serial_core.c | 8 +
drivers/ufs/core/ufshcd.c | 11 +-
drivers/usb/gadget/function/u_audio.c | 42 ++++-
drivers/usb/gadget/function/u_serial.c | 1 +
drivers/usb/gadget/udc/core.c | 10 +-
drivers/usb/serial/usb_debug.c | 7 +
drivers/usb/usbip/vhci_hcd.c | 9 +-
drivers/vhost/vdpa.c | 8 +-
fs/btrfs/ctree.h | 1 +
fs/btrfs/file.c | 60 +++++--
fs/btrfs/free-space-cache.c | 1 +
fs/btrfs/print-tree.c | 2 +-
fs/ext4/inline.c | 6 +-
fs/ext4/mballoc.c | 3 +-
fs/jbd2/journal.c | 1 +
fs/smb/client/cifs_debug.c | 2 +-
fs/smb/client/cifsglob.h | 8 +-
fs/smb/client/smb2pdu.c | 3 +
fs/udf/balloc.c | 36 ++---
fs/xfs/xfs_log_recover.c | 20 ++-
include/linux/blk-integrity.h | 16 +-
include/linux/clocksource.h | 14 +-
include/linux/pci_ids.h | 2 +
include/linux/profile.h | 1 -
include/linux/trace_events.h | 1 -
include/net/ip6_route.h | 22 ++-
include/net/netfilter/nf_tables.h | 4 +-
include/trace/events/intel_ifs.h | 16 +-
kernel/irq/irqdesc.c | 1 +
kernel/jump_label.c | 4 +-
kernel/kcov.c | 15 +-
kernel/kprobes.c | 4 +-
kernel/padata.c | 7 +
kernel/profile.c | 11 +-
kernel/rcu/rcutorture.c | 2 +-
kernel/rcu/tree.c | 10 +-
kernel/sched/core.c | 27 +++-
kernel/sched/cputime.c | 6 +
kernel/sched/stats.c | 10 --
kernel/time/clocksource-wdtest.c | 13 +-
kernel/time/clocksource.c | 10 +-
kernel/time/ntp.c | 9 +-
kernel/time/tick-broadcast.c | 3 +-
kernel/time/timekeeping.c | 2 +-
kernel/trace/tracing_map.c | 6 +-
mm/huge_memory.c | 2 +-
mm/hugetlb.c | 14 +-
net/bluetooth/hci_sync.c | 14 ++
net/bluetooth/l2cap_core.c | 1 +
net/bridge/br_multicast.c | 4 +-
net/core/link_watch.c | 4 +-
net/ipv6/ip6_output.c | 1 +
net/ipv6/route.c | 2 +-
net/l2tp/l2tp_core.c | 15 +-
net/mptcp/mib.c | 2 +
net/mptcp/mib.h | 2 +
net/mptcp/pm.c | 12 ++
net/mptcp/pm_netlink.c | 39 +++--
net/mptcp/pm_userspace.c | 18 +++
net/mptcp/protocol.h | 4 +
net/mptcp/subflow.c | 9 ++
net/netfilter/nf_tables_api.c | 172 +++------------------
net/netfilter/nft_connlimit.c | 4 +-
net/netfilter/nft_counter.c | 4 +-
net/netfilter/nft_dynset.c | 2 +-
net/netfilter/nft_last.c | 4 +-
net/netfilter/nft_limit.c | 14 +-
net/netfilter/nft_quota.c | 4 +-
net/sctp/input.c | 19 ++-
net/sunrpc/sched.c | 4 +-
net/unix/af_unix.c | 34 ++--
net/wireless/nl80211.c | 37 ++++-
sound/pci/hda/patch_hdmi.c | 2 +
sound/pci/hda/patch_realtek.c | 1 +
sound/soc/amd/yc/acp6x-mach.c | 7 +
sound/soc/codecs/wcd938x-sdw.c | 4 +-
sound/soc/codecs/wsa881x.c | 2 +-
sound/soc/codecs/wsa883x.c | 10 +-
sound/soc/meson/axg-fifo.c | 26 ++--
sound/soc/sof/mediatek/mt8195/mt8195.c | 2 +-
sound/usb/line6/driver.c | 5 +
sound/usb/quirks-table.h | 4 +
tools/arch/arm64/include/asm/cputype.h | 6 +
tools/bpf/bpftool/prog.c | 4 -
.../testing/selftests/bpf/prog_tests/send_signal.c | 3 +-
tools/testing/selftests/net/mptcp/mptcp_join.sh | 75 +++++++--
tools/testing/selftests/rcutorture/bin/torture.sh | 6 +-
155 files changed, 1360 insertions(+), 703 deletions(-)
^ permalink raw reply
* [PATCH 6.1 009/150] net: bridge: mcast: wait for previous gc cycles when removing port
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+263426984509be19c9a0,
Nikolay Aleksandrov, Jakub Kicinski, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Aleksandrov <razor@blackwall.org>
[ Upstream commit 92c4ee25208d0f35dafc3213cdf355fbe449e078 ]
syzbot hit a use-after-free[1] which is caused because the bridge doesn't
make sure that all previous garbage has been collected when removing a
port. What happens is:
CPU 1 CPU 2
start gc cycle remove port
acquire gc lock first
wait for lock
call br_multicasg_gc() directly
acquire lock now but free port
the port can be freed
while grp timers still
running
Make sure all previous gc cycles have finished by using flush_work before
freeing the port.
