* [PATCH 5.10 000/286] 5.10.237-rc1 review
@ 2025-04-29 16:38 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie

This is the start of the stable review cycle for the 5.10.237 release.
There are 286 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 01 May 2025 16:10:15 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.237-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 5.10.237-rc1
Stanimir Varbanov <stanimir.varbanov@linaro.org>
media: venus: hfi_parser: Check for instance after hfi platform get
Colin Ian King <colin.king@canonical.com>
media: venus: Fix uninitialized variable count being checked for zero
Krzysztof Kozlowski <krzk@kernel.org>
soc: samsung: exynos-chipid: correct helpers __init annotation
Rob Herring <robh@kernel.org>
PCI: Fix use-after-free in pci_bus_release_domain_nr()
Hannes Reinecke <hare@kernel.org>
nvme: fixup scan failure for non-ANA multipath controllers
Thomas Bogendoerfer <tsbogend@alpha.franken.de>
MIPS: cm: Fix warning if MIPS_CM is disabled
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
xdp: Reset bpf_redirect_info before running a xdp's BPF prog.
Marek Behún <kabel@kernel.org>
crypto: atmel-sha204a - Set hwrng quality to lowest possible
Ian Abbott <abbotti@mev.co.uk>
comedi: jr3_pci: Fix synchronous deletion of timer
David Hildenbrand <david@redhat.com>
s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues
Meir Elisha <meir.elisha@volumez.com>
md/raid1: Add check for missing source disk in process_checks()
Igor Pylypiv <ipylypiv@google.com>
scsi: pm80xx: Set phy_attached to zero when device is gone
Ojaswin Mujoo <ojaswin@linux.ibm.com>
ext4: make block validity check resistent to sb bh corruption
Josh Poimboeuf <jpoimboe@kernel.org>
x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline
Josh Poimboeuf <jpoimboe@kernel.org>
x86/bugs: Use SBPB in write_ibpb() if applicable
Qiuxu Zhuo <qiuxu.zhuo@intel.com>
selftests/mincore: Allow read-ahead pages to reach the end of the file
Josh Poimboeuf <jpoimboe@kernel.org>
objtool: Stop UNRET validation on UD2
Hannes Reinecke <hare@kernel.org>
nvme: re-read ANA log page after ns scan completes
Jean-Marc Eurin <jmeurin@google.com>
ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls
Hannes Reinecke <hare@kernel.org>
nvme: requeue namespace scan on missed AENs
Ming Lei <ming.lei@redhat.com>
selftests: ublk: fix test_stripe_04
Xiaogang Chen <xiaogang.chen@amd.com>
udmabuf: fix a buf size overflow issue during udmabuf creation
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
KVM: s390: Don't use %pK through tracepoints
Oleg Nesterov <oleg@redhat.com>
sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP
Arnd Bergmann <arnd@arndb.de>
ntb: reduce stack usage in idt_scan_mws
Al Viro <viro@zeniv.linux.org.uk>
qibfs: fix _another_ leak
Josh Poimboeuf <jpoimboe@kernel.org>
objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler()
Chenyuan Yang <chenyuan0y@gmail.com>
usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()
Vinicius Costa Gomes <vinicius.gomes@intel.com>
dmaengine: dmatest: Fix dmatest waiting less when interrupted
Alexander Stein <alexander.stein@mailbox.org>
usb: host: max3421-hcd: Add missing spi_device_id table
Yu-Chun Lin <eleanor15x@gmail.com>
parisc: PDT: Fix missing prototype warning
Heiko Stuebner <heiko@sntech.de>
clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec()
Herbert Xu <herbert@gondor.apana.org.au>
crypto: null - Use spin lock instead of mutex
Gregory CLEMENT <gregory.clement@bootlin.com>
MIPS: cm: Detect CM quirks from device tree
Oliver Neukum <oneukum@suse.com>
USB: VLI disk crashes if LPM is used
Miao Li <limiao@kylinos.cn>
usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive
Miao Li <limiao@kylinos.cn>
usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive
Frode Isaksen <frode@meta.com>
usb: dwc3: gadget: check that event count does not exceed event buffer length
Huacai Chen <chenhuacai@loongson.cn>
USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02)
Ralph Siemsen <ralph.siemsen@linaro.org>
usb: cdns3: Fix deadlock when using NCM gadget
Craig Hesling <craig@hesling.com>
USB: serial: simple: add OWON HDS200 series oscilloscope support
Adam Xue <zxue@semtech.com>
USB: serial: option: add Sierra Wireless EM9291
Michael Ehrenreich <michideep@gmail.com>
USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe
Ryo Takakura <ryotkkr98@gmail.com>
serial: sifive: lock port in startup()/shutdown() callbacks
Sean Christopherson <seanjc@google.com>
KVM: x86: Reset IRTE to host control if *new* route isn't postable
Alexander Usyskin <alexander.usyskin@intel.com>
mei: me: add panther lake H DID
Oliver Neukum <oneukum@suse.com>
USB: storage: quirk for ADATA Portable HDD CH94
Haoxiang Li <haoxiang_li2024@163.com>
mcb: fix a double free bug in chameleon_parse_gdd()
Sean Christopherson <seanjc@google.com>
KVM: SVM: Allocate IR data using atomic allocation
Halil Pasic <pasic@linux.ibm.com>
virtio_console: fix missing byte order handling for cols and rows
Sean Christopherson <seanjc@google.com>
iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE
Cong Wang <xiyou.wangcong@gmail.com>
net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
Cong Wang <xiyou.wangcong@gmail.com>
net_sched: hfsc: Fix a UAF vulnerability in class handling
Tung Nguyen <tung.quang.nguyen@est.tech>
tipc: fix NULL pointer dereference in tipc_mon_reinit_self()
Qingfang Deng <qingfang.deng@siflower.com.cn>
net: phy: leds: fix memory leak
Henry Martin <bsdhenrymartin@gmail.com>
cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()
Arnd Bergmann <arnd@arndb.de>
dma/contiguous: avoid warning about unused size_bytes
Matthew Auld <matthew.auld@intel.com>
drm/amdgpu/dma_buf: fix page_link check
Ramesh Errabolu <Ramesh.Errabolu@amd.com>
drm/amdgpu: Remove amdgpu_device arg from free_sgt api (v2)
Lee Jones <lee.jones@linaro.org>
drm/amd/amdgpu/amdgpu_vram_mgr: Add missing descriptions for 'dev' and 'dir'
Mark Brown <broonie@kernel.org>
selftests/mm: generate a temporary mountpoint for cgroup filesystem
Ma Ke <make24@iscas.ac.cn>
PCI: Fix reference leak in pci_register_host_bridge()
Pali Rohár <pali@kernel.org>
PCI: Assign PCI domain IDs by ida_alloc()
Kai-Heng Feng <kai.heng.feng@canonical.com>
PCI: Coalesce host bridge contiguous apertures
Boqun Feng <boqun.feng@gmail.com>
PCI: Introduce domain_nr in pci_host_bridge
Alexandra Diupina <adiupina@astralinux.ru>
cifs: avoid NULL pointer dereference in dbg call
Enzo Matsumiya <ematsumiya@suse.de>
cifs: print TIDs as hex
Herve Codina <herve.codina@bootlin.com>
backlight: led_bl: Hold led_access lock when calling led_sysfs_disable()
Sergiu Cuciurean <sergiu.cuciurean@analog.com>
iio: adc: ad7768-1: Fix conversion result sign
Jonathan Cameron <Jonathan.Cameron@huawei.com>
iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check
Chenyuan Yang <chenyuan0y@gmail.com>
soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()
Sam Protsenko <semen.protsenko@linaro.org>
soc: samsung: exynos-chipid: Pass revision reg offsets
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
soc: samsung: exynos-chipid: avoid soc_device_to_device()
Krzysztof Kozlowski <krzk@kernel.org>
soc: samsung: exynos-chipid: convert to driver and merge exynos-asv
Krzysztof Kozlowski <krzk@kernel.org>
soc: samsung: exynos-chipid: initialize later - with arch_initcall
Marek Behún <kabel@kernel.org>
net: dsa: mv88e6xxx: fix VTU methods for 6320 family
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi_parser: refactor hfi packet parsing logic
Stanimir Varbanov <stanimir.varbanov@linaro.org>
media: venus: Get codecs and capabilities from hfi platform
Stanimir Varbanov <stanimir.varbanov@linaro.org>
media: venus: hfi_plat: Add codecs and capabilities ops
Stanimir Varbanov <stanimir.varbanov@linaro.org>
media: venus: Rename venus_caps to hfi_plat_caps
Stanimir Varbanov <stanimir.varbanov@linaro.org>
media: venus: Create hfi platform and move vpp/vsp there
Stanimir Varbanov <stanimir.varbanov@linaro.org>
media: venus: pm_helpers: Check instance state when calculate instance frequency
Stanimir Varbanov <stanimir.varbanov@linaro.org>
media: venus: hfi: Correct session init return error
Stanimir Varbanov <stanimir.varbanov@linaro.org>
media: venus: Limit HFI sessions to the maximum supported
Stanimir Varbanov <stanimir.varbanov@linaro.org>
media: venus: venc: Init the session only once in queue_setup
Murad Masimov <m.masimov@mt-integration.ru>
media: streamzap: fix race between device disconnection and urb callback
Sean Young <sean@mess.org>
media: streamzap: remove unused struct members
Sean Young <sean@mess.org>
media: streamzap: less chatter
Sean Young <sean@mess.org>
media: streamzap: no need for usb pid/vid in device name
Sean Young <sean@mess.org>
media: streamzap: remove unnecessary ir_raw_event_reset and handle
Douglas Raillard <douglas.raillard@arm.com>
tracing: Fix synth event printk format for str fields
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing: Allow synthetic events to pass around stacktraces
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
platform/x86: ISST: Correct command storage data length
Hans de Goede <hdegoede@redhat.com>
drivers: staging: rtl8723bs: Fix locking in rtw_scan_timeout_handler()
Kunwu Chan <chentao@kylinos.cn>
pmdomain: ti: Add a null pointer check to the omap_prm_domain_init
Miroslav Franc <mfranc@suse.cz>
s390/dasd: fix double module refcount decrement
Duoming Zhou <duoming@zju.edu.cn>
drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()
Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
mm: fix apply_to_existing_page_range()
Oleg Nesterov <oleg@redhat.com>
fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats
Chris Wilson <chris.p.wilson@intel.com>
drm/i915/gt: Cleanup partial engine discovery failures
Miaohe Lin <linmiaohe@huawei.com>
kernel/resource: fix kfree() of bootmem memory again
Abhishek Sahu <abhsahu@nvidia.com>
vfio/pci: fix memory leak during D3hot to D0 transition
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix flushing uninitialized delayed_work on cache_ctr error
Pei Li <peili.dev@gmail.com>
jfs: Fix shift-out-of-bounds in dbDiscardAG
WangYuli <wangyuli@uniontech.com>
MIPS: ds1287: Match ds1287_set_base_clock() function types
WangYuli <wangyuli@uniontech.com>
MIPS: cevt-ds1287: Add missing ds1287.h include
WangYuli <wangyuli@uniontech.com>
MIPS: dec: Declare which_prom() as static
Eric Dumazet <edumazet@google.com>
net: defer final 'struct net' free in netns dismantle
Guixin Liu <kanie@linux.alibaba.com>
scsi: ufs: bsg: Set bsg_queue to NULL after removal
Tuo Li <islituo@gmail.com>
scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan()
Ilya Maximets <i.maximets@ovn.org>
openvswitch: fix lockup on tx to unregistering netdev with carrier
Felix Huettner <felix.huettner@mail.schwarz>
net: openvswitch: fix race on port output
Chen Hanxiao <chenhx.fnst@fujitsu.com>
ipvs: properly dereference pe in ip_vs_add_service
Vlad Buslov <vladbu@nvidia.com>
net/mlx5e: Fix use-after-free of encap entry in neigh update handler
Xiaxi Shen <shenxiaxi26@gmail.com>
ext4: fix timer use-after-free on failed mount
Li Nan <linan122@huawei.com>
blk-iocost: do not WARN if iocg was already offlined
Yu Kuai <yukuai3@huawei.com>
blk-cgroup: support to track if policy is online
Hou Tao <houtao1@huawei.com>
bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers
Andrii Nakryiko <andrii@kernel.org>
bpf: avoid holding freeze_mutex during mmap operation
Paulo Alcantara <pc@manguebit.com>
smb: client: fix NULL ptr deref in crypto_aead_setkey()
Enzo Matsumiya <ematsumiya@suse.de>
smb: client: fix UAF in async decryption
Paulo Alcantara <pc@manguebit.com>
smb: client: fix potential UAF in cifs_stats_proc_show()
Paulo Alcantara <pc@manguebit.com>
smb: client: fix potential deadlock when releasing mids
Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
cifs: Fix UAF in cifs_demultiplex_thread()
Paulo Alcantara <pc@manguebit.com>
smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
Paulo Alcantara <pc@manguebit.com>
smb: client: fix potential UAF in cifs_debug_files_proc_show()
WangYuli <wangyuli@uniontech.com>
nvmet-fc: Remove unused functions
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'
Hersen Wu <hersenxs.wu@amd.com>
drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links
Kang Yang <quic_kangyang@quicinc.com>
wifi: ath10k: avoid NULL pointer error during sdio remove
Miaoqian Lin <linmq006@gmail.com>
phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function
Nathan Lynch <nathanl@linux.ibm.com>
powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
Chunguang Xu <chunguang.xu@shopee.com>
nvme: avoid double free special payload
Ard Biesheuvel <ardb@kernel.org>
x86/pvh: Call C code via the kernel virtual mapping
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: sockopt: fix getting IPV6_V6ONLY
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: only inc MPJoinAckHMacFailure for HMAC failures
Gang Yan <yangang@kylinos.cn>
mptcp: fix NULL pointer in can_accept_new_subflow
Kuniyuki Iwashima <kuniyu@amazon.com>
tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().
Nathan Chancellor <nathan@kernel.org>
kbuild: Add '-fno-builtin-wcslen'
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: Reference count policy in cpufreq_update_limits()
Rolf Eike Beer <eb@emlix.com>
drm/sti: remove duplicate object names
Chris Bainbridge <chris.bainbridge@gmail.com>
drm/nouveau: prime: fix ttm_bo_delayed_delete oops
Denis Arefev <arefev@swemel.ru>
drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero
Denis Arefev <arefev@swemel.ru>
drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero
Denis Arefev <arefev@swemel.ru>
drm/amd/pm/powerplay: Prevent division by zero
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
drm/repaper: fix integer overflows in repeat functions
Thorsten Leemhuis <linux@leemhuis.info>
module: sign with sha512 instead of sha1 by default
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR
Dapeng Mi <dapeng1.mi@linux.intel.com>
perf/x86/intel: Allow to update user space GPRs from PEBS records
Xiangsheng Hou <xiangsheng.hou@mediatek.com>
virtiofs: add filesystem context source name check
Steven Rostedt <rostedt@goodmis.org>
tracing: Fix filter string testing
Nathan Chancellor <nathan@kernel.org>
riscv: Avoid fortify warning in syscall_get_arguments()
Edward Adam Davis <eadavis@qq.com>
isofs: Prevent the use of too small fid
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
i2c: cros-ec-tunnel: defer probe if parent EC is not present
Vasiliy Kovalev <kovalev@altlinux.org>
hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key
Herbert Xu <herbert@gondor.apana.org.au>
crypto: caam/qi - Fix drv_ctx refcount bug
Johannes Kimmel <kernel@bareminimum.eu>
btrfs: correctly escape subvol in btrfs_show_options()
Li Lingfeng <lilingfeng3@huawei.com>
nfsd: decrease sc_count directly if fail to queue dl_recall
Eric Biggers <ebiggers@google.com>
nfs: add missing selections of CONFIG_CRC32
Jeff Layton <jlayton@kernel.org>
nfs: move nfs_fhandle_hash to common include file
Denis Arefev <arefev@swemel.ru>
asus-laptop: Fix an uninitialized variable
Andreas Gruenbacher <agruenba@redhat.com>
writeback: fix false warning in inode_to_wb()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS
WangYuli <wangyuli@uniontech.com>
riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break
WangYuli <wangyuli@uniontech.com>
riscv: KGDB: Do not inline arch_kgdb_breakpoint()
Jonas Gorski <jonas.gorski@gmail.com>
net: b53: enable BPDU reception for management port
Abdun Nihaal <abdun.nihaal@gmail.com>
cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path
Ilya Maximets <i.maximets@ovn.org>
net: openvswitch: fix nested key length validation in the set() action
Christopher S M Hall <christopher.s.hall@intel.com>
igc: cleanup PTP module if probe fails
Christopher S M Hall <christopher.s.hall@intel.com>
igc: handle the IGC_PTP_ENABLED flag correctly
Johannes Berg <johannes.berg@intel.com>
Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()"
Dan Carpenter <dan.carpenter@linaro.org>
Bluetooth: btrtl: Prevent potential NULL dereference
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address
Shay Drory <shayd@nvidia.com>
RDMA/core: Silence oversized kvmalloc() warning
Chengchang Tang <tangchengchang@huawei.com>
RDMA/hns: Fix wrong maximum DMA segment size
Yue Haibing <yuehaibing@huawei.com>
RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe()
Miaoqian Lin <linmq006@gmail.com>
scsi: iscsi: Fix missing scsi_host_put() in error path
Abdun Nihaal <abdun.nihaal@gmail.com>
wifi: wl1251: fix memory leak in wl1251_tx_work
Remi Pommarel <repk@triplefau.lt>
wifi: mac80211: Purge vif txq in ieee80211_do_stop()
Remi Pommarel <repk@triplefau.lt>
wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()
Abdun Nihaal <abdun.nihaal@gmail.com>
wifi: at76c50x: fix use after free access in at76_disconnect
Kaixin Wang <kxwang23@m.fudan.edu.cn>
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
Daniel Golle <daniel@makrotopia.org>
pwm: mediatek: always use bus clock for PWM on MT7622
Arseniy Krasnov <avkrasnov@salutedevices.com>
Bluetooth: hci_uart: Fix another race during initialization
Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions()
Stephan Gerhold <stephan.gerhold@linaro.org>
pinctrl: qcom: Clear latched interrupt status when changing IRQ type
Ma Ke <make24@iscas.ac.cn>
PCI: Fix reference leak in pci_alloc_child_bus()
Stanimir Varbanov <svarbanov@suse.de>
PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakages in of_irq_init()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakage in API irq_of_parse_and_map()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakages in of_irq_count()
Fedor Pchelkin <pchelkin@ispras.ru>
ntb: use 64-bit arithmetic for the MSI doorbell mask
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
gpio: zynq: Fix wakeup source leaks on device unbind
zhoumin <teczm@foxmail.com>
ftrace: Add cond_resched() to ftrace_graph_set_hash()
Mikulas Patocka <mpatocka@redhat.com>
dm-integrity: set ti->error on memory allocation failure
Tom Lendacky <thomas.lendacky@amd.com>
crypto: ccp - Fix check for the primary ASP device
Trevor Woerner <twoerner@gmail.com>
thermal/drivers/rockchip: Add missing rk3328 mapping entry
Ricardo Cañuelo Navarro <rcn@igalia.com>
sctp: detect and prevent references to a freed transport in sendmsg
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock
Ryan Roberts <ryan.roberts@arm.com>
sparc/mm: disable preemption in lazy mmu mode
Chen-Yu Tsai <wenst@chromium.org>
arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string
Wentao Liang <vulab@iscas.ac.cn>
mtd: rawnand: Add status chack in r852_ready()
Wentao Liang <vulab@iscas.ac.cn>
mtd: inftlcore: Add error check for inftl_read_oob()
T Pratham <t-pratham@ti.com>
lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets
Boqun Feng <boqun.feng@gmail.com>
locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class()
Chenyuan Yang <chenyuan0y@gmail.com>
mfd: ene-kb3930: Fix a potential NULL pointer dereference
Jan Kara <jack@suse.cz>
jbd2: remove wrong sb->s_sequence check
Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
i3c: Add NULL pointer check in i3c_master_queue_ibi()
Si-Wei Liu <si-wei.liu@oracle.com>
vdpa/mlx5: Fix oversized null mkey longer than 32bit
Artem Sadovnikov <a.sadovnikov@ispras.ru>
ext4: fix off-by-one error in do_split
Alexey Klimov <alexey.klimov@linaro.org>
ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path
Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
wifi: mac80211: fix integer overflow in hwmp_route_info_get()
Alexandre Torgue <alexandre.torgue@foss.st.com>
clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup
Jiasheng Jiang <jiashengjiangcool@gmail.com>
mtd: Replace kcalloc() with devm_kcalloc()
Marek Behún <kabel@kernel.org>
net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi_parser: add check to avoid out of bound access
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: ov7251: Set enable GPIO low in probe
Karina Yankevich <k.yankevich@omp.ru>
media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf()
Murad Masimov <m.masimov@mt-integration.ru>
media: streamzap: prevent processing IR data on URB failure
Kamal Dasu <kamal.dasu@broadcom.com>
mtd: rawnand: brcmnand: fix PM resume warning
Miquel Raynal <miquel.raynal@bootlin.com>
spi: cadence-qspi: Fix probe on AM62A LP SK
Douglas Anderson <dianders@chromium.org>
arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list
Douglas Anderson <dianders@chromium.org>
arm64: cputype: Add MIDR_CORTEX_A76AE
Jan Beulich <jbeulich@suse.com>
xenfs/xensyms: respect hypervisor's "next" indication
Yuan Can <yuancan@huawei.com>
media: siano: Fix error handling in smsdvb_module_init()
Matthew Majewski <mattwmajewski@gmail.com>
media: vim2m: print device name after registering device
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi: add check to handle incorrect queue size
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi: add a check to handle OOB in sfr region
Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
media: i2c: adv748x: Fix test pattern selection mask
Jann Horn <jannh@google.com>
ext4: don't treat fhandle lookup of ea_inode as FS corruption
Eric Biggers <ebiggers@google.com>
ext4: reject casefold inode flag without casefold feature
Willem de Bruijn <willemb@google.com>
bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags
Ben Dooks <ben.dooks@sifive.com>
bpf: Add endian modifiers to fix endian warnings
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: fsl-ftm: Handle clk_get_rate() returning 0
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: rcar: Improve register calculation
Geert Uytterhoeven <geert+renesas@glider.be>
pwm: rcar: Simplify multiplication/shift logic
Josh Poimboeuf <jpoimboe@kernel.org>
pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()
Fabien Parent <fparent@baylibre.com>
pwm: mediatek: Always use bus clock
Leonid Arapov <arapovl839@gmail.com>
fbdev: omapfb: Add 'plane' value check
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off
Philip Yang <Philip.Yang@amd.com>
drm/amdkfd: Fix pqm_destroy_queue race with GPU reset
David Yat Sin <David.YatSin@amd.com>
drm/amdkfd: clamp queue size to minimum
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: panel: forbid initializing a panel with unknown connector type
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add new quirk for GPD Win 2
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add support for AYANEO 2S
Abhinav Kumar <quic_abhinavk@quicinc.com>
drm: allow encoder mode_set even when connectors change for crtc
Arseniy Krasnov <avkrasnov@salutedevices.com>
Bluetooth: hci_uart: fix race during initialization
Gabriele Paoloni <gpaoloni@redhat.com>
tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER
Stanislav Fomichev <sdf@fomichev.me>
net: vlan: don't propagate flags on open
Icenowy Zheng <uwu@icenowy.me>
wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table
Kai Mäkisara <Kai.Makisara@kolumbus.fi>
scsi: st: Fix array overflow in st_setup()
Bhupesh <bhupesh@igalia.com>
ext4: ignore xattrs past end
Ojaswin Mujoo <ojaswin@linux.ibm.com>
ext4: protect ext4_release_dquot against freezing
Daniel Kral <d.kral@proxmox.com>
ahci: add PCI ID for Marvell 88SE9215 SATA Controller
Chao Yu <chao@kernel.org>
f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()
Niklas Cassel <cassel@kernel.org>
ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode
Edward Adam Davis <eadavis@qq.com>
jfs: add sanity check for agwidth in dbMount
Edward Adam Davis <eadavis@qq.com>
jfs: Prevent copying of nlink with value 0 from disk inode
Rand Deeb <rand.sec96@gmail.com>
fs/jfs: Prevent integer overflow in AG size calculation
Rand Deeb <rand.sec96@gmail.com>
fs/jfs: cast inactags to s64 to prevent potential overflow
Jason Xing <kerneljasonxing@gmail.com>
page_pool: avoid infinite loop to schedule delayed worker
Ricard Wanderlof <ricard2013@butoba.net>
ALSA: usb-audio: Fix CME quirk for UF series keyboards
Maxim Mikityanskiy <maxtram95@gmail.com>
ALSA: hda: intel: Fix Optimus when GPU has no sound
Tomasz Pakuła <forest10pl@gmail.com>
HID: pidff: Fix null pointer dereference in pidff_find_fields
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Do not send effect envelope if it's empty
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Convert infinite length from Linux API to PID standard
Kees Cook <kees@kernel.org>
xen/mcelog: Add __nonstring annotations for unterminated strings
Douglas Anderson <dianders@chromium.org>
arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD
Mark Rutland <mark.rutland@arm.com>
perf: arm_pmu: Don't disable counter in armpmu_add()
Max Grobecker <max@grobecker.info>
x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine
Zhongqiu Han <quic_zhonhan@quicinc.com>
pm: cpupower: bench: Prevent NULL dereference on malloc failure
Trond Myklebust <trond.myklebust@hammerspace.com>
umount: Allow superblock owners to force umount
Florian Westphal <fw@strlen.de>
nft_set_pipapo: fix incorrect avx2 match of 5th field octet
Arnaud Lecomte <contact@arnaud-lcm.com>
net: ppp: Add bound checking for skb data on ppp_sync_txmung
Daniel Wagner <wagi@kernel.org>
nvmet-fcloop: swap list_add_tail arguments
Wentao Liang <vulab@iscas.ac.cn>
ata: sata_sx4: Add error handling in pdc20621_i2c_read()
Hannes Reinecke <hare@suse.de>
ata: sata_sx4: Drop pointless VPRINTK() calls and convert the remaining ones
Jakub Kicinski <kuba@kernel.org>
net: tls: explicitly disallow disconnect
Cong Wang <xiyou.wangcong@gmail.com>
codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
Tung Nguyen <tung.quang.nguyen@est.tech>
tipc: fix memory leak in tipc_link_xmit
Henry Martin <bsdhenrymartin@gmail.com>
ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()
-------------
Diffstat:
Makefile | 7 +-
arch/arm/mach-exynos/Kconfig | 1 -
arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 +-
arch/arm64/include/asm/cputype.h | 4 +
arch/arm64/kernel/proton-pack.c | 1 +
arch/mips/dec/prom/init.c | 2 +-
arch/mips/include/asm/ds1287.h | 2 +-
arch/mips/include/asm/mips-cm.h | 22 +++
arch/mips/kernel/cevt-ds1287.c | 1 +
arch/mips/kernel/mips-cm.c | 14 ++
arch/parisc/kernel/pdt.c | 2 +
arch/powerpc/kernel/rtas.c | 4 +
arch/riscv/include/asm/kgdb.h | 9 +-
arch/riscv/include/asm/syscall.h | 7 +-
arch/riscv/kernel/kgdb.c | 6 +
arch/s390/kvm/trace-s390.h | 4 +-
arch/sparc/mm/tlb.c | 5 +-
arch/x86/entry/entry.S | 2 +-
arch/x86/events/intel/ds.c | 8 +-
arch/x86/events/intel/uncore_snbep.c | 49 ++-----
arch/x86/kernel/cpu/amd.c | 2 +-
arch/x86/kernel/cpu/bugs.c | 8 +-
arch/x86/kernel/e820.c | 17 ++-
arch/x86/kvm/svm/avic.c | 60 ++++----
arch/x86/kvm/vmx/posted_intr.c | 28 ++--
arch/x86/platform/pvh/head.S | 7 +-
block/blk-cgroup.c | 24 +++-
block/blk-iocost.c | 7 +-
crypto/crypto_null.c | 37 +++--
drivers/acpi/pptt.c | 4 +-
drivers/ata/ahci.c | 2 +
drivers/ata/libata-eh.c | 11 +-
drivers/ata/pata_pxa.c | 6 +
drivers/ata/sata_sx4.c | 118 ++++++---------
drivers/bluetooth/btrtl.c | 2 +
drivers/bluetooth/hci_ldisc.c | 19 ++-
drivers/bluetooth/hci_uart.h | 1 +
drivers/char/virtio_console.c | 7 +-
drivers/clk/clk.c | 4 +
drivers/clocksource/timer-stm32-lp.c | 4 +-
drivers/cpufreq/cpufreq.c | 8 ++
drivers/cpufreq/scpi-cpufreq.c | 13 +-
drivers/crypto/atmel-sha204a.c | 7 +-
drivers/crypto/caam/qi.c | 6 +-
drivers/crypto/ccp/sp-pci.c | 15 +-
drivers/dma-buf/udmabuf.c | 2 +-
drivers/dma/dmatest.c | 6 +-
drivers/gpio/gpio-zynq.c | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 9 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 6 +-
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 ++
.../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +-
.../gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +-
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 +-
.../drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 +-
.../drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 +-
drivers/gpu/drm/drm_atomic_helper.c | 2 +-
drivers/gpu/drm/drm_panel.c | 5 +-
drivers/gpu/drm/drm_panel_orientation_quirks.c | 10 +-
drivers/gpu/drm/i915/gt/intel_engine_cs.c | 7 +-
drivers/gpu/drm/mediatek/mtk_dpi.c | 9 ++
drivers/gpu/drm/nouveau/nouveau_bo.c | 3 +
drivers/gpu/drm/nouveau/nouveau_gem.c | 3 -
drivers/gpu/drm/sti/Makefile | 2 -
drivers/gpu/drm/tiny/repaper.c | 4 +-
drivers/hid/usbhid/hid-pidff.c | 60 +++++---
drivers/hsi/clients/ssi_protocol.c | 1 +
drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 +
drivers/i3c/master.c | 3 +
drivers/iio/adc/ad7768-1.c | 5 +-
drivers/infiniband/core/umem_odp.c | 6 +-
drivers/infiniband/hw/hns/hns_roce_main.c | 2 +-
drivers/infiniband/hw/qib/qib_fs.c | 1 +
drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +-
drivers/iommu/amd/iommu.c | 2 +-
drivers/mcb/mcb-parse.c | 2 +-
drivers/md/dm-cache-target.c | 24 ++--
drivers/md/dm-integrity.c | 3 +
drivers/md/raid1.c | 26 ++--
drivers/media/common/siano/smsdvb-main.c | 2 +
drivers/media/i2c/adv748x/adv748x.h | 2 +-
drivers/media/i2c/ov7251.c | 4 +-
drivers/media/platform/qcom/venus/Makefile | 3 +-
drivers/media/platform/qcom/venus/core.c | 17 ---
drivers/media/platform/qcom/venus/core.h | 41 +-----
drivers/media/platform/qcom/venus/helpers.c | 60 ++++----
drivers/media/platform/qcom/venus/helpers.h | 2 +-
drivers/media/platform/qcom/venus/hfi.c | 18 ++-
drivers/media/platform/qcom/venus/hfi_parser.c | 159 ++++++++++++++++-----
drivers/media/platform/qcom/venus/hfi_parser.h | 2 +-
drivers/media/platform/qcom/venus/hfi_platform.c | 49 +++++++
drivers/media/platform/qcom/venus/hfi_platform.h | 61 ++++++++
.../media/platform/qcom/venus/hfi_platform_v4.c | 60 ++++++++
drivers/media/platform/qcom/venus/hfi_venus.c | 18 ++-
drivers/media/platform/qcom/venus/pm_helpers.c | 12 +-
drivers/media/platform/qcom/venus/vdec.c | 8 +-
drivers/media/platform/qcom/venus/venc.c | 91 ++++++++----
drivers/media/rc/streamzap.c | 135 +++++++----------
drivers/media/test-drivers/vim2m.c | 6 +-
drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +-
drivers/mfd/ene-kb3930.c | 2 +-
drivers/misc/mei/hw-me-regs.h | 1 +
drivers/misc/mei/pci-me.c | 1 +
drivers/misc/pci_endpoint_test.c | 6 +-
drivers/mtd/inftlcore.c | 9 +-
drivers/mtd/mtdpstore.c | 9 +-
drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +-
drivers/mtd/nand/raw/r852.c | 3 +
drivers/net/dsa/b53/b53_common.c | 10 ++
drivers/net/dsa/mv88e6xxx/chip.c | 25 +++-
drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 +
drivers/net/ethernet/intel/igc/igc_main.c | 1 +
drivers/net/ethernet/intel/igc/igc_ptp.c | 7 +
.../net/ethernet/mellanox/mlx5/core/en/rep/neigh.c | 15 +-
.../net/ethernet/mellanox/mlx5/core/en/rep/tc.c | 6 +-
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 33 ++++-
drivers/net/ethernet/mellanox/mlx5/core/en_tc.h | 3 +
drivers/net/phy/phy_led_triggers.c | 23 +--
drivers/net/ppp/ppp_synctty.c | 5 +
drivers/net/wireless/ath/ath10k/sdio.c | 5 +-
drivers/net/wireless/atmel/at76c50x-usb.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
drivers/net/wireless/ti/wl1251/tx.c | 4 +-
drivers/ntb/hw/idt/ntb_hw_idt.c | 18 +--
drivers/ntb/ntb_transport.c | 2 +-
drivers/nvme/host/core.c | 10 ++
drivers/nvme/target/fc.c | 14 --
drivers/nvme/target/fcloop.c | 2 +-
drivers/of/irq.c | 13 +-
drivers/pci/controller/pcie-brcmstb.c | 13 +-
drivers/pci/pci.c | 107 ++++++++------
drivers/pci/probe.c | 60 ++++++--
drivers/pci/remove.c | 7 +
drivers/perf/arm_pmu.c | 8 +-
drivers/phy/tegra/xusb.c | 2 +-
drivers/pinctrl/qcom/pinctrl-msm.c | 12 +-
drivers/platform/x86/asus-laptop.c | 9 +-
.../x86/intel_speed_select_if/isst_if_common.c | 2 +-
drivers/pwm/pwm-fsl-ftm.c | 6 +
drivers/pwm/pwm-mediatek.c | 20 ++-
drivers/pwm/pwm-rcar.c | 24 ++--
drivers/s390/block/dasd.c | 5 +-
drivers/s390/virtio/virtio_ccw.c | 16 ++-
drivers/scsi/lpfc/lpfc_hbadisc.c | 2 +
drivers/scsi/pm8001/pm8001_sas.c | 1 +
drivers/scsi/scsi_transport_iscsi.c | 7 +-
drivers/scsi/st.c | 2 +-
drivers/scsi/ufs/ufs_bsg.c | 1 +
drivers/soc/samsung/Kconfig | 12 +-
drivers/soc/samsung/Makefile | 3 +-
drivers/soc/samsung/exynos-asv.c | 45 ++----
drivers/soc/samsung/exynos-asv.h | 2 +
drivers/soc/samsung/exynos-chipid.c | 139 +++++++++++++-----
drivers/soc/ti/omap_prm.c | 2 +
drivers/spi/spi-cadence-quadspi.c | 6 +
drivers/staging/comedi/drivers/jr3_pci.c | 15 +-
drivers/staging/rtl8723bs/core/rtw_mlme.c | 2 +
drivers/thermal/rockchip_thermal.c | 1 +
drivers/tty/serial/sifive.c | 6 +
drivers/usb/cdns3/gadget.c | 2 +
drivers/usb/core/quirks.c | 9 ++
drivers/usb/dwc3/gadget.c | 6 +
drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 +
drivers/usb/host/max3421-hcd.c | 7 +
drivers/usb/host/ohci-pci.c | 23 +++
drivers/usb/serial/ftdi_sio.c | 2 +
drivers/usb/serial/ftdi_sio_ids.h | 5 +
drivers/usb/serial/option.c | 3 +
drivers/usb/serial/usb-serial-simple.c | 7 +
drivers/usb/storage/unusual_uas.h | 7 +
drivers/vdpa/mlx5/core/mr.c | 7 +-
drivers/vfio/pci/vfio_pci.c | 13 ++
drivers/video/backlight/led_bl.c | 5 +-
drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +-
drivers/xen/xenfs/xensyms.c | 4 +-
fs/Kconfig | 1 +
fs/btrfs/super.c | 3 +-
fs/cifs/cifs_debug.c | 6 +
fs/cifs/cifsglob.h | 9 ++
fs/cifs/cifsproto.h | 7 +-
fs/cifs/connect.c | 2 +-
fs/cifs/smb2misc.c | 11 +-
fs/cifs/smb2ops.c | 48 ++++---
fs/cifs/smb2pdu.c | 10 +-
fs/cifs/transport.c | 43 +++---
fs/ext4/block_validity.c | 5 +-
fs/ext4/inode.c | 76 +++++++---
fs/ext4/namei.c | 2 +-
fs/ext4/super.c | 19 ++-
fs/ext4/xattr.c | 11 +-
fs/f2fs/node.c | 9 +-
fs/fuse/virtio_fs.c | 3 +
fs/hfs/bnode.c | 6 +
fs/hfsplus/bnode.c | 6 +
fs/isofs/export.c | 2 +-
fs/jbd2/journal.c | 1 -
fs/jfs/jfs_dmap.c | 12 +-
fs/jfs/jfs_imap.c | 2 +-
fs/namespace.c | 3 +-
fs/nfs/Kconfig | 2 +-
fs/nfs/internal.h | 22 ---
fs/nfs/nfs4session.h | 4 -
fs/nfsd/Kconfig | 1 +
fs/nfsd/nfs4state.c | 2 +-
fs/nfsd/nfsfh.h | 7 -
fs/proc/array.c | 64 +++++----
include/linux/backing-dev.h | 1 +
include/linux/blk-cgroup.h | 1 +
include/linux/filter.h | 4 +
include/linux/nfs.h | 13 ++
include/linux/pci.h | 12 ++
include/linux/soc/samsung/exynos-chipid.h | 6 +-
include/net/net_namespace.h | 1 +
include/net/sctp/structs.h | 3 +-
include/uapi/linux/kfd_ioctl.h | 2 +
include/xen/interface/xen-mca.h | 2 +-
init/Kconfig | 3 +-
kernel/bpf/helpers.c | 11 +-
kernel/bpf/syscall.c | 17 ++-
kernel/dma/contiguous.c | 3 +-
kernel/locking/lockdep.c | 3 +
kernel/resource.c | 41 ++----
kernel/sched/cpufreq_schedutil.c | 18 ++-
kernel/trace/ftrace.c | 1 +
kernel/trace/trace.h | 4 +
kernel/trace/trace_events.c | 4 +-
kernel/trace/trace_events_filter.c | 4 +-
kernel/trace/trace_events_hist.c | 7 +-
kernel/trace/trace_events_synth.c | 82 ++++++++++-
kernel/trace/trace_synth.h | 1 +
lib/sg_split.c | 2 -
mm/memory.c | 4 +-
mm/vmscan.c | 2 +-
net/8021q/vlan_dev.c | 31 +---
net/bluetooth/hci_event.c | 5 +-
net/core/dev.c | 1 +
net/core/filter.c | 80 ++++++-----
net/core/net_namespace.c | 21 ++-
net/core/page_pool.c | 8 +-
net/ipv4/inet_connection_sock.c | 19 ++-
net/mac80211/iface.c | 3 +
net/mac80211/mesh_hwmp.c | 14 +-
net/mptcp/protocol.c | 45 ++++++
net/mptcp/subflow.c | 15 +-
net/netfilter/ipvs/ip_vs_ctl.c | 10 +-
net/netfilter/nft_set_pipapo_avx2.c | 3 +-
net/openvswitch/actions.c | 4 +-
net/openvswitch/flow_netlink.c | 3 +-
net/sched/sch_codel.c | 5 +-
net/sched/sch_fq_codel.c | 6 +-
net/sched/sch_hfsc.c | 23 ++-
net/sctp/socket.c | 22 +--
net/sctp/transport.c | 2 +
net/tipc/link.c | 1 +
net/tipc/monitor.c | 3 +-
net/tls/tls_main.c | 6 +
sound/pci/hda/hda_intel.c | 15 +-
sound/soc/codecs/wcd934x.c | 2 +-
sound/soc/qcom/qdsp6/q6asm-dai.c | 19 ++-
sound/usb/midi.c | 80 ++++++++++-
tools/objtool/check.c | 3 +
tools/power/cpupower/bench/parse.c | 4 +
tools/testing/selftests/mincore/mincore_selftest.c | 3 -
tools/testing/selftests/ublk/test_stripe_04.sh | 24 ++++
.../selftests/vm/charge_reserved_hugetlb.sh | 4 +-
.../selftests/vm/hugetlb_reparenting_test.sh | 2 +-
268 files changed, 2396 insertions(+), 1209 deletions(-)
* [PATCH 5.10 001/286] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 002/286] tipc: fix memory leak in tipc_link_xmit Greg Kroah-Hartman
` (289 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Damien Le Moal,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit ad320e408a8c95a282ab9c05cdf0c9b95e317985 ]
devm_ioremap() returns NULL on error. Currently, pxa_ata_probe() does
not check for this case, which can result in a NULL pointer dereference.
Add NULL check after devm_ioremap() to prevent this issue.
Fixes: 2dc6c6f15da9 ("[ARM] pata_pxa: DMA-capable PATA driver")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/pata_pxa.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/ata/pata_pxa.c b/drivers/ata/pata_pxa.c
index 41430f79663c1..3502bfb03c56c 100644
--- a/drivers/ata/pata_pxa.c
+++ b/drivers/ata/pata_pxa.c
@@ -223,10 +223,16 @@ static int pxa_ata_probe(struct platform_device *pdev)
ap->ioaddr.cmd_addr = devm_ioremap(&pdev->dev, cmd_res->start,
resource_size(cmd_res));
+ if (!ap->ioaddr.cmd_addr)
+ return -ENOMEM;
ap->ioaddr.ctl_addr = devm_ioremap(&pdev->dev, ctl_res->start,
resource_size(ctl_res));
+ if (!ap->ioaddr.ctl_addr)
+ return -ENOMEM;
ap->ioaddr.bmdma_addr = devm_ioremap(&pdev->dev, dma_res->start,
resource_size(dma_res));
+ if (!ap->ioaddr.bmdma_addr)
+ return -ENOMEM;
/*
* Adjust register offsets
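Review bot: The three new `return -ENOMEM;` exits in pxa_ata_probe() skip whatever the function set up before the first devm_ioremap() call, and that part is not visible in this hunk. The mappings themselves are device-managed and need no unwinding, but please confirm that nothing acquired earlier in probe by non-devm means has to be released on these paths. A sentence in the commit message saying so would settle it.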
--
2.39.5
* [PATCH 5.10 002/286] tipc: fix memory leak in tipc_link_xmit
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 001/286] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 003/286] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
` (288 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tung Nguyen, Paolo Abeni,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tung Nguyen <tung.quang.nguyen@est.tech>
[ Upstream commit 69ae94725f4fc9e75219d2d69022029c5b24bc9a ]
In case the backlog transmit queue for system-importance messages is overloaded,
tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to
a memory leak and failure when a skb is allocated.
This commit fixes this issue by purging the skb list before tipc_link_xmit()
returns.
Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion")
Signed-off-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20250403092431.514063-1-tung.quang.nguyen@est.tech
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/link.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/link.c b/net/tipc/link.c
index 5f849c7300283..336d1bb2cf6a3 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -1033,6 +1033,7 @@ int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list,
if (unlikely(l->backlog[imp].len >= l->backlog[imp].limit)) {
if (imp == TIPC_SYSTEM_IMPORTANCE) {
pr_warn("%s<%s>, link overflow", link_rst_msg, l->name);
+ __skb_queue_purge(list);
return -ENOBUFS;
}
rc = link_schedule_user(l, hdr);
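Review bot: The added `__skb_queue_purge(list);` in the TIPC_SYSTEM_IMPORTANCE branch is the unlocked variant, which is only safe if `list` is a queue private to the caller at this point; a short comment saying so would help. It also makes tipc_link_xmit() consume the list on this -ENOBUFS return, so the function's contract on who frees `list` on error should be documented. Callers that already purge on failure need a look to confirm they tolerate an empty list.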
--
2.39.5
* [PATCH 5.10 003/286] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 001/286] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 002/286] tipc: fix memory leak in tipc_link_xmit Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 004/286] net: tls: explicitly disallow disconnect Greg Kroah-Hartman
` (287 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Cong Wang, Simon Horman,
Jamal Hadi Salim, Paolo Abeni, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit 342debc12183b51773b3345ba267e9263bdfaaef ]
After making all ->qlen_notify() callbacks idempotent, now it is safe to
remove the check of qlen!=0 from both fq_codel_dequeue() and
codel_qdisc_dequeue().
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM")
Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250403211636.166257-1-xiyou.wangcong@gmail.com
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_codel.c | 5 +----
net/sched/sch_fq_codel.c | 6 ++----
2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
index 30169b3adbbb0..d9eff03deada4 100644
--- a/net/sched/sch_codel.c
+++ b/net/sched/sch_codel.c
@@ -95,10 +95,7 @@ static struct sk_buff *codel_qdisc_dequeue(struct Qdisc *sch)
&q->stats, qdisc_pkt_len, codel_get_enqueue_time,
drop_func, dequeue_func);
- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
- * or HTB crashes. Defer it for next round.
- */
- if (q->stats.drop_count && sch->q.qlen) {
+ if (q->stats.drop_count) {
qdisc_tree_reduce_backlog(sch, q->stats.drop_count, q->stats.drop_len);
q->stats.drop_count = 0;
q->stats.drop_len = 0;
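Review bot: Dropping `&& sch->q.qlen` in codel_qdisc_dequeue() is only safe once every ->qlen_notify() callback is idempotent, as the commit message says, and none of that work is part of this patch. The removed comment warned that HTB crashes when qdisc_tree_reduce_backlog() is called with qlen 0. For a 5.10 backport, please name the prerequisite commits and confirm they are already in this tree, for example with Stable-dep-of tags.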
diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index 01d6eea5b0ce9..6adea8e7f1531 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -314,10 +314,8 @@ static struct sk_buff *fq_codel_dequeue(struct Qdisc *sch)
}
qdisc_bstats_update(sch, skb);
flow->deficit -= qdisc_pkt_len(skb);
- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
- * or HTB crashes. Defer it for next round.
- */
- if (q->cstats.drop_count && sch->q.qlen) {
+
+ if (q->cstats.drop_count) {
qdisc_tree_reduce_backlog(sch, q->cstats.drop_count,
q->cstats.drop_len);
q->cstats.drop_count = 0;
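Review bot: In fq_codel_dequeue() the old comment is replaced by a blank line, so nothing in the code now explains why calling qdisc_tree_reduce_backlog() with an empty queue is acceptable. A one-line comment stating that the parent's qlen_notify handling tolerates repeated calls would stop someone from re-adding the `sch->q.qlen` test later.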
--
2.39.5
* [PATCH 5.10 004/286] net: tls: explicitly disallow disconnect
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 003/286] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 005/286] ata: sata_sx4: Drop pointless VPRINTK() calls and convert the remaining ones Greg Kroah-Hartman
` (286 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b4cd76826045a1eb93c1,
Jakub Kicinski, Eric Dumazet, Sabrina Dubroca, Paolo Abeni,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 5071a1e606b30c0c11278d3c6620cd6a24724cf6 ]
syzbot discovered that it can disconnect a TLS socket and then
run into all sorts of unexpected corner cases. I have a vague
recollection of Eric pointing this out to us a long time ago.
Supporting disconnect is really hard, for one thing if offload
is enabled we'd need to wait for all packets to be _acked_.
Disconnect is not commonly used, disallow it.
The immediate problem syzbot ran into is the warning in the strp,
but that's just the easiest bug to trigger:
WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
Call Trace:
<TASK>
tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363
tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043
inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678
sock_recvmsg_nosec net/socket.c:1023 [inline]
sock_recvmsg+0x109/0x280 net/socket.c:1045
__sys_recvfrom+0x202/0x380 net/socket.c:2237
Fixes: 3c4d7559159b ("tls: kernel TLS support")
Reported-by: syzbot+b4cd76826045a1eb93c1@syzkaller.appspotmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20250404180334.3224206-1-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_main.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index ebf856cf821da..9d7b52370155b 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -623,6 +623,11 @@ static int tls_setsockopt(struct sock *sk, int level, int optname,
return do_tls_setsockopt(sk, optname, optval, optlen);
}
+static int tls_disconnect(struct sock *sk, int flags)
+{
+ return -EOPNOTSUPP;
+}
+
struct tls_context *tls_ctx_create(struct sock *sk)
{
struct inet_connection_sock *icsk = inet_csk(sk);
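Review bot: tls_disconnect() carries no comment, and a bare `return -EOPNOTSUPP;` does not tell a reader that the refusal is deliberate. The reason is only in the commit message: with offload, all packets would have to be acked first. Please add a short comment above the function. This is also a user-visible change, since a disconnect on a TLS socket now fails, which deserves a mention for the stable backport.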
@@ -717,6 +722,7 @@ static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
prot[TLS_BASE][TLS_BASE] = *base;
prot[TLS_BASE][TLS_BASE].setsockopt = tls_setsockopt;
prot[TLS_BASE][TLS_BASE].getsockopt = tls_getsockopt;
+ prot[TLS_BASE][TLS_BASE].disconnect = tls_disconnect;
prot[TLS_BASE][TLS_BASE].close = tls_sk_proto_close;
prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
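Review bot: The `.disconnect = tls_disconnect` assignment in build_protos() is made only on prot[TLS_BASE][TLS_BASE] and reaches the other configurations through struct copies such as `prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];`. Only that one copy is visible here, so please confirm that every other entry of the table, in particular any device-offload entries, is derived from this base entry after the assignment. An entry built from `*base` directly would keep the original disconnect handler.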
--
2.39.5
* [PATCH 5.10 005/286] ata: sata_sx4: Drop pointless VPRINTK() calls and convert the remaining ones
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 004/286] net: tls: explicitly disallow disconnect Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 006/286] ata: sata_sx4: Add error handling in pdc20621_i2c_read() Greg Kroah-Hartman
` (285 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Damien Le Moal,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hannes Reinecke <hare@suse.de>
[ Upstream commit bc21c1056d08525d9c5a5d74db4b8f14e6691991 ]
Drop pointless VPRINTK() calls for setting up SG tables
and convert the remaining calls to structured logging.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Stable-dep-of: 8d46a2708503 ("ata: sata_sx4: Add error handling in pdc20621_i2c_read()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/sata_sx4.c | 105 +++++++++++++----------------------------
1 file changed, 34 insertions(+), 71 deletions(-)
diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
index c95685f693a68..7b28334aa26a2 100644
--- a/drivers/ata/sata_sx4.c
+++ b/drivers/ata/sata_sx4.c
@@ -308,15 +308,9 @@ static inline void pdc20621_ata_sg(u8 *buf, unsigned int portno,
/* output ATA packet S/G table */
addr = PDC_20621_DIMM_BASE + PDC_20621_DIMM_DATA +
(PDC_DIMM_DATA_STEP * portno);
- VPRINTK("ATA sg addr 0x%x, %d\n", addr, addr);
+
buf32[dw] = cpu_to_le32(addr);
buf32[dw + 1] = cpu_to_le32(total_len | ATA_PRD_EOT);
-
- VPRINTK("ATA PSG @ %x == (0x%x, 0x%x)\n",
- PDC_20621_DIMM_BASE +
- (PDC_DIMM_WINDOW_STEP * portno) +
- PDC_DIMM_APKT_PRD,
- buf32[dw], buf32[dw + 1]);
}
static inline void pdc20621_host_sg(u8 *buf, unsigned int portno,
@@ -332,12 +326,6 @@ static inline void pdc20621_host_sg(u8 *buf, unsigned int portno,
buf32[dw] = cpu_to_le32(addr);
buf32[dw + 1] = cpu_to_le32(total_len | ATA_PRD_EOT);
-
- VPRINTK("HOST PSG @ %x == (0x%x, 0x%x)\n",
- PDC_20621_DIMM_BASE +
- (PDC_DIMM_WINDOW_STEP * portno) +
- PDC_DIMM_HPKT_PRD,
- buf32[dw], buf32[dw + 1]);
}
static inline unsigned int pdc20621_ata_pkt(struct ata_taskfile *tf,
@@ -351,7 +339,6 @@ static inline unsigned int pdc20621_ata_pkt(struct ata_taskfile *tf,
unsigned int dimm_sg = PDC_20621_DIMM_BASE +
(PDC_DIMM_WINDOW_STEP * portno) +
PDC_DIMM_APKT_PRD;
- VPRINTK("ENTER, dimm_sg == 0x%x, %d\n", dimm_sg, dimm_sg);
i = PDC_DIMM_ATA_PKT;
@@ -406,8 +393,6 @@ static inline void pdc20621_host_pkt(struct ata_taskfile *tf, u8 *buf,
unsigned int dimm_sg = PDC_20621_DIMM_BASE +
(PDC_DIMM_WINDOW_STEP * portno) +
PDC_DIMM_HPKT_PRD;
- VPRINTK("ENTER, dimm_sg == 0x%x, %d\n", dimm_sg, dimm_sg);
- VPRINTK("host_sg == 0x%x, %d\n", host_sg, host_sg);
dw = PDC_DIMM_HOST_PKT >> 2;
@@ -424,14 +409,6 @@ static inline void pdc20621_host_pkt(struct ata_taskfile *tf, u8 *buf,
buf32[dw + 1] = cpu_to_le32(host_sg);
buf32[dw + 2] = cpu_to_le32(dimm_sg);
buf32[dw + 3] = 0;
-
- VPRINTK("HOST PKT @ %x == (0x%x 0x%x 0x%x 0x%x)\n",
- PDC_20621_DIMM_BASE + (PDC_DIMM_WINDOW_STEP * portno) +
- PDC_DIMM_HOST_PKT,
- buf32[dw + 0],
- buf32[dw + 1],
- buf32[dw + 2],
- buf32[dw + 3]);
}
static void pdc20621_dma_prep(struct ata_queued_cmd *qc)
@@ -447,8 +424,6 @@ static void pdc20621_dma_prep(struct ata_queued_cmd *qc)
WARN_ON(!(qc->flags & ATA_QCFLAG_DMAMAP));
- VPRINTK("ata%u: ENTER\n", ap->print_id);
-
/* hard-code chip #0 */
mmio += PDC_CHIP0_OFS;
@@ -492,7 +467,8 @@ static void pdc20621_dma_prep(struct ata_queued_cmd *qc)
readl(dimm_mmio); /* MMIO PCI posting flush */
- VPRINTK("ata pkt buf ofs %u, prd size %u, mmio copied\n", i, sgt_len);
+ ata_port_dbg(ap, "ata pkt buf ofs %u, prd size %u, mmio copied\n",
+ i, sgt_len);
}
static void pdc20621_nodata_prep(struct ata_queued_cmd *qc)
@@ -504,8 +480,6 @@ static void pdc20621_nodata_prep(struct ata_queued_cmd *qc)
unsigned int portno = ap->port_no;
unsigned int i;
- VPRINTK("ata%u: ENTER\n", ap->print_id);
-
/* hard-code chip #0 */
mmio += PDC_CHIP0_OFS;
@@ -527,7 +501,7 @@ static void pdc20621_nodata_prep(struct ata_queued_cmd *qc)
readl(dimm_mmio); /* MMIO PCI posting flush */
- VPRINTK("ata pkt buf ofs %u, mmio copied\n", i);
+ ata_port_dbg(ap, "ata pkt buf ofs %u, mmio copied\n", i);
}
static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc)
@@ -633,8 +607,6 @@ static void pdc20621_packet_start(struct ata_queued_cmd *qc)
/* hard-code chip #0 */
mmio += PDC_CHIP0_OFS;
- VPRINTK("ata%u: ENTER\n", ap->print_id);
-
wmb(); /* flush PRD, pkt writes */
port_ofs = PDC_20621_DIMM_BASE + (PDC_DIMM_WINDOW_STEP * port_no);
@@ -645,7 +617,7 @@ static void pdc20621_packet_start(struct ata_queued_cmd *qc)
pdc20621_dump_hdma(qc);
pdc20621_push_hdma(qc, seq, port_ofs + PDC_DIMM_HOST_PKT);
- VPRINTK("queued ofs 0x%x (%u), seq %u\n",
+ ata_port_dbg(ap, "queued ofs 0x%x (%u), seq %u\n",
port_ofs + PDC_DIMM_HOST_PKT,
port_ofs + PDC_DIMM_HOST_PKT,
seq);
@@ -656,7 +628,7 @@ static void pdc20621_packet_start(struct ata_queued_cmd *qc)
writel(port_ofs + PDC_DIMM_ATA_PKT,
ap->ioaddr.cmd_addr + PDC_PKT_SUBMIT);
readl(ap->ioaddr.cmd_addr + PDC_PKT_SUBMIT);
- VPRINTK("submitted ofs 0x%x (%u), seq %u\n",
+ ata_port_dbg(ap, "submitted ofs 0x%x (%u), seq %u\n",
port_ofs + PDC_DIMM_ATA_PKT,
port_ofs + PDC_DIMM_ATA_PKT,
seq);
@@ -696,14 +668,12 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap,
u8 status;
unsigned int handled = 0;
- VPRINTK("ENTER\n");
-
if ((qc->tf.protocol == ATA_PROT_DMA) && /* read */
(!(qc->tf.flags & ATA_TFLAG_WRITE))) {
/* step two - DMA from DIMM to host */
if (doing_hdma) {
- VPRINTK("ata%u: read hdma, 0x%x 0x%x\n", ap->print_id,
+ ata_port_dbg(ap, "read hdma, 0x%x 0x%x\n",
readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT));
/* get drive status; clear intr; complete txn */
qc->err_mask |= ac_err_mask(ata_wait_idle(ap));
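Review bot: In pdc20621_host_intr() the converted messages keep `readl(mmio + 0x104)` and `readl(mmio + PDC_HDMA_CTLSTAT)` as arguments, so the cost of this conversion depends on how ata_port_dbg() is defined in 5.10.y. Please check that it is a dynamic-debug call in this tree. If it is an unconditional KERN_DEBUG print, what used to be compiled-out VPRINTK() output becomes two extra MMIO reads and a log line on every interrupt.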
@@ -714,7 +684,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap,
/* step one - exec ATA command */
else {
u8 seq = (u8) (port_no + 1 + 4);
- VPRINTK("ata%u: read ata, 0x%x 0x%x\n", ap->print_id,
+ ata_port_dbg(ap, "read ata, 0x%x 0x%x\n",
readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT));
/* submit hdma pkt */
@@ -729,7 +699,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap,
/* step one - DMA from host to DIMM */
if (doing_hdma) {
u8 seq = (u8) (port_no + 1);
- VPRINTK("ata%u: write hdma, 0x%x 0x%x\n", ap->print_id,
+ ata_port_dbg(ap, "write hdma, 0x%x 0x%x\n",
readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT));
/* submit ata pkt */
@@ -742,7 +712,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap,
/* step two - execute ATA command */
else {
- VPRINTK("ata%u: write ata, 0x%x 0x%x\n", ap->print_id,
+ ata_port_dbg(ap, "write ata, 0x%x 0x%x\n",
readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT));
/* get drive status; clear intr; complete txn */
qc->err_mask |= ac_err_mask(ata_wait_idle(ap));
@@ -755,7 +725,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap,
} else if (qc->tf.protocol == ATA_PROT_NODATA) {
status = ata_sff_busy_wait(ap, ATA_BUSY | ATA_DRQ, 1000);
- DPRINTK("BUS_NODATA (drv_stat 0x%X)\n", status);
+ ata_port_dbg(ap, "BUS_NODATA (drv_stat 0x%X)\n", status);
qc->err_mask |= ac_err_mask(status);
ata_qc_complete(qc);
handled = 1;
@@ -781,29 +751,21 @@ static irqreturn_t pdc20621_interrupt(int irq, void *dev_instance)
unsigned int handled = 0;
void __iomem *mmio_base;
- VPRINTK("ENTER\n");
-
- if (!host || !host->iomap[PDC_MMIO_BAR]) {
- VPRINTK("QUICK EXIT\n");
+ if (!host || !host->iomap[PDC_MMIO_BAR])
return IRQ_NONE;
- }
mmio_base = host->iomap[PDC_MMIO_BAR];
/* reading should also clear interrupts */
mmio_base += PDC_CHIP0_OFS;
mask = readl(mmio_base + PDC_20621_SEQMASK);
- VPRINTK("mask == 0x%x\n", mask);
- if (mask == 0xffffffff) {
- VPRINTK("QUICK EXIT 2\n");
+ if (mask == 0xffffffff)
return IRQ_NONE;
- }
+
mask &= 0xffff; /* only 16 tags possible */
- if (!mask) {
- VPRINTK("QUICK EXIT 3\n");
+ if (!mask)
return IRQ_NONE;
- }
spin_lock(&host->lock);
@@ -816,7 +778,8 @@ static irqreturn_t pdc20621_interrupt(int irq, void *dev_instance)
else
ap = host->ports[port_no];
tmp = mask & (1 << i);
- VPRINTK("seq %u, port_no %u, ap %p, tmp %x\n", i, port_no, ap, tmp);
+ if (ap)
+ ata_port_dbg(ap, "seq %u, tmp %x\n", i, tmp);
if (tmp && ap) {
struct ata_queued_cmd *qc;
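Review bot: The new `if (ap)` guard in pdc20621_interrupt() emits the "seq %u, tmp %x" message for every sequence slot that maps to a valid port, whether or not `tmp` is set, and the loop runs between the spin_lock(&host->lock) and spin_unlock(&host->lock) calls shown in the neighbouring hunks. Moving the ata_port_dbg() call inside the existing `if (tmp && ap)` block would avoid the duplicate test and limit output to slots that actually fired. Dropping the `%p` of `ap` from the message is a good change.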
@@ -829,10 +792,6 @@ static irqreturn_t pdc20621_interrupt(int irq, void *dev_instance)
spin_unlock(&host->lock);
- VPRINTK("mask == 0x%x\n", mask);
-
- VPRINTK("EXIT\n");
-
return IRQ_RETVAL(handled);
}
@@ -1272,7 +1231,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
/* Initialize Time Period Register */
writel(0xffffffff, mmio + PDC_TIME_PERIOD);
time_period = readl(mmio + PDC_TIME_PERIOD);
- VPRINTK("Time Period Register (0x40): 0x%x\n", time_period);
+ dev_dbg(host->dev, "Time Period Register (0x40): 0x%x\n", time_period);
/* Enable timer */
writel(PDC_TIMER_DEFAULT, mmio + PDC_TIME_CONTROL);
@@ -1287,7 +1246,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
*/
tcount = readl(mmio + PDC_TIME_COUNTER);
- VPRINTK("Time Counter Register (0x44): 0x%x\n", tcount);
+ dev_dbg(host->dev, "Time Counter Register (0x44): 0x%x\n", tcount);
/*
If SX4 is on PCI-X bus, after 3 seconds, the timer counter
@@ -1295,17 +1254,19 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
*/
if (tcount >= PCI_X_TCOUNT) {
ticks = (time_period - tcount);
- VPRINTK("Num counters 0x%x (%d)\n", ticks, ticks);
+ dev_dbg(host->dev, "Num counters 0x%x (%d)\n", ticks, ticks);
clock = (ticks / 300000);
- VPRINTK("10 * Internal clk = 0x%x (%d)\n", clock, clock);
+ dev_dbg(host->dev, "10 * Internal clk = 0x%x (%d)\n",
+ clock, clock);
clock = (clock * 33);
- VPRINTK("10 * Internal clk * 33 = 0x%x (%d)\n", clock, clock);
+ dev_dbg(host->dev, "10 * Internal clk * 33 = 0x%x (%d)\n",
+ clock, clock);
/* PLL F Param (bit 22:16) */
fparam = (1400000 / clock) - 2;
- VPRINTK("PLL F Param: 0x%x (%d)\n", fparam, fparam);
+ dev_dbg(host->dev, "PLL F Param: 0x%x (%d)\n", fparam, fparam);
/* OD param = 0x2 (bit 31:30), R param = 0x5 (bit 29:25) */
pci_status = (0x8a001824 | (fparam << 16));
@@ -1313,7 +1274,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
pci_status = PCI_PLL_INIT;
/* Initialize PLL. */
- VPRINTK("pci_status: 0x%x\n", pci_status);
+ dev_dbg(host->dev, "pci_status: 0x%x\n", pci_status);
writel(pci_status, mmio + PDC_CTL_STATUS);
readl(mmio + PDC_CTL_STATUS);
@@ -1325,15 +1286,16 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
printk(KERN_ERR "Detect Local DIMM Fail\n");
return 1; /* DIMM error */
}
- VPRINTK("Local DIMM Speed = %d\n", speed);
+ dev_dbg(host->dev, "Local DIMM Speed = %d\n", speed);
/* Programming DIMM0 Module Control Register (index_CID0:80h) */
size = pdc20621_prog_dimm0(host);
- VPRINTK("Local DIMM Size = %dMB\n", size);
+ dev_dbg(host->dev, "Local DIMM Size = %dMB\n", size);
/* Programming DIMM Module Global Control Register (index_CID0:88h) */
if (pdc20621_prog_dimm_global(host)) {
- printk(KERN_ERR "Programming DIMM Module Global Control Register Fail\n");
+ dev_err(host->dev,
+ "Programming DIMM Module Global Control Register Fail\n");
return 1;
}
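Review bot: `printk(KERN_ERR "Detect Local DIMM Fail\n");` at the top of this hunk in pdc20621_dimm_init() is left as a bare printk while the "Programming DIMM Module Global Control Register Fail" message a few lines below is converted to dev_err(host->dev, ...). Converting both keeps the device prefix consistent across the two failure paths.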
@@ -1370,13 +1332,14 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
if (!pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
PDC_DIMM_SPD_TYPE, &spd0)) {
- pr_err("Failed in i2c read: device=%#x, subaddr=%#x\n",
+ dev_err(host->dev,
+ "Failed in i2c read: device=%#x, subaddr=%#x\n",
PDC_DIMM0_SPD_DEV_ADDRESS, PDC_DIMM_SPD_TYPE);
return 1;
}
if (spd0 == 0x02) {
void *buf;
- VPRINTK("Start ECC initialization\n");
+ dev_dbg(host->dev, "Start ECC initialization\n");
addr = 0;
length = size * 1024 * 1024;
buf = kzalloc(ECC_ERASE_BUF_SZ, GFP_KERNEL);
@@ -1388,7 +1351,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
addr += ECC_ERASE_BUF_SZ;
}
kfree(buf);
- VPRINTK("Finish ECC initialization\n");
+ dev_dbg(host->dev, "Finish ECC initialization\n");
}
return 0;
}
--
2.39.5
* [PATCH 5.10 006/286] ata: sata_sx4: Add error handling in pdc20621_i2c_read()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 005/286] ata: sata_sx4: Drop pointless VPRINTK() calls and convert the remaining ones Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 007/286] nvmet-fcloop: swap list_add_tail arguments Greg Kroah-Hartman
` (284 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Niklas Cassel,
Damien Le Moal, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit 8d46a27085039158eb5e253ab8a35a0e33b5e864 ]
The function pdc20621_prog_dimm0() calls the function pdc20621_i2c_read()
but does not handle the error if the read fails. This could lead to
processing invalid data. A proper implementation can be found in
/source/drivers/ata/sata_sx4.c, pdc20621_prog_dimm_global(). As mentioned
in its commit: bb44e154e25125bef31fa956785e90fccd24610b, the variable spd0
might be used uninitialized when pdc20621_i2c_read() fails.
Add error handling to pdc20621_i2c_read(). If a read operation fails,
an error message is logged via dev_err(), and a negative error
code is returned.
Add error handling to pdc20621_prog_dimm0() in pdc20621_dimm_init(), and
return a negative error code if pdc20621_prog_dimm0() fails.
Fixes: 4447d3515616 ("libata: convert the remaining SATA drivers to new init model")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/sata_sx4.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
index 7b28334aa26a2..20b73e0d835a3 100644
--- a/drivers/ata/sata_sx4.c
+++ b/drivers/ata/sata_sx4.c
@@ -1124,9 +1124,14 @@ static int pdc20621_prog_dimm0(struct ata_host *host)
mmio += PDC_CHIP0_OFS;
for (i = 0; i < ARRAY_SIZE(pdc_i2c_read_data); i++)
- pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
- pdc_i2c_read_data[i].reg,
- &spd0[pdc_i2c_read_data[i].ofs]);
+ if (!pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
+ pdc_i2c_read_data[i].reg,
+ &spd0[pdc_i2c_read_data[i].ofs])) {
+ dev_err(host->dev,
+ "Failed in i2c read at index %d: device=%#x, reg=%#x\n",
+ i, PDC_DIMM0_SPD_DEV_ADDRESS, pdc_i2c_read_data[i].reg);
+ return -EIO;
+ }
data |= (spd0[4] - 8) | ((spd0[21] != 0) << 3) | ((spd0[3]-11) << 4);
data |= ((spd0[17] / 4) << 6) | ((spd0[5] / 2) << 7) |
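Review bot: the `for` loop in pdc20621_prog_dimm0() still has no braces, but its body is now a multi-line `if` block with its own braces and an early `return -EIO;`. Wrap the loop body in braces so the extent of the loop is unambiguous. The `!pdc20621_i2c_read(...)` test treats a zero return as failure, the reverse of the common 0-on-success convention, so a short comment at the call site would keep a later cleanup from inverting it.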
@@ -1290,6 +1295,8 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
/* Programming DIMM0 Module Control Register (index_CID0:80h) */
size = pdc20621_prog_dimm0(host);
+ if (size < 0)
+ return size;
dev_dbg(host->dev, "Local DIMM Size = %dMB\n", size);
/* Programming DIMM Module Global Control Register (index_CID0:88h) */
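Review bot: `return size;` in pdc20621_dimm_init() hands back a negative errno from a function the hunk header declares as `static unsigned int`, so -EIO reaches the caller as a large positive value. That is only safe if every caller tests for non-zero rather than `< 0`; either change the return type to int or return a fixed non-zero failure value in line with the function's other error paths. The `size < 0` test also depends on `size` being a signed type, which is declared outside this hunk and should be checked.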
--
2.39.5
* [PATCH 5.10 007/286] nvmet-fcloop: swap list_add_tail arguments
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 006/286] ata: sata_sx4: Add error handling in pdc20621_i2c_read() Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 008/286] net: ppp: Add bound checking for skb data on ppp_sync_txmung Greg Kroah-Hartman
` (283 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Wagner, Hannes Reinecke,
Christoph Hellwig, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit 2b5f0c5bc819af2b0759a8fcddc1b39102735c0f ]
The new element to be added to the list is the first argument of
list_add_tail. This fix is missing dcfad4ab4d67 ("nvmet-fcloop: swap
the list_add_tail arguments").
Fixes: 437c0b824dbd ("nvme-fcloop: add target to host LS request support")
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/fcloop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
index f2c5136bf2b82..f1aaabc5bec7d 100644
--- a/drivers/nvme/target/fcloop.c
+++ b/drivers/nvme/target/fcloop.c
@@ -478,7 +478,7 @@ fcloop_t2h_xmt_ls_rsp(struct nvme_fc_local_port *localport,
if (targetport) {
tport = targetport->private;
spin_lock(&tport->lock);
- list_add_tail(&tport->ls_list, &tls_req->ls_list);
+ list_add_tail(&tls_req->ls_list, &tport->ls_list);
spin_unlock(&tport->lock);
schedule_work(&tport->ls_work);
}
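Review bot: the commit message does not say what went wrong at runtime with the removed call `list_add_tail(&tport->ls_list, &tls_req->ls_list)`, which passed the port's list head as the new entry and the request's node as the list. Since `schedule_work(&tport->ls_work)` follows immediately and presumably walks `tport->ls_list`, one sentence on the observed effect would let stable reviewers judge the impact of the backport.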
--
2.39.5
* [PATCH 5.10 008/286] net: ppp: Add bound checking for skb data on ppp_sync_txmung
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 007/286] nvmet-fcloop: swap list_add_tail arguments Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 009/286] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Greg Kroah-Hartman
` (282 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+29fc8991b0ecb186cf40,
Arnaud Lecomte, Paolo Abeni, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaud Lecomte <contact@arnaud-lcm.com>
[ Upstream commit aabc6596ffb377c4c9c8f335124b92ea282c9821 ]
Ensure we have enough data in linear buffer from skb before accessing
initial bytes. This prevents potential out-of-bounds accesses
when processing short packets.
When ppp_sync_txmung receives an incoming package with an empty
payload:
(remote) gef➤ p *(struct pppoe_hdr *) (skb->head + skb->network_header)
$18 = {
type = 0x1,
ver = 0x1,
code = 0x0,
sid = 0x2,
length = 0x0,
tag = 0xffff8880371cdb96
}
from the skb struct (trimmed)
tail = 0x16,
end = 0x140,
head = 0xffff88803346f400 "4",
data = 0xffff88803346f416 ":\377",
truesize = 0x380,
len = 0x0,
data_len = 0x0,
mac_len = 0xe,
hdr_len = 0x0,
it is not safe to access data[2].
Reported-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
Tested-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Link: https://patch.msgid.link/20250408-bound-checking-ppp_txmung-v2-1-94bb6e1b92d0@arnaud-lcm.com
[pabeni@redhat.com: fixed subj typo]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_synctty.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
index 7174316362758..11725cab4912b 100644
--- a/drivers/net/ppp/ppp_synctty.c
+++ b/drivers/net/ppp/ppp_synctty.c
@@ -517,6 +517,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
unsigned char *data;
int islcp;
+ /* Ensure we can safely access protocol field and LCP code */
+ if (!pskb_may_pull(skb, 3)) {
+ kfree_skb(skb);
+ return NULL;
+ }
data = skb->data;
proto = get_unaligned_be16(data);
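Review bot: the literal 3 in `pskb_may_pull(skb, 3)` stands for two bytes of protocol field plus the one LCP code byte at data[2], and only the comment says so; a named constant would keep the bound and the later data[2] access in step. The early-exit path calls kfree_skb() and returns NULL, so callers of ppp_sync_txmunge() must treat NULL as "skb already consumed" and neither free nor requeue it; that is outside this hunk and should be confirmed. Reading `data = skb->data` after the pull rather than before is the right order, since the pull may change the linear buffer.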
--
2.39.5
* [PATCH 5.10 009/286] nft_set_pipapo: fix incorrect avx2 match of 5th field octet
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 008/286] net: ppp: Add bound checking for skb data on ppp_sync_txmung Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 010/286] umount: Allow superblock owners to force umount Greg Kroah-Hartman
` (281 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sontu mazumdar, Stefano Brivio,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit e042ed950d4e176379ba4c0722146cd96fb38aa2 ]
Given a set element like:
icmpv6 . dead:beef:00ff::1
The value of 'ff' is irrelevant, any address will be matched
as long as the other octets are the same.
This is because of too-early register clobbering:
ymm7 is reloaded with new packet data (pkt[9]) but it still holds data
of an earlier load that wasn't processed yet.
The existing tests in nft_concat_range.sh selftests do exercise this code
path, but do not trigger incorrect matching due to the network prefix
limitation.
Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation")
Reported-by: sontu mazumdar <sontu21@gmail.com>
Closes: https://lore.kernel.org/netfilter/CANgxkqwnMH7fXra+VUfODT-8+qFLgskq3set1cAzqqJaV4iEZg@mail.gmail.com/T/#t
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo_avx2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
index 13c7e22c93842..0a23d297084d4 100644
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -985,8 +985,9 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
NFT_PIPAPO_AVX2_BUCKET_LOAD8(5, lt, 8, pkt[8], bsize);
NFT_PIPAPO_AVX2_AND(6, 2, 3);
+ NFT_PIPAPO_AVX2_AND(3, 4, 7);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt, 9, pkt[9], bsize);
- NFT_PIPAPO_AVX2_AND(0, 4, 5);
+ NFT_PIPAPO_AVX2_AND(0, 3, 5);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(1, lt, 10, pkt[10], bsize);
NFT_PIPAPO_AVX2_AND(2, 6, 7);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(3, lt, 11, pkt[11], bsize);
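Review bot: the fix depends on the new `NFT_PIPAPO_AVX2_AND(3, 4, 7)` running before `NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt, 9, pkt[9], bsize)` reuses register 7, and nothing in the code states that ordering constraint. A one-line comment above the AND, saying that register 7 still holds an unconsumed earlier load and must be folded in before it is reloaded, would stop a later reschedule from reintroducing the clobber. The commit message notes that the nft_concat_range.sh selftests exercise this path without catching the bug, so a regression case built on the `icmpv6 . dead:beef:00ff::1` element should accompany the change; the symptom is a set element matching addresses it should not, which matters for any ruleset filtering on such concatenated sets.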
--
2.39.5
* [PATCH 5.10 010/286] umount: Allow superblock owners to force umount
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 009/286] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 011/286] pm: cpupower: bench: Prevent NULL dereference on malloc failure Greg Kroah-Hartman
` (280 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Eric W. Biederman,
Christian Brauner, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit e1ff7aa34dec7e650159fd7ca8ec6af7cc428d9f ]
Loosen the permission check on forced umount to allow users holding
CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
to the userns that originally mounted the filesystem.
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Link: https://lore.kernel.org/r/12f212d4ef983714d065a6bb372fbb378753bf4c.1742315194.git.trond.myklebust@hammerspace.com
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 7e67db7456b3d..2f97112657adc 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1716,6 +1716,7 @@ static inline bool may_mandlock(void)
static int can_umount(const struct path *path, int flags)
{
struct mount *mnt = real_mount(path->mnt);
+ struct super_block *sb = path->dentry->d_sb;
if (!may_mount())
return -EPERM;
@@ -1725,7 +1726,7 @@ static int can_umount(const struct path *path, int flags)
return -EINVAL;
if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
return -EINVAL;
- if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
+ if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
return -EPERM;
return 0;
}
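Review bot: the `MNT_FORCE` check in can_umount() now passes for any task holding CAP_SYS_ADMIN in `sb->s_user_ns`, where `capable()` required it in the initial user namespace, and there is no comment at the check explaining why a superblock-relative capability is enough. Because this widens who may force an unmount, add a short comment carrying the rationale from the commit message (namespaces privileged with respect to the userns that mounted the filesystem). Parenthesizing `(flags & MNT_FORCE)` would also make the expression stop relying on `&` binding tighter than `&&`.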
--
2.39.5
* [PATCH 5.10 011/286] pm: cpupower: bench: Prevent NULL dereference on malloc failure
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 010/286] umount: Allow superblock owners to force umount Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 012/286] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Greg Kroah-Hartman
` (279 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhongqiu Han, Shuah Khan,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhongqiu Han <quic_zhonhan@quicinc.com>
[ Upstream commit 208baa3ec9043a664d9acfb8174b332e6b17fb69 ]
If malloc returns NULL due to low memory, 'config' pointer can be NULL.
Add a check to prevent NULL dereference.
Link: https://lore.kernel.org/r/20250219122715.3892223-1-quic_zhonhan@quicinc.com
Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/power/cpupower/bench/parse.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tools/power/cpupower/bench/parse.c b/tools/power/cpupower/bench/parse.c
index e63dc11fa3a53..48e25be6e1635 100644
--- a/tools/power/cpupower/bench/parse.c
+++ b/tools/power/cpupower/bench/parse.c
@@ -120,6 +120,10 @@ FILE *prepare_output(const char *dirname)
struct config *prepare_default_config()
{
struct config *config = malloc(sizeof(struct config));
+ if (!config) {
+ perror("malloc");
+ return NULL;
+ }
dprintf("loading defaults\n");
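Review bot: the new `return NULL;` in prepare_default_config() only moves the NULL dereference to the callers unless each of them checks the result, and this patch adds nothing but these four lines. Confirm that every call site handles a NULL return, or add those checks in the same patch.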
--
2.39.5
* [PATCH 5.10 012/286] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 011/286] pm: cpupower: bench: Prevent NULL dereference on malloc failure Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 013/286] perf: arm_pmu: Dont disable counter in armpmu_add() Greg Kroah-Hartman
` (278 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Grobecker, Ingo Molnar,
linux-kernel, Borislav Petkov, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Grobecker <max@grobecker.info>
[ Upstream commit a4248ee16f411ac1ea7dfab228a6659b111e3d65 ]
When running in a virtual machine, we might see the original hardware CPU
vendor string (i.e. "AuthenticAMD"), but a model and family ID set by the
hypervisor. In case we run on AMD hardware and the hypervisor sets a model
ID < 0x14, the LAHF cpu feature is eliminated from the list of CPU
capabilities present to circumvent a bug with some BIOSes in conjunction with
AMD K8 processors.
Parsing the flags list from /proc/cpuinfo seems to be happening mostly in
bash scripts and prebuilt Docker containers, as it does not need to have
additional tools present – even though more reliable ways like using "kcpuid",
which calls the CPUID instruction instead of parsing a list, should be preferred.
Scripts, that use /proc/cpuinfo to determine if the current CPU is
"compliant" with defined microarchitecture levels like x86-64-v2 will falsely
claim the CPU is incapable of modern CPU instructions when "lahf_lm" is missing
in that flags list.
This can prevent some docker containers from starting or build scripts to create
unoptimized binaries.
Admittedly, this is more a small inconvenience than a severe bug in the kernel
and the shoddy scripts that rely on parsing /proc/cpuinfo
should be fixed instead.
This patch adds an additional check to see if we're running inside a
virtual machine (X86_FEATURE_HYPERVISOR is present), which, to my
understanding, can't be present on a real K8 processor as it was introduced
only with the later/other Athlon64 models.
Example output with the "lahf_lm" flag missing in the flags list
(should be shown between "hypervisor" and "abm"):
$ cat /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 15
model : 6
model name : Common KVM processor
stepping : 1
microcode : 0x1000065
cpu MHz : 2599.998
cache size : 512 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx rdtscp
lm rep_good nopl cpuid extd_apicid tsc_known_freq pni
pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt
tsc_deadline_timer aes xsave avx f16c hypervisor abm
3dnowprefetch vmmcall bmi1 avx2 bmi2 xsaveopt
... while kcpuid shows the feature to be present in the CPU:
# kcpuid -d | grep lahf
lahf_lm - LAHF/SAHF available in 64-bit mode
[ mingo: Updated the comment a bit, incorporated Boris's review feedback. ]
Signed-off-by: Max Grobecker <max@grobecker.info>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: linux-kernel@vger.kernel.org
Cc: Borislav Petkov <bp@alien8.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/amd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index c10f7dcaa7b7c..5f0bdb53b0067 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -839,7 +839,7 @@ static void init_amd_k8(struct cpuinfo_x86 *c)
* (model = 0x14) and later actually support it.
* (AMD Erratum #110, docId: 25759).
*/
- if (c->x86_model < 0x14 && cpu_has(c, X86_FEATURE_LAHF_LM)) {
+ if (c->x86_model < 0x14 && cpu_has(c, X86_FEATURE_LAHF_LM) && !cpu_has(c, X86_FEATURE_HYPERVISOR)) {
clear_cpu_cap(c, X86_FEATURE_LAHF_LM);
if (!rdmsrl_amd_safe(0xc001100d, &value)) {
value &= ~BIT_64(32);
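Review bot: the comment above the condition in init_amd_k8() still describes only the Erratum #110 case and says nothing about the new `!cpu_has(c, X86_FEATURE_HYPERVISOR)` term. Add a sentence there that guests are excluded because family and model may be set by the hypervisor. The exclusion also skips the `rdmsrl_amd_safe(0xc001100d, &value)` block inside the same `if`, which looks intended but should be stated, and the condition line is now long enough that it would read better split in two.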
--
2.39.5
* [PATCH 5.10 013/286] perf: arm_pmu: Dont disable counter in armpmu_add()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 012/286] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 014/286] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Greg Kroah-Hartman
` (277 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Rob Herring (Arm),
Anshuman Khandual, James Clark, Will Deacon, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit dcca27bc1eccb9abc2552aab950b18a9742fb8e7 ]
Currently armpmu_add() tries to handle a newly-allocated counter having
a stale associated event, but this should not be possible, and if this
were to happen the current mitigation is insufficient and potentially
expensive. It would be better to warn if we encounter the impossible
case.
Calls to pmu::add() and pmu::del() are serialized by the core perf code,
and armpmu_del() clears the relevant slot in pmu_hw_events::events[]
before clearing the bit in pmu_hw_events::used_mask such that the
counter can be reallocated. Thus when armpmu_add() allocates a counter
index from pmu_hw_events::used_mask, it should not be possible to observe
a stale event in pmu_hw_events::events[] unless either
pmu_hw_events::used_mask or pmu_hw_events::events[] have been corrupted.
If this were to happen, we'd end up with two events with the same
event->hw.idx, which would clash with each other during reprogramming,
deletion, etc, and produce bogus results. Add a WARN_ON_ONCE() for this
case so that we can detect if this ever occurs in practice.
That possibility aside, there's no need to call arm_pmu::disable(event)
for the new event. The PMU reset code initialises the counter in a
disabled state, and armpmu_del() will disable the counter before it can
be reused. Remove the redundant disable.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Tested-by: James Clark <james.clark@linaro.org>
Link: https://lore.kernel.org/r/20250218-arm-brbe-v19-v20-2-4e9922fc2e8e@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/perf/arm_pmu.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/perf/arm_pmu.c b/drivers/perf/arm_pmu.c
index 7fd11ef5cb8a2..8568b5a78c45b 100644
--- a/drivers/perf/arm_pmu.c
+++ b/drivers/perf/arm_pmu.c
@@ -338,12 +338,10 @@ armpmu_add(struct perf_event *event, int flags)
if (idx < 0)
return idx;
- /*
- * If there is an event in the counter we are going to use then make
- * sure it is disabled.
- */
+ /* The newly-allocated counter should be empty */
+ WARN_ON_ONCE(hw_events->events[idx]);
+
event->hw.idx = idx;
- armpmu->disable(event);
hw_events->events[idx] = event;
hwc->state = PERF_HES_STOPPED | PERF_HES_UPTODATE;
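Review bot: `WARN_ON_ONCE(hw_events->events[idx])` only reports the stale slot; the next lines still set `event->hw.idx = idx` and overwrite `hw_events->events[idx]`, which creates the two-events-one-index state the commit message says produces bogus results. If the case is truly unreachable that is acceptable, but consider returning an error when the warning fires instead of continuing. Note also that the _ONCE variant logs only the first occurrence, so repeated corruption would go unreported after that.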
--
2.39.5
* [PATCH 5.10 014/286] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 013/286] perf: arm_pmu: Dont disable counter in armpmu_add() Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 015/286] xen/mcelog: Add __nonstring annotations for unterminated strings Greg Kroah-Hartman
` (276 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Douglas Anderson,
Trilok Soni, Catalin Marinas, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
[ Upstream commit 401c3333bb2396aa52e4121887a6f6a6e2f040bc ]
Add a definition for the Qualcomm Kryo 300-series Gold cores.
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
Link: https://lore.kernel.org/r/20241219131107.v3.1.I18e0288742871393228249a768e5d56ea65d93dc@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index d8305b4657d2e..5e292e08393d5 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -110,6 +110,7 @@
#define QCOM_CPU_PART_KRYO 0x200
#define QCOM_CPU_PART_KRYO_2XX_GOLD 0x800
#define QCOM_CPU_PART_KRYO_2XX_SILVER 0x801
+#define QCOM_CPU_PART_KRYO_3XX_GOLD 0x802
#define QCOM_CPU_PART_KRYO_3XX_SILVER 0x803
#define QCOM_CPU_PART_KRYO_4XX_GOLD 0x804
#define QCOM_CPU_PART_KRYO_4XX_SILVER 0x805
@@ -167,6 +168,7 @@
#define MIDR_QCOM_KRYO MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO)
#define MIDR_QCOM_KRYO_2XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_2XX_GOLD)
#define MIDR_QCOM_KRYO_2XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_2XX_SILVER)
+#define MIDR_QCOM_KRYO_3XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_3XX_GOLD)
#define MIDR_QCOM_KRYO_3XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_3XX_SILVER)
#define MIDR_QCOM_KRYO_4XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_GOLD)
#define MIDR_QCOM_KRYO_4XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_SILVER)
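Review bot: nothing in this patch uses `QCOM_CPU_PART_KRYO_3XX_GOLD` or `MIDR_QCOM_KRYO_3XX_GOLD`; the diffstat shows only the two added defines in cputype.h. For a stable backport the commit message should name the later patch in the series that depends on them, since the change has no effect on its own.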
--
2.39.5
* [PATCH 5.10 015/286] xen/mcelog: Add __nonstring annotations for unterminated strings
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 014/286] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 016/286] HID: pidff: Convert infinite length from Linux API to PID standard Greg Kroah-Hartman
` (275 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Juergen Gross, Stefano Stabellini,
Oleksandr Tyshchenko, xen-devel, Kees Cook, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 1c3dfc7c6b0f551fdca3f7c1f1e4c73be8adb17d ]
When a character array without a terminating NUL character has a static
initializer, GCC 15's -Wunterminated-string-initialization will only
warn if the array lacks the "nonstring" attribute[1]. Mark the arrays
with __nonstring to correctly identify the char array as "not a C
string" and thereby eliminate the warning.
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117178 [1]
Cc: Juergen Gross <jgross@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Kees Cook <kees@kernel.org>
Acked-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250310222234.work.473-kees@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/xen/interface/xen-mca.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/xen/interface/xen-mca.h b/include/xen/interface/xen-mca.h
index 7483a78d24251..20a3b320d1a58 100644
--- a/include/xen/interface/xen-mca.h
+++ b/include/xen/interface/xen-mca.h
@@ -371,7 +371,7 @@ struct xen_mce {
#define XEN_MCE_LOG_LEN 32
struct xen_mce_log {
- char signature[12]; /* "MACHINECHECK" */
+ char signature[12] __nonstring; /* "MACHINECHECK" */
unsigned len; /* = XEN_MCE_LOG_LEN */
unsigned next;
unsigned flags;
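Review bot: `signature[12]` in struct xen_mce_log holds the 12 characters of "MACHINECHECK" with no room for a NUL, and `__nonstring` records that fact without enforcing it at the use sites. Check that every reader and writer of `signature` uses a length-bounded operation sized with `sizeof(signature)` rather than a str*() function, which would run past the field into `len`.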
--
2.39.5
* [PATCH 5.10 016/286] HID: pidff: Convert infinite length from Linux API to PID standard
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 015/286] xen/mcelog: Add __nonstring annotations for unterminated strings Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 017/286] HID: pidff: Do not send effect envelope if its empty Greg Kroah-Hartman
` (274 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Makarenko Oleg, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 37e0591fe44dce39d1ebc7a82d5b6e4dba1582eb ]
Software uses 0 as de-facto infinite length on Linux FF APIs (SDL),
Linux doesn't actually define anything as of now, while USB PID defines
NULL (0xffff). Most PID devices do not expect a 0-length effect and
can't interpret it as infinite. This change fixes Force Feedback for
most PID compliant devices.
As most games depend on updating the values of already playing infinite
effects, this is crucial to ensure they will actually work.
Previously, users had to rely on third-party software to do this conversion
and make their PID devices usable.
Co-developed-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 07a9fe97d2e05..badcb5f28607e 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -21,6 +21,7 @@
#include "usbhid.h"
#define PID_EFFECTS_MAX 64
+#define PID_INFINITE 0xffff
/* Report usage table used to put reports into an array */
@@ -301,7 +302,12 @@ static void pidff_set_effect_report(struct pidff_device *pidff,
pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0];
pidff->set_effect_type->value[0] =
pidff->create_new_effect_type->value[0];
- pidff->set_effect[PID_DURATION].value[0] = effect->replay.length;
+
+ /* Convert infinite length from Linux API (0)
+ to PID standard (NULL) if needed */
+ pidff->set_effect[PID_DURATION].value[0] =
+ effect->replay.length == 0 ? PID_INFINITE : effect->replay.length;
+
pidff->set_effect[PID_TRIGGER_BUTTON].value[0] = effect->trigger.button;
pidff->set_effect[PID_TRIGGER_REPEAT_INT].value[0] =
effect->trigger.interval;
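Review bot: with the conversion to `PID_INFINITE`, a caller-supplied `effect->replay.length` of 0xffff is still passed through unchanged in pidff_set_effect_report() and is indistinguishable from infinite on the device. If a finite 0xffff duration must stay finite, clamp non-zero lengths to 0xfffe. The new block comment also departs from the kernel multi-line comment layout (opening `/*` on its own line, continuation lines starting with ` *`).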
--
2.39.5
* [PATCH 5.10 017/286] HID: pidff: Do not send effect envelope if its empty
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2025-04-29 16:38 ` [PATCH 5.10 016/286] HID: pidff: Convert infinite length from Linux API to PID standard Greg Kroah-Hartman
@ 2025-04-29 16:38 ` Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 018/286] HID: pidff: Fix null pointer dereference in pidff_find_fields Greg Kroah-Hartman
` (273 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 8876fc1884f5b39550c8387ff3176396c988541d ]
Envelope struct is always initialized, but the envelope itself is
optional as described in USB PID Device class definition 1.0.
5.1.1.1 Type Specific Block Offsets
...
4) Effects that do not use Condition Blocks use 1 Parameter Block and
an *optional* Envelope Block.
Sending out "empty" envelope breaks force feedback on some devices with
games that use SINE effect + offset to emulate constant force effect, as
well as generally breaking Constant/Periodic effects. One of the affected
brands is Moza Racing.
This change prevents the envelope from being sent if it contains all
0 values while keeping the old behavior of only sending it, if it differs
from the old one.
Changes in v6:
- Simplify the checks to make them clearer
- Fix possible null pointer dereference while calling
pidff_needs_set_envelope
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 42 +++++++++++++++++++---------------
1 file changed, 24 insertions(+), 18 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index badcb5f28607e..ba0d7cb15377e 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -262,10 +262,22 @@ static void pidff_set_envelope_report(struct pidff_device *pidff,
static int pidff_needs_set_envelope(struct ff_envelope *envelope,
struct ff_envelope *old)
{
- return envelope->attack_level != old->attack_level ||
- envelope->fade_level != old->fade_level ||
+ bool needs_new_envelope;
+ needs_new_envelope = envelope->attack_level != 0 ||
+ envelope->fade_level != 0 ||
+ envelope->attack_length != 0 ||
+ envelope->fade_length != 0;
+
+ if (!needs_new_envelope)
+ return false;
+
+ if (!old)
+ return needs_new_envelope;
+
+ return envelope->attack_level != old->attack_level ||
+ envelope->fade_level != old->fade_level ||
envelope->attack_length != old->attack_length ||
- envelope->fade_length != old->fade_length;
+ envelope->fade_length != old->fade_length;
}
/*
@@ -580,11 +592,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
pidff_set_effect_report(pidff, effect);
if (!old || pidff_needs_set_constant(effect, old))
pidff_set_constant_force_report(pidff, effect);
- if (!old ||
- pidff_needs_set_envelope(&effect->u.constant.envelope,
- &old->u.constant.envelope))
- pidff_set_envelope_report(pidff,
- &effect->u.constant.envelope);
+ if (pidff_needs_set_envelope(&effect->u.constant.envelope,
+ old ? &old->u.constant.envelope : NULL))
+ pidff_set_envelope_report(pidff, &effect->u.constant.envelope);
break;
case FF_PERIODIC:
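Review bot: dropping the `!old ||` guard at this FF_CONSTANT call site means a first upload with an all-zero envelope no longer sends any envelope report, where before it always did. That matches the commit message, but it now relies on the device treating a never-sent envelope the same as an all-zero one; a one-line comment at the call site saying so would help the next reader. The same applies to the FF_PERIODIC and FF_RAMP call sites changed in the following hunks.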
@@ -619,11 +629,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
pidff_set_effect_report(pidff, effect);
if (!old || pidff_needs_set_periodic(effect, old))
pidff_set_periodic_report(pidff, effect);
- if (!old ||
- pidff_needs_set_envelope(&effect->u.periodic.envelope,
- &old->u.periodic.envelope))
- pidff_set_envelope_report(pidff,
- &effect->u.periodic.envelope);
+ if (pidff_needs_set_envelope(&effect->u.periodic.envelope,
+ old ? &old->u.periodic.envelope : NULL))
+ pidff_set_envelope_report(pidff, &effect->u.periodic.envelope);
break;
case FF_RAMP:
@@ -637,11 +645,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
pidff_set_effect_report(pidff, effect);
if (!old || pidff_needs_set_ramp(effect, old))
pidff_set_ramp_force_report(pidff, effect);
- if (!old ||
- pidff_needs_set_envelope(&effect->u.ramp.envelope,
- &old->u.ramp.envelope))
- pidff_set_envelope_report(pidff,
- &effect->u.ramp.envelope);
+ if (pidff_needs_set_envelope(&effect->u.ramp.envelope,
+ old ? &old->u.ramp.envelope : NULL))
+ pidff_set_envelope_report(pidff, &effect->u.ramp.envelope);
break;
case FF_SPRING:
--
2.39.5
* [PATCH 5.10 018/286] HID: pidff: Fix null pointer dereference in pidff_find_fields
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nolan Nicholson, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <forest10pl@gmail.com>
[ Upstream commit 22a05462c3d0eee15154faf8d13c49e6295270a5 ]
This function triggered a null pointer dereference if used to search for
a report that isn't implemented on the device. This happened both for
optional and required reports alike.
The same logic was applied to pidff_find_special_field and although
pidff_init_fields should return an error earlier if one of the required
reports is missing, future modifications could change this logic and
resurface this possible null pointer dereference again.
LKML bug report:
https://lore.kernel.org/all/CAL-gK7f5=R0nrrQdPtaZZr1fd-cdAMbDMuZ_NLA8vM0SX+nGSw@mail.gmail.com
Reported-by: Nolan Nicholson <nolananicholson@gmail.com>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/usbhid/hid-pidff.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -772,6 +772,11 @@ static int pidff_find_fields(struct pidf
{
int i, j, k, found;
+ if (!report) {
+ pr_debug("pidff_find_fields, null report\n");
+ return -1;
+ }
+
for (k = 0; k < count; k++) {
found = 0;
for (i = 0; i < report->maxfield; i++) {
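Review bot: the new `!report` guard in pidff_find_fields returns a bare `-1` and logs through `pr_debug` with no device context, so when it triggers there is nothing to tie the message to a particular HID device and the message is hidden unless debugging is enabled. Consider a device-scoped debug print, and a named errno instead of `-1` if callers pass the value on.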
@@ -885,6 +890,11 @@ static struct hid_field *pidff_find_spec
{
int i;
+ if (!report) {
+ pr_debug("pidff_find_special_field, null report\n");
+ return NULL;
+ }
+
for (i = 0; i < report->maxfield; i++) {
if (report->field[i]->logical == (HID_UP_PID | usage) &&
report->field[i]->report_count > 0) {
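Review bot: the guard in pidff_find_special_field hand-types the function name into the `pr_debug` string, as the guard in pidff_find_fields does; `"%s: null report\n"` with `__func__` keeps both strings correct if either function is renamed. Since the commit message describes this path as defensive (pidff_init_fields is expected to fail earlier for required reports), a short comment above the check saying so would explain why it is there.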
* [PATCH 5.10 019/286] ALSA: hda: intel: Fix Optimus when GPU has no sound
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Mikityanskiy, Takashi Iwai,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Mikityanskiy <maxtram95@gmail.com>
[ Upstream commit 2b360ba9a4936486380bc30d1eabceb40a714d98 ]
quirk_nvidia_hda() forcefully enables HDA controller on all NVIDIA GPUs,
because some buggy BIOSes leave it disabled. However, some dual-GPU
laptops do not have a functional HDA controller in DGPU, and BIOS
disables it on purpose. After quirk_nvidia_hda() reenables this dummy
HDA controller, attempting to probe it fails at azx_first_init(), which
is too late to cancel the probe, as it happens in azx_probe_continue().
The snd_hda_intel driver calls azx_free() and stops the chip, however,
it stays probed, and from the runtime PM point of view, the device
remains active (it was set as active by the PCI subsystem on probe). It
prevents vga_switcheroo from turning off the DGPU, because
pci_create_device_link() syncs power management for video and audio
devices.
Affected devices should be added to driver_denylist to prevent them from
probing early. This patch helps identify such devices by printing a
warning, and also forces the device to the suspended state to allow
vga_switcheroo to turn off DGPU.
Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
Link: https://patch.msgid.link/20250208214602.39607-2-maxtram95@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/hda_intel.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index fad3e8853be02..407bbf9264ac4 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -1399,8 +1399,21 @@ static void azx_free(struct azx *chip)
if (use_vga_switcheroo(hda)) {
if (chip->disabled && hda->probe_continued)
snd_hda_unlock_devices(&chip->bus);
- if (hda->vga_switcheroo_registered)
+ if (hda->vga_switcheroo_registered) {
vga_switcheroo_unregister_client(chip->pci);
+
+ /* Some GPUs don't have sound, and azx_first_init fails,
+ * leaving the device probed but non-functional. As long
+ * as it's probed, the PCI subsystem keeps its runtime
+ * PM status as active. Force it to suspended (as we
+ * actually stop the chip) to allow GPU to suspend via
+ * vga_switcheroo, and print a warning.
+ */
+ dev_warn(&pci->dev, "GPU sound probed, but not operational: please add a quirk to driver_denylist\n");
+ pm_runtime_disable(&pci->dev);
+ pm_runtime_set_suspended(&pci->dev);
+ pm_runtime_enable(&pci->dev);
+ }
}
if (bus->chip_init) {
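Review bot: the added block in azx_free runs whenever `hda->vga_switcheroo_registered` is set, so the `dev_warn` and the forced `pm_runtime_set_suspended` fire on every call to azx_free for a switcheroo client, not only after the failed azx_first_init that the comment describes. Nothing in the visible condition distinguishes the two cases; gating the warning on the probe-failure state would avoid telling users with working GPU audio to add a denylist quirk. Also, the new lines use `pci->dev` while the line above uses `chip->pci`; check that a local `pci` exists in azx_free in the 5.10 tree.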
--
2.39.5
* [PATCH 5.10 020/286] ALSA: usb-audio: Fix CME quirk for UF series keyboards
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricard Wanderlof, Takashi Iwai,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricard Wanderlof <ricard2013@butoba.net>
[ Upstream commit c2820405ba55a38932aa2177f026b70064296663 ]
Fix quirk for CME master keyboards so it not only handles
sysex but also song position pointer, MIDI timing clock, start
and stop messages, and active sensing. All of these can be
output by the CME UF series master keyboards.
Tested with a CME UF6 in a desktop Linux environment as
well as on the Zynthian Raspberry Pi based platform.
Signed-off-by: Ricard Wanderlof <ricard2013@butoba.net>
Link: https://patch.msgid.link/20250313-cme-fix-v1-1-d404889e4de8@butoba.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/midi.c | 80 ++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 74 insertions(+), 6 deletions(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index f0a70e912bddc..b09b7b3c0110e 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -505,16 +505,84 @@ static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep,
/*
* CME protocol: like the standard protocol, but SysEx commands are sent as a
- * single USB packet preceded by a 0x0F byte.
+ * single USB packet preceded by a 0x0F byte, as are system realtime
+ * messages and MIDI Active Sensing.
+ * Also, multiple messages can be sent in the same packet.
*/
static void snd_usbmidi_cme_input(struct snd_usb_midi_in_endpoint *ep,
uint8_t *buffer, int buffer_length)
{
- if (buffer_length < 2 || (buffer[0] & 0x0f) != 0x0f)
- snd_usbmidi_standard_input(ep, buffer, buffer_length);
- else
- snd_usbmidi_input_data(ep, buffer[0] >> 4,
- &buffer[1], buffer_length - 1);
+ int remaining = buffer_length;
+
+ /*
+ * CME send sysex, song position pointer, system realtime
+ * and active sensing using CIN 0x0f, which in the standard
+ * is only intended for single byte unparsed data.
+ * So we need to interpret these here before sending them on.
+ * By default, we assume single byte data, which is true
+ * for system realtime (midi clock, start, stop and continue)
+ * and active sensing, and handle the other (known) cases
+ * separately.
+ * In contrast to the standard, CME does not split sysex
+ * into multiple 4-byte packets, but lumps everything together
+ * into one. In addition, CME can string multiple messages
+ * together in the same packet; pressing the Record button
+ * on an UF6 sends a sysex message directly followed
+ * by a song position pointer in the same packet.
+ * For it to have any reasonable meaning, a sysex message
+ * needs to be at least 3 bytes in length (0xf0, id, 0xf7),
+ * corresponding to a packet size of 4 bytes, and the ones sent
+ * by CME devices are 6 or 7 bytes, making the packet fragments
+ * 7 or 8 bytes long (six or seven bytes plus preceding CN+CIN byte).
+ * For the other types, the packet size is always 4 bytes,
+ * as per the standard, with the data size being 3 for SPP
+ * and 1 for the others.
+ * Thus all packet fragments are at least 4 bytes long, so we can
+ * skip anything that is shorter; this also conveniantly skips
+ * packets with size 0, which CME devices continuously send when
+ * they have nothing better to do.
+ * Another quirk is that sometimes multiple messages are sent
+ * in the same packet. This has been observed for midi clock
+ * and active sensing i.e. 0x0f 0xf8 0x00 0x00 0x0f 0xfe 0x00 0x00,
+ * but also multiple note ons/offs, and control change together
+ * with MIDI clock. Similarly, some sysex messages are followed by
+ * the song position pointer in the same packet, and occasionally
+ * additionally by a midi clock or active sensing.
+ * We handle this by looping over all data and parsing it along the way.
+ */
+ while (remaining >= 4) {
+ int source_length = 4; /* default */
+
+ if ((buffer[0] & 0x0f) == 0x0f) {
+ int data_length = 1; /* default */
+
+ if (buffer[1] == 0xf0) {
+ /* Sysex: Find EOX and send on whole message. */
+ /* To kick off the search, skip the first
+ * two bytes (CN+CIN and SYSEX (0xf0).
+ */
+ uint8_t *tmp_buf = buffer + 2;
+ int tmp_length = remaining - 2;
+
+ while (tmp_length > 1 && *tmp_buf != 0xf7) {
+ tmp_buf++;
+ tmp_length--;
+ }
+ data_length = tmp_buf - buffer;
+ source_length = data_length + 1;
+ } else if (buffer[1] == 0xf2) {
+ /* Three byte song position pointer */
+ data_length = 3;
+ }
+ snd_usbmidi_input_data(ep, buffer[0] >> 4,
+ &buffer[1], data_length);
+ } else {
+ /* normal channel events */
+ snd_usbmidi_standard_input(ep, buffer, source_length);
+ }
+ buffer += source_length;
+ remaining -= source_length;
+ }
}
/*
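Review bot: in the sysex branch of snd_usbmidi_cme_input, the EOX search `while (tmp_length > 1 && *tmp_buf != 0xf7)` stops at the last byte of the packet when no 0xf7 is present, and the code then forwards everything up to that byte as a sysex message without a terminator. The bounds are respected, but an unterminated or truncated sysex is passed on silently; either drop it or say in the comment that forwarding it is intended. Bytes left over once `remaining` falls below 4 are likewise discarded without note. Minor: "conveniantly" in the block comment should be "conveniently", and the comment "(CN+CIN and SYSEX (0xf0)." is missing a closing parenthesis.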
--
2.39.5
* [PATCH 5.10 021/286] page_pool: avoid infinite loop to schedule delayed worker
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Xing, Mina Almasry,
Paolo Abeni, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Xing <kerneljasonxing@gmail.com>
[ Upstream commit 43130d02baa137033c25297aaae95fd0edc41654 ]
We noticed the kworker in page_pool_release_retry() was woken
up repeatedly and infinitely in production because of the
buggy driver causing the inflight less than 0 and warning
us in page_pool_inflight()[1].
Since the inflight value goes negative, it means we should
not expect the whole page_pool to get back to work normally.
This patch mitigates the adverse effect by not rescheduling
the kworker when detecting the inflight negative in
page_pool_release_retry().
[1]
[Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------
[Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages
...
[Mon Feb 10 20:36:11 2025] Call Trace:
[Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70
[Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370
[Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0
[Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140
[Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370
[Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40
[Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40
[Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]---
Note: before this patch, the above calltrace would flood the
dmesg due to repeated reschedule of release_dw kworker.
Signed-off-by: Jason Xing <kerneljasonxing@gmail.com>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Link: https://patch.msgid.link/20250214064250.85987-1-kerneljasonxing@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/page_pool.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/core/page_pool.c b/net/core/page_pool.c
index 08fbf4049c108..a11809b3149b4 100644
--- a/net/core/page_pool.c
+++ b/net/core/page_pool.c
@@ -485,7 +485,13 @@ static void page_pool_release_retry(struct work_struct *wq)
int inflight;
inflight = page_pool_release(pool);
- if (!inflight)
+ /* In rare cases, a driver bug may cause inflight to go negative.
+ * Don't reschedule release if inflight is 0 or negative.
+ * - If 0, the page_pool has been destroyed
+ * - if negative, we will never recover
+ * in both cases no reschedule is necessary.
+ */
+ if (inflight <= 0)
return;
/* Periodic warning */
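Review bot: with `if (inflight <= 0) return;` the negative case in page_pool_release_retry now exits without rescheduling, which means whatever the pool still holds is never released; the comment says "we will never recover" but does not say the pool is deliberately leaked. State that explicitly so the early return is not later mistaken for a clean shutdown path. The list in the comment also mixes "If 0" and "if negative" capitalisation.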
--
2.39.5
* [PATCH 5.10 022/286] fs/jfs: cast inactags to s64 to prevent potential overflow
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rand Deeb, Dave Kleikamp,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rand Deeb <rand.sec96@gmail.com>
[ Upstream commit 70ca3246ad201b53a9f09380b3f29d8bac320383 ]
The expression "inactags << bmp->db_agl2size" in the function
dbFinalizeBmap() is computed using int operands. Although the
values (inactags and db_agl2size) are derived from filesystem
parameters and are usually small, there is a theoretical risk that
the shift could overflow a 32-bit int if extreme values occur.
According to the C standard, shifting a signed 32-bit int can lead
to undefined behavior if the result exceeds its range. In our
case, an overflow could miscalculate free blocks, potentially
leading to erroneous filesystem accounting.
To ensure the arithmetic is performed in 64-bit space, we cast
"inactags" to s64 before shifting. This defensive fix prevents any
risk of overflow and complies with kernel coding best practices.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index ef220709c7f51..389dafd23d15e 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -3728,8 +3728,8 @@ void dbFinalizeBmap(struct inode *ipbmap)
* system size is not a multiple of the group size).
*/
inactfree = (inactags && ag_rem) ?
- ((inactags - 1) << bmp->db_agl2size) + ag_rem
- : inactags << bmp->db_agl2size;
+ (((s64)inactags - 1) << bmp->db_agl2size) + ag_rem
+ : ((s64)inactags << bmp->db_agl2size);
/* determine how many free blocks are in the active
* allocation groups plus the average number of free blocks
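Review bot: the `(s64)` casts in dbFinalizeBmap widen the left operand, but the shift count `bmp->db_agl2size` is still used unchecked in this expression, and the result only stays 64-bit if `inactfree` is itself declared as a 64-bit type, which the hunk does not show. Worth confirming the declaration of `inactfree` and that `db_agl2size` is bounded where it is read. The outer parentheses added around the second arm of the conditional are redundant but harmless.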
--
2.39.5
* [PATCH 5.10 023/286] fs/jfs: Prevent integer overflow in AG size calculation
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rand Deeb, Dave Kleikamp,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rand Deeb <rand.sec96@gmail.com>
[ Upstream commit 7fcbf789629cdb9fbf4e2172ce31136cfed11e5e ]
The JFS filesystem calculates allocation group (AG) size using 1 <<
l2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB
aggregates on 32-bit systems), this 32-bit shift operation causes undefined
behavior and improper AG sizing.
On 32-bit architectures:
- Left-shifting 1 by 32+ bits results in 0 due to integer overflow
- This creates invalid AG sizes (0 or garbage values) in
sbi->bmap->db_agsize
- Subsequent block allocations would reference invalid AG structures
- Could lead to:
- Filesystem corruption during extend operations
- Kernel crashes due to invalid memory accesses
- Security vulnerabilities via malformed on-disk structures
Fix by casting to s64 before shifting:
bmp->db_agsize = (s64)1 << l2agsize;
This ensures 64-bit arithmetic even on 32-bit architectures. The cast
matches the data type of db_agsize (s64) and follows similar patterns in
JFS block calculation code.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 389dafd23d15e..3cc10f9bf9f8b 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -3465,7 +3465,7 @@ int dbExtendFS(struct inode *ipbmap, s64 blkno, s64 nblocks)
oldl2agsize = bmp->db_agl2size;
bmp->db_agl2size = l2agsize;
- bmp->db_agsize = 1 << l2agsize;
+ bmp->db_agsize = (s64)1 << l2agsize;
/* compute new number of AG */
agno = bmp->db_numag;
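Review bot: `(s64)1 << l2agsize` removes the 32-bit overflow in dbExtendFS, but `l2agsize` is not range-checked in the visible lines, and a shift count of 63 or more is still undefined for a signed 64-bit value. If `l2agsize` can be driven by the requested aggregate size, add an explicit upper bound before this assignment or point to where it is already enforced.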
--
2.39.5
* [PATCH 5.10 024/286] jfs: Prevent copying of nlink with value 0 from disk inode
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+355da3b3a74881008e8f,
Edward Adam Davis, Dave Kleikamp, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit b61e69bb1c049cf507e3c654fa3dc1568231bd07 ]
syzbot reports a deadlock in diFree. [1]
When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4,
which does not match the mounted loop device, causing the mapping of the
mounted loop device to be invalidated.
When creating the directory and creating the inode of iag in diReadSpecial(),
read the page of fixed disk inode (AIT) in raw mode in read_metapage(), the
metapage data it returns is corrupted, which causes the nlink value of 0 to be
assigned to the iag inode when executing copy_from_dinode(), which ultimately
causes a deadlock when entering diFree().
To avoid this, first check the nlink value of dinode before setting iag inode.
[1]
WARNING: possible recursive locking detected
6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted
--------------------------------------------
syz-executor301/5309 is trying to acquire lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
but task is already holding lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&(imap->im_aglock[index]));
lock(&(imap->im_aglock[index]));
*** DEADLOCK ***
May be due to missing lock nesting notation
5 locks held by syz-executor301/5309:
#0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
#1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]
#1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026
#2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669
stack backtrace:
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
check_deadlock kernel/locking/lockdep.c:3089 [inline]
validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
__lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
evict+0x4e8/0x9b0 fs/inode.c:725
diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]
duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022
diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669
diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590
ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225
vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
do_mkdirat+0x264/0x3a0 fs/namei.c:4280
__do_sys_mkdirat fs/namei.c:4295 [inline]
__se_sys_mkdirat fs/namei.c:4293 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported-by: syzbot+355da3b3a74881008e8f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=355da3b3a74881008e8f
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_imap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index da3a1c27d3498..84e2c67c9070f 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -458,7 +458,7 @@ struct inode *diReadSpecial(struct super_block *sb, ino_t inum, int secondary)
dp += inum % 8; /* 8 inodes per 4K page */
/* copy on-disk inode to in-memory inode */
- if ((copy_from_dinode(dp, ip)) != 0) {
+ if ((copy_from_dinode(dp, ip) != 0) || (ip->i_nlink == 0)) {
/* handle bad return by returning NULL for ip */
set_nlink(ip, 1); /* Don't want iput() deleting it */
iput(ip);
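Review bot: the added `ip->i_nlink == 0` test in diReadSpecial shares the error branch with a failed copy_from_dinode(), but the comment still reads "handle bad return" and nothing is logged, so a corrupted on-disk inode is rejected without any trace. Consider updating the comment to cover the zero-link case and emitting an error message there. The extra parentheses around each operand of `||` can go.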
--
2.39.5
* [PATCH 5.10 025/286] jfs: add sanity check for agwidth in dbMount
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis, Dave Kleikamp,
Sasha Levin, syzbot+7c808908291a569281a9
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit ddf2846f22e8575d6b4b6a66f2100f168b8cd73d ]
The width in dmapctl of the AG is zero, which triggers a divide error when
calculating the control page level in dbAllocAG.
To avoid this issue, add a check for agwidth in dbAllocAG.
Reported-and-tested-by: syzbot+7c808908291a569281a9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7c808908291a569281a9
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 3cc10f9bf9f8b..8f4c55c711ba0 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -204,6 +204,10 @@ int dbMount(struct inode *ipbmap)
bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
+ if (!bmp->db_agwidth) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
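Review bot: the new `!bmp->db_agwidth` check in dbMount fails the mount with `-EINVAL` but logs nothing, so the user sees a failed mount with no hint that the block map control data is bad. Consider an error message, and grouping this test with the `db_agl2size` validation that follows so the field checks sit together rather than being interleaved with the assignments. The commit message also says the check is added in dbAllocAG, while the hunk and the subject line put it in dbMount.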
--
2.39.5
* [PATCH 5.10 026/286] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Pemberton, Damien Le Moal,
Niklas Cassel, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
[ Upstream commit 91ec84f8eaddbc93d7c62e363d68aeb7b89879c7 ]
atapi_eh_request_sense() currently uses ATAPI DMA if the SATA controller
has ATA_FLAG_PIO_DMA (PIO cmds via DMA) set.
However, ATA_FLAG_PIO_DMA is a flag that can be set by a low-level driver
on a port at initialization time, before any devices are scanned.
If a controller detects a connected device that only supports PIO, we set
the flag ATA_DFLAG_PIO.
Modify atapi_eh_request_sense() to not use ATAPI DMA if the connected
device only supports PIO.
Reported-by: Philip Pemberton <lists@philpem.me.uk>
Closes: https://lore.kernel.org/linux-ide/c6722ee8-5e21-4169-af59-cbbae9edc02f@philpem.me.uk/
Tested-by: Philip Pemberton <lists@philpem.me.uk>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20250221015422.20687-2-cassel@kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-eh.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
index 48130b2543966..e700024a8b482 100644
--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -1479,8 +1479,15 @@ unsigned int atapi_eh_request_sense(struct ata_device *dev,
tf.flags |= ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE;
tf.command = ATA_CMD_PACKET;
- /* is it pointless to prefer PIO for "safety reasons"? */
- if (ap->flags & ATA_FLAG_PIO_DMA) {
+ /*
+ * Do not use DMA if the connected device only supports PIO, even if the
+ * port prefers PIO commands via DMA.
+ *
+ * Ideally, we should call atapi_check_dma() to check if it is safe for
+ * the LLD to use DMA for REQUEST_SENSE, but we don't have a qc.
+ * Since we can't check the command, perhaps we should only use pio?
+ */
+ if ((ap->flags & ATA_FLAG_PIO_DMA) && !(dev->flags & ATA_DFLAG_PIO)) {
tf.protocol = ATAPI_PROT_DMA;
tf.feature |= ATAPI_PKT_DMA;
} else {
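Review bot: The new comment above the condition ends on an open question ("perhaps we should only use pio?"), which leaves the reader unsure whether the DMA branch is considered safe. Either settle it in the comment or mark it as a TODO that states why atapi_check_dma() cannot be called here (there is no qc), so that the `(ap->flags & ATA_FLAG_PIO_DMA) && !(dev->flags & ATA_DFLAG_PIO)` test reads as a deliberate minimum rather than a provisional one.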
--
2.39.5
* [PATCH 5.10 027/286] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6653f10281a1badc749e, Chao Yu,
Jaegeuk Kim, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit e6494977bd4a83862118a05f57a8df40256951c0 ]
syzbot reports an UBSAN issue as below:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10
index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')
CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
get_nid fs/f2fs/node.h:381 [inline]
f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181
f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808
f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836
f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886
f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093
aio_write+0x56b/0x7c0 fs/aio.c:1633
io_submit_one+0x8a7/0x18a0 fs/aio.c:2052
__do_sys_io_submit fs/aio.c:2111 [inline]
__se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f238798cde9
index 18446744073709550692 (decimal, unsigned long long)
= 0xfffffffffffffc64 (hexadecimal, unsigned long long)
= -924 (decimal, long long)
In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to
access .i_nid[-924], which means both offset[0] and level should be zero.
The possible case should be in f2fs_do_truncate_blocks(): we try to
truncate inode size to zero, however, dn.ofs_in_node is zero and
dn.node_page is not an inode page, so it fails to truncate the inode page,
and then passes a zeroed free_from to f2fs_truncate_inode_blocks(), resulting
in this issue.
if (dn.ofs_in_node || IS_INODE(dn.node_page)) {
f2fs_truncate_data_blocks_range(&dn, count);
free_from += count;
}
I guess the reason why dn.node_page is not an inode page could be: there
are multiple nat entries sharing the same node block address; once the node
block address was reused, f2fs_get_node_page() may load a non-inode block.
Let's add a sanity check for such condition to avoid out-of-bounds access
issue.
Reported-by: syzbot+6653f10281a1badc749e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/66fdcdf3.050a0220.40bef.0025.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/node.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 348ad1d6199ff..57baaba17174d 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1047,7 +1047,14 @@ int f2fs_truncate_inode_blocks(struct inode *inode, pgoff_t from)
trace_f2fs_truncate_inode_blocks_enter(inode, from);
level = get_node_path(inode, from, offset, noffset);
- if (level < 0) {
+ if (level <= 0) {
+ if (!level) {
+ level = -EFSCORRUPTED;
+ f2fs_err(sbi, "%s: inode ino=%lx has corrupted node block, from:%lu addrs:%u",
+ __func__, inode->i_ino,
+ from, ADDRS_PER_INODE(inode));
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ }
trace_f2fs_truncate_inode_blocks_exit(inode, level);
return level;
}
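Review bot: In the new `if (!level)` branch, a zero return from get_node_path() is now treated as corruption, but nothing in the code says why zero cannot be legitimate at this point. A one-line comment (per the commit message, a zeroed `from` only reaches here when the inode page could not be truncated) would keep a later cleanup from reverting `<=` to `<`. The f2fs_err() format also prints ino with `%lx` and no 0x prefix next to decimal `from` and `addrs`, which makes the inode number ambiguous in logs; `ino=%lu` or `ino=0x%lx` would be clearer.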
--
2.39.5
* [PATCH 5.10 028/286] ahci: add PCI ID for Marvell 88SE9215 SATA Controller
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Daniel Kral, Niklas Cassel,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Kral <d.kral@proxmox.com>
[ Upstream commit 885251dc35767b1c992f6909532ca366c830814a ]
Add support for Marvell Technology Group Ltd. 88SE9215 SATA 6 Gb/s
controller, which is e.g. used in the DAWICONTROL DC-614e RAID bus
controller and was not automatically recognized before.
Tested with a DAWICONTROL DC-614e RAID bus controller.
Signed-off-by: Daniel Kral <d.kral@proxmox.com>
Link: https://lore.kernel.org/r/20250304092030.37108-1-d.kral@proxmox.com
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/ahci.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index 04b53bb7a692d..2bb9555663e75 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -591,6 +591,8 @@ static const struct pci_device_id ahci_pci_tbl[] = {
.driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x91a3),
.driver_data = board_ahci_yes_fbs },
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9215),
+ .driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230),
.driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642), /* highpoint rocketraid 642L */
--
2.39.5
* [PATCH 5.10 029/286] ext4: protect ext4_release_dquot against freezing
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Ojaswin Mujoo, Baokun Li,
Theodore Tso, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
[ Upstream commit 530fea29ef82e169cd7fe048c2b7baaeb85a0028 ]
Protect ext4_release_dquot against freezing so that we
don't try to start a transaction when FS is frozen, leading
to warnings.
Further, avoid taking the freeze protection if a transaction
is already running so that we don't end up in a deadlock
as described in
46e294efc355 ext4: fix deadlock with fs freezing and EA inodes
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20241121123855.645335-3-ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/super.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 20e89ffe9a068..1e60d957b7c15 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -6251,12 +6251,25 @@ static int ext4_release_dquot(struct dquot *dquot)
{
int ret, err;
handle_t *handle;
+ bool freeze_protected = false;
+
+ /*
+ * Trying to sb_start_intwrite() in a running transaction
+ * can result in a deadlock. Further, running transactions
+ * are already protected from freezing.
+ */
+ if (!ext4_journal_current_handle()) {
+ sb_start_intwrite(dquot->dq_sb);
+ freeze_protected = true;
+ }
handle = ext4_journal_start(dquot_to_inode(dquot), EXT4_HT_QUOTA,
EXT4_QUOTA_DEL_BLOCKS(dquot->dq_sb));
if (IS_ERR(handle)) {
/* Release dquot anyway to avoid endless cycle in dqput() */
dquot_release(dquot);
+ if (freeze_protected)
+ sb_end_intwrite(dquot->dq_sb);
return PTR_ERR(handle);
}
ret = dquot_release(dquot);
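Review bot: The IS_ERR(handle) path repeats the `if (freeze_protected) sb_end_intwrite(dquot->dq_sb);` release that the normal exit also has to perform, so any exit added later must remember it as well. Consider setting ret = PTR_ERR(handle) and jumping to a single label that does the conditional sb_end_intwrite() before returning, so the freeze protection is dropped in one place.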
@@ -6267,6 +6280,10 @@ static int ext4_release_dquot(struct dquot *dquot)
err = ext4_journal_stop(handle);
if (!ret)
ret = err;
+
+ if (freeze_protected)
+ sb_end_intwrite(dquot->dq_sb);
+
return ret;
}
--
2.39.5
* [PATCH 5.10 030/286] ext4: ignore xattrs past end
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b244bda78289b00204ed,
Thadeu Lima de Souza Cascardo, Bhupesh, Theodore Tso, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bhupesh <bhupesh@igalia.com>
[ Upstream commit c8e008b60492cf6fd31ef127aea6d02fd3d314cd ]
Once inside 'ext4_xattr_inode_dec_ref_all' we should
ignore xattrs entries past the 'end' entry.
This fixes the following KASAN reported issue:
==================================================================
BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
Read of size 4 at addr ffff888012c120c4 by task repro/2065
CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x1fd/0x300
? tcp_gro_dev_warn+0x260/0x260
? _printk+0xc0/0x100
? read_lock_is_recursive+0x10/0x10
? irq_work_queue+0x72/0xf0
? __virt_addr_valid+0x17b/0x4b0
print_address_description+0x78/0x390
print_report+0x107/0x1f0
? __virt_addr_valid+0x17b/0x4b0
? __virt_addr_valid+0x3ff/0x4b0
? __phys_addr+0xb5/0x160
? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
kasan_report+0xcc/0x100
? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
? ext4_xattr_delete_inode+0xd30/0xd30
? __ext4_journal_ensure_credits+0x5f0/0x5f0
? __ext4_journal_ensure_credits+0x2b/0x5f0
? inode_update_timestamps+0x410/0x410
ext4_xattr_delete_inode+0xb64/0xd30
? ext4_truncate+0xb70/0xdc0
? ext4_expand_extra_isize_ea+0x1d20/0x1d20
? __ext4_mark_inode_dirty+0x670/0x670
? ext4_journal_check_start+0x16f/0x240
? ext4_inode_is_fast_symlink+0x2f2/0x3a0
ext4_evict_inode+0xc8c/0xff0
? ext4_inode_is_fast_symlink+0x3a0/0x3a0
? do_raw_spin_unlock+0x53/0x8a0
? ext4_inode_is_fast_symlink+0x3a0/0x3a0
evict+0x4ac/0x950
? proc_nr_inodes+0x310/0x310
? trace_ext4_drop_inode+0xa2/0x220
? _raw_spin_unlock+0x1a/0x30
? iput+0x4cb/0x7e0
do_unlinkat+0x495/0x7c0
? try_break_deleg+0x120/0x120
? 0xffffffff81000000
? __check_object_size+0x15a/0x210
? strncpy_from_user+0x13e/0x250
? getname_flags+0x1dc/0x530
__x64_sys_unlinkat+0xc8/0xf0
do_syscall_64+0x65/0x110
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x434ffd
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001
</TASK>
The buggy address belongs to the object at ffff888012c12000
which belongs to the cache filp of size 360
The buggy address is located 196 bytes inside of
freed 360-byte region [ffff888012c12000, ffff888012c12168)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x40(head|node=0|zone=0)
page_type: f5(slab)
raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
ffff888012c12180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Reported-by: syzbot+b244bda78289b00204ed@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b244bda78289b00204ed
Suggested-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Bhupesh <bhupesh@igalia.com>
Link: https://patch.msgid.link/20250128082751.124948-2-bhupesh@igalia.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/xattr.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index d1d930d09cb8a..4eb75216218a0 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1123,15 +1123,24 @@ ext4_xattr_inode_dec_ref_all(handle_t *handle, struct inode *parent,
{
struct inode *ea_inode;
struct ext4_xattr_entry *entry;
+ struct ext4_iloc iloc;
bool dirty = false;
unsigned int ea_ino;
int err;
int credits;
+ void *end;
+
+ if (block_csum)
+ end = (void *)bh->b_data + bh->b_size;
+ else {
+ ext4_get_inode_loc(parent, &iloc);
+ end = (void *)ext4_raw_inode(&iloc) + EXT4_SB(parent->i_sb)->s_inode_size;
+ }
/* One credit for dec ref on ea_inode, one for orphan list addition, */
credits = 2 + extra_credits;
- for (entry = first; !IS_LAST_ENTRY(entry);
+ for (entry = first; (void *)entry < end && !IS_LAST_ENTRY(entry);
entry = EXT4_XATTR_NEXT(entry)) {
if (!entry->e_value_inum)
continue;
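Review bot: In the else branch that computes `end`, the return value of `ext4_get_inode_loc(parent, &iloc)` is ignored, so on failure `end` is derived from an uninitialized iloc and the new `(void *)entry < end` bound is meaningless. Check the error and bail out before the loop, and make sure the buffer reference taken into iloc is released once `end` is no longer needed; no release is visible in this hunk. Separately, `(void *)entry < end` only guarantees that the first byte of the entry is in range, while IS_LAST_ENTRY() reads a 32-bit word at entry, so the bound should leave room for that read.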
--
2.39.5
* [PATCH 5.10 031/286] scsi: st: Fix array overflow in st_setup()
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Kai Mäkisara,
Martin K. Petersen, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
[ Upstream commit a018d1cf990d0c339fe0e29b762ea5dc10567d67 ]
Change the array size to follow parms size instead of a fixed value.
Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
Closes: https://lore.kernel.org/linux-scsi/CALGdzuoubbra4xKOJcsyThdk5Y1BrAmZs==wbqjbkAgmKS39Aw@mail.gmail.com/
Signed-off-by: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
Link: https://lore.kernel.org/r/20250311112516.5548-2-Kai.Makisara@kolumbus.fi
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/st.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
index 3b819c6b15a56..465fe83b49e98 100644
--- a/drivers/scsi/st.c
+++ b/drivers/scsi/st.c
@@ -4144,7 +4144,7 @@ static void validate_options(void)
*/
static int __init st_setup(char *str)
{
- int i, len, ints[5];
+ int i, len, ints[ARRAY_SIZE(parms) + 1];
char *stp;
stp = get_options(str, ARRAY_SIZE(ints), ints);
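Review bot: The `+ 1` in `ints[ARRAY_SIZE(parms) + 1]` is unexplained. get_options() stores the number of parsed integers in ints[0], so the array needs one slot more than parms; a short comment to that effect on the declaration would stop the size from being "simplified" back to ARRAY_SIZE(parms) and reintroducing the overflow.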
--
2.39.5
* [PATCH 5.10 032/286] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Icenowy Zheng, Felix Fietkau,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Icenowy Zheng <uwu@icenowy.me>
[ Upstream commit 06cccc2ebbe6c8a20f714f3a0ff3ff489d3004bb ]
The TP-Link TL-WDN6200 "Driverless" version cards use a MT7612U chipset.
Add the USB ID to mt76x2u driver.
Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
Link: https://patch.msgid.link/20250317102235.1421726-1-uwu@icenowy.me
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
index 4e003c7b62cf6..82a193aac09d7 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
@@ -21,6 +21,7 @@ static const struct usb_device_id mt76x2u_device_table[] = {
{ USB_DEVICE(0x0846, 0x9053) }, /* Netgear A6210 */
{ USB_DEVICE(0x045e, 0x02e6) }, /* XBox One Wireless Adapter */
{ USB_DEVICE(0x045e, 0x02fe) }, /* XBox One Wireless Adapter */
+ { USB_DEVICE(0x2357, 0x0137) }, /* TP-Link TL-WDN6200 */
{ },
};
--
2.39.5
* [PATCH 5.10 033/286] net: vlan: dont propagate flags on open
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b0c03d76056ef6cd12a6,
Stanislav Fomichev, Simon Horman, Paolo Abeni, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislav Fomichev <sdf@fomichev.me>
[ Upstream commit 27b918007d96402aba10ed52a6af8015230f1793 ]
With the device instance lock, there is now a possibility of a deadlock:
[ 1.211455] ============================================
[ 1.211571] WARNING: possible recursive locking detected
[ 1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted
[ 1.211823] --------------------------------------------
[ 1.211936] ip/184 is trying to acquire lock:
[ 1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0
[ 1.212207]
[ 1.212207] but task is already holding lock:
[ 1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
[ 1.212487]
[ 1.212487] other info that might help us debug this:
[ 1.212626] Possible unsafe locking scenario:
[ 1.212626]
[ 1.212751] CPU0
[ 1.212815] ----
[ 1.212871] lock(&dev->lock);
[ 1.212944] lock(&dev->lock);
[ 1.213016]
[ 1.213016] *** DEADLOCK ***
[ 1.213016]
[ 1.213143] May be due to missing lock nesting notation
[ 1.213143]
[ 1.213294] 3 locks held by ip/184:
[ 1.213371] #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0
[ 1.213543] #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0
[ 1.213727] #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
[ 1.213895]
[ 1.213895] stack backtrace:
[ 1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5
[ 1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
[ 1.213994] Call Trace:
[ 1.213995] <TASK>
[ 1.213996] dump_stack_lvl+0x8e/0xd0
[ 1.214000] print_deadlock_bug+0x28b/0x2a0
[ 1.214020] lock_acquire+0xea/0x2a0
[ 1.214027] __mutex_lock+0xbf/0xd40
[ 1.214038] dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI
[ 1.214040] vlan_dev_open+0xa5/0x170 # ndo_open on vlandev
[ 1.214042] __dev_open+0x145/0x270
[ 1.214046] __dev_change_flags+0xb0/0x1e0
[ 1.214051] netif_change_flags+0x22/0x60 # IFF_UP vlandev
[ 1.214053] dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info
[ 1.214055] vlan_device_event+0x766/0x7c0 # on netdevsim0
[ 1.214058] notifier_call_chain+0x78/0x120
[ 1.214062] netif_open+0x6d/0x90
[ 1.214064] dev_open+0x5b/0xb0 # locks netdevsim0
[ 1.214066] bond_enslave+0x64c/0x1230
[ 1.214075] do_set_master+0x175/0x1e0 # on netdevsim0
[ 1.214077] do_setlink+0x516/0x13b0
[ 1.214094] rtnl_newlink+0xaba/0xb80
[ 1.214132] rtnetlink_rcv_msg+0x440/0x490
[ 1.214144] netlink_rcv_skb+0xeb/0x120
[ 1.214150] netlink_unicast+0x1f9/0x320
[ 1.214153] netlink_sendmsg+0x346/0x3f0
[ 1.214157] __sock_sendmsg+0x86/0xb0
[ 1.214160] ____sys_sendmsg+0x1c8/0x220
[ 1.214164] ___sys_sendmsg+0x28f/0x2d0
[ 1.214179] __x64_sys_sendmsg+0xef/0x140
[ 1.214184] do_syscall_64+0xec/0x1d0
[ 1.214190] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1.214191] RIP: 0033:0x7f2d1b4a7e56
Device setup:
netdevsim0 (down)
^ ^
bond netdevsim1.100@netdevsim1 allmulticast=on (down)
When we enslave the lower device (netdevsim0) which has a vlan, we
propagate the vlan's allmulti/promisc flags during ndo_open. This causes
(re)locking of the real_dev.
Propagate allmulti/promisc on flags change, not on the open. There
is a slight semantics change that vlans that are down now propagate
the flags, but this seems unlikely to result in real issues.
Reproducer:
echo 0 1 > /sys/bus/netdevsim/new_device
dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*)
dev=$(echo $dev_path | rev | cut -d/ -f1 | rev)
ip link set dev $dev name netdevsim0
ip link set dev netdevsim0 up
ip link add link netdevsim0 name netdevsim0.100 type vlan id 100
ip link set dev netdevsim0.100 allmulticast on down
ip link add name bond1 type bond mode 802.3ad
ip link set dev netdevsim0 down
ip link set dev netdevsim0 master bond1
ip link set dev bond1 up
ip link show
Reported-by: syzbot+b0c03d76056ef6cd12a6@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/Z9CfXjLMKn6VLG5d@mini-arch/T/#m15ba130f53227c883e79fb969687d69d670337a0
Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250313100657.2287455-1-sdf@fomichev.me
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/8021q/vlan_dev.c | 31 ++++---------------------------
1 file changed, 4 insertions(+), 27 deletions(-)
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index b7cf430006e55..c134f8210b21b 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -272,17 +272,6 @@ static int vlan_dev_open(struct net_device *dev)
goto out;
}
- if (dev->flags & IFF_ALLMULTI) {
- err = dev_set_allmulti(real_dev, 1);
- if (err < 0)
- goto del_unicast;
- }
- if (dev->flags & IFF_PROMISC) {
- err = dev_set_promiscuity(real_dev, 1);
- if (err < 0)
- goto clear_allmulti;
- }
-
ether_addr_copy(vlan->real_dev_addr, real_dev->dev_addr);
if (vlan->flags & VLAN_FLAG_GVRP)
@@ -296,12 +285,6 @@ static int vlan_dev_open(struct net_device *dev)
netif_carrier_on(dev);
return 0;
-clear_allmulti:
- if (dev->flags & IFF_ALLMULTI)
- dev_set_allmulti(real_dev, -1);
-del_unicast:
- if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr))
- dev_uc_del(real_dev, dev->dev_addr);
out:
netif_carrier_off(dev);
return err;
@@ -314,10 +297,6 @@ static int vlan_dev_stop(struct net_device *dev)
dev_mc_unsync(real_dev, dev);
dev_uc_unsync(real_dev, dev);
- if (dev->flags & IFF_ALLMULTI)
- dev_set_allmulti(real_dev, -1);
- if (dev->flags & IFF_PROMISC)
- dev_set_promiscuity(real_dev, -1);
if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr))
dev_uc_del(real_dev, dev->dev_addr);
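Review bot: With the `dev_set_allmulti(real_dev, -1)` and `dev_set_promiscuity(real_dev, -1)` calls removed from vlan_dev_stop(), nothing in this patch shows what drops real_dev's allmulti/promiscuity count when a vlan that still has IFF_ALLMULTI or IFF_PROMISC set is deleted. If the teardown path already handles this, please say so in the commit message; otherwise the counts on real_dev can stay elevated after the vlan is gone.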
@@ -474,12 +453,10 @@ static void vlan_dev_change_rx_flags(struct net_device *dev, int change)
{
struct net_device *real_dev = vlan_dev_priv(dev)->real_dev;
- if (dev->flags & IFF_UP) {
- if (change & IFF_ALLMULTI)
- dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
- if (change & IFF_PROMISC)
- dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
- }
+ if (change & IFF_ALLMULTI)
+ dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
+ if (change & IFF_PROMISC)
+ dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
}
static void vlan_dev_set_rx_mode(struct net_device *vlan_dev)
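Review bot: Dropping the `dev->flags & IFF_UP` guard in vlan_dev_change_rx_flags() changes behaviour for vlans that are down, which the commit message mentions but the code does not. A comment above the two `change &` tests stating that the flags are propagated regardless of IFF_UP, and that vlan_dev_open() and vlan_dev_stop() therefore must not touch the counts, would document the invariant the other hunks rely on.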
--
2.39.5
* [PATCH 5.10 034/286] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabriele Paoloni,
Steven Rostedt (Google), Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriele Paoloni <gpaoloni@redhat.com>
[ Upstream commit 0c588ac0ca6c22b774d9ad4a6594681fdfa57d9d ]
When __ftrace_event_enable_disable invokes the class callback to
unregister the event, the return value is not reported up to the
caller, hence leading to event unregister failures being silently
ignored.
This patch assigns the ret variable to the invocation of the
event unregister callback, so that its return value is stored
and reported to the caller, and it raises a warning in case
of error.
Link: https://lore.kernel.org/20250321170821.101403-1-gpaoloni@redhat.com
Signed-off-by: Gabriele Paoloni <gpaoloni@redhat.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 4b5a8d7275be7..92693e2140a94 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -411,7 +411,9 @@ static int __ftrace_event_enable_disable(struct trace_event_file *file,
clear_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags);
}
- call->class->reg(call, TRACE_REG_UNREGISTER, file);
+ ret = call->class->reg(call, TRACE_REG_UNREGISTER, file);
+
+ WARN_ON_ONCE(ret);
}
/* If in SOFT_MODE, just set the SOFT_DISABLE_BIT, else clear it */
if (file->flags & EVENT_FILE_FL_SOFT_MODE)
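Review bot: WARN_ON_ONCE(ret) fires only after the clear_bit() above has already dropped the event's flag bits, and the function then carries on into the SOFT_MODE handling with ret set. Decide whether an unregister failure should stop here or is only informational; if the latter, a comment saying the state is intentionally torn down anyway would help. Also note that a WARN turns a recoverable callback error into a panic on systems running with panic_on_warn, so a pr_warn_once() style message may be the better fit.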
--
2.39.5
* [PATCH 5.10 035/286] Bluetooth: hci_uart: fix race during initialization
From: Greg Kroah-Hartman @ 2025-04-29 16:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arseniy Krasnov,
Luiz Augusto von Dentz, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arseniy Krasnov <avkrasnov@salutedevices.com>
[ Upstream commit 366ceff495f902182d42b6f41525c2474caf3f9a ]
'hci_register_dev()' calls the power up function, which is executed by
kworker - 'hci_power_on()'. This function accesses the bluetooth chip
using callbacks from 'hci_ldisc.c', for example 'hci_uart_send_frame()'.
Now 'hci_uart_send_frame()' checks that the 'HCI_UART_PROTO_READY' bit is set, and
if not - it fails. The problem is that 'HCI_UART_PROTO_READY' is set after
'hci_register_dev()', and there is a tiny chance that 'hci_power_on()' will
be executed before setting this bit. In that case HCI init logic fails.
The patch moves setting of 'HCI_UART_PROTO_READY' before calling function
'hci_uart_register_dev()'.
Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_ldisc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index e7d78937f7d6b..8ca0ac3a440c9 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -706,12 +706,13 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
hu->proto = p;
+ set_bit(HCI_UART_PROTO_READY, &hu->flags);
+
err = hci_uart_register_dev(hu);
if (err) {
return err;
}
- set_bit(HCI_UART_PROTO_READY, &hu->flags);
return 0;
}
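Review bot: With `set_bit(HCI_UART_PROTO_READY, &hu->flags)` moved ahead of hci_uart_register_dev(), the `if (err) { return err; }` path now returns with the bit still set although registration failed. Clear it on that path (clear_bit(HCI_UART_PROTO_READY, &hu->flags) before `return err;`) so that callbacks which test the bit do not treat a half-initialized hu as ready.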
--
2.39.5
* [PATCH 5.10 036/286] drm: allow encoder mode_set even when connectors change for crtc
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abhinav Kumar, Jessica Zhang,
Maxime Ripard, Dmitry Baryshkov, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhinav Kumar <quic_abhinavk@quicinc.com>
[ Upstream commit 7e182cb4f5567f53417b762ec0d679f0b6f0039d ]
In certain use-cases, a CRTC could switch between two encoders
and because the mode being programmed on the CRTC remains
the same during this switch, the CRTC's mode_changed remains false.
In such cases, the encoder's mode_set also gets skipped.
Skipping mode_set on the encoder for such cases could cause an issue
because even though the same CRTC mode was being used, the encoder
type could have changed like the CRTC could have switched from a
real time encoder to a writeback encoder OR vice-versa.
Allow encoder's mode_set to happen even when connectors changed on a
CRTC and not just when the mode changed.
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Jessica Zhang <quic_jesszhan@quicinc.com>
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20241211-abhinavk-modeset-fix-v3-1-0de4bf3e7c32@quicinc.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_atomic_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
index 0fde260b7edd8..dee3b81dec587 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1268,7 +1268,7 @@ crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *old_state)
mode = &new_crtc_state->mode;
adjusted_mode = &new_crtc_state->adjusted_mode;
- if (!new_crtc_state->mode_changed)
+ if (!new_crtc_state->mode_changed && !new_crtc_state->connectors_changed)
continue;
DRM_DEBUG_ATOMIC("modeset on [ENCODER:%d:%s]\n",
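Review bot: The widened skip test in crtc_set_mode(), "if (!new_crtc_state->mode_changed && !new_crtc_state->connectors_changed)", has no comment saying why a connector change alone must reach the encoder mode_set path, and the DRM_DEBUG_ATOMIC "modeset on [ENCODER...]" line that follows cannot tell the two triggers apart. A one-line comment naming the encoder-switch case from the commit message would keep the extra condition from being "simplified" away later, and it is worth confirming that encoder mode_set callbacks reached from here tolerate being called with an unchanged mode.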
--
2.39.5
* [PATCH 5.10 037/286] drm: panel-orientation-quirks: Add support for AYANEO 2S
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
Thomas Zimmermann, Hans de Goede, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit eb8f1e3e8ee10cff591d4a47437dfd34d850d454 ]
AYANEO 2S uses the same panel and orientation as the AYANEO 2.
Update the AYANEO 2 DMI match to also match AYANEO 2S.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: John Edwards <uejji@uejji.net>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-2-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index bf90a5be956fe..6bb8d4502ca8e 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -166,10 +166,10 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T103HAF"),
},
.driver_data = (void *)&lcd800x1280_rightside_up,
- }, { /* AYA NEO AYANEO 2 */
+ }, { /* AYA NEO AYANEO 2/2S */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"),
},
.driver_data = (void *)&lcd1200x1920_rightside_up,
}, { /* AYA NEO 2021 */
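Review bot: Changing the product-name test to DMI_MATCH(DMI_PRODUCT_NAME, "AYANEO 2") turns it into a substring match, so this entry now applies to every product from vendor "AYANEO" whose name contains "AYANEO 2", not only the 2 and 2S named in the comment. If a later model with a different panel carries such a name it will silently get lcd1200x1920_rightside_up. A separate DMI_EXACT_MATCH entry for "AYANEO 2S" would add the device without widening the match; if the substring match is intentional, the comment should say so.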
--
2.39.5
* [PATCH 5.10 038/286] drm: panel-orientation-quirks: Add new quirk for GPD Win 2
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
Paco Avelar, Thomas Zimmermann, Hans de Goede, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit a860eb9c6ba6cdbf32e3e01a606556e5a90a2931 ]
Some GPD Win 2 units shipped with the correct DMI strings.
Add a DMI match to correctly rotate the panel on these units.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: Paco Avelar <pacoavelar@hotmail.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-5-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index 6bb8d4502ca8e..6fc9d638ccd23 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -235,6 +235,12 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"),
},
.driver_data = (void *)&gpd_win2,
+ }, { /* GPD Win 2 (correct DMI strings) */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "WIN2")
+ },
+ .driver_data = (void *)&lcd720x1280_rightside_up,
}, { /* GPD Win 3 */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"),
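Review bot: The last initializer in the new .matches block, DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "WIN2"), lacks the trailing comma that the neighbouring entries use (compare the DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"), line just above). Adding it keeps the table consistent and keeps later additions to this entry a one-line diff.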
--
2.39.5
* [PATCH 5.10 039/286] drm/bridge: panel: forbid initializing a panel with unknown connector type
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Luca Ceresoli,
Robert Foss, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
[ Upstream commit b296955b3a740ecc8b3b08e34fd64f1ceabb8fb4 ]
Having a DRM_MODE_CONNECTOR_Unknown connector type is considered bad, and
drm_panel_bridge_add_typed() and derivatives are deprecated for this.
drm_panel_init() won't prevent initializing a panel with a
DRM_MODE_CONNECTOR_Unknown connector type. Luckily there are no in-tree
users doing it, so take this as an opportunity to document that a valid
connector type must be passed.
Returning an error if this rule is violated is not possible because
drm_panel_init() is a void function. Add at least a warning to make any
violations noticeable, especially to non-upstream drivers.
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Robert Foss <rfoss@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20250214-drm-assorted-cleanups-v7-5-88ca5827d7af@bootlin.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_panel.c b/drivers/gpu/drm/drm_panel.c
index 7fd3de89ed079..acd29b4f43f84 100644
--- a/drivers/gpu/drm/drm_panel.c
+++ b/drivers/gpu/drm/drm_panel.c
@@ -49,7 +49,7 @@ static LIST_HEAD(panel_list);
* @dev: parent device of the panel
* @funcs: panel operations
* @connector_type: the connector type (DRM_MODE_CONNECTOR_*) corresponding to
- * the panel interface
+ * the panel interface (must NOT be DRM_MODE_CONNECTOR_Unknown)
*
* Initialize the panel structure for subsequent registration with
* drm_panel_add().
@@ -57,6 +57,9 @@ static LIST_HEAD(panel_list);
void drm_panel_init(struct drm_panel *panel, struct device *dev,
const struct drm_panel_funcs *funcs, int connector_type)
{
+ if (connector_type == DRM_MODE_CONNECTOR_Unknown)
+ DRM_WARN("%s: %s: a valid connector type is required!\n", __func__, dev_name(dev));
+
INIT_LIST_HEAD(&panel->list);
panel->dev = dev;
panel->funcs = funcs;
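Review bot: The new DRM_WARN() line in drm_panel_init() runs well past 80 columns and should be wrapped after the format string. Beyond style, the function carries on initialising the panel after warning, so the kerneldoc wording "must NOT be DRM_MODE_CONNECTOR_Unknown" reads stronger than what is enforced; stating in the kerneldoc that a warning is logged in that case would match the code. The warning also calls dev_name(dev) unconditionally, so it is worth confirming no caller passes a NULL dev.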
--
2.39.5
* [PATCH 5.10 040/286] drm/amdkfd: clamp queue size to minimum
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Yat Sin, Jay Cornwall,
Harish Kasiviswanathan, Alex Deucher, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Yat Sin <David.YatSin@amd.com>
[ Upstream commit e90711946b53590371ecce32e8fcc381a99d6333 ]
If queue size is less than minimum, clamp it to minimum to prevent
underflow when writing queue mqd.
Signed-off-by: David Yat Sin <David.YatSin@amd.com>
Reviewed-by: Jay Cornwall <jay.cornwall@amd.com>
Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 ++++++++++
include/uapi/linux/kfd_ioctl.h | 2 ++
2 files changed, 12 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index 9a444b17530a4..869c8786df5c9 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -190,6 +190,11 @@ static int set_queue_properties_from_user(struct queue_properties *q_properties,
return -EINVAL;
}
+ if (args->ring_size < KFD_MIN_QUEUE_RING_SIZE) {
+ args->ring_size = KFD_MIN_QUEUE_RING_SIZE;
+ pr_debug("Size lower. clamped to KFD_MIN_QUEUE_RING_SIZE");
+ }
+
if (!access_ok((const void __user *) args->read_pointer_address,
sizeof(uint32_t))) {
pr_err("Can't access read pointer\n");
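Review bot: The pr_debug() string in the new clamp block of set_queue_properties_from_user() has no trailing "\n", unlike the pr_err("Can't access read pointer\n") right below it, and it does not print the size that was requested. Add the newline and include the original args->ring_size in the message, since the user-supplied value is silently rewritten here instead of being rejected with -EINVAL like the check just above.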
@@ -394,6 +399,11 @@ static int kfd_ioctl_update_queue(struct file *filp, struct kfd_process *p,
return -EINVAL;
}
+ if (args->ring_size < KFD_MIN_QUEUE_RING_SIZE) {
+ args->ring_size = KFD_MIN_QUEUE_RING_SIZE;
+ pr_debug("Size lower. clamped to KFD_MIN_QUEUE_RING_SIZE");
+ }
+
properties.queue_address = args->ring_base_address;
properties.queue_size = args->ring_size;
properties.queue_percent = args->queue_percentage;
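Review bot: The clamp block in kfd_ioctl_update_queue() duplicates the one added to set_queue_properties_from_user() line for line, including the pr_debug() without a trailing newline. A small shared helper that takes the ring size and returns the clamped value would keep the create and update paths from drifting apart the next time the minimum or the message changes.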
diff --git a/include/uapi/linux/kfd_ioctl.h b/include/uapi/linux/kfd_ioctl.h
index 695b606da4b15..94af84e845549 100644
--- a/include/uapi/linux/kfd_ioctl.h
+++ b/include/uapi/linux/kfd_ioctl.h
@@ -47,6 +47,8 @@ struct kfd_ioctl_get_version_args {
#define KFD_MAX_QUEUE_PERCENTAGE 100
#define KFD_MAX_QUEUE_PRIORITY 15
+#define KFD_MIN_QUEUE_RING_SIZE 1024
+
struct kfd_ioctl_create_queue_args {
__u64 ring_base_address; /* to KFD */
__u64 write_pointer_address; /* from KFD */
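Review bot: KFD_MIN_QUEUE_RING_SIZE is added to a UAPI header with no comment giving its unit or saying that smaller values are clamped rather than rejected. The neighbouring KFD_MAX_QUEUE_PERCENTAGE and KFD_MAX_QUEUE_PRIORITY explain themselves by name; a ring size does not. A short comment stating the unit and the clamping behaviour would let user space pick a valid size up front.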
--
2.39.5
* [PATCH 5.10 041/286] drm/amdkfd: Fix pqm_destroy_queue race with GPU reset
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Felix Kuehling,
Alex Deucher, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit 7919b4cad5545ed93778f11881ceee72e4dbed66 ]
If the GPU is in reset, destroy_queue returns -EIO; pqm_destroy_queue should
delete the queue from process_queue_list and free the resource.
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
index 43c07ac2c6fce..cabe0012ab5b1 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
@@ -384,7 +384,7 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid)
pr_err("Pasid 0x%x destroy queue %d failed, ret %d\n",
pqm->process->pasid,
pqn->q->properties.queue_id, retval);
- if (retval != -ETIME)
+ if (retval != -ETIME && retval != -EIO)
goto err_destroy_queue;
}
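Review bot: The test "if (retval != -ETIME && retval != -EIO)" now lets two error codes fall through to the normal cleanup, but nothing at the check says why these two are special, and the pr_err() just above still logs "destroy queue ... failed" for a case that is now deliberately tolerated. A one-line comment (timeout or GPU reset: the queue must still be removed from the list and freed) would document the intent for whoever adds the next error code.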
--
2.39.5
* [PATCH 5.10 042/286] drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CK Hu, AngeloGioacchino Del Regno,
Chun-Kuang Hu, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 473c33f5ce651365468503c76f33158aaa1c7dd2 ]
In preparation for adding support for MT8195's HDMI reserved
DPI, add calls to clk_prepare_enable() / clk_disable_unprepare()
for the TVD clock: in this particular case, the aforementioned
clock is not (and cannot be) parented to either pixel or engine
clocks hence it won't get enabled automatically by the clock
framework.
Please note that on all of the currently supported MediaTek
platforms, the TVD clock is always a parent of either pixel or
engine clocks, and this means that the common clock framework
is already enabling this clock before the children.
On such platforms, this commit will only increase the refcount
of the TVD clock without any functional change.
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250217154836.108895-10-angelogioacchino.delregno@collabora.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_dpi.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c
index aa3d472c79d77..ac75c10aed2f6 100644
--- a/drivers/gpu/drm/mediatek/mtk_dpi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dpi.c
@@ -369,6 +369,7 @@ static void mtk_dpi_power_off(struct mtk_dpi *dpi)
mtk_dpi_disable(dpi);
clk_disable_unprepare(dpi->pixel_clk);
+ clk_disable_unprepare(dpi->tvd_clk);
clk_disable_unprepare(dpi->engine_clk);
}
@@ -385,6 +386,12 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
goto err_refcount;
}
+ ret = clk_prepare_enable(dpi->tvd_clk);
+ if (ret) {
+ dev_err(dpi->dev, "Failed to enable tvd pll: %d\n", ret);
+ goto err_engine;
+ }
+
ret = clk_prepare_enable(dpi->pixel_clk);
if (ret) {
dev_err(dpi->dev, "Failed to enable pixel clock: %d\n", ret);
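Review bot: The dev_err() text in the new block of mtk_dpi_power_on() says "Failed to enable tvd pll" while the field is dpi->tvd_clk, the commit message calls it the TVD clock, and the sibling message below says "pixel clock". "Failed to enable tvd clock: %d\n" would be consistent and easier to match against the code when it shows up in a log.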
@@ -394,6 +401,8 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
return 0;
err_pixel:
+ clk_disable_unprepare(dpi->tvd_clk);
+err_engine:
clk_disable_unprepare(dpi->engine_clk);
err_refcount:
dpi->refcount--;
--
2.39.5
* [PATCH 5.10 043/286] fbdev: omapfb: Add plane value check
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leonid Arapov, Helge Deller,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leonid Arapov <arapovl839@gmail.com>
[ Upstream commit 3e411827f31db7f938a30a3c7a7599839401ec30 ]
Function dispc_ovl_setup is not intended to work with the value OMAP_DSS_WB
of the enum parameter plane.
The value of this parameter is initialized in dss_init_overlays and in the
current state of the code it cannot take this value so it's not a real
problem.
For the purposes of defensive coding it wouldn't be superfluous to check
the parameter value, because some functions down the call stack process
this value correctly and some not.
For example, in dispc_ovl_setup_global_alpha it may lead to buffer
overflow.
Add check for this value.
Found by Linux Verification Center (linuxtesting.org) with SVACE static
analysis tool.
Signed-off-by: Leonid Arapov <arapovl839@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
index b2d6e6df21615..d852bef1d507f 100644
--- a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
+++ b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
@@ -2751,9 +2751,13 @@ int dispc_ovl_setup(enum omap_plane plane, const struct omap_overlay_info *oi,
bool mem_to_mem)
{
int r;
- enum omap_overlay_caps caps = dss_feat_get_overlay_caps(plane);
+ enum omap_overlay_caps caps;
enum omap_channel channel;
+ if (plane == OMAP_DSS_WB)
+ return -EINVAL;
+
+ caps = dss_feat_get_overlay_caps(plane);
channel = dispc_ovl_get_channel_out(plane);
DSSDBG("dispc_ovl_setup %d, pa %pad, pa_uv %pad, sw %d, %d,%d, %dx%d ->"
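Review bot: The new guard at the top of dispc_ovl_setup() rejects only plane == OMAP_DSS_WB and returns -EINVAL without a log line or a comment, so a reader cannot tell from the code why this one enum value is excluded. Add a short comment carrying the reason from the commit message (callees such as dispc_ovl_setup_global_alpha do not handle the writeback plane) and consider a DSSERR-style message so a caller that trips the check is visible.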
--
2.39.5
* [PATCH 5.10 044/286] pwm: mediatek: Always use bus clock
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabien Parent, Matthias Brugger,
Thierry Reding, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabien Parent <fparent@baylibre.com>
[ Upstream commit 0c0ead76235db0bcfaab83f04db546995449d002 ]
The MediaTek PWM IP can sometimes use the 26 MHz source clock to
generate the PWM signal, but the driver currently assumes that we always
use the PWM bus clock to generate the PWM signal.
This commit modifies the PWM driver in order to force the PWM IP to
always use the bus clock as source clock.
I do not have the datasheet of all the MediaTek SoCs, so I don't know if
the register to choose the source clock is present in all the SoCs or
only in a subset. As a consequence I made this change optional by using a
platform data parameter to say whether this register is supported or
not. On all the SoCs I don't have the datasheet for (MT2712, MT7622, MT7623,
MT7628, MT7629) I kept the behavior the same as before this
change.
Signed-off-by: Fabien Parent <fparent@baylibre.com>
Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Stable-dep-of: 7ca59947b5fc ("pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-mediatek.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/pwm/pwm-mediatek.c b/drivers/pwm/pwm-mediatek.c
index ab001ce55178e..108881619aea1 100644
--- a/drivers/pwm/pwm-mediatek.c
+++ b/drivers/pwm/pwm-mediatek.c
@@ -30,12 +30,14 @@
#define PWM45DWIDTH_FIXUP 0x30
#define PWMTHRES 0x30
#define PWM45THRES_FIXUP 0x34
+#define PWM_CK_26M_SEL 0x210
#define PWM_CLK_DIV_MAX 7
struct pwm_mediatek_of_data {
unsigned int num_pwms;
bool pwm45_fixup;
+ bool has_ck_26m_sel;
};
/**
@@ -132,6 +134,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm,
if (ret < 0)
return ret;
+ /* Make sure we use the bus clock and not the 26MHz clock */
+ if (pc->soc->has_ck_26m_sel)
+ writel(0, pc->regs + PWM_CK_26M_SEL);
+
/* Using resolution in picosecond gets accuracy higher */
resolution = (u64)NSEC_PER_SEC * 1000;
do_div(resolution, clk_get_rate(pc->clk_pwms[pwm->hwpwm]));
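Review bot: writel(0, pc->regs + PWM_CK_26M_SEL) in pwm_mediatek_config() clears the whole register with a bare 0 and repeats the write on every configuration call. If only some bits of that register select the clock source, a named bit definition and a read-modify-write would make the intent reviewable and avoid touching unrelated bits; if the whole register is the selector, a comment saying so next to the PWM_CK_26M_SEL define is enough.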
@@ -281,31 +287,37 @@ static int pwm_mediatek_remove(struct platform_device *pdev)
static const struct pwm_mediatek_of_data mt2712_pwm_data = {
.num_pwms = 8,
.pwm45_fixup = false,
+ .has_ck_26m_sel = false,
};
static const struct pwm_mediatek_of_data mt7622_pwm_data = {
.num_pwms = 6,
.pwm45_fixup = false,
+ .has_ck_26m_sel = false,
};
static const struct pwm_mediatek_of_data mt7623_pwm_data = {
.num_pwms = 5,
.pwm45_fixup = true,
+ .has_ck_26m_sel = false,
};
static const struct pwm_mediatek_of_data mt7628_pwm_data = {
.num_pwms = 4,
.pwm45_fixup = true,
+ .has_ck_26m_sel = false,
};
static const struct pwm_mediatek_of_data mt7629_pwm_data = {
.num_pwms = 1,
.pwm45_fixup = false,
+ .has_ck_26m_sel = false,
};
static const struct pwm_mediatek_of_data mt8516_pwm_data = {
.num_pwms = 5,
.pwm45_fixup = false,
+ .has_ck_26m_sel = true,
};
static const struct of_device_id pwm_mediatek_of_match[] = {
--
2.39.5
* [PATCH 5.10 045/286] pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josh Poimboeuf,
Uwe Kleine-König, Uwe Kleine-König, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 7ca59947b5fcf94e7ea4029d1bd0f7c41500a161 ]
With CONFIG_COMPILE_TEST && !CONFIG_HAVE_CLK, pwm_mediatek_config() has a
divide-by-zero in the following line:
do_div(resolution, clk_get_rate(pc->clk_pwms[pwm->hwpwm]));
due to the fact that the !CONFIG_HAVE_CLK version of clk_get_rate()
returns zero.
This is presumably just a theoretical problem: COMPILE_TEST overrides
the dependency on RALINK which would select COMMON_CLK. Regardless it's
a good idea to check for the error explicitly to avoid divide-by-zero.
Fixes the following warning:
drivers/pwm/pwm-mediatek.o: warning: objtool: .text: unexpected end of section
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Link: https://lore.kernel.org/r/fb56444939325cc173e752ba199abd7aeae3bf12.1742852847.git.jpoimboe@kernel.org
[ukleinek: s/CONFIG_CLK/CONFIG_HAVE_CLK/]
Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/9e78a0796acba3435553ed7db1c7965dcffa6215.1743501688.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-mediatek.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/pwm/pwm-mediatek.c b/drivers/pwm/pwm-mediatek.c
index 108881619aea1..9df8f33138de6 100644
--- a/drivers/pwm/pwm-mediatek.c
+++ b/drivers/pwm/pwm-mediatek.c
@@ -126,21 +126,25 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm,
struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
u32 clkdiv = 0, cnt_period, cnt_duty, reg_width = PWMDWIDTH,
reg_thres = PWMTHRES;
+ unsigned long clk_rate;
u64 resolution;
int ret;
ret = pwm_mediatek_clk_enable(chip, pwm);
-
if (ret < 0)
return ret;
+ clk_rate = clk_get_rate(pc->clk_pwms[pwm->hwpwm]);
+ if (!clk_rate)
+ return -EINVAL;
+
/* Make sure we use the bus clock and not the 26MHz clock */
if (pc->soc->has_ck_26m_sel)
writel(0, pc->regs + PWM_CK_26M_SEL);
/* Using resolution in picosecond gets accuracy higher */
resolution = (u64)NSEC_PER_SEC * 1000;
- do_div(resolution, clk_get_rate(pc->clk_pwms[pwm->hwpwm]));
+ do_div(resolution, clk_rate);
cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, resolution);
while (cnt_period > 8191) {
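Review bot: The new early exit "if (!clk_rate) return -EINVAL;" sits after pwm_mediatek_clk_enable() has already succeeded, so on this path the function returns with the clocks still enabled. Either read and check the rate in a way that goes through the function's normal clock-disable exit, or call the driver's clock-disable counterpart before returning -EINVAL, so the enable count stays balanced.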
--
2.39.5
* [PATCH 5.10 046/286] pwm: rcar: Simplify multiplication/shift logic
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven,
Uwe Kleine-König, Thierry Reding, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit ed14d36498c8d15be098df4af9ca324f96e9de74 ]
- Remove the superfluous cast; the multiplication will yield a 64-bit
result due to the "100ULL" anyway,
- "a * (1 << b)" == "a << b".
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Stable-dep-of: e7327c193014 ("pwm: rcar: Improve register calculation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-rcar.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pwm/pwm-rcar.c b/drivers/pwm/pwm-rcar.c
index 7ab9eb6616d95..efe11e4e449e1 100644
--- a/drivers/pwm/pwm-rcar.c
+++ b/drivers/pwm/pwm-rcar.c
@@ -110,7 +110,7 @@ static int rcar_pwm_set_counter(struct rcar_pwm_chip *rp, int div, int duty_ns,
unsigned long clk_rate = clk_get_rate(rp->clk);
u32 cyc, ph;
- one_cycle = (unsigned long long)NSEC_PER_SEC * 100ULL * (1 << div);
+ one_cycle = NSEC_PER_SEC * 100ULL << div;
do_div(one_cycle, clk_rate);
tmp = period_ns * 100ULL;
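Review bot: The rewritten expression "one_cycle = NSEC_PER_SEC * 100ULL << div;" relies on "*" binding tighter than "<<", which is correct C but easy to misread, and compilers with -Wparentheses-style checks may flag mixed arithmetic and shift operators. Writing it as (NSEC_PER_SEC * 100ULL) << div costs nothing and makes the 64-bit promotion before the shift obvious.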
--
2.39.5
* [PATCH 5.10 047/286] pwm: rcar: Improve register calculation
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Geert Uytterhoeven, Uwe Kleine-König, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit e7327c193014a4d8666e9c1cda09cf2c060518e8 ]
There were several issues in the function rcar_pwm_set_counter():
- The u64 values period_ns and duty_ns were cast to int on function
call which might lose bits on 32 bit architectures.
Fix: Make parameters to rcar_pwm_set_counter() u64
- The algorithm divided by the result of a division which loses
precision.
Fix: Make use of mul_u64_u64_div_u64()
- The calculated values were just masked to fit the respective register
fields which again might lose bits.
Fix: Explicitly check for overflow
Implement the respective fixes.
A side effect of fixing the 2nd issue is that there is no division by 0
if clk_get_rate() returns 0.
Fixes: ed6c1476bf7f ("pwm: Add support for R-Car PWM Timer")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/ab3dac794b2216cc1cc56d65c93dd164f8bd461b.1743501688.git.u.kleine-koenig@baylibre.com
[ukleinek: Added an explicit #include <linux/bitfield.h> to please the
0day build bot]
Link: https://lore.kernel.org/oe-kbuild-all/202504031354.VJtxScP5-lkp@intel.com/
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-rcar.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/drivers/pwm/pwm-rcar.c b/drivers/pwm/pwm-rcar.c
index efe11e4e449e1..83da738954074 100644
--- a/drivers/pwm/pwm-rcar.c
+++ b/drivers/pwm/pwm-rcar.c
@@ -8,6 +8,7 @@
* - The hardware cannot generate a 0% duty cycle.
*/
+#include <linux/bitfield.h>
#include <linux/clk.h>
#include <linux/err.h>
#include <linux/io.h>
@@ -103,23 +104,24 @@ static void rcar_pwm_set_clock_control(struct rcar_pwm_chip *rp,
rcar_pwm_write(rp, value, RCAR_PWMCR);
}
-static int rcar_pwm_set_counter(struct rcar_pwm_chip *rp, int div, int duty_ns,
- int period_ns)
+static int rcar_pwm_set_counter(struct rcar_pwm_chip *rp, int div, u64 duty_ns,
+ u64 period_ns)
{
- unsigned long long one_cycle, tmp; /* 0.01 nanoseconds */
+ unsigned long long tmp;
unsigned long clk_rate = clk_get_rate(rp->clk);
u32 cyc, ph;
- one_cycle = NSEC_PER_SEC * 100ULL << div;
- do_div(one_cycle, clk_rate);
+ /* div <= 24 == RCAR_PWM_MAX_DIVISION, so the shift doesn't overflow. */
+ tmp = mul_u64_u64_div_u64(period_ns, clk_rate, (u64)NSEC_PER_SEC << div);
+ if (tmp > FIELD_MAX(RCAR_PWMCNT_CYC0_MASK))
+ tmp = FIELD_MAX(RCAR_PWMCNT_CYC0_MASK);
- tmp = period_ns * 100ULL;
- do_div(tmp, one_cycle);
- cyc = (tmp << RCAR_PWMCNT_CYC0_SHIFT) & RCAR_PWMCNT_CYC0_MASK;
+ cyc = FIELD_PREP(RCAR_PWMCNT_CYC0_MASK, tmp);
- tmp = duty_ns * 100ULL;
- do_div(tmp, one_cycle);
- ph = tmp & RCAR_PWMCNT_PH0_MASK;
+ tmp = mul_u64_u64_div_u64(duty_ns, clk_rate, (u64)NSEC_PER_SEC << div);
+ if (tmp > FIELD_MAX(RCAR_PWMCNT_PH0_MASK))
+ tmp = FIELD_MAX(RCAR_PWMCNT_PH0_MASK);
+ ph = FIELD_PREP(RCAR_PWMCNT_PH0_MASK, tmp);
/* Avoid prohibited setting */
if (cyc == 0 || ph == 0)
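Review bot: The two FIELD_MAX() clamps in rcar_pwm_set_counter() saturate silently, so a period or duty request that does not fit the CYC0/PH0 field is programmed as a shorter value with no error or log; the commit message calls this an explicit overflow check, so either return an error or add the saturation to the limitations comment at the top of the file. The clk_rate == 0 case now produces tmp == 0 and is caught only by the following `cyc == 0 || ph == 0` test, which deserves a one-line comment. `int div` could also become unsigned, since `(u64)NSEC_PER_SEC << div` relies on it staying within 0..24.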
--
2.39.5
* [PATCH 5.10 048/286] pwm: fsl-ftm: Handle clk_get_rate() returning 0
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Uwe Kleine-König, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit 928446a5302eee30ebb32075c0db5dda5a138fb7 ]
Considering that the driver doesn't enable the used clocks (and also
that clk_get_rate() returns 0 if CONFIG_HAVE_CLK is unset) better check
the return value of clk_get_rate() for being non-zero before dividing by
it.
Fixes: 3479bbd1e1f8 ("pwm: fsl-ftm: More relaxed permissions for updating period")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/b68351a51017035651bc62ad3146afcb706874f0.1743501688.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-fsl-ftm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/pwm/pwm-fsl-ftm.c b/drivers/pwm/pwm-fsl-ftm.c
index 59272a9204793..8221f286f5828 100644
--- a/drivers/pwm/pwm-fsl-ftm.c
+++ b/drivers/pwm/pwm-fsl-ftm.c
@@ -123,6 +123,9 @@ static unsigned int fsl_pwm_ticks_to_ns(struct fsl_pwm_chip *fpc,
unsigned long long exval;
rate = clk_get_rate(fpc->clk[fpc->period.clk_select]);
+ if (rate >> fpc->period.clk_ps == 0)
+ return 0;
+
exval = ticks;
exval *= 1000000000UL;
do_div(exval, rate >> fpc->period.clk_ps);
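Review bot: `rate >> fpc->period.clk_ps` is evaluated twice in fsl_pwm_ticks_to_ns(), once in the new guard and once as the do_div() divisor; computing it once into a local keeps the check and the divisor from drifting apart. Parentheses around the shift in `rate >> fpc->period.clk_ps == 0` would also make the intended precedence obvious to the reader.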
@@ -195,6 +198,9 @@ static unsigned int fsl_pwm_calculate_duty(struct fsl_pwm_chip *fpc,
unsigned int period = fpc->period.mod_period + 1;
unsigned int period_ns = fsl_pwm_ticks_to_ns(fpc, period);
+ if (!period_ns)
+ return 0;
+
duty = (unsigned long long)duty_ns * period;
do_div(duty, period_ns);
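Review bot: The new `if (!period_ns) return 0;` in fsl_pwm_calculate_duty() reports an unusable clock as a duty value of 0, which the caller cannot tell apart from a genuinely computed 0. If the callers are meant to treat 0 as "cannot configure", a comment on the function should say so; otherwise the failure should be propagated as an error.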
--
2.39.5
* [PATCH 5.10 049/286] bpf: Add endian modifiers to fix endian warnings
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ben Dooks, Daniel Borkmann,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Dooks <ben.dooks@sifive.com>
[ Upstream commit 96a233e600df351bcb06e3c20efe048855552926 ]
A couple of the syscalls which load values (bpf_skb_load_helper_16() and
bpf_skb_load_helper_32()) are using u16/u32 types which are triggering
warnings as they are then converted from big-endian to CPU-endian. Fix
these by making the types __be instead.
Fixes the following sparse warnings:
net/core/filter.c:246:32: warning: cast to restricted __be16
net/core/filter.c:246:32: warning: cast to restricted __be16
net/core/filter.c:246:32: warning: cast to restricted __be16
net/core/filter.c:246:32: warning: cast to restricted __be16
net/core/filter.c:273:32: warning: cast to restricted __be32
net/core/filter.c:273:32: warning: cast to restricted __be32
net/core/filter.c:273:32: warning: cast to restricted __be32
net/core/filter.c:273:32: warning: cast to restricted __be32
net/core/filter.c:273:32: warning: cast to restricted __be32
net/core/filter.c:273:32: warning: cast to restricted __be32
Signed-off-by: Ben Dooks <ben.dooks@sifive.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220714105101.297304-1-ben.dooks@sifive.com
Stable-dep-of: d4bac0288a2b ("bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index d9f4d98acc45b..07fa811917380 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -238,7 +238,7 @@ BPF_CALL_2(bpf_skb_load_helper_8_no_cache, const struct sk_buff *, skb,
BPF_CALL_4(bpf_skb_load_helper_16, const struct sk_buff *, skb, const void *,
data, int, headlen, int, offset)
{
- u16 tmp, *ptr;
+ __be16 tmp, *ptr;
const int len = sizeof(tmp);
if (offset >= 0) {
@@ -265,7 +265,7 @@ BPF_CALL_2(bpf_skb_load_helper_16_no_cache, const struct sk_buff *, skb,
BPF_CALL_4(bpf_skb_load_helper_32, const struct sk_buff *, skb, const void *,
data, int, headlen, int, offset)
{
- u32 tmp, *ptr;
+ __be32 tmp, *ptr;
const int len = sizeof(tmp);
if (likely(offset >= 0)) {
--
2.39.5
* [PATCH 5.10 050/286] bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Moeller,
Maciej Żenczykowski, Willem de Bruijn, Stanislav Fomichev,
Alexei Starovoitov, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
[ Upstream commit d4bac0288a2b444e468e6df9cb4ed69479ddf14a ]
Classic BPF socket filters with SKB_NET_OFF and SKB_LL_OFF fail to
read when these offsets extend into frags.
This has been observed with iwlwifi and reproduced with tun with
IFF_NAPI_FRAGS. The below straightforward socket filter on UDP port,
applied to a RAW socket, will silently miss matching packets.
const int offset_proto = offsetof(struct ip6_hdr, ip6_nxt);
const int offset_dport = sizeof(struct ip6_hdr) + offsetof(struct udphdr, dest);
struct sock_filter filter_code[] = {
BPF_STMT(BPF_LD + BPF_B + BPF_ABS, SKF_AD_OFF + SKF_AD_PKTTYPE),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, PACKET_HOST, 0, 4),
BPF_STMT(BPF_LD + BPF_B + BPF_ABS, SKF_NET_OFF + offset_proto),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 2),
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, SKF_NET_OFF + offset_dport),
This is unexpected behavior. Socket filter programs should be
consistent regardless of environment. Silent misses are
particularly concerning as hard to detect.
Use skb_copy_bits for offsets outside linear, same as done for
non-SKF_(LL|NET) offsets.
Offset is always positive after subtracting the reference threshold
SKB_(LL|NET)_OFF, so is always >= skb_(mac|network)_offset. The sum of
the two is an offset against skb->data, and may be negative, but it
cannot point before skb->head, as skb_(mac|network)_offset would too.
This appears to go back to when frag support was introduced to
sk_run_filter in linux-2.4.4, before the introduction of git.
The amount of code change and 8/16/32 bit duplication are unfortunate.
But any attempt I made to be smarter saved very few LoC while
complicating the code.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Link: https://lore.kernel.org/netdev/20250122200402.3461154-1-maze@google.com/
Link: https://elixir.bootlin.com/linux/2.4.4/source/net/core/filter.c#L244
Reported-by: Matt Moeller <moeller.matt@gmail.com>
Co-developed-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://lore.kernel.org/r/20250408132833.195491-2-willemdebruijn.kernel@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 80 ++++++++++++++++++++++++++---------------------
1 file changed, 44 insertions(+), 36 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 07fa811917380..b262cad02bad9 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -208,24 +208,36 @@ BPF_CALL_3(bpf_skb_get_nlattr_nest, struct sk_buff *, skb, u32, a, u32, x)
return 0;
}
+static int bpf_skb_load_helper_convert_offset(const struct sk_buff *skb, int offset)
+{
+ if (likely(offset >= 0))
+ return offset;
+
+ if (offset >= SKF_NET_OFF)
+ return offset - SKF_NET_OFF + skb_network_offset(skb);
+
+ if (offset >= SKF_LL_OFF && skb_mac_header_was_set(skb))
+ return offset - SKF_LL_OFF + skb_mac_offset(skb);
+
+ return INT_MIN;
+}
+
BPF_CALL_4(bpf_skb_load_helper_8, const struct sk_buff *, skb, const void *,
data, int, headlen, int, offset)
{
- u8 tmp, *ptr;
+ u8 tmp;
const int len = sizeof(tmp);
- if (offset >= 0) {
- if (headlen - offset >= len)
- return *(u8 *)(data + offset);
- if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
- return tmp;
- } else {
- ptr = bpf_internal_load_pointer_neg_helper(skb, offset, len);
- if (likely(ptr))
- return *(u8 *)ptr;
- }
+ offset = bpf_skb_load_helper_convert_offset(skb, offset);
+ if (offset == INT_MIN)
+ return -EFAULT;
- return -EFAULT;
+ if (headlen - offset >= len)
+ return *(u8 *)(data + offset);
+ if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
+ return tmp;
+ else
+ return -EFAULT;
}
BPF_CALL_2(bpf_skb_load_helper_8_no_cache, const struct sk_buff *, skb,
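Review bot: bpf_skb_load_helper_convert_offset() can return a negative offset for the SKF_NET_OFF and SKF_LL_OFF cases (the commit message says the sum "may be negative"), and in bpf_skb_load_helper_8 such a value can pass `headlen - offset >= len` and be read directly through `*(u8 *)(data + offset)`. The argument that this never reaches below skb->head exists only in the commit message and should be a comment on the helper, together with a note that INT_MIN is the failure sentinel. The `else` after `return tmp;` is redundant.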
@@ -238,21 +250,19 @@ BPF_CALL_2(bpf_skb_load_helper_8_no_cache, const struct sk_buff *, skb,
BPF_CALL_4(bpf_skb_load_helper_16, const struct sk_buff *, skb, const void *,
data, int, headlen, int, offset)
{
- __be16 tmp, *ptr;
+ __be16 tmp;
const int len = sizeof(tmp);
- if (offset >= 0) {
- if (headlen - offset >= len)
- return get_unaligned_be16(data + offset);
- if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
- return be16_to_cpu(tmp);
- } else {
- ptr = bpf_internal_load_pointer_neg_helper(skb, offset, len);
- if (likely(ptr))
- return get_unaligned_be16(ptr);
- }
+ offset = bpf_skb_load_helper_convert_offset(skb, offset);
+ if (offset == INT_MIN)
+ return -EFAULT;
- return -EFAULT;
+ if (headlen - offset >= len)
+ return get_unaligned_be16(data + offset);
+ if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
+ return be16_to_cpu(tmp);
+ else
+ return -EFAULT;
}
BPF_CALL_2(bpf_skb_load_helper_16_no_cache, const struct sk_buff *, skb,
@@ -265,21 +275,19 @@ BPF_CALL_2(bpf_skb_load_helper_16_no_cache, const struct sk_buff *, skb,
BPF_CALL_4(bpf_skb_load_helper_32, const struct sk_buff *, skb, const void *,
data, int, headlen, int, offset)
{
- __be32 tmp, *ptr;
+ __be32 tmp;
const int len = sizeof(tmp);
- if (likely(offset >= 0)) {
- if (headlen - offset >= len)
- return get_unaligned_be32(data + offset);
- if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
- return be32_to_cpu(tmp);
- } else {
- ptr = bpf_internal_load_pointer_neg_helper(skb, offset, len);
- if (likely(ptr))
- return get_unaligned_be32(ptr);
- }
+ offset = bpf_skb_load_helper_convert_offset(skb, offset);
+ if (offset == INT_MIN)
+ return -EFAULT;
- return -EFAULT;
+ if (headlen - offset >= len)
+ return get_unaligned_be32(data + offset);
+ if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
+ return be32_to_cpu(tmp);
+ else
+ return -EFAULT;
}
BPF_CALL_2(bpf_skb_load_helper_32_no_cache, const struct sk_buff *, skb,
--
2.39.5
* [PATCH 5.10 051/286] ext4: reject casefold inode flag without casefold feature
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Theodore Tso,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
[ Upstream commit 8216776ccff6fcd40e3fdaa109aa4150ebe760b3 ]
It is invalid for the casefold inode flag to be set without the casefold
superblock feature flag also being set. e2fsck already considers this
case to be invalid and handles it by offering to clear the casefold flag
on the inode. __ext4_iget() also already considered this to be invalid,
sort of, but it only got so far as logging an error message; it didn't
actually reject the inode. Make it reject the inode so that other code
doesn't have to handle this case. This matches what f2fs does.
Note: we could check 's_encoding != NULL' instead of
ext4_has_feature_casefold(). This would make the check robust against
the casefold feature being enabled by userspace writing to the page
cache of the mounted block device. However, it's unsolvable in general
for filesystems to be robust against concurrent writes to the page cache
of the mounted block device. Though this very particular scenario
involving the casefold feature is solvable, we should not pretend that
we can support this model, so let's just check the casefold feature.
tune2fs already forbids enabling casefold on a mounted filesystem.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20230814182903.37267-2-ebiggers@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 642335f3ea2b ("ext4: don't treat fhandle lookup of ea_inode as FS corruption")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/inode.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index c991955412a49..d0fcf91ec9d62 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5004,9 +5004,12 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
"iget: bogus i_mode (%o)", inode->i_mode);
goto bad_inode;
}
- if (IS_CASEFOLDED(inode) && !ext4_has_feature_casefold(inode->i_sb))
+ if (IS_CASEFOLDED(inode) && !ext4_has_feature_casefold(inode->i_sb)) {
ext4_error_inode(inode, function, line, 0,
"casefold flag without casefold feature");
+ ret = -EFSCORRUPTED;
+ goto bad_inode;
+ }
if ((err_str = check_igot_inode(inode, flags)) != NULL) {
ext4_error_inode(inode, function, line, 0, err_str);
ret = -EFSCORRUPTED;
--
2.39.5
* [PATCH 5.10 052/286] ext4: dont treat fhandle lookup of ea_inode as FS corruption
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Jan Kara, Theodore Tso,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
[ Upstream commit 642335f3ea2b3fd6dba03e57e01fa9587843a497 ]
A file handle that userspace provides to open_by_handle_at() can
legitimately contain an outdated inode number that has since been reused
for another purpose - that's why the file handle also contains a generation
number.
But if the inode number has been reused for an ea_inode, check_igot_inode()
will notice, __ext4_iget() will go through ext4_error_inode(), and if the
inode was newly created, it will also be marked as bad by iget_failed().
This all happens before the point where the inode generation is checked.
ext4_error_inode() is supposed to only be used on filesystem corruption; it
should not be used when userspace just got unlucky with a stale file
handle. So when this happens, let __ext4_iget() just return an error.
Fixes: b3e6bcb94590 ("ext4: add EA_INODE checking to ext4_iget()")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20241129-ext4-ignore-ea-fhandle-v1-1-e532c0d1cee0@google.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/inode.c | 68 ++++++++++++++++++++++++++++++++++---------------
1 file changed, 48 insertions(+), 20 deletions(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index d0fcf91ec9d62..52d68edb6a09b 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4681,22 +4681,43 @@ static inline u64 ext4_inode_peek_iversion(const struct inode *inode)
return inode_peek_iversion(inode);
}
-static const char *check_igot_inode(struct inode *inode, ext4_iget_flags flags)
-
+static int check_igot_inode(struct inode *inode, ext4_iget_flags flags,
+ const char *function, unsigned int line)
{
+ const char *err_str;
+
if (flags & EXT4_IGET_EA_INODE) {
- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
- return "missing EA_INODE flag";
+ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+ err_str = "missing EA_INODE flag";
+ goto error;
+ }
if (ext4_test_inode_state(inode, EXT4_STATE_XATTR) ||
- EXT4_I(inode)->i_file_acl)
- return "ea_inode with extended attributes";
+ EXT4_I(inode)->i_file_acl) {
+ err_str = "ea_inode with extended attributes";
+ goto error;
+ }
} else {
- if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
- return "unexpected EA_INODE flag";
+ if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+ /*
+ * open_by_handle_at() could provide an old inode number
+ * that has since been reused for an ea_inode; this does
+ * not indicate filesystem corruption
+ */
+ if (flags & EXT4_IGET_HANDLE)
+ return -ESTALE;
+ err_str = "unexpected EA_INODE flag";
+ goto error;
+ }
+ }
+ if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) {
+ err_str = "unexpected bad inode w/o EXT4_IGET_BAD";
+ goto error;
}
- if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD))
- return "unexpected bad inode w/o EXT4_IGET_BAD";
- return NULL;
+ return 0;
+
+error:
+ ext4_error_inode(inode, function, line, 0, err_str);
+ return -EFSCORRUPTED;
}
struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
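Review bot: check_igot_inode() now has three outcomes (0, -ESTALE without logging, and -EFSCORRUPTED after calling ext4_error_inode()), and __ext4_iget() special-cases -ESTALE further down, but no comment on the function states that contract; a short header comment listing the return values would help. The EXT4_IGET_HANDLE exemption also covers only the "unexpected EA_INODE flag" branch, so the is_bad_inode() test still reports corruption on a handle lookup; if that is intended, it is worth saying so in the comment.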
@@ -4707,7 +4728,6 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
struct ext4_inode *raw_inode;
struct ext4_inode_info *ei;
struct inode *inode;
- const char *err_str;
journal_t *journal = EXT4_SB(sb)->s_journal;
long ret;
loff_t size;
@@ -4732,10 +4752,10 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
if (!inode)
return ERR_PTR(-ENOMEM);
if (!(inode->i_state & I_NEW)) {
- if ((err_str = check_igot_inode(inode, flags)) != NULL) {
- ext4_error_inode(inode, function, line, 0, err_str);
+ ret = check_igot_inode(inode, flags, function, line);
+ if (ret) {
iput(inode);
- return ERR_PTR(-EFSCORRUPTED);
+ return ERR_PTR(ret);
}
return inode;
}
@@ -5010,13 +5030,21 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
ret = -EFSCORRUPTED;
goto bad_inode;
}
- if ((err_str = check_igot_inode(inode, flags)) != NULL) {
- ext4_error_inode(inode, function, line, 0, err_str);
- ret = -EFSCORRUPTED;
- goto bad_inode;
+ ret = check_igot_inode(inode, flags, function, line);
+ /*
+ * -ESTALE here means there is nothing inherently wrong with the inode,
+ * it's just not an inode we can return for an fhandle lookup.
+ */
+ if (ret == -ESTALE) {
+ brelse(iloc.bh);
+ unlock_new_inode(inode);
+ iput(inode);
+ return ERR_PTR(-ESTALE);
}
-
+ if (ret)
+ goto bad_inode;
brelse(iloc.bh);
+
unlock_new_inode(inode);
return inode;
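Review bot: The `ret == -ESTALE` branch open-codes brelse(), unlock_new_inode() and iput() instead of jumping to bad_inode, and the reason given in the commit message (a newly created inode would be marked bad by iget_failed()) is missing from the code comment; extend the comment to say why bad_inode must be avoided so a later cleanup does not fold the branch back into it. The blank-line move around `brelse(iloc.bh);` at the end of the hunk is unrelated whitespace churn and could be dropped.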
--
2.39.5
* [PATCH 5.10 053/286] media: i2c: adv748x: Fix test pattern selection mask
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Söderlund,
Kieran Bingham, Hans Verkuil
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
commit 9e38acacb9d809b97a0bdc5c76e725355a47158a upstream.
The mask to select the test-pattern in register ADV748X_SDP_FRP is
incorrect, it's the lower 3 bits which controls the pattern. The
GENMASK() macro is used incorrectly and the generated mask is 0x0e
instead of 0x07.
The result is that not all test patterns are selectable, and that in
some cases the wrong test pattern is activated. Fix this by correcting
the GENMASK().
Fixes: 3e89586a64df ("media: i2c: adv748x: add adv748x driver")
Cc: stable@vger.kernel.org
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
[hverkuil: fixed tiny typo in commit log: my -> by]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv748x/adv748x.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/i2c/adv748x/adv748x.h
+++ b/drivers/media/i2c/adv748x/adv748x.h
@@ -322,7 +322,7 @@ struct adv748x_state {
/* Free run pattern select */
#define ADV748X_SDP_FRP 0x14
-#define ADV748X_SDP_FRP_MASK GENMASK(3, 1)
+#define ADV748X_SDP_FRP_MASK GENMASK(2, 0)
/* Saturation */
#define ADV748X_SDP_SD_SAT_U 0xe3 /* user_map_rw_reg_e3 */
* [PATCH 5.10 054/286] media: venus: hfi: add a check to handle OOB in sfr region
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Vikash Garodia,
Hans Verkuil
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
commit f4b211714bcc70effa60c34d9fa613d182e3ef1e upstream.
sfr->buf_size is in shared memory and can be modified by a malicious user.
OOB write is possible when the size is made higher than actual sfr data
buffer. Cap the size to allocated size for such cases.
Cc: stable@vger.kernel.org
Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_venus.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -978,18 +978,26 @@ static void venus_sfr_print(struct venus
{
struct device *dev = hdev->core->dev;
struct hfi_sfr *sfr = hdev->sfr.kva;
+ u32 size;
void *p;
if (!sfr)
return;
- p = memchr(sfr->data, '\0', sfr->buf_size);
+ size = sfr->buf_size;
+ if (!size)
+ return;
+
+ if (size > ALIGNED_SFR_SIZE)
+ size = ALIGNED_SFR_SIZE;
+
+ p = memchr(sfr->data, '\0', size);
/*
* SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates
* that Venus is in the process of crashing.
*/
if (!p)
- sfr->data[sfr->buf_size - 1] = '\0';
+ sfr->data[size - 1] = '\0';
dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data);
}
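Review bot: `sfr->data` is still printed with `%s` in dev_err_ratelimited() after the terminator has been written back into the same shared buffer, so the bound established by `size` does not cover the print if the buffer changes again; printing with a precision (`%.*s` and the capped size) would keep the read inside the checked range. `size = sfr->buf_size;` should use READ_ONCE() to make the single fetch from shared memory explicit. Since `buf_size` and `data` are members of the same struct hfi_sfr, please also confirm that ALIGNED_SFR_SIZE is the right cap for `data` alone rather than for the whole structure.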
* [PATCH 5.10 055/286] media: venus: hfi: add check to handle incorrect queue size
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Vikash Garodia,
Hans Verkuil
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
commit 69baf245b23e20efda0079238b27fc63ecf13de1 upstream.
qsize represents size of shared queue between driver and video
firmware. Firmware can modify this value to an invalid large value. In
such situation, empty_space will be bigger than the space actually
available. Since new_wr_idx is not checked, the following code will
result in an OOB write.
...
qsize = qhdr->q_size
if (wr_idx >= rd_idx)
empty_space = qsize - (wr_idx - rd_idx)
....
if (new_wr_idx < qsize) {
memcpy(wr_ptr, packet, dwords << 2) --> OOB write
Add check to ensure qsize is within the allocated size while
reading and writing packets into the queue.
Cc: stable@vger.kernel.org
Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_venus.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -188,6 +188,9 @@ static int venus_write_queue(struct venu
/* ensure rd/wr indices's are read from memory */
rmb();
+ if (qsize > IFACEQ_QUEUE_SIZE / 4)
+ return -EINVAL;
+
if (wr_idx >= rd_idx)
empty_space = qsize - (wr_idx - rd_idx);
else
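Review bot: Only qsize is range-checked in venus_write_queue(); wr_idx and rd_idx are read from the same shared header and feed `empty_space = qsize - (wr_idx - rd_idx)` directly, so an index larger than qsize still yields a wrapped empty_space. Validating both indices against qsize next to the new test would close that gap. A comment explaining the `/ 4` in `IFACEQ_QUEUE_SIZE / 4` (the commit message's `dwords << 2` suggests the queue is indexed in dwords) would also help.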
@@ -256,6 +259,9 @@ static int venus_read_queue(struct venus
wr_idx = qhdr->write_idx;
qsize = qhdr->q_size;
+ if (qsize > IFACEQ_QUEUE_SIZE / 4)
+ return -EINVAL;
+
/* make sure data is valid before using it */
rmb();
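Review bot: In venus_read_queue() the new qsize test sits before the rmb() commented "make sure data is valid before using it", while venus_write_queue() places the same test after its rmb(). Move this check below the barrier so both paths validate the header value at the same point relative to the memory barrier.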
* [PATCH 5.10 056/286] media: vim2m: print device name after registering device
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matthew Majewski, Hans Verkuil
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Majewski <mattwmajewski@gmail.com>
commit 143d75583f2427f3a97dba62413c4f0604867ebf upstream.
Move the v4l2_info() call displaying the video device name after the
device is actually registered.
This fixes a bug where the driver was always displaying "/dev/video0"
since it was reading from the vfd before it was registered.
Fixes: cf7f34777a5b ("media: vim2m: Register video device after setting up internals")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew Majewski <mattwmajewski@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vim2m.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/media/test-drivers/vim2m.c
+++ b/drivers/media/test-drivers/vim2m.c
@@ -1326,9 +1326,6 @@ static int vim2m_probe(struct platform_d
vfd->v4l2_dev = &dev->v4l2_dev;
video_set_drvdata(vfd, dev);
- v4l2_info(&dev->v4l2_dev,
- "Device registered as /dev/video%d\n", vfd->num);
-
platform_set_drvdata(pdev, dev);
dev->m2m_dev = v4l2_m2m_init(&m2m_ops);
@@ -1355,6 +1352,9 @@ static int vim2m_probe(struct platform_d
goto error_m2m;
}
+ v4l2_info(&dev->v4l2_dev,
+ "Device registered as /dev/video%d\n", vfd->num);
+
#ifdef CONFIG_MEDIA_CONTROLLER
ret = v4l2_m2m_register_media_controller(dev->m2m_dev, vfd,
MEDIA_ENT_F_PROC_VIDEO_SCALER);
* [PATCH 5.10 057/286] media: siano: Fix error handling in smsdvb_module_init()
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Can, Ricardo Ribalda,
Hans Verkuil
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuan Can <yuancan@huawei.com>
commit 734ac57e47b3bdd140a1119e2c4e8e6f8ef8b33d upstream.
The smsdvb_module_init() returns without checking the retval from
smscore_register_hotplug().
If the smscore_register_hotplug() failed, the module failed to install,
leaving the smsdvb_debugfs not unregistered.
Fixes: 3f6b87cff66b ("[media] siano: allow showing the complete statistics via debugfs")
Cc: stable@vger.kernel.org
Signed-off-by: Yuan Can <yuancan@huawei.com>
Acked-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/common/siano/smsdvb-main.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/common/siano/smsdvb-main.c
+++ b/drivers/media/common/siano/smsdvb-main.c
@@ -1210,6 +1210,8 @@ static int __init smsdvb_module_init(voi
smsdvb_debugfs_register();
rc = smscore_register_hotplug(smsdvb_hotplug);
+ if (rc)
+ smsdvb_debugfs_unregister();
pr_debug("\n");
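Review bot: the new `if (rc)` branch after smscore_register_hotplug() undoes smsdvb_debugfs_register(), but the hunk does not show rc being returned, so the fix only holds if the function goes on to `return rc;`. That is worth confirming in the 5.10 tree. The `pr_debug("\n")` that follows logs an empty line and could report rc instead.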
* [PATCH 5.10 058/286] xenfs/xensyms: respect hypervisors "next" indication
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jan Beulich, Juergen Gross
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Beulich <jbeulich@suse.com>
commit 5c4e79e29a9fe4ea132118ac40c2bc97cfe23077 upstream.
The interface specifies the symnum field as an input and output; the
hypervisor sets it to the next sequential symbol's index. xensyms_next()
incrementing the position explicitly (and xensyms_next_sym()
decrementing it to "rewind") is only correct as long as the sequence of
symbol indexes is non-sparse. Use the hypervisor-supplied value instead
to update the position in xensyms_next(), and use the saved incoming
index in xensyms_next_sym().
Cc: stable@kernel.org
Fixes: a11f4f0a4e18 ("xen: xensyms support")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Message-ID: <15d5e7fa-ec5d-422f-9319-d28bed916349@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/xenfs/xensyms.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/xen/xenfs/xensyms.c
+++ b/drivers/xen/xenfs/xensyms.c
@@ -48,7 +48,7 @@ static int xensyms_next_sym(struct xensy
return -ENOMEM;
set_xen_guest_handle(symdata->name, xs->name);
- symdata->symnum--; /* Rewind */
+ symdata->symnum = symnum; /* Rewind */
ret = HYPERVISOR_platform_op(&xs->op);
if (ret < 0)
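Review bot: `symdata->symnum = symnum;` depends on a local symnum holding the caller's index, and neither its declaration nor the point where it is captured is visible in this hunk. It has to be saved before the first HYPERVISOR_platform_op() call overwrites the field, so check that the 5.10 function already has that local. The "/* Rewind */" comment could also say that the hypervisor advances symnum on output, since that is why the saved value is needed.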
@@ -78,7 +78,7 @@ static void *xensyms_next(struct seq_fil
{
struct xensyms *xs = (struct xensyms *)m->private;
- xs->op.u.symdata.symnum = ++(*pos);
+ *pos = xs->op.u.symdata.symnum;
if (xensyms_next_sym(xs))
return NULL;
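Review bot: in xensyms_next() the line `*pos = xs->op.u.symdata.symnum;` takes the seq_file position from a value written by the hypervisor, and stores it before xensyms_next_sym() runs, so *pos changes even when that call fails and NULL is returned. seq_file expects ->next to move the position forward on every call. A short comment stating that the hypervisor's index is strictly increasing, or a check that the new value is greater than the old *pos, would document that assumption.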
* [PATCH 5.10 059/286] arm64: cputype: Add MIDR_CORTEX_A76AE
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Douglas Anderson, Catalin Marinas
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit a9b5bd81b294d30a747edd125e9f6aef2def7c79 upstream.
From the TRM, MIDR_CORTEX_A76AE has a partnum of 0xDOE and an
implementor of 0x41 (ARM). Add the values.
Cc: stable@vger.kernel.org # dependency of the next fix in the series
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20250107120555.v4.4.I151f3b7ee323bcc3082179b8c60c3cd03308aa94@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -74,6 +74,7 @@
#define ARM_CPU_PART_CORTEX_A76 0xD0B
#define ARM_CPU_PART_NEOVERSE_N1 0xD0C
#define ARM_CPU_PART_CORTEX_A77 0xD0D
+#define ARM_CPU_PART_CORTEX_A76AE 0xD0E
#define ARM_CPU_PART_NEOVERSE_V1 0xD40
#define ARM_CPU_PART_CORTEX_A78 0xD41
#define ARM_CPU_PART_CORTEX_A78AE 0xD42
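Review bot: the define added here is `ARM_CPU_PART_CORTEX_A76AE 0xD0E` with a digit zero, while the commit message gives the part number as 0xDOE with a letter O. The code value fits the sequence 0xD0B, 0xD0C, 0xD0D above it, so only the message needs correcting. No user of the new define appears in this patch, which matches the Cc note that it is a dependency of the next fix.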
@@ -137,6 +138,7 @@
#define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76)
#define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1)
#define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77)
+#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE)
#define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1)
#define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78)
#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE)
* [PATCH 5.10 060/286] arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Bauer, Douglas Anderson,
Trilok Soni, Catalin Marinas
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit ed1ce841245d8febe3badf51c57e81c3619d0a1d upstream.
Qualcomm Kryo 400-series Gold cores have a derivative of an ARM Cortex
A76 in them. Since A76 needs Spectre mitigation via looping then the
Kryo 400-series Gold cores also need Spectre mitigation via looping.
Qualcomm has confirmed that the proper "k" value for Kryo 400-series
Gold cores is 24.
Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
Cc: stable@vger.kernel.org
Cc: Scott Bauer <sbauer@quicinc.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
Link: https://lore.kernel.org/r/20250107120555.v4.1.Ie4ef54abe02e7eb0eee50f830575719bf23bda48@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/proton-pack.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -874,6 +874,7 @@ u8 spectre_bhb_loop_affected(int scope)
MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
{},
};
static const struct midr_range spectre_bhb_k11_list[] = {
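Review bot: the added `MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD)` entry is tied to the k = 24 list only by the subject line. The hunk header names spectre_bhb_loop_affected() and the list's declaration is outside the context, with spectre_bhb_k11_list starting right after. Because a stable backport applies with shifted offsets, confirm that the entry landed in spectre_bhb_k24_list and that MIDR_QCOM_KRYO_4XX_GOLD is defined in the 5.10 cputype.h.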
* [PATCH 5.10 061/286] spi: cadence-qspi: Fix probe on AM62A LP SK
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Mark Brown
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit b8665a1b49f5498edb7b21d730030c06b7348a3c upstream.
In 2020, there's been an unnoticed change which rightfully attempted to
report probe deferrals upon DMA absence by checking the return value of
dma_request_chan_by_mask(). By doing so, it also reported errors which
were simply ignored otherwise, likely on purpose.
This change actually turned a void return into an error code. Hence, not
only the -EPROBE_DEFER error codes but all error codes got reported to
the callers, now failing to probe in the absence of Rx DMA channel,
despite the fact that DMA seems to not be supported natively by many
implementations.
Looking at the history, this change probably led to:
ad2775dc3fc5 ("spi: cadence-quadspi: Disable the DAC for Intel LGM SoC")
f724c296f2f2 ("spi: cadence-quadspi: fix Direct Access Mode disable for SoCFPGA")
In my case, the AM62A LP SK core octo-SPI node from TI does not
advertise any DMA channel, hinting that there is likely no support for
it, but yet when the support for the am654 compatible was added, DMA
seemed to be used, so just discarding its use with the
CQSPI_DISABLE_DAC_MODE quirk for this compatible does not seem the
correct approach.
Let's change the return condition back to:
- return a probe deferral error if we get one
- ignore the return value otherwise
The "error" log level was however likely too high for something that is
expected to fail, so let's lower it arbitrarily to the info level.
Fixes: 935da5e5100f ("mtd: spi-nor: cadence-quadspi: Handle probe deferral while requesting DMA channel")
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20250305200933.2512925-2-miquel.raynal@bootlin.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-cadence-quadspi.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -1120,6 +1120,12 @@ static int cqspi_request_mmap_dma(struct
if (IS_ERR(cqspi->rx_chan)) {
int ret = PTR_ERR(cqspi->rx_chan);
cqspi->rx_chan = NULL;
+ if (ret == -ENODEV) {
+ /* DMA support is not mandatory */
+ dev_info(&cqspi->pdev->dev, "No Rx DMA available\n");
+ return 0;
+ }
+
return dev_err_probe(&cqspi->pdev->dev, ret, "No Rx DMA available\n");
}
init_completion(&cqspi->rx_dma_complete);
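Review bot: the new branch in cqspi_request_mmap_dma() returns 0 only for `ret == -ENODEV`, while the commit message describes returning probe deferrals and ignoring every other return value. Any other error code still reaches dev_err_probe() and fails the probe. The message and the condition should be brought into line. The two identical "No Rx DMA available" strings would also be easier to tell apart in logs if the informational one said that DMA is optional.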
* [PATCH 5.10 062/286] mtd: rawnand: brcmnand: fix PM resume warning
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kamal Dasu, Florian Fainelli,
Miquel Raynal
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamal Dasu <kamal.dasu@broadcom.com>
commit ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 upstream.
Fixed warning on PM resume as shown below caused due to uninitialized
struct nand_operation that checks chip select field:
WARN_ON(op->cs >= nanddev_ntargets(&chip->base)
[ 14.588522] ------------[ cut here ]------------
[ 14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8
[ 14.588553] Modules linked in: bdc udc_core
[ 14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G W 6.14.0-rc4-g5394eea10651 #16
[ 14.588590] Tainted: [W]=WARN
[ 14.588593] Hardware name: Broadcom STB (Flattened Device Tree)
[ 14.588598] Call trace:
[ 14.588604] dump_backtrace from show_stack+0x18/0x1c
[ 14.588622] r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c
[ 14.588625] show_stack from dump_stack_lvl+0x70/0x7c
[ 14.588639] dump_stack_lvl from dump_stack+0x18/0x1c
[ 14.588653] r5:c08d40b0 r4:c1003cb0
[ 14.588656] dump_stack from __warn+0x84/0xe4
[ 14.588668] __warn from warn_slowpath_fmt+0x18c/0x194
[ 14.588678] r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000
[ 14.588681] warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8
[ 14.588695] r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048
[ 14.588697] nand_reset_op from brcmnand_resume+0x13c/0x150
[ 14.588714] r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040
[ 14.588717] brcmnand_resume from platform_pm_resume+0x34/0x54
[ 14.588735] r5:00000010 r4:c0840a50
[ 14.588738] platform_pm_resume from dpm_run_callback+0x5c/0x14c
[ 14.588757] dpm_run_callback from device_resume+0xc0/0x324
[ 14.588776] r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010
[ 14.588779] device_resume from dpm_resume+0x130/0x160
[ 14.588799] r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0
[ 14.588802] dpm_resume from dpm_resume_end+0x14/0x20
[ 14.588822] r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414
[ 14.588826] r4:00000010
[ 14.588828] dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8
[ 14.588848] r5:c228a414 r4:00000000
[ 14.588851] suspend_devices_and_enter from pm_suspend+0x228/0x2bc
[ 14.588868] r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000
[ 14.588871] r4:00000003
[ 14.588874] pm_suspend from state_store+0x74/0xd0
[ 14.588889] r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003
[ 14.588892] state_store from kobj_attr_store+0x1c/0x28
[ 14.588913] r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250
[ 14.588916] kobj_attr_store from sysfs_kf_write+0x40/0x4c
[ 14.588936] r5:c3502900 r4:c0d92a48
[ 14.588939] sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0
[ 14.588956] r5:c3502900 r4:c3501f40
[ 14.588960] kernfs_fop_write_iter from vfs_write+0x250/0x420
[ 14.588980] r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00
[ 14.588983] r4:c042a88c
[ 14.588987] vfs_write from ksys_write+0x74/0xe4
[ 14.589005] r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00
[ 14.589008] r4:c34f7f00
[ 14.589011] ksys_write from sys_write+0x10/0x14
[ 14.589029] r7:00000004 r6:004421c0 r5:00443398 r4:00000004
[ 14.589032] sys_write from ret_fast_syscall+0x0/0x5c
[ 14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0)
[ 14.589050] 9fa0: 00000004 00443398 00000004 00443398 00000004 00000001
[ 14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78
[ 14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8
[ 14.589065] ---[ end trace 0000000000000000 ]---
The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when
doing PM resume operation in compliance with the controller support for single
die nand chip. Switching from nand_reset_op() to nand_reset() implies more
than just setting the cs field op->cs, it also reconfigures the data interface
(ie. the timings). Tested and confirmed the NAND chip is in sync timing wise
with host after the fix.
Fixes: 97d90da8a886 ("mtd: nand: provide several helpers to do common NAND operations")
Cc: stable@vger.kernel.org
Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
@@ -2914,7 +2914,7 @@ static int brcmnand_resume(struct device
brcmnand_save_restore_cs_config(host, 1);
/* Reset the chip, required by some chips after power-up */
- nand_reset_op(chip);
+ nand_reset(chip, 0);
}
return 0;
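Review bot: `nand_reset(chip, 0);` discards the return value and brcmnand_resume() goes on to `return 0;`, so a failed reset or timing reconfiguration on resume is not reported. Checking the result and at least logging it would help. The hard-coded chip number 0 also deserves a comment that it relies on the single-die assumption stated in the commit message.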
* [PATCH 5.10 063/286] media: streamzap: prevent processing IR data on URB failure
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Murad Masimov, Sean Young,
Hans Verkuil
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
commit 549f6d348167fb2f7800ed7c8d4bce9630c74498 upstream.
If streamzap_callback() receives an urb with any non-critical error
status, i.e. any error code other than -ECONNRESET, -ENOENT or -ESHUTDOWN,
it will try to process IR data, ignoring a possible transfer failure.
Make streamzap_callback() process IR data only when urb->status is 0.
Move processing logic to a separate function to make code cleaner and
more similar to the URB completion handlers in other RC drivers.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 19770693c354 ("V4L/DVB: staging/lirc: add lirc_streamzap driver")
Cc: stable@vger.kernel.org
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/streamzap.c | 68 ++++++++++++++++++++++++-------------------
1 file changed, 38 insertions(+), 30 deletions(-)
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -179,39 +179,10 @@ static void sz_push_half_space(struct st
sz_push_full_space(sz, value & SZ_SPACE_MASK);
}
-/*
- * streamzap_callback - usb IRQ handler callback
- *
- * This procedure is invoked on reception of data from
- * the usb remote.
- */
-static void streamzap_callback(struct urb *urb)
+static void sz_process_ir_data(struct streamzap_ir *sz, int len)
{
- struct streamzap_ir *sz;
unsigned int i;
- int len;
-
- if (!urb)
- return;
-
- sz = urb->context;
- len = urb->actual_length;
-
- switch (urb->status) {
- case -ECONNRESET:
- case -ENOENT:
- case -ESHUTDOWN:
- /*
- * this urb is terminated, clean up.
- * sz might already be invalid at this point
- */
- dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
- return;
- default:
- break;
- }
- dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
for (i = 0; i < len; i++) {
dev_dbg(sz->dev, "sz->buf_in[%d]: %x\n",
i, (unsigned char)sz->buf_in[i]);
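Review bot: the new helper sz_process_ir_data() takes `int len` but keeps `unsigned int i` for the loop, so `i < len` compares unsigned with signed. Declaring len as unsigned int in the helper would keep the comparison in one type.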
@@ -264,6 +235,43 @@ static void streamzap_callback(struct ur
}
ir_raw_event_handle(sz->rdev);
+}
+
+/*
+ * streamzap_callback - usb IRQ handler callback
+ *
+ * This procedure is invoked on reception of data from
+ * the usb remote.
+ */
+static void streamzap_callback(struct urb *urb)
+{
+ struct streamzap_ir *sz;
+ int len;
+
+ if (!urb)
+ return;
+
+ sz = urb->context;
+ len = urb->actual_length;
+
+ switch (urb->status) {
+ case 0:
+ dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
+ sz_process_ir_data(sz, len);
+ break;
+ case -ECONNRESET:
+ case -ENOENT:
+ case -ESHUTDOWN:
+ /*
+ * this urb is terminated, clean up.
+ * sz might already be invalid at this point
+ */
+ dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
+ return;
+ default:
+ break;
+ }
+
usb_submit_urb(urb, GFP_ATOMIC);
return;
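Review bot: in the rewritten switch the `default:` branch skips processing but neither logs urb->status nor checks the result of the usb_submit_urb() that follows, so a device that keeps returning errors is resubmitted silently. A dev_dbg or ratelimited message in the default case would make that visible. The comment "sz might already be invalid at this point" is also carried over directly above a dev_err() that dereferences sz->dev.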
* [PATCH 5.10 064/286] media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf()
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Karina Yankevich, Sergey Shtylyov,
Hans Verkuil
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karina Yankevich <k.yankevich@omp.ru>
commit 3edd1fc48d2c045e8259561797c89fe78f01717e upstream.
In v4l2_detect_gtf(), it seems safer to cast the 32-bit image_width
variable to the 64-bit type u64 before multiplying to avoid
a possible overflow. The resulting object code even seems to
look better, at least on x86_64.
Found by Linux Verification Center (linuxtesting.org) with Svace.
[Sergey: rewrote the patch subject/description]
Fixes: c9bc9f50753d ("[media] v4l2-dv-timings: fix overflow in gtf timings calculation")
Cc: stable@vger.kernel.org
Signed-off-by: Karina Yankevich <k.yankevich@omp.ru>
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/v4l2-core/v4l2-dv-timings.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
+++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
@@ -764,7 +764,7 @@ bool v4l2_detect_gtf(unsigned int frame_
u64 num;
u32 den;
- num = ((image_width * GTF_D_C_PRIME * (u64)hfreq) -
+ num = (((u64)image_width * GTF_D_C_PRIME * hfreq) -
((u64)image_width * GTF_D_M_PRIME * 1000));
den = (hfreq * (100 - GTF_D_C_PRIME) + GTF_D_M_PRIME * 1000) *
(2 * GTF_CELL_GRAN);
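Review bot: moving the cast to `(u64)image_width` widens num, but `den` in the same block is still declared u32 and computed as `(hfreq * (100 - GTF_D_C_PRIME) + GTF_D_M_PRIME * 1000) * (2 * GTF_CELL_GRAN)`. The removed `(u64)hfreq` cast shows hfreq is narrower than 64 bits, so that product is evaluated without widening. The commit message does not say whether it was checked for the same overflow, and a sentence on the expected range of hfreq would settle it.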
@@ -774,7 +774,7 @@ bool v4l2_detect_gtf(unsigned int frame_
u64 num;
u32 den;
- num = ((image_width * GTF_S_C_PRIME * (u64)hfreq) -
+ num = (((u64)image_width * GTF_S_C_PRIME * hfreq) -
((u64)image_width * GTF_S_M_PRIME * 1000));
den = (hfreq * (100 - GTF_S_C_PRIME) + GTF_S_M_PRIME * 1000) *
(2 * GTF_CELL_GRAN);
* [PATCH 5.10 065/286] media: i2c: ov7251: Set enable GPIO low in probe
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Dave Stevenson,
Hans Verkuil
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit a1963698d59cec83df640ded343af08b76c8e9c5 upstream.
Set the enable GPIO low when acquiring it.
Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov7251.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/i2c/ov7251.c
+++ b/drivers/media/i2c/ov7251.c
@@ -1330,7 +1330,7 @@ static int ov7251_probe(struct i2c_clien
return PTR_ERR(ov7251->analog_regulator);
}
- ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_HIGH);
+ ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_LOW);
if (IS_ERR(ov7251->enable_gpio)) {
dev_err(dev, "cannot get enable gpio\n");
return PTR_ERR(ov7251->enable_gpio);
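Review bot: the commit message for the switch to GPIOD_OUT_LOW in devm_gpiod_get() says what changes but not what went wrong with GPIOD_OUT_HIGH. For a stable backport it should state the observable effect of requesting the line high at probe. GPIOD_OUT_LOW is the logical inactive state, so the physical level still depends on the polarity given in the firmware description.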
* [PATCH 5.10 066/286] media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Dave Stevenson,
Hans Verkuil
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 3d391292cdd53984ec1b9a1f6182a62a62751e03 upstream.
Lift the xshutdown (enable) GPIO 1 ms after enabling the regulators, as
required by the sensor's power-up sequence.
Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov7251.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/i2c/ov7251.c
+++ b/drivers/media/i2c/ov7251.c
@@ -748,6 +748,8 @@ static int ov7251_set_power_on(struct ov
return ret;
}
+ usleep_range(1000, 1100);
+
gpiod_set_value_cansleep(ov7251->enable_gpio, 1);
/* wait at least 65536 external clock cycles */
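Review bot: the added `usleep_range(1000, 1100);` in ov7251_set_power_on() has no comment, unlike the "wait at least 65536 external clock cycles" delay just below it. A one-line comment naming the 1 ms regulator-to-enable requirement from the power-up sequence would keep the reason next to the number.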
* [PATCH 5.10 067/286] media: venus: hfi_parser: add check to avoid out of bound access
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Vikash Garodia,
Hans Verkuil
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
commit 172bf5a9ef70a399bb227809db78442dc01d9e48 upstream.
There is a possibility that init_codecs is invoked multiple times during
manipulated payload from video firmware. In such case, if codecs_count
can get incremented to value more than MAX_CODEC_NUM, there can be OOB
access. Reset the count so that it always starts from beginning.
Cc: stable@vger.kernel.org
Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_parser.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -19,6 +19,8 @@ static void init_codecs(struct venus_cor
struct venus_caps *caps = core->caps, *cap;
unsigned long bit;
+ core->codecs_count = 0;
+
if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM)
return;
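Review bot: `core->codecs_count = 0;` is placed ahead of the hweight_long() check, so when that check takes the early return the count is left at zero while core->caps keeps whatever an earlier call stored. Confirm that callers treat that state as "no codecs". The reset also bounds the count only indirectly, through the dec_codecs and enc_codecs masks. An explicit limit against MAX_CODEC_NUM where codecs_count is incremented would be a sturdier guard against a firmware payload that triggers this path repeatedly.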
* [PATCH 5.10 068/286] net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Behún, Andrew Lunn,
Jakub Kicinski
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Behún <kabel@kernel.org>
commit 1ebc8e1ef906db9c08e9abe9776d85ddec837725 upstream.
Implement the workaround for erratum
3.3 RGMII timing may be out of spec when transmit delay is enabled
for the 6320 family, which says:
When transmit delay is enabled via Port register 1 bit 14 = 1, duty
cycle may be out of spec. Under very rare conditions this may cause
the attached device receive CRC errors.
Signed-off-by: Marek Behún <kabel@kernel.org>
Cc: <stable@vger.kernel.org> # 5.4.x
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250317173250.28780-8-kabel@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/mv88e6xxx/chip.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -2832,6 +2832,21 @@ static int mv88e6xxx_stats_setup(struct
return mv88e6xxx_g1_stats_clear(chip);
}
+static int mv88e6320_setup_errata(struct mv88e6xxx_chip *chip)
+{
+ u16 dummy;
+ int err;
+
+ /* Workaround for erratum
+ * 3.3 RGMII timing may be out of spec when transmit delay is enabled
+ */
+ err = mv88e6xxx_port_hidden_write(chip, 0, 0xf, 0x7, 0xe000);
+ if (err)
+ return err;
+
+ return mv88e6xxx_port_hidden_read(chip, 0, 0xf, 0x7, &dummy);
+}
+
/* Check if the errata has already been applied. */
static bool mv88e6390_setup_errata_applied(struct mv88e6xxx_chip *chip)
{
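Review bot: mv88e6320_setup_errata() passes bare constants to `mv88e6xxx_port_hidden_write(chip, 0, 0xf, 0x7, 0xe000)` and then reads the same location back into an unused `dummy`. The comment names the erratum but not what each argument selects or why the read-back is needed. Named constants or a comment per argument would make the workaround reviewable without the errata sheet.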
@@ -4122,6 +4137,7 @@ static const struct mv88e6xxx_ops mv88e6
static const struct mv88e6xxx_ops mv88e6320_ops = {
/* MV88E6XXX_FAMILY_6320 */
+ .setup_errata = mv88e6320_setup_errata,
.ieee_pri_map = mv88e6085_g1_ieee_pri_map,
.ip_pri_map = mv88e6085_g1_ip_pri_map,
.irl_init_all = mv88e6352_g2_irl_init_all,
@@ -4164,6 +4180,7 @@ static const struct mv88e6xxx_ops mv88e6
static const struct mv88e6xxx_ops mv88e6321_ops = {
/* MV88E6XXX_FAMILY_6320 */
+ .setup_errata = mv88e6320_setup_errata,
.ieee_pri_map = mv88e6085_g1_ieee_pri_map,
.ip_pri_map = mv88e6085_g1_ip_pri_map,
.irl_init_all = mv88e6352_g2_irl_init_all,
* [PATCH 5.10 069/286] mtd: Replace kcalloc() with devm_kcalloc()
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Miquel Raynal
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 1b61a59876f0eafc19b23007c522ee407f55dbec upstream.
Replace kcalloc() with devm_kcalloc() to prevent memory leaks in case of
errors.
Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk")
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/mtdpstore.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/mtd/mtdpstore.c
+++ b/drivers/mtd/mtdpstore.c
@@ -417,11 +417,11 @@ static void mtdpstore_notify_add(struct
}
longcnt = BITS_TO_LONGS(div_u64(mtd->size, info->kmsg_size));
- cxt->rmmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
- cxt->usedmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+ cxt->rmmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
+ cxt->usedmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize));
- cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+ cxt->badmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
cxt->dev.total_size = mtd->size;
/* just support dmesg right now */
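Review bot: none of the three devm_kcalloc() results (cxt->rmmap, cxt->usedmap, cxt->badmap) is checked for NULL before the function carries on to set cxt->dev.total_size. The missing check predates this change, but since these lines are being touched anyway, a bail-out on allocation failure would fit here; with the devm conversion such an early return no longer needs to unwind the earlier allocations by hand.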
@@ -527,9 +527,6 @@ static void mtdpstore_notify_remove(stru
mtdpstore_flush_removed(cxt);
unregister_pstore_device(&cxt->dev);
- kfree(cxt->badmap);
- kfree(cxt->usedmap);
- kfree(cxt->rmmap);
cxt->mtd = NULL;
cxt->index = -1;
}
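Review bot: with the kfree() calls gone from mtdpstore_notify_remove(), cxt->badmap, cxt->usedmap and cxt->rmmap keep pointing at memory whose lifetime is now tied to &mtd->dev, while cxt->mtd is reset to NULL on the next line. Setting the three pointers to NULL here would avoid stale pointers once the device is released. The changelog should also say whether notify_add can run again for the same mtd before that release, since each run would allocate a fresh set that stays allocated until the device goes away.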
* [PATCH 5.10 070/286] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 069/286] mtd: Replace kcalloc() with devm_kcalloc() Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 071/286] wifi: mac80211: fix integer overflow in hwmp_route_info_get() Greg Kroah-Hartman
` (220 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Torgue, Fabrice Gasnier,
Daniel Lezcano
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Torgue <alexandre.torgue@foss.st.com>
commit 96bf4b89a6ab22426ad83ef76e66c72a5a8daca0 upstream.
"wakeup-source" property describes a device which has wakeup capability
but should not force this device as a wakeup source.
Fixes: 48b41c5e2de6 ("clocksource: Add Low Power STM32 timers driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
Rule: add
Link: https://lore.kernel.org/stable/20250306083407.2374894-1-fabrice.gasnier%40foss.st.com
Link: https://lore.kernel.org/r/20250306102501.2980153-1-fabrice.gasnier@foss.st.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clocksource/timer-stm32-lp.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/clocksource/timer-stm32-lp.c
+++ b/drivers/clocksource/timer-stm32-lp.c
@@ -168,9 +168,7 @@ static int stm32_clkevent_lp_probe(struc
}
if (of_property_read_bool(pdev->dev.parent->of_node, "wakeup-source")) {
- ret = device_init_wakeup(&pdev->dev, true);
- if (ret)
- goto out_clk_disable;
+ device_set_wakeup_capable(&pdev->dev, true);
ret = dev_pm_set_wake_irq(&pdev->dev, irq);
if (ret)
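Review bot: replacing device_init_wakeup(&pdev->dev, true) with device_set_wakeup_capable() means the device is only marked wakeup-capable and is no longer enabled as a wakeup source by default, so systems that relied on the old default have to enable wakeup themselves once this lands. The changelog should state that behaviour change explicitly for stable users. Dropping the `ret` check is right, since device_set_wakeup_capable() returns void.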
* [PATCH 5.10 071/286] wifi: mac80211: fix integer overflow in hwmp_route_info_get()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 070/286] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 072/286] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Greg Kroah-Hartman
` (219 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilia Gavrilov, Johannes Berg
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
commit d00c0c4105e5ab8a6a13ed23d701cceb285761fa upstream.
Since the new_metric and last_hop_metric variables can reach
the MAX_METRIC(0xffffffff) value, an integer overflow may occur
when multiplying them by 10/9. It can lead to incorrect behavior.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: a8d418d9ac25 ("mac80211: mesh: only switch path when new metric is at least 10% better")
Cc: stable@vger.kernel.org
Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
Link: https://patch.msgid.link/20250212082124.4078236-1-Ilia.Gavrilov@infotecs.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/mesh_hwmp.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -360,6 +360,12 @@ u32 airtime_link_metric_get(struct ieee8
return (u32)result;
}
+/* Check that the first metric is at least 10% better than the second one */
+static bool is_metric_better(u32 x, u32 y)
+{
+ return (x < y) && (x < (y - x / 10));
+}
+
/**
* hwmp_route_info_get - Update routing info to originator and transmitter
*
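Review bot: is_metric_better() does not implement the same threshold as the code it replaces: `x < (y - x / 10)` is x * 11/10 < y, whereas the old `mult_frac(x, 10, 9) >= y` compared against x * 10/9. The difference is small, but the comment ("at least 10% better") should say which quantity the 10% is taken of. It is also worth a line noting that the leading `x < y` test is what keeps `y - x / 10` from wrapping.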
@@ -450,8 +456,8 @@ static u32 hwmp_route_info_get(struct ie
(mpath->sn == orig_sn &&
(rcu_access_pointer(mpath->next_hop) !=
sta ?
- mult_frac(new_metric, 10, 9) :
- new_metric) >= mpath->metric)) {
+ !is_metric_better(new_metric, mpath->metric) :
+ new_metric >= mpath->metric))) {
process = false;
fresh_info = false;
}
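Review bot: the ternary in this hunk now yields a boolean, with `!is_metric_better(new_metric, mpath->metric)` in one arm and `new_metric >= mpath->metric` in the other, and it is buried inside the existing multi-line condition where the only visible sign of the restructuring is one extra closing parenthesis. Hoisting the ternary into a local bool before the `if` would make it much easier to confirm that the grouping matches the original; the same applies to the last_hop_metric site in the next hunk.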
@@ -521,8 +527,8 @@ static u32 hwmp_route_info_get(struct ie
if ((mpath->flags & MESH_PATH_FIXED) ||
((mpath->flags & MESH_PATH_ACTIVE) &&
((rcu_access_pointer(mpath->next_hop) != sta ?
- mult_frac(last_hop_metric, 10, 9) :
- last_hop_metric) > mpath->metric)))
+ !is_metric_better(last_hop_metric, mpath->metric) :
+ last_hop_metric > mpath->metric))))
fresh_info = false;
} else {
mpath = mesh_path_add(sdata, ta);
* [PATCH 5.10 072/286] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 071/286] wifi: mac80211: fix integer overflow in hwmp_route_info_get() Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 073/286] ext4: fix off-by-one error in do_split Greg Kroah-Hartman
` (218 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Vinod Koul,
Pierre-Louis Bossart, Alexey Klimov, Mark Brown
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Klimov <alexey.klimov@linaro.org>
commit 7eccc86e90f04a0d758d16c08627a620ac59604d upstream.
In case of attempts to compress playback something, for instance,
when audio routing is not set up correctly, the audio DSP is left in
inconsistent state because we are not doing the correct things in
the error path of q6asm_dai_compr_set_params().
So, when routing is not set up and compress playback is attempted
the following errors are present (simplified log):
q6routing routing: Routing not setup for MultiMedia-1 Session
q6asm-dai dais: Stream reg failed ret:-22
q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
on 17300000.remoteproc:glink-edge:apr:service@7:dais
After setting the correct routing the compress playback will always fail:
q6asm-dai dais: cmd = 0x10db3 returned error = 0x9
q6asm-dai dais: DSP returned error[9]
q6asm-dai dais: q6asm_open_write failed
q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
on 17300000.remoteproc:glink-edge:apr:service@7:dais
0x9 here means "Operation is already processed". The CMD_OPEN here was
sent the second time hence DSP responds that it was already done.
Turns out the CMD_CLOSE should be sent after the q6asm_open_write()
succeeded but something failed after that, for instance, routing
setup.
Fix this by slightly reworking the error path in
q6asm_dai_compr_set_params().
Tested on QRB5165 RB5 and SDM845 RB3 boards.
Cc: stable@vger.kernel.org
Fixes: 5b39363e54cc ("ASoC: q6asm-dai: prepare set params to accept profile change")
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: Vinod Koul <vkoul@kernel.org>
Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Alexey Klimov <alexey.klimov@linaro.org>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://patch.msgid.link/20250327154650.337404-1-alexey.klimov@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -916,9 +916,7 @@ static int q6asm_dai_compr_set_params(st
if (ret < 0) {
dev_err(dev, "q6asm_open_write failed\n");
- q6asm_audio_client_free(prtd->audio_client);
- prtd->audio_client = NULL;
- return ret;
+ goto open_err;
}
}
@@ -927,7 +925,7 @@ static int q6asm_dai_compr_set_params(st
prtd->session_id, dir);
if (ret) {
dev_err(dev, "Stream reg failed ret:%d\n", ret);
- return ret;
+ goto q6_err;
}
ret = __q6asm_dai_compr_set_codec_params(component, stream,
@@ -935,7 +933,7 @@ static int q6asm_dai_compr_set_params(st
prtd->stream_id);
if (ret) {
dev_err(dev, "codec param setup failed ret:%d\n", ret);
- return ret;
+ goto q6_err;
}
ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
@@ -944,12 +942,21 @@ static int q6asm_dai_compr_set_params(st
if (ret < 0) {
dev_err(dev, "Buffer Mapping failed ret:%d\n", ret);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto q6_err;
}
prtd->state = Q6ASM_STREAM_RUNNING;
return 0;
+
+q6_err:
+ q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
+
+open_err:
+ q6asm_audio_client_free(prtd->audio_client);
+ prtd->audio_client = NULL;
+ return ret;
}
static int q6asm_dai_compr_set_metadata(struct snd_soc_component *component,
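Review bot: every failure after the open now lands on q6_err, which sends CMD_CLOSE and then frees prtd->audio_client, but the q6asm_open_write() failure path in the first hunk sits inside a nested block, so the open may not have run in this invocation. If set_params can reach the stream-register step without having opened the stream, this path closes a stream it did not open; please confirm that cannot happen, or track whether the open took place. The return value of q6asm_cmd() at q6_err is also dropped, and a dev_err() there would help diagnose a DSP that refuses the close.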
* [PATCH 5.10 073/286] ext4: fix off-by-one error in do_split
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 072/286] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 074/286] vdpa/mlx5: Fix oversized null mkey longer than 32bit Greg Kroah-Hartman
` (217 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Artem Sadovnikov, Jan Kara,
Theodore Tso
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d upstream.
Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
caused by out-of-bounds access due to incorrect splitting in do_split.
BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847
CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
vfs_symlink+0x137/0x2e0 fs/namei.c:4615
do_symlinkat+0x222/0x3a0 fs/namei.c:4641
__do_sys_symlink fs/namei.c:4662 [inline]
__se_sys_symlink fs/namei.c:4660 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
The following loop is located right above the 'if' statement.
    for (i = count-1; i >= 0; i--) {
        /* is more than half of this entry in 2nd half of the block? */
        if (size + map[i].size/2 > blocksize/2)
            break;
        size += map[i].size;
        move++;
    }
'i' in this case could go down to -1, in which case sum of active entries
wouldn't exceed half the block size, but previous behaviour would also do
split in half if sum would exceed at the very last block, which in case of
having too many long name files in a single block could lead to
out-of-bounds access and following use-after-free.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Cc: stable@vger.kernel.org
Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()")
Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -1930,7 +1930,7 @@ static struct ext4_dir_entry_2 *do_split
* split it in half by count; each resulting block will have at least
* half the space free.
*/
- if (i > 0)
+ if (i >= 0)
split = count - move;
else
split = count/2;
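Review bot: the new `if (i >= 0)` test only makes sense knowing how the preceding loop leaves `i`, and that loop is outside the hunk: `i` is -1 only when the loop ran over every entry without hitting its `break`. The comment above the test describes the split policy but not that invariant, so a short addition such as "i == -1 means no entry crossed the half-block mark" would keep the next off-by-one from creeping back in.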
* [PATCH 5.10 074/286] vdpa/mlx5: Fix oversized null mkey longer than 32bit
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 073/286] ext4: fix off-by-one error in do_split Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 075/286] i3c: Add NULL pointer check in i3c_master_queue_ibi() Greg Kroah-Hartman
` (216 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cong Meng, Si-Wei Liu,
Dragos Tatulea, Eugenio Pérez, Michael S. Tsirkin,
Jason Wang
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Si-Wei Liu <si-wei.liu@oracle.com>
commit a6097e0a54a5c24f8d577ffecbc35289ae281c2e upstream.
create_user_mr() has correct code to count the number of null keys
used to fill in a hole for the memory map. However, fill_indir()
does not follow the same to cap the range up to the 1GB limit
correspondingly. Fill in more null keys for the gaps in between,
so that null keys are correctly populated.
Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code")
Cc: stable@vger.kernel.org
Reported-by: Cong Meng <cong.meng@oracle.com>
Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <20250220193732.521462-2-dtatulea@nvidia.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vdpa/mlx5/core/mr.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/vdpa/mlx5/core/mr.c
+++ b/drivers/vdpa/mlx5/core/mr.c
@@ -165,9 +165,12 @@ again:
klm->bcount = cpu_to_be32(klm_bcount(dmr->end - dmr->start));
preve = dmr->end;
} else {
+ u64 bcount = min_t(u64, dmr->start - preve, MAX_KLM_SIZE);
+
klm->key = cpu_to_be32(mvdev->res.null_mkey);
- klm->bcount = cpu_to_be32(klm_bcount(dmr->start - preve));
- preve = dmr->start;
+ klm->bcount = cpu_to_be32(klm_bcount(bcount));
+ preve += bcount;
+
goto again;
}
}
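Review bot: `min_t(u64, dmr->start - preve, MAX_KLM_SIZE)` assumes dmr->start is ahead of preve whenever this else branch runs. The branch condition is not visible in the hunk, so if it can ever be taken with preve past dmr->start, the u64 subtraction wraps, bcount is clamped to MAX_KLM_SIZE, and the `goto again` loop keeps emitting null-key entries. A WARN_ON_ONCE(preve > dmr->start) or a comment stating the ordering guarantee would make the loop's termination obvious, and a note that the number of entries written here must match what create_user_mr() counts would tie the two together.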
* [PATCH 5.10 075/286] i3c: Add NULL pointer check in i3c_master_queue_ibi()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 074/286] vdpa/mlx5: Fix oversized null mkey longer than 32bit Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 076/286] jbd2: remove wrong sb->s_sequence check Greg Kroah-Hartman
` (215 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manjunatha Venkatesh, Frank Li,
Alexandre Belloni
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
commit bd496a44f041da9ef3afe14d1d6193d460424e91 upstream.
The I3C master driver may receive an IBI from a target device that has not
been probed yet. In such cases, the master calls `i3c_master_queue_ibi()`
to queue an IBI work task, leading to "Unable to handle kernel read from
unreadable memory" and resulting in a kernel panic.
Typical IBI handling flow:
1. The I3C master scans target devices and probes their respective drivers.
2. The target device driver calls `i3c_device_request_ibi()` to enable IBI
and assigns `dev->ibi = ibi`.
3. The I3C master receives an IBI from the target device and calls
`i3c_master_queue_ibi()` to queue the target device driver’s IBI
handler task.
However, since target device events are asynchronous to the I3C probe
sequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`,
leading to a kernel panic.
Add a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing
an uninitialized `dev->ibi`, ensuring stability.
Fixes: 3a379bbcea0af ("i3c: Add core I3C infrastructure")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/lkml/Z9gjGYudiYyl3bSe@lizhi-Precision-Tower-5810/
Signed-off-by: Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250326123047.2797946-1-manjunatha.venkatesh@nxp.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -2282,6 +2282,9 @@ static void i3c_master_unregister_i3c_de
*/
void i3c_master_queue_ibi(struct i3c_dev_desc *dev, struct i3c_ibi_slot *slot)
{
+ if (!dev->ibi || !slot)
+ return;
+
atomic_inc(&dev->ibi->pending_ibis);
queue_work(dev->common.master->wq, &slot->work);
}
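Review bot: the early return on `!dev->ibi || !slot` drops the IBI silently and does nothing with a non-NULL `slot` when only dev->ibi is missing, so the caller's slot is neither queued nor handed back. Please say in the kernel-doc above whether the caller is expected to recycle the slot in that case, or do it here. Also, dev->ibi is tested and then read again in `atomic_inc(&dev->ibi->pending_ibis)` with no lock visible; since the changelog describes the event as asynchronous to probe, reading the pointer once into a local would be safer.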
* [PATCH 5.10 076/286] jbd2: remove wrong sb->s_sequence check
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 075/286] i3c: Add NULL pointer check in i3c_master_queue_ibi() Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 077/286] mfd: ene-kb3930: Fix a potential NULL pointer dereference Greg Kroah-Hartman
` (214 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Zhang Yi, Theodore Tso
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit e6eff39dd0fe4190c6146069cc16d160e71d1148 upstream.
Journal emptiness is not determined by sb->s_sequence == 0 but rather by
sb->s_start == 0 (which is set a few lines above). Furthermore 0 is a
valid transaction ID so the check can spuriously trigger. Remove the
invalid WARN_ON.
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20250206094657.20865-3-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/journal.c | 1 -
1 file changed, 1 deletion(-)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -1649,7 +1649,6 @@ int jbd2_journal_update_sb_log_tail(jour
/* Log is no longer empty */
write_lock(&journal->j_state_lock);
- WARN_ON(!sb->s_sequence);
journal->j_flags &= ~JBD2_FLUSHED;
write_unlock(&journal->j_state_lock);
* [PATCH 5.10 077/286] mfd: ene-kb3930: Fix a potential NULL pointer dereference
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 076/286] jbd2: remove wrong sb->s_sequence check Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 078/286] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Greg Kroah-Hartman
` (213 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lee Jones, Chenyuan Yang
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
commit 4cdf1d2a816a93fa02f7b6b5492dc7f55af2a199 upstream.
The off_gpios could be NULL. Add missing check in the kb3930_probe().
This is similar to the issue fixed in commit b1ba8bcb2d1f
("backlight: hx8357: Fix potential NULL pointer dereference").
This was detected by our static analysis tool.
Cc: stable@vger.kernel.org
Fixes: ede6b2d1dfc0 ("mfd: ene-kb3930: Add driver for ENE KB3930 Embedded Controller")
Suggested-by: Lee Jones <lee@kernel.org>
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Link: https://lore.kernel.org/r/20250224233736.1919739-1-chenyuan0y@gmail.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mfd/ene-kb3930.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mfd/ene-kb3930.c
+++ b/drivers/mfd/ene-kb3930.c
@@ -162,7 +162,7 @@ static int kb3930_probe(struct i2c_clien
devm_gpiod_get_array_optional(dev, "off", GPIOD_IN);
if (IS_ERR(ddata->off_gpios))
return PTR_ERR(ddata->off_gpios);
- if (ddata->off_gpios->ndescs < 2) {
+ if (ddata->off_gpios && ddata->off_gpios->ndescs < 2) {
dev_err(dev, "invalid off-gpios property\n");
return -EINVAL;
}
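Review bot: with `ddata->off_gpios &&` added, probe now continues with off_gpios == NULL when the optional "off" GPIO array is absent, so every later user of ddata->off_gpios has to tolerate NULL. None of those users is visible in this hunk; the changelog should confirm that the code driving the off GPIOs is only registered, or checks the pointer, when the array exists.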
* [PATCH 5.10 078/286] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 077/286] mfd: ene-kb3930: Fix a potential NULL pointer dereference Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 079/286] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Greg Kroah-Hartman
` (212 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Boqun Feng, Ingo Molnar, Waiman Long
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boqun Feng <boqun.feng@gmail.com>
commit 495f53d5cca0f939eaed9dca90b67e7e6fb0e30c upstream.
Currently, when a lock class is allocated, nr_unused_locks will be
increased by 1, until it gets used: nr_unused_locks will be decreased by
1 in mark_lock(). However, one scenario is missed: a lock class may be
zapped without even being used once. This could result in a situation
that nr_unused_locks != 0 but no unused lock class is active in the
system, and when `cat /proc/lockdep_stats`, a WARN_ON() will
be triggered in a CONFIG_DEBUG_LOCKDEP=y kernel:
[...] DEBUG_LOCKS_WARN_ON(debug_atomic_read(nr_unused_locks) != nr_unused)
[...] WARNING: CPU: 41 PID: 1121 at kernel/locking/lockdep_proc.c:283 lockdep_stats_show+0xba9/0xbd0
And as a result, lockdep will be disabled after this.
Therefore, nr_unused_locks needs to be accounted correctly at
zap_class() time.
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Waiman Long <longman@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250326180831.510348-1-boqun.feng@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/locking/lockdep.c | 3 +++
1 file changed, 3 insertions(+)
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -5921,6 +5921,9 @@ static void zap_class(struct pending_fre
hlist_del_rcu(&class->hash_entry);
WRITE_ONCE(class->key, NULL);
WRITE_ONCE(class->name, NULL);
+ /* Class allocated but not used, -1 in nr_unused_locks */
+ if (class->usage_mask == 0)
+ debug_atomic_dec(nr_unused_locks);
nr_lock_classes--;
__clear_bit(class - lock_classes, lock_classes_in_use);
if (class - lock_classes == max_lock_class_idx)
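Review bot: the added comment "Class allocated but not used, -1 in nr_unused_locks" is hard to parse; something like "class was never used, so it is still counted in nr_unused_locks" states the invariant rather than the operation. The test also reads class->usage_mask with a plain load right after two WRITE_ONCE() stores; if the caller's locking guarantees usage_mask cannot change here that is fine, but it deserves a word in the comment.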
* [PATCH 5.10 079/286] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 078/286] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 080/286] mtd: inftlcore: Add error check for inftl_read_oob() Greg Kroah-Hartman
` (211 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, T Pratham, Robert Jarzmik,
Jens Axboe, Kamlesh Gurudasani, Praneeth Bajjuri,
Vignesh Raghavendra, Andrew Morton
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: T Pratham <t-pratham@ti.com>
commit 8b46fdaea819a679da176b879e7b0674a1161a5e upstream.
The split_sg_phys function was incorrectly setting the offsets of all
scatterlist entries (except the first) to 0. Only the first scatterlist
entry's offset and length need to be modified to account for the skip.
Setting the remaining entries' offsets to 0 could lead to incorrect data
access.
I am using this function in a crypto driver that I'm currently developing
(not yet sent to mailing list). During testing, it was observed that the
output scatterlists (except the first one) contained incorrect garbage
data.
I narrowed this issue down to the call of sg_split(). Upon debugging
inside this function, I found that this resetting of offset is the cause
of the problem, causing the subsequent scatterlists to point to incorrect
memory locations in a page. By removing this code, I am obtaining
expected data in all the split output scatterlists. Thus, this was indeed
causing observable runtime effects!
This patch removes the offending code, ensuring that the page offsets in
the input scatterlist are preserved in the output scatterlist.
Link: https://lkml.kernel.org/r/20250319111437.1969903-1-t-pratham@ti.com
Fixes: f8bcbe62acd0 ("lib: scatterlist: add sg splitting function")
Signed-off-by: T Pratham <t-pratham@ti.com>
Cc: Robert Jarzmik <robert.jarzmik@free.fr>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Kamlesh Gurudasani <kamlesh@ti.com>
Cc: Praneeth Bajjuri <praneeth@ti.com>
Cc: Vignesh Raghavendra <vigneshr@ti.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/sg_split.c | 2 --
1 file changed, 2 deletions(-)
--- a/lib/sg_split.c
+++ b/lib/sg_split.c
@@ -88,8 +88,6 @@ static void sg_split_phys(struct sg_spli
if (!j) {
out_sg->offset += split->skip_sg0;
out_sg->length -= split->skip_sg0;
- } else {
- out_sg->offset = 0;
}
sg_dma_address(out_sg) = 0;
sg_dma_len(out_sg) = 0;
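Review bot: after dropping the else branch, out_sg->offset for every entry but the first is whatever was copied into out_sg before this `if`, which is outside the hunk. A one-line comment here saying that later entries keep the input scatterlist's offset would document the intent and stop someone from restoring the reset.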
* [PATCH 5.10 080/286] mtd: inftlcore: Add error check for inftl_read_oob()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 079/286] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 081/286] mtd: rawnand: Add status chack in r852_ready() Greg Kroah-Hartman
` (210 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Miquel Raynal
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit d027951dc85cb2e15924c980dc22a6754d100c7c upstream.
In INFTL_findwriteunit(), the return value of inftl_read_oob()
needs to be checked. A proper implementation can be
found in INFTL_deleteblock(). The status will be set as
SECTOR_IGNORE to break from the while-loop correctly
if the inftl_read_oob() fails.
Fixes: 8593fbc68b0d ("[MTD] Rework the out of band handling completely")
Cc: stable@vger.kernel.org # v2.6+
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/inftlcore.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/mtd/inftlcore.c
+++ b/drivers/mtd/inftlcore.c
@@ -482,10 +482,11 @@ static inline u16 INFTL_findwriteunit(st
silly = MAX_LOOPS;
while (thisEUN <= inftl->lastEUN) {
- inftl_read_oob(mtd, (thisEUN * inftl->EraseSize) +
- blockofs, 8, &retlen, (char *)&bci);
-
- status = bci.Status | bci.Status1;
+ if (inftl_read_oob(mtd, (thisEUN * inftl->EraseSize) +
+ blockofs, 8, &retlen, (char *)&bci) < 0)
+ status = SECTOR_IGNORE;
+ else
+ status = bci.Status | bci.Status1;
pr_debug("INFTL: status of block %d in EUN %d is %x\n",
block , writeEUN, status);
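Review bot: the error returned by inftl_read_oob() is tested with `< 0` and then discarded, and the pr_debug() just below prints the resulting SECTOR_IGNORE status exactly as it would for a block that really is marked ignored. Logging the failure with its error code in the new branch would make a flash read error distinguishable from on-media state. `retlen` is still unchecked, so a short read that returns success falls through to `bci.Status | bci.Status1` as before.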
* [PATCH 5.10 081/286] mtd: rawnand: Add status chack in r852_ready()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2025-04-29 16:39 ` [PATCH 5.10 080/286] mtd: inftlcore: Add error check for inftl_read_oob() Greg Kroah-Hartman
@ 2025-04-29 16:39 ` Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 082/286] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Greg Kroah-Hartman
` (209 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Miquel Raynal
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit b79fe1829975556854665258cf4d2476784a89db upstream.
In r852_ready(), the dev obtained from r852_get_dev() needs to be checked.
An unstable device should not be ready. A proper implementation can
be found in r852_read_byte(). Add a status check and return 0 when it is
unstable.
Fixes: 50a487e7719c ("mtd: rawnand: Pass a nand_chip object to chip->dev_ready()")
Cc: stable@vger.kernel.org # v4.20+
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/r852.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/mtd/nand/raw/r852.c
+++ b/drivers/mtd/nand/raw/r852.c
@@ -387,6 +387,9 @@ static int r852_wait(struct nand_chip *c
static int r852_ready(struct nand_chip *chip)
{
struct r852_device *dev = r852_get_dev(nand_to_mtd(chip));
+ if (dev->card_unstable)
+ return 0;
+
return !(r852_read_reg(dev, R852_CARD_STA) & R852_CARD_STA_BUSY);
}
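Review bot: the added test in r852_ready() is on dev->card_unstable, while the commit message says the dev returned by r852_get_dev() needs to be checked; dev itself is still dereferenced unchecked. Reword the message to say that the card state is what gets checked, and consider a one-line comment above the test noting that an unstable card is reported as not ready (return 0).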
* [PATCH 5.10 082/286] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, YH Huang, Chen-Yu Tsai,
AngeloGioacchino Del Regno
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
commit 46ad36002088eff8fc5cae200aa42ae9f9310ddd upstream.
The MT8173 disp-pwm device should have only one compatible string, based
on the following DT validation error:
arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401e000: compatible: 'oneOf' conditional failed, one must be fixed:
['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm']
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm']
'mediatek,mt8173-disp-pwm' was expected
'mediatek,mt8183-disp-pwm' was expected
from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml#
arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401f000: compatible: 'oneOf' conditional failed, one must be fixed:
['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm']
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm']
'mediatek,mt8173-disp-pwm' was expected
'mediatek,mt8183-disp-pwm' was expected
from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml#
Drop the extra "mediatek,mt6595-disp-pwm" compatible string.
Fixes: 61aee9342514 ("arm64: dts: mt8173: add MT8173 display PWM driver support node")
Cc: YH Huang <yh.huang@mediatek.com>
Cc: stable@vger.kernel.org # v4.5+
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20250108083424.2732375-2-wenst@chromium.org
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi
@@ -1193,8 +1193,7 @@
};
pwm0: pwm@1401e000 {
- compatible = "mediatek,mt8173-disp-pwm",
- "mediatek,mt6595-disp-pwm";
+ compatible = "mediatek,mt8173-disp-pwm";
reg = <0 0x1401e000 0 0x1000>;
#pwm-cells = <2>;
clocks = <&mmsys CLK_MM_DISP_PWM026M>,
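Review bot: dropping "mediatek,mt6595-disp-pwm" from pwm0 leaves "mediatek,mt8173-disp-pwm" as the only string a driver can match on, and nothing in this hunk shows that the 5.10 disp-pwm driver has that string in its match table. For a stable backport, confirm that before applying, otherwise the node stops binding.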
@@ -1204,8 +1203,7 @@
};
pwm1: pwm@1401f000 {
- compatible = "mediatek,mt8173-disp-pwm",
- "mediatek,mt6595-disp-pwm";
+ compatible = "mediatek,mt8173-disp-pwm";
reg = <0 0x1401f000 0 0x1000>;
#pwm-cells = <2>;
clocks = <&mmsys CLK_MM_DISP_PWM126M>,
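Review bot: the single-compatible change on pwm1 is made in the shared mt8173.dtsi, so it affects every board that includes this file, while the commit message only quotes validation output for mt8173-elm.dtb. A sentence in the message saying the change is SoC-wide would make the scope clear.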
* [PATCH 5.10 083/286] sparc/mm: disable preemption in lazy mmu mode
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryan Roberts, David Hildenbrand,
Andreas Larsson, Juergen Gross, Borislav Betkov, Boris Ostrovsky,
Catalin Marinas, Dave Hansen, David S. Miller, H. Peter Anvin,
Ingo Molnar, Matthew Wilcow (Oracle), Thomas Gleinxer,
Andrew Morton
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Roberts <ryan.roberts@arm.com>
commit a1d416bf9faf4f4871cb5a943614a07f80a7d70f upstream.
Since commit 38e0edb15bd0 ("mm/apply_to_range: call pte function with lazy
updates") it's been possible for arch_[enter|leave]_lazy_mmu_mode() to be
called without holding a page table lock (for the kernel mappings case),
and therefore it is possible that preemption may occur while in the lazy
mmu mode. The Sparc lazy mmu implementation is not robust to preemption
since it stores the lazy mode state in a per-cpu structure and does not
attempt to manage that state on task switch.
Powerpc had the same issue and fixed it by explicitly disabling preemption
in arch_enter_lazy_mmu_mode() and re-enabling in
arch_leave_lazy_mmu_mode(). See commit b9ef323ea168 ("powerpc/64s:
Disable preemption in hash lazy mmu mode").
Given Sparc's lazy mmu mode is based on powerpc's, let's fix it in the
same way here.
Link: https://lkml.kernel.org/r/20250303141542.3371656-4-ryan.roberts@arm.com
Fixes: 38e0edb15bd0 ("mm/apply_to_range: call pte function with lazy updates")
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Andreas Larsson <andreas@gaisler.com>
Acked-by: Juergen Gross <jgross@suse.com>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juegren Gross <jgross@suse.com>
Cc: Matthew Wilcow (Oracle) <willy@infradead.org>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/sparc/mm/tlb.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/sparc/mm/tlb.c
+++ b/arch/sparc/mm/tlb.c
@@ -51,8 +51,10 @@ out:
void arch_enter_lazy_mmu_mode(void)
{
- struct tlb_batch *tb = this_cpu_ptr(&tlb_batch);
+ struct tlb_batch *tb;
+ preempt_disable();
+ tb = this_cpu_ptr(&tlb_batch);
tb->active = 1;
}
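Review bot: preempt_disable() in arch_enter_lazy_mmu_mode() has its matching preempt_enable() in a different function, and nothing at this site says so. Add a short comment above preempt_disable() stating that preemption stays off until arch_leave_lazy_mmu_mode() because tlb_batch is per-cpu state; that keeps a later cleanup from treating the call as unbalanced.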
@@ -63,6 +65,7 @@ void arch_leave_lazy_mmu_mode(void)
if (tb->tlb_nr)
flush_tlb_pending();
tb->active = 0;
+ preempt_enable();
}
static void tlb_batch_add_one(struct mm_struct *mm, unsigned long vaddr,
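Review bot: preempt_enable() in arch_leave_lazy_mmu_mode() has to stay after both flush_tlb_pending() and tb->active = 0, because the per-cpu tlb_batch taken in the enter path is only stable while preemption is off. The placement is right; a comment on that ordering would protect it from being moved when the function is next edited.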
* [PATCH 5.10 084/286] mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers, Lorenzo Stoakes,
Matthew Wilcox, Alan Stern, Andrea Parri, Will Deacon,
Peter Zijlstra, Boqun Feng, Nicholas Piggin, David Howells,
Jade Alglave, Luc Maranget, Paul E. McKenney, Andrew Morton
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
commit c0ebbb3841e07c4493e6fe351698806b09a87a37 upstream.
The PGDAT_RECLAIM_LOCKED bit is used to provide mutual exclusion of node
reclaim for struct pglist_data using a single bit.
It is "locked" with a test_and_set_bit (similarly to a try lock) which
provides full ordering with respect to loads and stores done within
__node_reclaim().
It is "unlocked" with clear_bit(), which does not provide any ordering
with respect to loads and stores done before clearing the bit.
The lack of clear_bit() memory ordering with respect to stores within
__node_reclaim() can cause a subsequent CPU to fail to observe stores from
a prior node reclaim. This is not an issue in practice on TSO (e.g.
x86), but it is an issue on weakly-ordered architectures (e.g. arm64).
Fix this by using clear_bit_unlock rather than clear_bit to clear
PGDAT_RECLAIM_LOCKED with a release memory ordering semantic.
This provides stronger memory ordering (release rather than relaxed).
Link: https://lkml.kernel.org/r/20250312141014.129725-1-mathieu.desnoyers@efficios.com
Fixes: d773ed6b856a ("mm: test and set zone reclaim lock before starting reclaim")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Andrea Parri <parri.andrea@gmail.com>
Cc: Will Deacon <will@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Jade Alglave <j.alglave@ucl.ac.uk>
Cc: Luc Maranget <luc.maranget@inria.fr>
Cc: "Paul E. McKenney" <paulmck@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/vmscan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -4264,7 +4264,7 @@ int node_reclaim(struct pglist_data *pgd
return NODE_RECLAIM_NOSCAN;
ret = __node_reclaim(pgdat, gfp_mask, order);
- clear_bit(PGDAT_RECLAIM_LOCKED, &pgdat->flags);
+ clear_bit_unlock(PGDAT_RECLAIM_LOCKED, &pgdat->flags);
if (!ret)
count_vm_event(PGSCAN_ZONE_RECLAIM_FAILED);
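Review bot: the switch to clear_bit_unlock() on PGDAT_RECLAIM_LOCKED carries an ordering requirement that is explained only in the commit message. Put a short comment above the call saying that the release ordering pairs with the test_and_set_bit() that takes the bit and publishes the stores made in __node_reclaim(), so the call is not simplified back to clear_bit() later.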
* [PATCH 5.10 085/286] sctp: detect and prevent references to a freed transport in sendmsg
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long,
Ricardo Cañuelo Navarro, Paolo Abeni
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Cañuelo Navarro <rcn@igalia.com>
commit f1a69a940de58b16e8249dff26f74c8cc59b32be upstream.
sctp_sendmsg() re-uses associations and transports when possible by
doing a lookup based on the socket endpoint and the message destination
address, and then sctp_sendmsg_to_asoc() sets the selected transport in
all the message chunks to be sent.
There's a possible race condition if another thread triggers the removal
of that selected transport, for instance, by explicitly unbinding an
address with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have
been set up and before the message is sent. This can happen if the send
buffer is full, during the period when the sender thread temporarily
releases the socket lock in sctp_wait_for_sndbuf().
This causes the access to the transport data in
sctp_outq_select_transport(), when the association outqueue is flushed,
to result in a use-after-free read.
This change avoids this scenario by having sctp_transport_free() signal
the freeing of the transport, tagging it as "dead". In order to do this,
the patch restores the "dead" bit in struct sctp_transport, which was
removed in
commit 47faa1e4c50e ("sctp: remove the dead field of sctp_transport").
Then, in the scenario where the sender thread has released the socket
lock in sctp_wait_for_sndbuf(), the bit is checked again after
re-acquiring the socket lock to detect the deletion. This is done while
holding a reference to the transport to prevent it from being freed in
the process.
If the transport was deleted while the socket lock was relinquished,
sctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the
send.
The bug was found by a private syzbot instance (see the error report [1]
and the C reproducer that triggers it [2]).
Link: https://people.igalia.com/rcn/kernel_logs/20250402__KASAN_slab-use-after-free_Read_in_sctp_outq_select_transport.txt [1]
Link: https://people.igalia.com/rcn/kernel_logs/20250402__KASAN_slab-use-after-free_Read_in_sctp_outq_select_transport__repro.c [2]
Cc: stable@vger.kernel.org
Fixes: df132eff4638 ("sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer")
Suggested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Ricardo Cañuelo Navarro <rcn@igalia.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20250404-kasan_slab-use-after-free_read_in_sctp_outq_select_transport__20250404-v1-1-5ce4a0b78ef2@igalia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/sctp/structs.h | 3 ++-
net/sctp/socket.c | 22 ++++++++++++++--------
net/sctp/transport.c | 2 ++
3 files changed, 18 insertions(+), 9 deletions(-)
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -771,6 +771,7 @@ struct sctp_transport {
/* Reference counting. */
refcount_t refcnt;
+ __u32 dead:1,
/* RTO-Pending : A flag used to track if one of the DATA
* chunks sent to this address is currently being
* used to compute a RTT. If this flag is 0,
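Review bot: the new dead:1 bit is added without a comment and lands directly in front of the RTO-Pending comment block, so the struct does not say what dead means or who sets it. Add a one-line comment, for example that it is set in sctp_transport_free() and tested in sctp_wait_for_sndbuf() while waiting for send buffer space.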
@@ -780,7 +781,7 @@ struct sctp_transport {
* calculation completes (i.e. the DATA chunk
* is SACK'd) clear this flag.
*/
- __u32 rto_pending:1,
+ rto_pending:1,
/*
* hb_sent : a flag that signals that we have a pending
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -70,8 +70,9 @@
/* Forward declarations for internal helper functions. */
static bool sctp_writeable(const struct sock *sk);
static void sctp_wfree(struct sk_buff *skb);
-static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- size_t msg_len);
+static int sctp_wait_for_sndbuf(struct sctp_association *asoc,
+ struct sctp_transport *transport,
+ long *timeo_p, size_t msg_len);
static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
static int sctp_wait_for_accept(struct sock *sk, long timeo);
@@ -1828,7 +1829,7 @@ static int sctp_sendmsg_to_asoc(struct s
if (sctp_wspace(asoc) <= 0 || !sk_wmem_schedule(sk, msg_len)) {
timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
- err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+ err = sctp_wait_for_sndbuf(asoc, transport, &timeo, msg_len);
if (err)
goto err;
if (unlikely(sinfo->sinfo_stream >= asoc->stream.outcnt)) {
@@ -8963,8 +8964,9 @@ void sctp_sock_rfree(struct sk_buff *skb
/* Helper function to wait for space in the sndbuf. */
-static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- size_t msg_len)
+static int sctp_wait_for_sndbuf(struct sctp_association *asoc,
+ struct sctp_transport *transport,
+ long *timeo_p, size_t msg_len)
{
struct sock *sk = asoc->base.sk;
long current_timeo = *timeo_p;
@@ -8974,7 +8976,9 @@ static int sctp_wait_for_sndbuf(struct s
pr_debug("%s: asoc:%p, timeo:%ld, msg_len:%zu\n", __func__, asoc,
*timeo_p, msg_len);
- /* Increment the association's refcnt. */
+ /* Increment the transport and association's refcnt. */
+ if (transport)
+ sctp_transport_hold(transport);
sctp_association_hold(asoc);
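Review bot: the return value of sctp_transport_hold(transport) is ignored, while the out: path of this function calls sctp_transport_put(transport) unconditionally whenever transport is non-NULL. If the hold can fail, the put is unbalanced; either check the result or state in the comment that the caller's own reference, held under the socket lock, guarantees the hold succeeds at this point.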
/* Wait on the association specific sndbuf space. */
@@ -8983,7 +8987,7 @@ static int sctp_wait_for_sndbuf(struct s
TASK_INTERRUPTIBLE);
if (asoc->base.dead)
goto do_dead;
- if (!*timeo_p)
+ if ((!*timeo_p) || (transport && transport->dead))
goto do_nonblock;
if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING)
goto do_error;
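Review bot: folding (transport && transport->dead) into the !*timeo_p test sends a blocking sender down the do_nonblock path, so the -EAGAIN described in the commit message cannot be told apart in the code from a zero or expired timeout. A separate test with its own comment (or its own label) would make the dead-transport case explicit; the extra parentheses around !*timeo_p can go.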
@@ -9010,7 +9014,9 @@ static int sctp_wait_for_sndbuf(struct s
out:
finish_wait(&asoc->wait, &wait);
- /* Release the association's refcnt. */
+ /* Release the transport and association's refcnt. */
+ if (transport)
+ sctp_transport_put(transport);
sctp_association_put(asoc);
return err;
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -116,6 +116,8 @@ fail:
*/
void sctp_transport_free(struct sctp_transport *transport)
{
+ transport->dead = 1;
+
/* Try to delete the heartbeat timer. */
if (del_timer(&transport->hb_timer))
sctp_transport_put(transport);
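Review bot: transport->dead = 1 is a plain bit-field store, and dead shares its __u32 word with rto_pending and the flags that follow it in struct sctp_transport, so the store is a read-modify-write of that whole word. Note in a comment that sctp_transport_free() runs with the socket lock held (the lock the reader in sctp_wait_for_sndbuf() re-takes), or say what else serialises writers of the neighbouring bits.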
* [PATCH 5.10 086/286] thermal/drivers/rockchip: Add missing rk3328 mapping entry
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trevor Woerner, Dragan Simic,
Daniel Lezcano
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trevor Woerner <twoerner@gmail.com>
commit ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e upstream.
The mapping table for the rk3328 is missing the entry for -25C which is
found in the TRM section 9.5.2 "Temperature-to-code mapping".
NOTE: the kernel uses the tsadc_q_sel=1'b1 mode which is defined as:
4096-<code in table>. Whereas the table in the TRM gives the code
"3774" for -25C, the kernel uses 4096-3774=322.
[Dragan Simic] : "After going through the RK3308 and RK3328 TRMs, as
well as through the downstream kernel code, it seems we may have
some troubles at our hands. Let me explain, please.
To sum it up, part 1 of the RK3308 TRM v1.1 says on page 538 that
the equation for the output when tsadc_q_sel equals 1 is (4096 -
tsadc_q), while part 1 of the RK3328 TRM v1.2 says that the output
equation is (1024 - tsadc_q) in that case.
The downstream kernel code, however, treats the RK3308 and RK3328
tables and their values as being the same. It even mentions 1024 as
the "offset" value in a comment block for the rk_tsadcv3_control()
function, just like the upstream code does, which is obviously wrong
"offset" value when correlated with the table on page 544 of part 1
of the RK3308 TRM v1.1.
With all this in mind, it's obvious that more work is needed to make
it clear where's the actual mistake (it could be that the TRM is
wrong), which I'll volunteer for as part of the SoC binning project.
In the meantime, this patch looks fine as-is to me, by offering
what's a clear improvement to the current state of the upstream
code"
Link: https://opensource.rock-chips.com/images/9/97/Rockchip_RK3328TRM_V1.1-Part1-20170321.pdf
Cc: stable@vger.kernel.org
Fixes: eda519d5f73e ("thermal: rockchip: Support the RK3328 SOC in thermal driver")
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Reviewed-by: Dragan Simic <dsimic@manjaro.org>
Link: https://lore.kernel.org/r/20250207175048.35959-1-twoerner@gmail.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thermal/rockchip_thermal.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/thermal/rockchip_thermal.c
+++ b/drivers/thermal/rockchip_thermal.c
@@ -363,6 +363,7 @@ static const struct tsadc_table rk3328_c
{296, -40000},
{304, -35000},
{313, -30000},
+ {322, -25000},
{331, -20000},
{340, -15000},
{349, -10000},
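Review bot: {322, -25000} sits correctly between {313, -30000} and {331, -20000}, but the table gives no hint that its codes are 4096 minus the TRM value, which is the only way to check the entry against the TRM's 3774. Given the 4096 versus 1024 discrepancy raised in the review text, a comment above the table stating the conversion and the TRM section it was taken from would let the next reader verify the entries.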
* [PATCH 5.10 087/286] crypto: ccp - Fix check for the primary ASP device
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Herbert Xu
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tom Lendacky <thomas.lendacky@amd.com>
commit 07bb097b92b987db518e72525b515d77904e966e upstream.
Currently, the ASP primary device check does not have support for PCI
domains, and, as a result, when the system is configured with PCI domains
(PCI segments) the wrong device can be selected as primary. This results
in commands submitted to the device timing out and failing. The device
check also relies on specific device and function assignments that may
not hold in the future.
Fix the primary ASP device check to include support for PCI domains and
to perform proper checking of the Bus/Device/Function positions.
Fixes: 2a6170dfe755 ("crypto: ccp: Add Platform Security Processor (PSP) device support")
Cc: stable@vger.kernel.org
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sp-pci.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/crypto/ccp/sp-pci.c
+++ b/drivers/crypto/ccp/sp-pci.c
@@ -118,14 +118,17 @@ static bool sp_pci_is_master(struct sp_d
pdev_new = to_pci_dev(dev_new);
pdev_cur = to_pci_dev(dev_cur);
- if (pdev_new->bus->number < pdev_cur->bus->number)
- return true;
+ if (pci_domain_nr(pdev_new->bus) != pci_domain_nr(pdev_cur->bus))
+ return pci_domain_nr(pdev_new->bus) < pci_domain_nr(pdev_cur->bus);
- if (PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn))
- return true;
+ if (pdev_new->bus->number != pdev_cur->bus->number)
+ return pdev_new->bus->number < pdev_cur->bus->number;
- if (PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn))
- return true;
+ if (PCI_SLOT(pdev_new->devfn) != PCI_SLOT(pdev_cur->devfn))
+ return PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn);
+
+ if (PCI_FUNC(pdev_new->devfn) != PCI_FUNC(pdev_cur->devfn))
+ return PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn);
return false;
}
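Review bot: the comparison is now a strict lexicographic order over domain, bus, slot and function, but nothing in sp_pci_is_master() states that order, and pci_domain_nr() is evaluated up to four times per call. Add a one-line comment giving the ordering and consider caching the two domain numbers in locals. Returning false when all four fields are equal is the right tie result.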
* [PATCH 5.10 088/286] dm-integrity: set ti->error on memory allocation failure
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 00204ae3d6712ee053353920e3ce2b00c35ef75b upstream.
The dm-integrity target didn't set the error string when memory
allocation failed. This patch fixes it.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-integrity.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -4303,16 +4303,19 @@ try_smaller_buffer:
ic->recalc_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
if (!ic->recalc_bitmap) {
+ ti->error = "Could not allocate memory for bitmap";
r = -ENOMEM;
goto bad;
}
ic->may_write_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
if (!ic->may_write_bitmap) {
+ ti->error = "Could not allocate memory for bitmap";
r = -ENOMEM;
goto bad;
}
ic->bbs = kvmalloc_array(ic->n_bitmap_blocks, sizeof(struct bitmap_block_status), GFP_KERNEL);
if (!ic->bbs) {
+ ti->error = "Could not allocate memory for bitmap";
r = -ENOMEM;
goto bad;
}
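Review bot: all three failure paths set the same string, "Could not allocate memory for bitmap", although they cover recalc_bitmap, may_write_bitmap and the bbs array, so the reported error cannot tell which allocation failed. Distinct strings per allocation would cost nothing and make the message actionable.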
* [PATCH 5.10 089/286] ftrace: Add cond_resched() to ftrace_graph_set_hash()
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, zhoumin, Steven Rostedt (Google)
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: zhoumin <teczm@foxmail.com>
commit 42ea22e754ba4f2b86f8760ca27f6f71da2d982c upstream.
When the kernel contains a large number of functions that can be traced,
the loop in ftrace_graph_set_hash() may take a lot of time to execute.
This may trigger the softlockup watchdog.
Add cond_resched() within the loop to allow the kernel to remain
responsive even when processing a large number of functions.
This matches the cond_resched() that is used in other locations of the
code that iterates over all functions that can be traced.
Cc: stable@vger.kernel.org
Fixes: b9b0c831bed26 ("ftrace: Convert graph filter to use hash tables")
Link: https://lore.kernel.org/tencent_3E06CE338692017B5809534B9C5C03DA7705@qq.com
Signed-off-by: zhoumin <teczm@foxmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ftrace.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -6096,6 +6096,7 @@ ftrace_graph_set_hash(struct ftrace_hash
}
}
}
+ cond_resched();
} while_for_each_ftrace_rec();
out:
mutex_unlock(&ftrace_lock);
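Review bot: cond_resched() is added at the bottom of the record loop, which runs with ftrace_lock held (it is released at out: just below), so waiters on that mutex now wait across the reschedule points as well. That is acceptable for a mutex, but a short comment saying the call is there to avoid soft lockups on kernels with many traceable functions would keep it from looking accidental.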
* [PATCH 5.10 090/286] gpio: zynq: Fix wakeup source leaks on device unbind
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Bartosz Golaszewski
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit c5672e310ad971d408752fce7596ed27adc6008f upstream.
Device can be unbound, so driver must also release memory for the wakeup
source.
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20250406202245.53854-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-zynq.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpio/gpio-zynq.c
+++ b/drivers/gpio/gpio-zynq.c
@@ -1016,6 +1016,7 @@ static int zynq_gpio_remove(struct platf
ret = pm_runtime_get_sync(&pdev->dev);
if (ret < 0)
dev_warn(&pdev->dev, "pm_runtime_get_sync() Failed\n");
+ device_init_wakeup(&pdev->dev, 0);
gpiochip_remove(&gpio->chip);
clk_disable_unprepare(gpio->clk);
device_set_wakeup_capable(&pdev->dev, 0);
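Review bot: device_init_wakeup(&pdev->dev, 0) is added while device_set_wakeup_capable(&pdev->dev, 0) is kept three lines below; device_init_wakeup() with a false argument already clears the wakeup-capable flag, so the later call becomes redundant. Drop it, or say in the commit message why both are wanted.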
* [PATCH 5.10 091/286] ntb: use 64-bit arithmetic for the MSI doorbell mask
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Dave Jiang,
Jon Mason
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit fd5625fc86922f36bedee5846fefd647b7e72751 upstream.
msi_db_mask is of type 'u64', still the standard 'int' arithmetic is
performed to compute its value.
While most of the ntb_hw drivers actually don't utilize the higher 32
bits of the doorbell mask now, this may be the case for Switchtec - see
switchtec_ntb_init_db().
Found by Linux Verification Center (linuxtesting.org) with SVACE static
analysis tool.
Fixes: 2b0569b3b7e6 ("NTB: Add MSI interrupt support to ntb_transport")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ntb/ntb_transport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/ntb/ntb_transport.c
+++ b/drivers/ntb/ntb_transport.c
@@ -1340,7 +1340,7 @@ static int ntb_transport_probe(struct nt
qp_count = ilog2(qp_bitmap);
if (nt->use_msi) {
qp_count -= 1;
- nt->msi_db_mask = 1 << qp_count;
+ nt->msi_db_mask = BIT_ULL(qp_count);
ntb_db_clear_mask(ndev, nt->msi_db_mask);
}
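Review bot: BIT_ULL(qp_count) fixes the shift width, but qp_count has just been decremented and these lines show no lower bound on it; if ilog2(qp_bitmap) is 0 the shift count goes out of range. Check that qp_count is at least 1 before the decrement when use_msi is set, or point to where that is already guaranteed.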
* [PATCH 5.10 092/286] of/irq: Fix device node refcount leakages in of_irq_count()
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit bbf71f44aaf241d853759a71de7e7ebcdb89be3d upstream.
of_irq_count() invokes of_irq_parse_one() to count IRQs, and successful
invocation of the latter will get device node @irq.np refcount, but the
former does not put the refcount before next iteration invocation, hence
causes device node refcount leakages.
Fix by putting @irq.np refcount before the next iteration invocation.
Fixes: 3da5278727a8 ("of/irq: Rework of_irq_count()")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-5-93e3a2659aa7@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -443,8 +443,10 @@ int of_irq_count(struct device_node *dev
struct of_phandle_args irq;
int nr = 0;
- while (of_irq_parse_one(dev, nr, &irq) == 0)
+ while (of_irq_parse_one(dev, nr, &irq) == 0) {
+ of_node_put(irq.np);
nr++;
+ }
return nr;
}
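Review bot: the new `of_node_put(irq.np)` in the loop body depends on of_irq_parse_one() returning 0 only when it has taken a reference on `irq.np`, which is not obvious at the call site. A short comment above the put, saying that the count needs only the return value and not the node, would stop a later cleanup from dropping it as redundant.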
* [PATCH 5.10 093/286] of/irq: Fix device node refcount leakage in API irq_of_parse_and_map()
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit 962a2805e47b933876ba0e4c488d9e89ced2dd29 upstream.
In irq_of_parse_and_map(), refcount of device node @oirq.np was got
by successful of_irq_parse_one() invocation, but it does not put the
refcount before return, so causes @oirq.np refcount leakage.
Fix by putting @oirq.np refcount before return.
Fixes: e3873444990d ("of/irq: Move irq_of_parse_and_map() to common code")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-6-93e3a2659aa7@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -36,11 +36,15 @@
unsigned int irq_of_parse_and_map(struct device_node *dev, int index)
{
struct of_phandle_args oirq;
+ unsigned int ret;
if (of_irq_parse_one(dev, index, &oirq))
return 0;
- return irq_create_of_mapping(&oirq);
+ ret = irq_create_of_mapping(&oirq);
+ of_node_put(oirq.np);
+
+ return ret;
}
EXPORT_SYMBOL_GPL(irq_of_parse_and_map);
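Review bot: the new local `ret` holds the unsigned mapping number returned by irq_create_of_mapping(), not an error code, so the name invites a later `if (ret < 0)` style check that can never fire on an `unsigned int`. Naming it `virq` or similar would match what is returned; the put-after-map ordering itself looks right, since `oirq` is still read by irq_create_of_mapping().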
* [PATCH 5.10 094/286] of/irq: Fix device node refcount leakages in of_irq_init()
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit 708124d9e6e7ac5ebf927830760679136b23fdf0 upstream.
of_irq_init() will leak interrupt controller device node refcounts
in two places as explained below:
1) Leak refcounts of both @desc->dev and @desc->interrupt_parent when
suffers @desc->irq_init_cb() failure.
2) Leak refcount of @desc->interrupt_parent when cleans up list
@intc_desc_list in the end.
Refcounts of both @desc->dev and @desc->interrupt_parent were got in
the first loop, but of_irq_init() does not put them before kfree(@desc)
in places mentioned above, so causes refcount leakages.
Fix by putting refcounts involved before kfree(@desc).
Fixes: 8363ccb917c6 ("of/irq: add missing of_node_put")
Fixes: c71a54b08201 ("of/irq: introduce of_irq_init")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-7-93e3a2659aa7@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -555,6 +555,8 @@ void __init of_irq_init(const struct of_
desc->interrupt_parent);
if (ret) {
of_node_clear_flag(desc->dev, OF_POPULATED);
+ of_node_put(desc->interrupt_parent);
+ of_node_put(desc->dev);
kfree(desc);
continue;
}
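Review bot: this failure branch now repeats the release sequence used under the `err:` label (`of_node_put(desc->interrupt_parent)`, `of_node_put(desc->dev)`, `kfree(desc)`), and the two copies already differ in what else they do around it. A small static helper that drops both references and frees `desc` would keep the two sites from drifting apart.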
@@ -585,6 +587,7 @@ void __init of_irq_init(const struct of_
err:
list_for_each_entry_safe(desc, temp_desc, &intc_desc_list, list) {
list_del(&desc->list);
+ of_node_put(desc->interrupt_parent);
of_node_put(desc->dev);
kfree(desc);
}
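Review bot: the added `of_node_put(desc->interrupt_parent)` in the `err:` loop is unconditional, so it is worth stating in the commit message or a comment whether `interrupt_parent` can be NULL for entries still on `intc_desc_list`, and that the put is safe in that case.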
* [PATCH 5.10 095/286] PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe()
From: Greg Kroah-Hartman @ 2025-04-29 16:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanimir Varbanov, Florian Fainelli,
Manivannan Sadhasivam, Krzysztof Wilczyński
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <svarbanov@suse.de>
commit 2df181e1aea4628a8fd257f866026625d0519627 upstream.
A call to of_parse_phandle() is incrementing the refcount, and as such,
the of_node_put() must be called when the reference is no longer needed.
Thus, refactor the existing code and add a missing of_node_put() call
following the check to ensure that "msi_np" matches "pcie->np" and after
MSI initialization, but only if the MSI support is enabled system-wide.
Cc: stable@vger.kernel.org # v5.10+
Fixes: 40ca1bf580ef ("PCI: brcmstb: Add MSI support")
Signed-off-by: Stanimir Varbanov <svarbanov@suse.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20250122222955.1752778-1-svarbanov@suse.de
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-brcmstb.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/drivers/pci/controller/pcie-brcmstb.c
+++ b/drivers/pci/controller/pcie-brcmstb.c
@@ -1215,7 +1215,7 @@ static const struct of_device_id brcm_pc
static int brcm_pcie_probe(struct platform_device *pdev)
{
- struct device_node *np = pdev->dev.of_node, *msi_np;
+ struct device_node *np = pdev->dev.of_node;
struct pci_host_bridge *bridge;
const struct pcie_cfg_data *data;
struct brcm_pcie *pcie;
@@ -1280,9 +1280,14 @@ static int brcm_pcie_probe(struct platfo
pcie->hw_rev = readl(pcie->base + PCIE_MISC_REVISION);
- msi_np = of_parse_phandle(pcie->np, "msi-parent", 0);
- if (pci_msi_enabled() && msi_np == pcie->np) {
- ret = brcm_pcie_enable_msi(pcie);
+ if (pci_msi_enabled()) {
+ struct device_node *msi_np = of_parse_phandle(pcie->np, "msi-parent", 0);
+
+ if (msi_np == pcie->np)
+ ret = brcm_pcie_enable_msi(pcie);
+
+ of_node_put(msi_np);
+
if (ret) {
dev_err(pcie->dev, "probe of internal MSI failed");
goto fail;
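Review bot: inside the new `if (pci_msi_enabled())` block the `if (ret)` check runs even when `msi_np != pcie->np`, where `ret` was not assigned by brcm_pcie_enable_msi(), so the "probe of internal MSI failed" message would be misleading if `ret` were non-zero for another reason. Moving the `ret` check inside the `msi_np == pcie->np` branch (with braces) and leaving `of_node_put(msi_np)` after it would make the error path depend only on the call it reports on.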
* [PATCH 5.10 096/286] PCI: Fix reference leak in pci_alloc_child_bus()
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Bjorn Helgaas,
Ilpo Järvinen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 1f2768b6a3ee77a295106e3a5d68458064923ede upstream.
If device_register(&child->dev) fails, call put_device() to explicitly
release child->dev, per the comment at device_register().
Found by code review.
Link: https://lore.kernel.org/r/20250202062357.872971-1-make24@iscas.ac.cn
Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/probe.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1105,7 +1105,10 @@ static struct pci_bus *pci_alloc_child_b
add_dev:
pci_set_bus_msi_domain(child);
ret = device_register(&child->dev);
- WARN_ON(ret < 0);
+ if (WARN_ON(ret < 0)) {
+ put_device(&child->dev);
+ return NULL;
+ }
pcibios_add_bus(child);
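Review bot: the new error branch returns NULL immediately after `put_device(&child->dev)`, so everything done for `child` before `device_register()` (the visible `pci_set_bus_msi_domain(child)` and whatever precedes the `add_dev:` label) has to be undone by the device release callback alone. Please confirm that holds, and that every caller of pci_alloc_child_bus() handles a NULL return, since before this change the function carried on after the warning.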
* [PATCH 5.10 097/286] pinctrl: qcom: Clear latched interrupt status when changing IRQ type
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Stephan Gerhold,
Bjorn Andersson, Linus Walleij
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
commit e225128c3f8be879e7d4eb71a25949e188b420ae upstream.
When submitting the TLMM test driver, Bjorn reported that some of the test
cases are failing for GPIOs that are not backed by PDC (i.e. "non-wakeup"
GPIOs that are handled directly in pinctrl-msm). Basically, lingering
latched interrupt state is still being delivered at IRQ request time, e.g.:
ok 1 tlmm_test_silent_rising
tlmm_test_silent_falling: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178
Expected atomic_read(&priv->intr_count) == 0, but
atomic_read(&priv->intr_count) == 1 (0x1)
not ok 2 tlmm_test_silent_falling
tlmm_test_silent_low: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178
Expected atomic_read(&priv->intr_count) == 0, but
atomic_read(&priv->intr_count) == 1 (0x1)
not ok 3 tlmm_test_silent_low
ok 4 tlmm_test_silent_high
Whether to report interrupts that came in while the IRQ was unclaimed
doesn't seem to be well-defined in the Linux IRQ API. However, looking
closer at these specific cases, we're actually reporting events that do not
match the interrupt type requested by the driver:
1. After "ok 1 tlmm_test_silent_rising", the GPIO is in low state and
configured for IRQF_TRIGGER_RISING.
2. (a) In preparation for "tlmm_test_silent_falling", the GPIO is switched
to high state. The rising interrupt gets latched.
(b) The GPIO is re-configured for IRQF_TRIGGER_FALLING, but the latched
interrupt isn't cleared.
(c) The IRQ handler is called for the latched interrupt, but there
wasn't any falling edge.
3. (a) For "tlmm_test_silent_low", the GPIO remains in high state.
(b) The GPIO is re-configured for IRQF_TRIGGER_LOW. This seems to
result in a phantom interrupt that gets latched.
(c) The IRQ handler is called for the latched interrupt, but the GPIO
isn't in low state.
4. (a) For "tlmm_test_silent_high", the GPIO is switched to low state.
(b) This doesn't result in a latched interrupt, because RAW_STATUS_EN
was cleared when masking the level-triggered interrupt.
Fix this by clearing the interrupt state whenever making any changes to the
interrupt configuration. This includes previously disabled interrupts, but
also any changes to interrupt polarity or detection type.
With this change, all 16 test cases are now passing for the non-wakeup
GPIOs in the TLMM.
Cc: stable@vger.kernel.org
Fixes: cf9d052aa600 ("pinctrl: qcom: Don't clear pending interrupts when enabling")
Reported-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Closes: https://lore.kernel.org/r/20250227-tlmm-test-v1-1-d18877b4a5db@oss.qualcomm.com/
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Tested-by: Bjorn Andersson <andersson@kernel.org>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/20250312-pinctrl-msm-type-latch-v1-1-ce87c561d3d7@linaro.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/qcom/pinctrl-msm.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/pinctrl/qcom/pinctrl-msm.c
+++ b/drivers/pinctrl/qcom/pinctrl-msm.c
@@ -955,8 +955,7 @@ static int msm_gpio_irq_set_type(struct
struct msm_pinctrl *pctrl = gpiochip_get_data(gc);
const struct msm_pingroup *g;
unsigned long flags;
- bool was_enabled;
- u32 val;
+ u32 val, oldval;
if (msm_gpio_needs_dual_edge_parent_workaround(d, type)) {
set_bit(d->hwirq, pctrl->dual_edge_irqs);
@@ -1016,8 +1015,7 @@ static int msm_gpio_irq_set_type(struct
* internal circuitry of TLMM, toggling the RAW_STATUS
* could cause the INTR_STATUS to be set for EDGE interrupts.
*/
- val = msm_readl_intr_cfg(pctrl, g);
- was_enabled = val & BIT(g->intr_raw_status_bit);
+ val = oldval = msm_readl_intr_cfg(pctrl, g);
val |= BIT(g->intr_raw_status_bit);
if (g->intr_detection_width == 2) {
val &= ~(3 << g->intr_detection_bit);
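Review bot: `val = oldval = msm_readl_intr_cfg(pctrl, g);` is a chained assignment, which kernel coding style discourages (checkpatch flags multiple assignments). Reading into `oldval` and then writing `val = oldval;` on the next line is clearer and makes it obvious that `oldval` is the untouched snapshot used for the later comparison.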
@@ -1070,9 +1068,11 @@ static int msm_gpio_irq_set_type(struct
/*
* The first time we set RAW_STATUS_EN it could trigger an interrupt.
* Clear the interrupt. This is safe because we have
- * IRQCHIP_SET_TYPE_MASKED.
+ * IRQCHIP_SET_TYPE_MASKED. When changing the interrupt type, we could
+ * also still have a non-matching interrupt latched, so clear whenever
+ * making changes to the interrupt configuration.
*/
- if (!was_enabled)
+ if (val != oldval)
msm_ack_intr_status(pctrl, g);
if (test_bit(d->hwirq, pctrl->dual_edge_irqs))
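Review bot: `if (val != oldval)` compares the whole value read by msm_readl_intr_cfg(), so the ack fires on any bit difference and is skipped when the same type is set again; that only works if `val` is not reloaded from the register between the snapshot and this test. The comment's first sentence still explains only the first-time RAW_STATUS_EN case, so consider rewording it to lead with the new rule (ack whenever the written configuration differs from the one read) and to note that a repeated set_type with an identical configuration leaves any latched status untouched.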
* [PATCH 5.10 098/286] x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions()
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roberto Ricci, Myrrh Periwinkle,
Ingo Molnar, Rafael J. Wysocki, Ard Biesheuvel, H. Peter Anvin,
Kees Cook, Linus Torvalds, David Woodhouse, Len Brown
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
commit f2f29da9f0d4367f6ff35e0d9d021257bb53e273 upstream.
While debugging kexec/hibernation hangs and crashes, it turned out that
the current implementation of e820__register_nosave_regions() suffers from
multiple serious issues:
- The end of last region is tracked by PFN, causing it to find holes
that aren't there if two consecutive subpage regions are present
- The nosave PFN ranges derived from holes are rounded out (instead of
rounded in) which makes it inconsistent with how explicitly reserved
regions are handled
Fix this by:
- Treating reserved regions as if they were holes, to ensure consistent
handling (rounding out nosave PFN ranges is more correct as the
kernel does not use partial pages)
- Tracking the end of the last RAM region by address instead of pages
to detect holes more precisely
These bugs appear to have been introduced about ~18 years ago with the very
first version of e820_mark_nosave_regions(), and its flawed assumptions were
carried forward uninterrupted through various waves of rewrites and renames.
[ mingo: Added Git archeology details, for kicks and giggles. ]
Fixes: e8eff5ac294e ("[PATCH] Make swsusp avoid memory holes and reserved memory regions on x86_64")
Reported-by: Roberto Ricci <io@r-ricci.it>
Tested-by: Roberto Ricci <io@r-ricci.it>
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Len Brown <len.brown@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250406-fix-e820-nosave-v3-1-f3787bc1ee1d@qtmlabs.xyz
Closes: https://lore.kernel.org/all/Z4WFjBVHpndct7br@desktop0a/
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/e820.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
--- a/arch/x86/kernel/e820.c
+++ b/arch/x86/kernel/e820.c
@@ -753,22 +753,21 @@ void __init e820__memory_setup_extended(
void __init e820__register_nosave_regions(unsigned long limit_pfn)
{
int i;
- unsigned long pfn = 0;
+ u64 last_addr = 0;
for (i = 0; i < e820_table->nr_entries; i++) {
struct e820_entry *entry = &e820_table->entries[i];
- if (pfn < PFN_UP(entry->addr))
- register_nosave_region(pfn, PFN_UP(entry->addr));
-
- pfn = PFN_DOWN(entry->addr + entry->size);
-
if (entry->type != E820_TYPE_RAM && entry->type != E820_TYPE_RESERVED_KERN)
- register_nosave_region(PFN_UP(entry->addr), pfn);
+ continue;
- if (pfn >= limit_pfn)
- break;
+ if (last_addr < entry->addr)
+ register_nosave_region(PFN_DOWN(last_addr), PFN_UP(entry->addr));
+
+ last_addr = entry->addr + entry->size;
}
+
+ register_nosave_region(PFN_DOWN(last_addr), limit_pfn);
}
#ifdef CONFIG_ACPI
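Review bot: with the `if (pfn >= limit_pfn) break;` exit removed, the loop registers gaps for entries above `limit_pfn`, and the trailing `register_nosave_region(PFN_DOWN(last_addr), limit_pfn)` is called even when `PFN_DOWN(last_addr)` is at or beyond `limit_pfn`. Either clamp the ranges to `limit_pfn` here or state in a comment that register_nosave_region() ignores empty or inverted ranges; the mixed rounding (`PFN_DOWN` for the start, `PFN_UP` for the end) also deserves a one-line comment saying the nosave range is rounded out on purpose.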
* [PATCH 5.10 099/286] Bluetooth: hci_uart: Fix another race during initialization
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arseniy Krasnov,
syzbot+683f8cb11b94b1824c77, Luiz Augusto von Dentz
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arseniy Krasnov <avkrasnov@salutedevices.com>
commit 5df5dafc171b90d0b8d51547a82657cd5a1986c7 upstream.
Do not set 'HCI_UART_PROTO_READY' before call 'hci_uart_register_dev()'.
Possible race is when someone calls 'hci_tty_uart_close()' after this bit
is set, but 'hci_uart_register_dev()' wasn't done. This leads to access
to uninitialized fields. To fix it let's set this bit after device was
registered (as before patch c411c62cc133) and to fix previous problem let's
add one more bit in addition to 'HCI_UART_PROTO_READY' which allows to
perform power up without original bit set (pls see commit c411c62cc133).
Crash backtrace from syzbot report:
RIP: 0010:skb_queue_empty_lockless include/linux/skbuff.h:1887 [inline]
RIP: 0010:skb_queue_purge_reason+0x6d/0x140 net/core/skbuff.c:3936
Call Trace:
<TASK>
skb_queue_purge include/linux/skbuff.h:3364 [inline]
mrvl_close+0x2f/0x90 drivers/bluetooth/hci_mrvl.c:100
hci_uart_tty_close+0xb6/0x120 drivers/bluetooth/hci_ldisc.c:557
tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
tty_ldisc_kill+0x66/0xc0 drivers/tty/tty_ldisc.c:613
tty_ldisc_release+0xc9/0x120 drivers/tty/tty_ldisc.c:781
tty_release_struct+0x10/0x80 drivers/tty/tty_io.c:1690
tty_release+0x4ef/0x640 drivers/tty/tty_io.c:1861
__fput+0x86/0x2a0 fs/file_table.c:450
task_work_run+0x82/0xb0 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xa3/0x1b0 kernel/entry/common.c:218
do_syscall_64+0x9a/0x190 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Reported-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
Tested-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/d159c57f-8490-4c26-79da-6ad3612c4a14@salutedevices.com/
Fixes: 366ceff495f9 ("Bluetooth: hci_uart: fix race during initialization")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/hci_ldisc.c | 20 ++++++++++++++------
drivers/bluetooth/hci_uart.h | 1 +
2 files changed, 15 insertions(+), 6 deletions(-)
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -102,7 +102,8 @@ static inline struct sk_buff *hci_uart_d
if (!skb) {
percpu_down_read(&hu->proto_lock);
- if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
+ if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
+ test_bit(HCI_UART_PROTO_INIT, &hu->flags))
skb = hu->proto->dequeue(hu);
percpu_up_read(&hu->proto_lock);
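Review bot: the `test_bit(HCI_UART_PROTO_READY, ...) || test_bit(HCI_UART_PROTO_INIT, ...)` pair added here is repeated, in positive or negated form, at five call sites in this file. A small inline helper that returns true when either bit is set would keep the sites consistent and give one place to document why a protocol in the INIT state may already dequeue, send and receive.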
@@ -124,7 +125,8 @@ int hci_uart_tx_wakeup(struct hci_uart *
if (!percpu_down_read_trylock(&hu->proto_lock))
return 0;
- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
+ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
+ !test_bit(HCI_UART_PROTO_INIT, &hu->flags))
goto no_schedule;
set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state);
@@ -278,7 +280,8 @@ static int hci_uart_send_frame(struct hc
percpu_down_read(&hu->proto_lock);
- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
+ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
+ !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
percpu_up_read(&hu->proto_lock);
return -EUNATCH;
}
@@ -579,7 +582,8 @@ static void hci_uart_tty_wakeup(struct t
if (tty != hu->tty)
return;
- if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
+ if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
+ test_bit(HCI_UART_PROTO_INIT, &hu->flags))
hci_uart_tx_wakeup(hu);
}
@@ -605,7 +609,8 @@ static void hci_uart_tty_receive(struct
percpu_down_read(&hu->proto_lock);
- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
+ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
+ !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
percpu_up_read(&hu->proto_lock);
return;
}
@@ -706,13 +711,16 @@ static int hci_uart_set_proto(struct hci
hu->proto = p;
- set_bit(HCI_UART_PROTO_READY, &hu->flags);
+ set_bit(HCI_UART_PROTO_INIT, &hu->flags);
err = hci_uart_register_dev(hu);
if (err) {
return err;
}
+ set_bit(HCI_UART_PROTO_READY, &hu->flags);
+ clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
+
return 0;
}
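Review bot: when hci_uart_register_dev() fails, the `return err;` path leaves `HCI_UART_PROTO_INIT` set, so the checks relaxed elsewhere in this patch would keep treating the protocol as usable after a failed registration. Add `clear_bit(HCI_UART_PROTO_INIT, &hu->flags);` before `return err;`, and keep the current order on success (set READY, then clear INIT) so there is no window with neither bit set.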
--- a/drivers/bluetooth/hci_uart.h
+++ b/drivers/bluetooth/hci_uart.h
@@ -89,6 +89,7 @@ struct hci_uart {
#define HCI_UART_PROTO_SET 0
#define HCI_UART_REGISTERED 1
#define HCI_UART_PROTO_READY 2
+#define HCI_UART_PROTO_INIT 4
/* TX states */
#define HCI_UART_SENDING 1
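Review bot: `HCI_UART_PROTO_INIT` is given bit 4 while the visible flags stop at 2, so bit 3 is skipped without explanation. If 3 is already used elsewhere in this header that is fine; otherwise use the next free number, and add a short comment next to the define describing the INIT state (protocol selected, device registration still in progress).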
* [PATCH 5.10 100/286] pwm: mediatek: always use bus clock for PWM on MT7622
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Golle,
AngeloGioacchino Del Regno, Uwe Kleine-König, Thierry Reding
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Golle <daniel@makrotopia.org>
commit aa3c668f2f98856af96e13f44da6ca4f26f0b98c upstream.
According to MT7622 Reference Manual for Development Board v1.0 the PWM
unit found in the MT7622 SoC also comes with the PWM_CK_26M_SEL register
at offset 0x210 just like other modern MediaTek ARM64 SoCs.
And also MT7622 sets that register to 0x00000001 on reset which is
described as 'Select 26M fix CLK as BCLK' in the datasheet.
Hence set has_ck_26m_sel to true also for MT7622 which results in the
driver writing 0 to the PWM_CK_26M_SEL register which is described as
'Select bus CLK as BCLK'.
Fixes: 0c0ead76235db0 ("pwm: mediatek: Always use bus clock")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/Y1iF2slvSblf6bYK@makrotopia.org
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/pwm-mediatek.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pwm/pwm-mediatek.c
+++ b/drivers/pwm/pwm-mediatek.c
@@ -297,7 +297,7 @@ static const struct pwm_mediatek_of_data
static const struct pwm_mediatek_of_data mt7622_pwm_data = {
.num_pwms = 6,
.pwm45_fixup = false,
- .has_ck_26m_sel = false,
+ .has_ck_26m_sel = true,
};
static const struct pwm_mediatek_of_data mt7623_pwm_data = {
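Review bot: flipping `.has_ck_26m_sel` to true for `mt7622_pwm_data` changes what the driver writes to hardware on every MT7622 board, yet the justification (register at offset 0x210, reset value selecting the 26M clock) lives only in the commit message. A brief comment on the field or the struct citing the reference manual would keep the reason next to the data.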
* [PATCH 5.10 101/286] HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaixin Wang, Andy Shevchenko,
Sebastian Reichel
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
commit e3f88665a78045fe35c7669d2926b8d97b892c11 upstream.
In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.
If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| ssip_xmit_work
ssi_protocol_remove |
kfree(ssi); |
| struct hsi_client *cl = ssi->cl;
| // use ssi
Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().
Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20240918120749.1730-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hsi/clients/ssi_protocol.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/hsi/clients/ssi_protocol.c
+++ b/drivers/hsi/clients/ssi_protocol.c
@@ -403,6 +403,7 @@ static void ssip_reset(struct hsi_client
del_timer(&ssi->rx_wd);
del_timer(&ssi->tx_wd);
del_timer(&ssi->keep_alive);
+ cancel_work_sync(&ssi->work);
ssi->main_state = 0;
ssi->send_state = 0;
ssi->recv_state = 0;
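Review bot: `cancel_work_sync(&ssi->work)` is placed after three `del_timer()` calls, and del_timer() does not wait for a handler that is already running, so if any of those timer callbacks can lead to `ssi->work` being scheduled, the work may be queued again after the cancel returns. The commit message also talks about ssi_protocol_remove() while the call lands in ssip_reset(); since cancel_work_sync() can sleep, please confirm every caller of ssip_reset() runs in process context without spinlocks held, and consider del_timer_sync() for the timers.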
* [PATCH 5.10 102/286] wifi: at76c50x: fix use after free access in at76_disconnect
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Johannes Berg,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <abdun.nihaal@gmail.com>
[ Upstream commit 27c7e63b3cb1a20bb78ed4a36c561ea4579fd7da ]
The memory pointed to by priv is freed at the end of at76_delete_device
function (using ieee80211_free_hw). But the code then accesses the udev
field of the freed object to put the USB device. This may also lead to a
memory leak of the usb device. Fix this by using udev from interface.
Fixes: 29e20aa6c6af ("at76c50x-usb: fix use after free on failure path in at76_probe()")
Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Link: https://patch.msgid.link/20250330103110.44080-1-abdun.nihaal@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/atmel/at76c50x-usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/atmel/at76c50x-usb.c b/drivers/net/wireless/atmel/at76c50x-usb.c
index 4042578000331..706de33d0ed49 100644
--- a/drivers/net/wireless/atmel/at76c50x-usb.c
+++ b/drivers/net/wireless/atmel/at76c50x-usb.c
@@ -2553,7 +2553,7 @@ static void at76_disconnect(struct usb_interface *interface)
wiphy_info(priv->hw->wiphy, "disconnecting\n");
at76_delete_device(priv);
- usb_put_dev(priv->udev);
+ usb_put_dev(interface_to_usbdev(interface));
dev_info(&interface->dev, "disconnected\n");
}
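Review bot: after at76_delete_device(priv) returns, priv is dangling for the rest of at76_disconnect(), and nothing in the function says so. The replacement usb_put_dev(interface_to_usbdev(interface)) is right, but a one-line comment above it (or taking the usb_device pointer into a local before the delete) would keep a later change from reintroducing a priv-> access here.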
--
2.39.5
* [PATCH 5.10 103/286] wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue()
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Remi Pommarel, Johannes Berg,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Remi Pommarel <repk@triplefau.lt>
[ Upstream commit a104042e2bf6528199adb6ca901efe7b60c2c27f ]
The ieee80211 skb control block key (set when skb was queued) could have
been removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue()
already called ieee80211_tx_h_select_key() to get the current key, but
the latter does not update the key in skb control block in case it is
NULL. Because some drivers actually use this key in their TX callbacks
(e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free
below:
BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c
Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440
CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2
Hardware name: HW (DT)
Workqueue: bat_events batadv_send_outstanding_bcast_packet
Call trace:
show_stack+0x14/0x1c (C)
dump_stack_lvl+0x58/0x74
print_report+0x164/0x4c0
kasan_report+0xac/0xe8
__asan_report_load4_noabort+0x1c/0x24
ath11k_mac_op_tx+0x590/0x61c
ieee80211_handle_wake_tx_queue+0x12c/0x1c8
ieee80211_queue_skb+0xdcc/0x1b4c
ieee80211_tx+0x1ec/0x2bc
ieee80211_xmit+0x224/0x324
__ieee80211_subif_start_xmit+0x85c/0xcf8
ieee80211_subif_start_xmit+0xc0/0xec4
dev_hard_start_xmit+0xf4/0x28c
__dev_queue_xmit+0x6ac/0x318c
batadv_send_skb_packet+0x38c/0x4b0
batadv_send_outstanding_bcast_packet+0x110/0x328
process_one_work+0x578/0xc10
worker_thread+0x4bc/0xc7c
kthread+0x2f8/0x380
ret_from_fork+0x10/0x20
Allocated by task 1906:
kasan_save_stack+0x28/0x4c
kasan_save_track+0x1c/0x40
kasan_save_alloc_info+0x3c/0x4c
__kasan_kmalloc+0xac/0xb0
__kmalloc_noprof+0x1b4/0x380
ieee80211_key_alloc+0x3c/0xb64
ieee80211_add_key+0x1b4/0x71c
nl80211_new_key+0x2b4/0x5d8
genl_family_rcv_msg_doit+0x198/0x240
<...>
Freed by task 1494:
kasan_save_stack+0x28/0x4c
kasan_save_track+0x1c/0x40
kasan_save_free_info+0x48/0x94
__kasan_slab_free+0x48/0x60
kfree+0xc8/0x31c
kfree_sensitive+0x70/0x80
ieee80211_key_free_common+0x10c/0x174
ieee80211_free_keys+0x188/0x46c
ieee80211_stop_mesh+0x70/0x2cc
ieee80211_leave_mesh+0x1c/0x60
cfg80211_leave_mesh+0xe0/0x280
cfg80211_leave+0x1e0/0x244
<...>
Reset SKB control block key before calling ieee80211_tx_h_select_key()
to avoid that.
Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Link: https://patch.msgid.link/06aa507b853ca385ceded81c18b0a6dd0f081bc8.1742833382.git.repk@triplefau.lt
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/tx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 0d6d12fc3c07e..5615575595efb 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3691,6 +3691,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
* The key can be removed while the packet was queued, so need to call
* this here to get the current key.
*/
+ info->control.hw_key = NULL;
r = ieee80211_tx_h_select_key(&tx);
if (r != TX_CONTINUE) {
ieee80211_free_txskb(&local->hw, skb);
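Review bot: info->control.hw_key is cleared unconditionally before ieee80211_tx_h_select_key(&tx), so every dequeued frame now depends on that handler setting the key again whenever one is still needed, and the comment above the call does not mention the reset or why it is required. Please extend that comment. Note also that 112/286 later in this series reverts this exact line, so the pair changes nothing in the resulting tree.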
--
2.39.5
* [PATCH 5.10 104/286] wifi: mac80211: Purge vif txq in ieee80211_do_stop()
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Remi Pommarel, Johannes Berg,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Remi Pommarel <repk@triplefau.lt>
[ Upstream commit 378677eb8f44621ecc9ce659f7af61e5baa94d81 ]
After ieee80211_do_stop() SKB from vif's txq could still be processed.
Indeed another concurrent vif schedule_and_wake_txq call could cause
those packets to be dequeued (see ieee80211_handle_wake_tx_queue())
without checking the sdata current state.
Because vif.drv_priv is now cleared in this function, this could lead to
driver crash.
For example in ath12k, ahvif is stored in vif.drv_priv. Thus if
ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be
NULL, leading the ath12k_warn(ahvif->ah,...) call in this function to
trigger the NULL deref below.
Unable to handle kernel paging request at virtual address dfffffc000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
batman_adv: bat0: Interface deactivated: brbh1337
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfffffc000000001] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] SMP
CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114
Hardware name: HW (DT)
pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]
lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]
sp : ffffffc086ace450
x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4
x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e
x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0
x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958
x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8
x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03
x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40
x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0
x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001
x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008
Call trace:
ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)
ieee80211_handle_wake_tx_queue+0x16c/0x260
ieee80211_queue_skb+0xeec/0x1d20
ieee80211_tx+0x200/0x2c8
ieee80211_xmit+0x22c/0x338
__ieee80211_subif_start_xmit+0x7e8/0xc60
ieee80211_subif_start_xmit+0xc4/0xee0
__ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0
ieee80211_subif_start_xmit_8023+0x124/0x488
dev_hard_start_xmit+0x160/0x5a8
__dev_queue_xmit+0x6f8/0x3120
br_dev_queue_push_xmit+0x120/0x4a8
__br_forward+0xe4/0x2b0
deliver_clone+0x5c/0xd0
br_flood+0x398/0x580
br_dev_xmit+0x454/0x9f8
dev_hard_start_xmit+0x160/0x5a8
__dev_queue_xmit+0x6f8/0x3120
ip6_finish_output2+0xc28/0x1b60
__ip6_finish_output+0x38c/0x638
ip6_output+0x1b4/0x338
ip6_local_out+0x7c/0xa8
ip6_send_skb+0x7c/0x1b0
ip6_push_pending_frames+0x94/0xd0
rawv6_sendmsg+0x1a98/0x2898
inet_sendmsg+0x94/0xe0
__sys_sendto+0x1e4/0x308
__arm64_sys_sendto+0xc4/0x140
do_el0_svc+0x110/0x280
el0_svc+0x20/0x60
el0t_64_sync_handler+0x104/0x138
el0t_64_sync+0x154/0x158
To avoid that, empty vif's txq at ieee80211_do_stop() so no packet could
be dequeued after ieee80211_do_stop() (new packets cannot be queued
because SDATA_STATE_RUNNING is cleared at this point).
Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Link: https://patch.msgid.link/ff7849e268562456274213c0476e09481a48f489.1742833382.git.repk@triplefau.lt
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/iface.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 55e3dfa7505d4..644eabaf10e31 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -595,6 +595,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
ieee80211_txq_remove_vlan(local, sdata);
+ if (sdata->vif.txq)
+ ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq));
+
sdata->bss = NULL;
if (local->open_count == 0)
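Review bot: the new ieee80211_txq_purge() call passes sdata->local while the line directly above it uses the local variable in ieee80211_txq_remove_vlan(local, sdata); use local here too for consistency. A short comment saying the purge is there so that no frame can be dequeued for this vif once stop has run would also help, since that reasoning is only in the commit message.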
--
2.39.5
* [PATCH 5.10 105/286] wifi: wl1251: fix memory leak in wl1251_tx_work
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Michael Nemanov,
Johannes Berg, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <abdun.nihaal@gmail.com>
[ Upstream commit a0f0dc96de03ffeefc2a177b7f8acde565cb77f4 ]
The skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails
with a -ETIMEDOUT error. Fix that by queueing the skb back to tx_queue.
Fixes: c5483b719363 ("wl12xx: check if elp wakeup failed")
Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Reviewed-by: Michael Nemanov <michael.nemanov@ti.com>
Link: https://patch.msgid.link/20250330104532.44935-1-abdun.nihaal@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ti/wl1251/tx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
index 98cd39619d579..5771f61392efb 100644
--- a/drivers/net/wireless/ti/wl1251/tx.c
+++ b/drivers/net/wireless/ti/wl1251/tx.c
@@ -342,8 +342,10 @@ void wl1251_tx_work(struct work_struct *work)
while ((skb = skb_dequeue(&wl->tx_queue))) {
if (!woken_up) {
ret = wl1251_ps_elp_wakeup(wl);
- if (ret < 0)
+ if (ret < 0) {
+ skb_queue_head(&wl->tx_queue, skb);
goto out;
+ }
woken_up = true;
}
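Review bot: on the ret < 0 path the skb is put back with skb_queue_head() and the function jumps to out, but nothing in this hunk reschedules the work, so the frame waits in tx_queue until some later event runs wl1251_tx_work() again. Please confirm that a retry is guaranteed; otherwise a wakeup that keeps timing out leaves frames parked in the queue rather than leaking one skb.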
--
2.39.5
* [PATCH 5.10 106/286] scsi: iscsi: Fix missing scsi_host_put() in error path
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Mike Christie,
Martin K. Petersen, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 72eea84a1092b50a10eeecfeba4b28ac9f1312ab ]
Add goto to ensure scsi_host_put() is called in all error paths of
iscsi_set_host_param() function. This fixes a potential memory leak when
strlen() check fails.
Fixes: ce51c8170084 ("scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20250318094344.91776-1-linmq006@gmail.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_transport_iscsi.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
index c636a6d3bdcc1..548adbe544444 100644
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3185,11 +3185,14 @@ iscsi_set_host_param(struct iscsi_transport *transport,
}
/* see similar check in iscsi_if_set_param() */
- if (strlen(data) > ev->u.set_host_param.len)
- return -EINVAL;
+ if (strlen(data) > ev->u.set_host_param.len) {
+ err = -EINVAL;
+ goto out;
+ }
err = transport->set_host_param(shost, ev->u.set_host_param.param,
data, ev->u.set_host_param.len);
+out:
scsi_host_put(shost);
return err;
}
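Review bot: strlen(data) in the reworked check walks data until it finds a NUL byte, so comparing the result with ev->u.set_host_param.len only bounds the string if the payload is already known to be terminated inside the received message, and that guarantee is not visible in this hunk. The goto out change itself is fine and makes scsi_host_put(shost) the single exit; a length-bounded check such as strnlen() would make the validation self-contained.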
--
2.39.5
* [PATCH 5.10 107/286] RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe()
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yue Haibing, Zhu Yanjun,
Jason Gunthorpe, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yue Haibing <yuehaibing@huawei.com>
[ Upstream commit 95ba3850fed03e01b422ab5d7943aeba130c9723 ]
drivers/infiniband/hw/usnic/usnic_ib_main.c:590
usnic_ib_pci_probe() warn: passing zero to 'PTR_ERR'
Make usnic_ib_device_add() return NULL on fail path, also remove
useless NULL check for usnic_ib_discover_pf()
Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver")
Link: https://patch.msgid.link/r/20250324123132.2392077-1-yuehaibing@huawei.com
Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/infiniband/hw/usnic/usnic_ib_main.c b/drivers/infiniband/hw/usnic/usnic_ib_main.c
index aa2e65fc5cd65..ea3e28e3e0b29 100644
--- a/drivers/infiniband/hw/usnic/usnic_ib_main.c
+++ b/drivers/infiniband/hw/usnic/usnic_ib_main.c
@@ -378,7 +378,7 @@ static void *usnic_ib_device_add(struct pci_dev *dev)
if (!us_ibdev) {
usnic_err("Device %s context alloc failed\n",
netdev_name(pci_get_drvdata(dev)));
- return ERR_PTR(-EFAULT);
+ return NULL;
}
us_ibdev->ufdev = usnic_fwd_dev_alloc(dev);
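Review bot: usnic_ib_device_add() now reports this failure as NULL, and the caller in the next hunk only tests !us_ibdev, so any other failure path in this function that still returns ERR_PTR() would be taken as a valid device pointer. The remaining returns are not visible here; please confirm they all return NULL, and document the NULL-on-failure contract above the function, since it returns a bare void *.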
@@ -519,8 +519,8 @@ static struct usnic_ib_dev *usnic_ib_discover_pf(struct usnic_vnic *vnic)
}
us_ibdev = usnic_ib_device_add(parent_pci);
- if (IS_ERR_OR_NULL(us_ibdev)) {
- us_ibdev = us_ibdev ? us_ibdev : ERR_PTR(-EFAULT);
+ if (!us_ibdev) {
+ us_ibdev = ERR_PTR(-EFAULT);
goto out;
}
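Review bot: every failure of usnic_ib_device_add() is mapped to -EFAULT at us_ibdev = ERR_PTR(-EFAULT), including the context allocation failure in the previous hunk, where -ENOMEM would describe the cause better. If the distinct errno matters to callers, have usnic_ib_device_add() return ERR_PTR() consistently and keep an IS_ERR() check here instead.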
@@ -583,10 +583,10 @@ static int usnic_ib_pci_probe(struct pci_dev *pdev,
}
pf = usnic_ib_discover_pf(vf->vnic);
- if (IS_ERR_OR_NULL(pf)) {
- usnic_err("Failed to discover pf of vnic %s with err%ld\n",
- pci_name(pdev), PTR_ERR(pf));
- err = pf ? PTR_ERR(pf) : -EFAULT;
+ if (IS_ERR(pf)) {
+ err = PTR_ERR(pf);
+ usnic_err("Failed to discover pf of vnic %s with err%d\n",
+ pci_name(pdev), err);
goto out_clean_vnic;
}
--
2.39.5
* [PATCH 5.10 108/286] RDMA/hns: Fix wrong maximum DMA segment size
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chengchang Tang, Junxian Huang,
Jason Gunthorpe, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengchang Tang <tangchengchang@huawei.com>
[ Upstream commit 9beb2c91fb86e0be70a5833c6730441fa3c9efa8 ]
Set maximum DMA segment size to 2G instead of UINT_MAX due to HW limit.
Fixes: e0477b34d9d1 ("RDMA: Explicitly pass in the dma_device to ib_register_device")
Link: https://patch.msgid.link/r/20250327114724.3454268-3-huangjunxian6@hisilicon.com
Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
index f520e43e4e146..3c79668c6b3b5 100644
--- a/drivers/infiniband/hw/hns/hns_roce_main.c
+++ b/drivers/infiniband/hw/hns/hns_roce_main.c
@@ -552,7 +552,7 @@ static int hns_roce_register_device(struct hns_roce_dev *hr_dev)
if (ret)
return ret;
}
- dma_set_max_seg_size(dev, UINT_MAX);
+ dma_set_max_seg_size(dev, SZ_2G);
ret = ib_register_device(ib_dev, "hns_%d", dev);
if (ret) {
dev_err(dev, "ib_register_device failed!\n");
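Review bot: dma_set_max_seg_size(dev, SZ_2G) hard-codes a hardware limit that is explained only in the commit message. Add a comment at the call, or a named driver constant, stating that the HW limit is 2G, so the value is not widened back to UINT_MAX by a later cleanup.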
--
2.39.5
* [PATCH 5.10 109/286] RDMA/core: Silence oversized kvmalloc() warning
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Leon Romanovsky,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit 9a0e6f15029e1a8a21e40f06fd05aa52b7f063de ]
syzkaller triggered an oversized kvmalloc() warning.
Silence it by adding __GFP_NOWARN.
syzkaller log:
WARNING: CPU: 7 PID: 518 at mm/util.c:665 __kvmalloc_node_noprof+0x175/0x180
CPU: 7 UID: 0 PID: 518 Comm: c_repro Not tainted 6.11.0-rc6+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:__kvmalloc_node_noprof+0x175/0x180
RSP: 0018:ffffc90001e67c10 EFLAGS: 00010246
RAX: 0000000000000100 RBX: 0000000000000400 RCX: ffffffff8149d46b
RDX: 0000000000000000 RSI: ffff8881030fae80 RDI: 0000000000000002
RBP: 000000712c800000 R08: 0000000000000100 R09: 0000000000000000
R10: ffffc90001e67c10 R11: 0030ae0601000000 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000
FS: 00007fde79159740(0000) GS:ffff88813bdc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000180 CR3: 0000000105eb4005 CR4: 00000000003706b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ib_umem_odp_get+0x1f6/0x390
mlx5_ib_reg_user_mr+0x1e8/0x450
ib_uverbs_reg_mr+0x28b/0x440
ib_uverbs_write+0x7d3/0xa30
vfs_write+0x1ac/0x6c0
ksys_write+0x134/0x170
? __sanitizer_cov_trace_pc+0x1c/0x50
do_syscall_64+0x50/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: 37824952dc8f ("RDMA/odp: Use kvcalloc for the dma_list and page_list")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Link: https://patch.msgid.link/c6cb92379de668be94894f49c2cfa40e73f94d56.1742388096.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/umem_odp.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/core/umem_odp.c b/drivers/infiniband/core/umem_odp.c
index af4af4789ef27..dd69b20ed286d 100644
--- a/drivers/infiniband/core/umem_odp.c
+++ b/drivers/infiniband/core/umem_odp.c
@@ -78,12 +78,14 @@ static inline int ib_init_umem_odp(struct ib_umem_odp *umem_odp,
npfns = (end - start) >> PAGE_SHIFT;
umem_odp->pfn_list = kvcalloc(
- npfns, sizeof(*umem_odp->pfn_list), GFP_KERNEL);
+ npfns, sizeof(*umem_odp->pfn_list),
+ GFP_KERNEL | __GFP_NOWARN);
if (!umem_odp->pfn_list)
return -ENOMEM;
umem_odp->dma_list = kvcalloc(
- ndmas, sizeof(*umem_odp->dma_list), GFP_KERNEL);
+ ndmas, sizeof(*umem_odp->dma_list),
+ GFP_KERNEL | __GFP_NOWARN);
if (!umem_odp->dma_list) {
ret = -ENOMEM;
goto out_pfn_list;
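Review bot: __GFP_NOWARN on both kvcalloc() calls hides the warning, but npfns is still computed as (end - start) >> PAGE_SHIFT from a range that the syzkaller trace shows arriving through ib_uverbs_reg_mr(), so an oversized request still reaches the allocator and only fails there with -ENOMEM. Consider rejecting an implausible page count before allocating, so the limit is explicit rather than left to kvmalloc.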
--
2.39.5
* [PATCH 5.10 110/286] Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit eb73b5a9157221f405b4fe32751da84ee46b7a25 ]
This fixes sending MGMT_EV_DEVICE_FOUND for invalid address
(00:00:00:00:00:00) which is a regression introduced by
a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report")
since in the attempt to skip storing data for extended advertisement it
actually made the code skip the entire if statement supposed to send
MGMT_EV_DEVICE_FOUND without attempting to use the last_addr_adv which
is guaranteed to be invalid for extended advertisement since we never
store anything on it.
Link: https://github.com/bluez/bluez/issues/1157
Link: https://github.com/bluez/bluez/issues/1149#issuecomment-2767215658
Fixes: a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_event.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 546795425119b..7f26c1aab9a06 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5644,11 +5644,12 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
* event or send an immediate device found event if the data
* should not be stored for later.
*/
- if (!ext_adv && !has_pending_adv_report(hdev)) {
+ if (!has_pending_adv_report(hdev)) {
/* If the report will trigger a SCAN_REQ store it for
* later merging.
*/
- if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
+ if (!ext_adv && (type == LE_ADV_IND ||
+ type == LE_ADV_SCAN_IND)) {
store_pending_adv_report(hdev, bdaddr, bdaddr_type,
rssi, flags, data, len);
return;
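Review bot: the inner comment still reads "If the report will trigger a SCAN_REQ store it for later merging", but with !ext_adv moved into the inner condition an extended advertising report of type LE_ADV_IND or LE_ADV_SCAN_IND is now deliberately not stored and continues past this inner block. Please say so in the comment, so the next reader does not move the ext_adv test back out to the outer if.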
--
2.39.5
* [PATCH 5.10 111/286] Bluetooth: btrtl: Prevent potential NULL dereference
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Hans de Goede,
Luiz Augusto von Dentz, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 324dddea321078a6eeb535c2bff5257be74c9799 ]
The btrtl_initialize() function checks that rtl_load_file() either
had an error or it loaded a zero length file. However, if it loaded
a zero length file then the error code is not set correctly. It
results in an error pointer vs NULL bug, followed by a NULL pointer
dereference. This was detected by Smatch:
drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR'
Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btrtl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
index 3a9afc905f243..77de43d8d7962 100644
--- a/drivers/bluetooth/btrtl.c
+++ b/drivers/bluetooth/btrtl.c
@@ -625,6 +625,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
rtl_dev_err(hdev, "mandatory config file %s not found",
btrtl_dev->ic_info->cfg_name);
ret = btrtl_dev->cfg_len;
+ if (!ret)
+ ret = -EINVAL;
goto err_free;
}
}
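Review bot: when cfg_len is 0 the new fallback sets ret = -EINVAL, but the rtl_dev_err() just above still logs "mandatory config file %s not found", which is misleading for a file that was loaded and is empty. Consider a separate message for the zero-length case so the log matches the returned error.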
--
2.39.5
* [PATCH 5.10 112/286] Revert "wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue()"
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bert Karwatzki, Johannes Berg,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 0937cb5f345c79d702b4d0d744e2a2529b551cb2 ]
This reverts commit a104042e2bf6528199adb6ca901efe7b60c2c27f.
Since the original bug seems to have been around for years,
but a new issue was reported with the fix, revert the fix for
now. We have a couple of weeks to figure it out for this
release, if needed.
Reported-by: Bert Karwatzki <spasswolf@web.de>
Closes: https://lore.kernel.org/linux-wireless/20250410215527.3001-1-spasswolf@web.de
Fixes: a104042e2bf6 ("wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/tx.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 5615575595efb..0d6d12fc3c07e 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3691,7 +3691,6 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
* The key can be removed while the packet was queued, so need to call
* this here to get the current key.
*/
- info->control.hw_key = NULL;
r = ieee80211_tx_h_select_key(&tx);
if (r != TX_CONTINUE) {
ieee80211_free_txskb(&local->hw, skb);
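Review bot: this removes the info->control.hw_key = NULL line that 103/286 adds earlier in the same series, so applying both leaves net/mac80211/tx.c unchanged and the stale-key case described in 103/286 is still present afterwards. Dropping both patches from the queue would give the same tree with less churn; the commit message also does not say what the newly reported issue was, only the Closes: link.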
--
2.39.5
* [PATCH 5.10 113/286] igc: handle the IGC_PTP_ENABLED flag correctly
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christopher S M Hall,
Corinna Vinschen, Jacob Keller, Mor Bar-Gabay,
Vinicius Costa Gomes, Tony Nguyen, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christopher S M Hall <christopher.s.hall@intel.com>
[ Upstream commit 26a3910afd111f7c1a96dace6dc02f3225063896 ]
All functions in igc_ptp.c called from igc_main.c should check the
IGC_PTP_ENABLED flag. Adding check for this flag to stop and reset
functions.
Fixes: 5f2958052c58 ("igc: Add basic skeleton for PTP")
Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_ptp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
index 25b238c6a675c..d99f597a83be5 100644
--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
+++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
@@ -578,8 +578,12 @@ void igc_ptp_suspend(struct igc_adapter *adapter)
**/
void igc_ptp_stop(struct igc_adapter *adapter)
{
+ if (!(adapter->ptp_flags & IGC_PTP_ENABLED))
+ return;
+
igc_ptp_suspend(adapter);
+ adapter->ptp_flags &= ~IGC_PTP_ENABLED;
if (adapter->ptp_clock) {
ptp_clock_unregister(adapter->ptp_clock);
netdev_info(adapter->netdev, "PHC removed\n");
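Review bot: the early return on !(adapter->ptp_flags & IGC_PTP_ENABLED) in igc_ptp_stop() also skips the if (adapter->ptp_clock) unregister further down, which is only correct if IGC_PTP_ENABLED is set whenever ptp_clock is registered. Where the flag is set is not visible in this patch; please confirm, or test adapter->ptp_clock independently of the flag.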
@@ -598,6 +602,9 @@ void igc_ptp_reset(struct igc_adapter *adapter)
struct igc_hw *hw = &adapter->hw;
unsigned long flags;
+ if (!(adapter->ptp_flags & IGC_PTP_ENABLED))
+ return;
+
/* reset the tstamp_config */
igc_ptp_set_timestamp_mode(adapter, &adapter->tstamp_config);
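Review bot: the IGC_PTP_ENABLED test in igc_ptp_reset() is a plain read of ptp_flags, while igc_ptp_stop() in the previous hunk clears the bit with a plain &=, and no lock is visible around either access. If reset and stop can run concurrently, reset can pass the check and then touch PTP state that stop is tearing down; please state which lock or calling context serialises them.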
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 114/286] igc: cleanup PTP module if probe fails
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christopher S M Hall,
Corinna Vinschen, Jacob Keller, Mor Bar-Gabay,
Vinicius Costa Gomes, Tony Nguyen, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christopher S M Hall <christopher.s.hall@intel.com>
[ Upstream commit 1f025759ba394dd53e434d2668cb0597886d9b69 ]
Make sure that the PTP module is cleaned up if the igc_probe() fails by
calling igc_ptp_stop() on exit.
Fixes: d89f88419f99 ("igc: Add skeletal frame for Intel(R) 2.5G Ethernet Controller support")
Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index 65cf7035b02d5..7593e8b7469c5 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -5405,6 +5405,7 @@ static int igc_probe(struct pci_dev *pdev,
err_register:
igc_release_hw_control(adapter);
+ igc_ptp_stop(adapter);
err_eeprom:
if (!igc_check_reset_block(hw))
igc_reset_phy(hw);
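Review bot: igc_ptp_stop() is added only under err_register in igc_probe(), so error paths that jump straight to err_eeprom never reach it. Please confirm that PTP initialisation happens after the last "goto err_eeprom"; otherwise the call belongs under a label those paths also fall through. Calling it on an adapter whose PTP setup never completed relies on the IGC_PTP_ENABLED early return added in 113/286, so the two patches need to land together.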
--
2.39.5
* [PATCH 5.10 115/286] net: openvswitch: fix nested key length validation in the set() action
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b07a9da40df1576b8048,
Ilya Maximets, Eelco Chaudron, Aaron Conole, Jakub Kicinski,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Maximets <i.maximets@ovn.org>
[ Upstream commit 65d91192aa66f05710cfddf6a14b5a25ee554dba ]
It's not safe to access nla_len(ovs_key) if the data is smaller than
the netlink header. Check that the attribute is OK first.
Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
Reported-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b07a9da40df1576b8048
Tested-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Reviewed-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20250412104052.2073688-1-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow_netlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index cff18a5bbf386..3f8f43dbf44fc 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2834,7 +2834,8 @@ static int validate_set(const struct nlattr *a,
size_t key_len;
/* There can be only one key in a action */
- if (nla_total_size(nla_len(ovs_key)) != nla_len(a))
+ if (!nla_ok(ovs_key, nla_len(a)) ||
+ nla_total_size(nla_len(ovs_key)) != nla_len(a))
return -EINVAL;
key_len = nla_len(ovs_key);
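Review bot: the comment "There can be only one key in a action" above the condition in validate_set() now covers only its second half. The nla_ok(ovs_key, nla_len(a)) term is what makes the following nla_len(ovs_key) reads safe, and it has to stay first so that short-circuit evaluation skips the length comparison on a truncated attribute; please extend the comment to say so, since reordering the two terms would silently reintroduce the unsafe access. It is also worth noting there that key_len is a size_t assigned from nla_len(ovs_key), which is known to be non-negative only because nla_ok() has passed.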
--
2.39.5
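The check order that patch 115/286 introduces in validate_set(), modelled in userspace as an added example (not code from this thread or from the kernel tree). The m_* helpers, the 16-byte backing buffer and run_case() are constructed for illustration and assume the usual 4-byte, 4-byte-aligned attribute header.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the netlink attribute header. The m_ names are
 * constructed for this example and mirror the kernel's nla_* helpers. */
struct m_nlattr {
	uint16_t nla_len;	/* header + payload length, as claimed by the sender */
	uint16_t nla_type;
};

#define M_NLA_HDRLEN 4
#define M_NLA_ALIGN(len) (((len) + 3) & ~3)

/* Copy the header out with memcpy so the model has no alignment needs. */
static struct m_nlattr m_hdr(const uint8_t *p)
{
	struct m_nlattr h;

	memcpy(&h, p, sizeof(h));
	return h;
}

static int m_nla_len(const uint8_t *p)
{
	return m_hdr(p).nla_len - M_NLA_HDRLEN;
}

static int m_nla_total_size(int payload)
{
	return M_NLA_ALIGN(M_NLA_HDRLEN + payload);
}

/* Mirrors nla_ok(): the header must fit in what remains, and the claimed
 * length must cover the header and stay inside what remains. */
static int m_nla_ok(const uint8_t *p, int remaining)
{
	if (remaining < M_NLA_HDRLEN)
		return 0;	/* no room for a header: do not read one */
	return m_hdr(p).nla_len >= M_NLA_HDRLEN && m_hdr(p).nla_len <= remaining;
}

/* "Before" form of the condition: the inner header is read without knowing
 * that it lies inside the outer payload. outer_len stands for nla_len(a). */
static int single_key_check_before(const uint8_t *inner, int outer_len)
{
	if (m_nla_total_size(m_nla_len(inner)) != outer_len)
		return -EINVAL;
	return 0;
}

/* "After" form: m_nla_ok() runs first, and short-circuit evaluation keeps
 * the length comparison away from a truncated or malformed header. */
static int single_key_check_after(const uint8_t *inner, int outer_len)
{
	if (!m_nla_ok(inner, outer_len) ||
	    m_nla_total_size(m_nla_len(inner)) != outer_len)
		return -EINVAL;
	return 0;
}

/* Constructed sample input: a zeroed 16-byte backing buffer whose first bytes
 * hold an inner header claiming inner_len. The buffer is larger than
 * outer_len so that the "before" form reads defined bytes in this model; in
 * the kernel those bytes would belong to whatever follows the attribute. */
static int run_case(uint16_t inner_len, int outer_len, int use_after)
{
	uint8_t buf[16] = {0};
	struct m_nlattr h = { .nla_len = inner_len, .nla_type = 1 };

	memcpy(buf, &h, sizeof(h));
	return use_after ? single_key_check_after(buf, outer_len)
			 : single_key_check_before(buf, outer_len);
}

int main(void)
{
	static const struct { uint16_t inner; int outer; const char *what; } c[] = {
		{ 8,  8, "one key, 4-byte payload" },
		{ 5,  8, "one key, 1-byte payload plus padding" },
		{ 8, 16, "key does not fill the outer attribute" },
		{ 12, 8, "key claims more than the outer payload" },
		{ 2,  4, "claimed length shorter than a header" },
		{ 0,  0, "empty outer payload, stray bytes 00 00" },
		{ 8,  0, "empty outer payload, stray bytes 08 00" },
	};

	for (size_t i = 0; i < sizeof(c) / sizeof(c[0]); i++)
		printf("%-42s before=%4d after=%4d\n", c[i].what,
		       run_case(c[i].inner, c[i].outer, 0),
		       run_case(c[i].inner, c[i].outer, 1));
	return 0;
}
```

In the last two rows the outer payload is empty, so the "before" verdict is decided entirely by bytes that are not part of the attribute, while the "after" form rejects both without reading them.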
* [PATCH 5.10 116/286] cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Simon Horman,
Jacob Keller, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <abdun.nihaal@gmail.com>
[ Upstream commit 00ffb3724ce743578163f5ade2884374554ca021 ]
In the for loop used to allocate the loc_array and bmap for each port, a
memory leak is possible when the allocation for loc_array succeeds,
but the allocation for bmap fails. This is because when the control flow
goes to the label free_eth_finfo, only the allocations starting from
(i-1)th iteration are freed.
Fix that by freeing the loc_array in the bmap allocation error path.
Fixes: d915c299f1da ("cxgb4: add skeleton for ethtool n-tuple filters")
Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20250414170649.89156-1-abdun.nihaal@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
index 7080cb6c83e4a..0f36319eb3115 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
@@ -2258,6 +2258,7 @@ int cxgb4_init_ethtool_filters(struct adapter *adap)
GFP_KERNEL);
if (!eth_filter->port[i].bmap) {
ret = -ENOMEM;
+ kvfree(eth_filter->port[i].loc_array);
goto free_eth_finfo;
}
}
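Review bot: in the bmap failure branch of cxgb4_init_ethtool_filters(), kvfree(eth_filter->port[i].loc_array) leaves the pointer dangling while control continues to free_eth_finfo. That is correct only as long as the unwind at free_eth_finfo never touches index i, which the commit message describes but the code does not state. Either set port[i].loc_array to NULL after the kvfree() or add a comment next to the label that it releases entries below i only, so a later change to the unwind loop cannot turn this into a double free.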
--
2.39.5
* [PATCH 5.10 117/286] net: b53: enable BPDU reception for management port
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Jakub Kicinski,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Gorski <jonas.gorski@gmail.com>
[ Upstream commit 36355ddfe8955f226a88a543ed354b9f6b84cd70 ]
For STP to work, receiving BPDUs is essential, but the appropriate bit
was never set. Without GC_RX_BPDU_EN, the switch chip will filter all
BPDUs, even if an appropriate PVID VLAN was set up.
Fixes: ff39c2d68679 ("net: dsa: b53: Add bridge support")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Link: https://patch.msgid.link/20250414200434.194422-1-jonas.gorski@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 2fc33019e814a..d3428e62bef24 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -686,6 +686,15 @@ static void b53_enable_mib(struct b53_device *dev)
b53_write8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, gc);
}
+static void b53_enable_stp(struct b53_device *dev)
+{
+ u8 gc;
+
+ b53_read8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, &gc);
+ gc |= GC_RX_BPDU_EN;
+ b53_write8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, gc);
+}
+
static u16 b53_default_pvid(struct b53_device *dev)
{
if (is5325(dev) || is5365(dev))
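Review bot: b53_enable_stp() ignores the return value of b53_read8(), so if the read of B53_GLOBAL_CONFIG fails, the uninitialised "u8 gc" is ORed with GC_RX_BPDU_EN and written back to the register. Initialise gc, or check the read and skip the write on failure; returning int would also let b53_switch_reset() propagate the error.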
@@ -807,6 +816,7 @@ static int b53_switch_reset(struct b53_device *dev)
}
b53_enable_mib(dev);
+ b53_enable_stp(dev);
return b53_flush_arl(dev, FAST_AGE_STATIC);
}
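Review bot: b53_switch_reset() now performs two back-to-back read-modify-write cycles on B53_GLOBAL_CONFIG, one in b53_enable_mib() and one in b53_enable_stp(). Setting both bits in a single read and write would halve the register accesses; if the helpers stay separate for readability, a short comment explaining why BPDU reception is enabled unconditionally at reset, rather than when a port joins a bridge, would help.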
--
2.39.5
* [PATCH 5.10 118/286] riscv: KGDB: Do not inline arch_kgdb_breakpoint()
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huacai Chen, WangYuli,
Palmer Dabbelt, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
[ Upstream commit 3af4bec9c1db3f003be4d5ae09b6a737e4be1612 ]
The arch_kgdb_breakpoint() function defines the kgdb_compiled_break
symbol using inline assembly.
There's a potential issue where the compiler might inline
arch_kgdb_breakpoint(), which would then define the kgdb_compiled_break
symbol multiple times, leading to a failure to link vmlinux.o.
This isn't merely a potential compilation problem. The intent here
is to determine the global symbol address of kgdb_compiled_break,
and if this function is inlined multiple times, it would logically
be a grave error.
Link: https://lore.kernel.org/all/4b4187c1-77e5-44b7-885f-d6826723dd9a@sifive.com/
Link: https://lore.kernel.org/all/5b0adf9b-2b22-43fe-ab74-68df94115b9a@ghiti.fr/
Link: https://lore.kernel.org/all/23693e7f-4fff-40f3-a437-e06d827278a5@ghiti.fr/
Fixes: fe89bd2be866 ("riscv: Add KGDB support")
Co-developed-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Link: https://lore.kernel.org/r/F22359AFB6FF9FD8+20250411073222.56820-1-wangyuli@uniontech.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/include/asm/kgdb.h | 9 +--------
arch/riscv/kernel/kgdb.c | 8 ++++++++
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/arch/riscv/include/asm/kgdb.h b/arch/riscv/include/asm/kgdb.h
index 46677daf708bd..cc11c4544cffd 100644
--- a/arch/riscv/include/asm/kgdb.h
+++ b/arch/riscv/include/asm/kgdb.h
@@ -19,16 +19,9 @@
#ifndef __ASSEMBLY__
+void arch_kgdb_breakpoint(void);
extern unsigned long kgdb_compiled_break;
-static inline void arch_kgdb_breakpoint(void)
-{
- asm(".global kgdb_compiled_break\n"
- ".option norvc\n"
- "kgdb_compiled_break: ebreak\n"
- ".option rvc\n");
-}
-
#endif /* !__ASSEMBLY__ */
#define DBG_REG_ZERO "zero"
diff --git a/arch/riscv/kernel/kgdb.c b/arch/riscv/kernel/kgdb.c
index 963ed7edcff26..b0db3350d243b 100644
--- a/arch/riscv/kernel/kgdb.c
+++ b/arch/riscv/kernel/kgdb.c
@@ -273,6 +273,14 @@ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
regs->epc = pc;
}
+noinline void arch_kgdb_breakpoint(void)
+{
+ asm(".global kgdb_compiled_break\n"
+ ".option norvc\n"
+ "kgdb_compiled_break: ebreak\n"
+ ".option rvc\n");
+}
+
void kgdb_arch_handle_qxfer_pkt(char *remcom_in_buffer,
char *remcom_out_buffer)
{
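Review bot: arch_kgdb_breakpoint() in kgdb.c has no comment explaining why it is marked noinline. The reason given in the commit message, that the asm body defines the global label kgdb_compiled_break and must therefore be emitted exactly once, should be stated above the function; otherwise a later cleanup could move it back into the header as a static inline.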
--
2.39.5
* [PATCH 5.10 119/286] riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuel Holland, Palmer Dabbelt,
Alexandre Ghiti, WangYuli, Palmer Dabbelt, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
[ Upstream commit 550c2aa787d1b06efcb11de1877354502a1237f2 ]
[ Quoting Samuel Holland: ]
This is a separate issue, but using ".option rvc" here is a bug.
It will unconditionally enable the C extension for the rest of
the file, even if the kernel is being built with CONFIG_RISCV_ISA_C=n.
[ Quoting Palmer Dabbelt: ]
We're just looking at the address of kgdb_compiled_break, so it's
fine if it ends up as a c.ebreak.
[ Quoting Alexandre Ghiti: ]
.option norvc is used to prevent the assembler from using compressed
instructions, but it's generally used when we need to ensure the
size of the instructions that are used, which is not the case here
as noted by Palmer since we only care about the address. So yes
it will work fine with C enabled :)
So let's just remove them all.
Link: https://lore.kernel.org/all/4b4187c1-77e5-44b7-885f-d6826723dd9a@sifive.com/
Link: https://lore.kernel.org/all/mhng-69513841-5068-441d-be8f-2aeebdc56a08@palmer-ri-x1c9a/
Link: https://lore.kernel.org/all/23693e7f-4fff-40f3-a437-e06d827278a5@ghiti.fr/
Fixes: fe89bd2be866 ("riscv: Add KGDB support")
Cc: Samuel Holland <samuel.holland@sifive.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Alexandre Ghiti <alex@ghiti.fr>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Link: https://lore.kernel.org/r/8B431C6A4626225C+20250411073222.56820-2-wangyuli@uniontech.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kernel/kgdb.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/arch/riscv/kernel/kgdb.c b/arch/riscv/kernel/kgdb.c
index b0db3350d243b..1d83b36967212 100644
--- a/arch/riscv/kernel/kgdb.c
+++ b/arch/riscv/kernel/kgdb.c
@@ -276,9 +276,7 @@ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
noinline void arch_kgdb_breakpoint(void)
{
asm(".global kgdb_compiled_break\n"
- ".option norvc\n"
- "kgdb_compiled_break: ebreak\n"
- ".option rvc\n");
+ "kgdb_compiled_break: ebreak\n");
}
void kgdb_arch_handle_qxfer_pkt(char *remcom_in_buffer,
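Review bot: with ".option norvc" removed from arch_kgdb_breakpoint(), the ebreak at kgdb_compiled_break may be assembled as the 2-byte c.ebreak when the C extension is enabled. The commit message argues that only the label's address is used; please add a comment above the asm saying so, and check that no user of kgdb_compiled_break steps the PC past the breakpoint by a fixed 4 bytes.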
--
2.39.5
* [PATCH 5.10 120/286] cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Rafael J. Wysocki,
Christian Loehle, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit cfde542df7dd51d26cf667f4af497878ddffd85a ]
Commit 8e461a1cb43d ("cpufreq: schedutil: Fix superfluous updates caused
by need_freq_update") modified sugov_should_update_freq() to set the
need_freq_update flag only for drivers with CPUFREQ_NEED_UPDATE_LIMITS
set, but that flag generally needs to be set when the policy limits
change because the driver callback may need to be invoked for the new
limits to take effect.
However, if the return value of cpufreq_driver_resolve_freq() after
applying the new limits is still equal to the previously selected
frequency, the driver callback needs to be invoked only in the case
when CPUFREQ_NEED_UPDATE_LIMITS is set (which means that the driver
specifically wants its callback to be invoked every time the policy
limits change).
Update the code accordingly to avoid missing policy limits changes for
drivers without CPUFREQ_NEED_UPDATE_LIMITS.
Fixes: 8e461a1cb43d ("cpufreq: schedutil: Fix superfluous updates caused by need_freq_update")
Closes: https://lore.kernel.org/lkml/Z_Tlc6Qs-tYpxWYb@linaro.org/
Reported-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Link: https://patch.msgid.link/3010358.e9J7NaK4W3@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/cpufreq_schedutil.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
index d8b9e1d25200f..c1307bbdc291b 100644
--- a/kernel/sched/cpufreq_schedutil.c
+++ b/kernel/sched/cpufreq_schedutil.c
@@ -90,7 +90,7 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
if (unlikely(sg_policy->limits_changed)) {
sg_policy->limits_changed = false;
- sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS);
+ sg_policy->need_freq_update = true;
return true;
}
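Review bot: setting need_freq_update to true unconditionally in sugov_should_update_freq() changes what the field means, from "the driver asked for a callback on limits changes" to "the limits changed since the last update". The CPUFREQ_NEED_UPDATE_LIMITS test now lives only in sugov_update_next_freq(), so any other reader of need_freq_update should be checked for the old assumption, and the field's comment in struct sugov_policy updated if it has one.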
@@ -102,10 +102,22 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
static bool sugov_update_next_freq(struct sugov_policy *sg_policy, u64 time,
unsigned int next_freq)
{
- if (sg_policy->need_freq_update)
+ if (sg_policy->need_freq_update) {
sg_policy->need_freq_update = false;
- else if (sg_policy->next_freq == next_freq)
+ /*
+ * The policy limits have changed, but if the return value of
+ * cpufreq_driver_resolve_freq() after applying the new limits
+ * is still equal to the previously selected frequency, the
+ * driver callback need not be invoked unless the driver
+ * specifically wants that to happen on every update of the
+ * policy limits.
+ */
+ if (sg_policy->next_freq == next_freq &&
+ !cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS))
+ return false;
+ } else if (sg_policy->next_freq == next_freq) {
return false;
+ }
sg_policy->next_freq = next_freq;
sg_policy->last_freq_update_time = time;
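Review bot: in the new need_freq_update branch of sugov_update_next_freq(), the flag is cleared before the early "return false", so a limits change that resolves to the same frequency is consumed without a driver callback and without updating last_freq_update_time. That matches the added comment, but the comment could say explicitly that dropping the flag on this path is intentional. cpufreq_driver_test_flags() is evaluated only after the frequency comparison, which keeps it off the common path; that order is worth preserving.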
--
2.39.5
* [PATCH 5.10 121/286] writeback: fix false warning in inode_to_wb()
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Andreas Gruenbacher,
Andrew Morton
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
commit 9e888998ea4d22257b07ce911576509486fa0667 upstream.
inode_to_wb() is used also for filesystems that don't support cgroup
writeback. For these filesystems inode->i_wb is stable during the
lifetime of the inode (it points to bdi->wb) and there's no need to hold
locks protecting the inode->i_wb dereference. Improve the warning in
inode_to_wb() to not trigger for these filesystems.
Link: https://lkml.kernel.org/r/20250412163914.3773459-3-agruenba@redhat.com
Fixes: aaa2cacf8184 ("writeback: add lockdep annotation to inode_to_wb()")
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: Andreas Gruenbacher <agruenba@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/backing-dev.h | 1 +
1 file changed, 1 insertion(+)
--- a/include/linux/backing-dev.h
+++ b/include/linux/backing-dev.h
@@ -281,6 +281,7 @@ static inline struct bdi_writeback *inod
{
#ifdef CONFIG_LOCKDEP
WARN_ON_ONCE(debug_locks &&
+ (inode->i_sb->s_iflags & SB_I_CGROUPWB) &&
(!lockdep_is_held(&inode->i_lock) &&
!lockdep_is_held(&inode->i_mapping->i_pages.xa_lock) &&
!lockdep_is_held(&inode->i_wb->list_lock)));
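Review bot: the added "(inode->i_sb->s_iflags & SB_I_CGROUPWB)" term in inode_to_wb() has no comment, so the reason the lockdep assertion is skipped for some filesystems exists only in the commit message. A one-line comment above WARN_ON_ONCE() saying that inode->i_wb is stable for filesystems without cgroup writeback would keep the condition from reading like an accidental weakening of the check.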
* [PATCH 5.10 122/286] asus-laptop: Fix an uninitialized variable
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Ilpo Järvinen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit 6c683c6887e4addcd6bd1ddce08cafccb0a21e32 upstream.
The value returned by acpi_evaluate_integer() is not checked,
but the result is not always successful, so it is necessary to
add a check of the returned value.
If the result remains negative during three iterations of the loop,
then the uninitialized variable 'val' will be used in the clamp_val()
macro, so it must be initialized with the current value of the 'curr'
variable.
In this case, the algorithm should be less noisy.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: b23910c2194e ("asus-laptop: Pegatron Lucid accelerometer")
Cc: stable@vger.kernel.org
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Link: https://lore.kernel.org/r/20250403122603.18172-1-arefev@swemel.ru
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/asus-laptop.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/platform/x86/asus-laptop.c
+++ b/drivers/platform/x86/asus-laptop.c
@@ -427,11 +427,14 @@ static int asus_pega_lucid_set(struct as
static int pega_acc_axis(struct asus_laptop *asus, int curr, char *method)
{
+ unsigned long long val = (unsigned long long)curr;
+ acpi_status status;
int i, delta;
- unsigned long long val;
- for (i = 0; i < PEGA_ACC_RETRIES; i++) {
- acpi_evaluate_integer(asus->handle, method, NULL, &val);
+ for (i = 0; i < PEGA_ACC_RETRIES; i++) {
+ status = acpi_evaluate_integer(asus->handle, method, NULL, &val);
+ if (ACPI_FAILURE(status))
+ continue;
/* The output is noisy. From reading the ASL
* dissassembly, timeout errors are returned with 1's
* in the high word, and the lack of locking around
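Review bot: in pega_acc_axis(), "unsigned long long val = (unsigned long long)curr" converts a signed int, so a negative curr becomes a very large unsigned value if every acpi_evaluate_integer() call in the retry loop fails. Please check that the code after the loop still yields curr in that case; tracking "no successful read" separately and returning curr directly would avoid relying on the round trip through an unsigned type. The "continue" on ACPI_FAILURE also retries immediately with no delay between attempts, which deserves a comment if intended.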
* [PATCH 5.10 123/286] nfs: move nfs_fhandle_hash to common include file
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit e59fb6749ed833deee5b3cfd7e89925296d41f49 ]
lockd needs to be able to hash filehandles for tracepoints. Move the
nfs_fhandle_hash() helper to a common nfs include file.
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Stable-dep-of: cd35b6cb4664 ("nfs: add missing selections of CONFIG_CRC32")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/internal.h | 15 ---------------
include/linux/nfs.h | 20 ++++++++++++++++++++
2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
index 394a82d470d55..05e807a0ba225 100644
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -776,27 +776,12 @@ u64 nfs_timespec_to_change_attr(const struct timespec64 *ts)
}
#ifdef CONFIG_CRC32
-/**
- * nfs_fhandle_hash - calculate the crc32 hash for the filehandle
- * @fh - pointer to filehandle
- *
- * returns a crc32 hash for the filehandle that is compatible with
- * the one displayed by "wireshark".
- */
-static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
-{
- return ~crc32_le(0xFFFFFFFF, &fh->data[0], fh->size);
-}
static inline u32 nfs_stateid_hash(const nfs4_stateid *stateid)
{
return ~crc32_le(0xFFFFFFFF, &stateid->other[0],
NFS4_STATEID_OTHER_SIZE);
}
#else
-static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
-{
- return 0;
-}
static inline u32 nfs_stateid_hash(nfs4_stateid *stateid)
{
return 0;
diff --git a/include/linux/nfs.h b/include/linux/nfs.h
index b06375e88e589..ceb70a926b95e 100644
--- a/include/linux/nfs.h
+++ b/include/linux/nfs.h
@@ -10,6 +10,7 @@
#include <linux/sunrpc/msg_prot.h>
#include <linux/string.h>
+#include <linux/crc32.h>
#include <uapi/linux/nfs.h>
/*
@@ -44,4 +45,23 @@ enum nfs3_stable_how {
/* used by direct.c to mark verf as invalid */
NFS_INVALID_STABLE_HOW = -1
};
+
+#ifdef CONFIG_CRC32
+/**
+ * nfs_fhandle_hash - calculate the crc32 hash for the filehandle
+ * @fh - pointer to filehandle
+ *
+ * returns a crc32 hash for the filehandle that is compatible with
+ * the one displayed by "wireshark".
+ */
+static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
+{
+ return ~crc32_le(0xFFFFFFFF, &fh->data[0], fh->size);
+}
+#else /* CONFIG_CRC32 */
+static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
+{
+ return 0;
+}
+#endif /* CONFIG_CRC32 */
#endif /* _LINUX_NFS_H */
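Review bot: the kernel-doc block moved into include/linux/nfs.h still uses "@fh - pointer to filehandle"; kernel-doc expects "@fh: pointer to filehandle" and a "Return:" section, and a move into a shared header is a good moment to fix that. Note also that <linux/crc32.h> is now included unconditionally near the top of the header while the helper itself stays under #ifdef CONFIG_CRC32, so every includer of linux/nfs.h picks up the include even when the stub returning 0 is selected.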
--
2.39.5
* [PATCH 5.10 124/286] nfs: add missing selections of CONFIG_CRC32
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Anna Schumaker,
Chuck Lever, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
[ Upstream commit cd35b6cb46649750b7dbd0df0e2d767415d8917b ]
nfs.ko, nfsd.ko, and lockd.ko all use crc32_le(), which is available
only when CONFIG_CRC32 is enabled. But the only NFS kconfig option that
selected CONFIG_CRC32 was CONFIG_NFS_DEBUG, which is client-specific and
did not actually guard the use of crc32_le() even on the client.
The code worked around this bug by only actually calling crc32_le() when
CONFIG_CRC32 is built-in, instead hard-coding '0' in other cases. This
avoided randconfig build errors, and in real kernels the fallback code
was unlikely to be reached since CONFIG_CRC32 is 'default y'. But, this
really needs to just be done properly, especially now that I'm planning
to update CONFIG_CRC32 to not be 'default y'.
Therefore, make CONFIG_NFS_FS, CONFIG_NFSD, and CONFIG_LOCKD select
CONFIG_CRC32. Then remove the fallback code that becomes unnecessary,
as well as the selection of CONFIG_CRC32 from CONFIG_NFS_DEBUG.
Fixes: 1264a2f053a3 ("NFS: refactor code for calculating the crc32 hash of a filehandle")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/Kconfig | 1 +
fs/nfs/Kconfig | 2 +-
fs/nfs/internal.h | 7 -------
fs/nfs/nfs4session.h | 4 ----
fs/nfsd/Kconfig | 1 +
fs/nfsd/nfsfh.h | 7 -------
include/linux/nfs.h | 7 -------
7 files changed, 3 insertions(+), 26 deletions(-)
diff --git a/fs/Kconfig b/fs/Kconfig
index 11b60d160f88f..b2d01d27d4c39 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -316,6 +316,7 @@ config GRACE_PERIOD
config LOCKD
tristate
depends on FILE_LOCKING
+ select CRC32
select GRACE_PERIOD
config LOCKD_V4
diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
index 14a72224b6571..899e25e9b4eb5 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -2,6 +2,7 @@
config NFS_FS
tristate "NFS client support"
depends on INET && FILE_LOCKING && MULTIUSER
+ select CRC32
select LOCKD
select SUNRPC
select NFS_ACL_SUPPORT if NFS_V3_ACL
@@ -194,7 +195,6 @@ config NFS_USE_KERNEL_DNS
config NFS_DEBUG
bool
depends on NFS_FS && SUNRPC_DEBUG
- select CRC32
default y
config NFS_DISABLE_UDP_SUPPORT
diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
index 05e807a0ba225..2fdc7c2a17fe8 100644
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -775,18 +775,11 @@ u64 nfs_timespec_to_change_attr(const struct timespec64 *ts)
return ((u64)ts->tv_sec << 30) + ts->tv_nsec;
}
-#ifdef CONFIG_CRC32
static inline u32 nfs_stateid_hash(const nfs4_stateid *stateid)
{
return ~crc32_le(0xFFFFFFFF, &stateid->other[0],
NFS4_STATEID_OTHER_SIZE);
}
-#else
-static inline u32 nfs_stateid_hash(nfs4_stateid *stateid)
-{
- return 0;
-}
-#endif
static inline bool nfs_error_is_fatal(int err)
{
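Review bot: with the #ifdef CONFIG_CRC32 guard gone, nfs_stateid_hash() in fs/nfs/internal.h calls crc32_le() unconditionally, but nothing in this hunk shows the header including <linux/crc32.h>. Please confirm where the declaration comes from, and prefer an explicit include here so the header stays self-contained. The removed stub took a non-const "nfs4_stateid *" while the remaining definition takes a const pointer, so this hunk also removes a signature mismatch between the two variants.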
diff --git a/fs/nfs/nfs4session.h b/fs/nfs/nfs4session.h
index b996ee23f1bae..8ad99938aae18 100644
--- a/fs/nfs/nfs4session.h
+++ b/fs/nfs/nfs4session.h
@@ -147,16 +147,12 @@ static inline void nfs4_copy_sessionid(struct nfs4_sessionid *dst,
memcpy(dst->data, src->data, NFS4_MAX_SESSIONID_LEN);
}
-#ifdef CONFIG_CRC32
/*
* nfs_session_id_hash - calculate the crc32 hash for the session id
* @session - pointer to session
*/
#define nfs_session_id_hash(sess_id) \
(~crc32_le(0xFFFFFFFF, &(sess_id)->data[0], sizeof((sess_id)->data)))
-#else
-#define nfs_session_id_hash(session) (0)
-#endif
#else /* defined(CONFIG_NFS_V4_1) */
static inline int nfs4_init_session(struct nfs_client *clp)
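Review bot: the comment kept above nfs_session_id_hash() documents "@session - pointer to session", but the macro parameter is sess_id and the argument is a session id, not a session. With the #else variant (the one that named its parameter "session") removed, please update the comment to match the remaining definition.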
diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
index 6d2d498a59573..ba6cfc8caee33 100644
--- a/fs/nfsd/Kconfig
+++ b/fs/nfsd/Kconfig
@@ -4,6 +4,7 @@ config NFSD
depends on INET
depends on FILE_LOCKING
depends on FSNOTIFY
+ select CRC32
select LOCKD
select SUNRPC
select EXPORTFS
diff --git a/fs/nfsd/nfsfh.h b/fs/nfsd/nfsfh.h
index 513e028b0bbee..40aee06ebd952 100644
--- a/fs/nfsd/nfsfh.h
+++ b/fs/nfsd/nfsfh.h
@@ -263,7 +263,6 @@ static inline bool fh_fsid_match(const struct knfsd_fh *fh1,
return true;
}
-#ifdef CONFIG_CRC32
/**
* knfsd_fh_hash - calculate the crc32 hash for the filehandle
* @fh - pointer to filehandle
@@ -275,12 