[1]
BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699
CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1843 [inline]
__run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
__run_timer_base kernel/time/timer.c:2428 [inline]
__run_timer_base kernel/time/timer.c:2421 [inline]
run_timer_base+0x111/0x190 kernel/time/timer.c:2437
Reported-by: syzbot+263426984509be19c9a0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=263426984509be19c9a0
Fixes: e12cec65b554 ("net: bridge: mcast: destroy all entries via gc")
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20240802080730.3206303-1-razor@blackwall.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_multicast.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 9765f9f9bf7ff..3cd2b648408d6 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1890,16 +1890,14 @@ void br_multicast_del_port(struct net_bridge_port *port)
{
struct net_bridge *br = port->br;
struct net_bridge_port_group *pg;
- HLIST_HEAD(deleted_head);
struct hlist_node *n;
/* Take care of the remaining groups, only perm ones should be left */
spin_lock_bh(&br->multicast_lock);
hlist_for_each_entry_safe(pg, n, &port->mglist, mglist)
br_multicast_find_del_pg(br, pg);
- hlist_move_list(&br->mcast_gc_list, &deleted_head);
spin_unlock_bh(&br->multicast_lock);
- br_multicast_gc(&deleted_head);
+ flush_work(&br->mcast_gc_work);
br_multicast_port_ctx_deinit(&port->multicast_ctx);
free_percpu(port->mcast_stats);
}
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 008/150] net: usb: qmi_wwan: fix memory leak for not ip packets
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniele Palmas, Bjørn Mork,
David S. Miller, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniele Palmas <dnlplm@gmail.com>
[ Upstream commit 7ab107544b777c3bd7feb9fe447367d8edd5b202 ]
Free the unused skb when not ip packets arrive.
Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Acked-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 46e0e1f1c20e0..ee0ea3d0f50ee 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -200,6 +200,7 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
break;
default:
/* not ip - do not know what to do */
+ kfree_skb(skbn);
goto skip;
}
--
2.43.0
^ permalink raw reply related
* [PATCH 6.1 007/150] sctp: Fix null-ptr-deref in reuseport_add_sock().
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e6979a5d2f10ecb700e4,
Kuniyuki Iwashima, Xin Long, Jakub Kicinski, Sasha Levin
In-Reply-To: <20240812160125.139701076@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 9ab0faa7f9ffe31296dbb9bbe6f76c72c14eea18 ]
syzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in
reuseport_add_sock(). [0]
The repro first creates a listener with SO_REUSEPORT. Then, it creates
another listener on the same port and concurrently closes the first
listener.
The second listen() calls reuseport_add_sock() with the first listener as
sk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently,
but the close() does clear it by reuseport_detach_sock().
The problem is SCTP does not properly synchronise reuseport_alloc(),
reuseport_add_sock(), and reuseport_detach_sock().
The caller of reuseport_alloc() and reuseport_{add,detach}_sock() must
provide synchronisation for sockets that are classified into the same
reuseport group.
Otherwise, such sockets form multiple identical reuseport groups, and
all groups except one would be silently dead.
1. Two sockets call listen() concurrently
2. No socket in the same group found in sctp_ep_hashtable[]
3. Two sockets call reuseport_alloc() and form two reuseport groups
4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives
incoming packets
Also, the reported null-ptr-deref could occur.
TCP/UDP guarantees that would not happen by holding the hash bucket lock.
Let's apply the locking strategy to __sctp_hash_endpoint() and
__sctp_unhash_endpoint().
[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350
Code: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14
RSP: 0018:ffffc9000b947c98 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012
RBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385
R10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__sctp_hash_endpoint net/sctp/input.c:762 [inline]
sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790
sctp_listen_start net/sctp/socket.c:8570 [inline]
sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625
__sys_listen_socket net/socket.c:1883 [inline]
__sys_listen+0x1b7/0x230 net/socket.c:1894
__do_sys_listen net/socket.c:1902 [inline]
__se_sys_listen net/socket.c:1900 [inline]
__x64_sys_listen+0x5a/0x70 net/socket.c:1900
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f24e46039b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032
RAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9
RDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004
RBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0
R10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c
R13: 00007f24e465a5dc R14: 0020000000000001 R15: 00007ffcced5f7d8
</TASK>
Modules linked in:
Fixes: 6ba845740267 ("sctp: process sk_reuseport in sctp_get_port_local")
Reported-by: syzbot+e6979a5d2f10ecb700e4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e6979a5d2f10ecb700e4
Tested-by: syzbot+e6979a5d2f10ecb700e4@syzkaller.appspotmail.com
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20240731234624.94055-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/input.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 4f43afa8678f9..4ee9374dcfb92 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -748,15 +748,19 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep)
struct sock *sk = ep->base.sk;
struct net *net = sock_net(sk);
struct sctp_hashbucket *head;
+ int err = 0;
ep->hashent = sctp_ep_hashfn(net, ep->base.bind_addr.port);
head = &sctp_ep_hashtable[ep->hashent];
+ write_lock(&head->lock);
if (sk->sk_reuseport) {
bool any = sctp_is_ep_boundall(sk);
struct sctp_endpoint *ep2;
struct list_head *list;
- int cnt = 0, err = 1;
+ int cnt = 0;
+
+ err = 1;
list_for_each(list, &ep->base.bind_addr.address_list)
cnt++;
@@ -774,24 +778,24 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep)
if (!err) {
err = reuseport_add_sock(sk, sk2, any);
if (err)
- return err;
+ goto out;
break;
} else if (err < 0) {
- return err;
+ goto out;
}
}
if (err) {
err = reuseport_alloc(sk, any);
if (err)
- return err;
+ goto out;
}
}
- write_lock(&head->lock);
hlist_add_head(&ep->node, &head->chain);
+out:
write_unlock(&head->lock);
- return 0;
+ return err;
}
/* Add an endpoint to the hash. Local BH-safe. */
@@ -816,10 +820,9 @@ static void __sctp_unhash_endpoint(struct sctp_endpoint *ep)
head = &sctp_ep_hashtable[ep->hashent];
+ write_lock(&head->lock);
if (rcu_access_pointer(sk->sk_reuseport_cb))
reuseport_detach_sock(sk);
-
- write_lock(&head->lock);
hlist_del_init(&ep->node);
write_unlock(&head->lock);
}
--
2.43.0
^ permalink raw reply related
* Re: [PATCH 0/6] dt-bindings: add serial-peripheral-props.yaml
From: Conor Dooley @ 2024-08-12 16:05 UTC (permalink / raw)
To: Krzysztof Kozlowski
Cc: Rob Herring, Greg Kroah-Hartman, Jiri Slaby, Krzysztof Kozlowski,
Conor Dooley, Marcel Holtmann, Luiz Augusto von Dentz,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Matthias Brugger, AngeloGioacchino Del Regno, Linus Walleij,
Johan Hovold, Liam Girdwood, Mark Brown, Daniel Kaehn,
linux-serial, linux-kernel, devicetree, linux-bluetooth, netdev,
linux-mediatek, linux-arm-kernel, linux-sound
In-Reply-To: <20240811-dt-bindings-serial-peripheral-props-v1-0-1dba258b7492@linaro.org>
[-- Attachment #1: Type: text/plain, Size: 739 bytes --]
On Sun, Aug 11, 2024 at 08:17:03PM +0200, Krzysztof Kozlowski wrote:
> Hi,
>
> Add serial-peripheral-props.yaml for devices being connected over
> serial/UART.
>
> Maybe the schema should be rather called serial-common-props.yaml? Or
> serial-device-common-props.yaml?
>
> Dependencies/merging - Devicetree tree?
> =======================================
> Entire patchset should be taken via one tree, preferably Rob's
> Devicetree because of context/hunk dependencies and dependency on
> introduced serial-peripheral-props.yaml file.
The whole idea seems reasonable to me, but I question whether it is
worth tagging it if Rob's gonna be the one applying it.
Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.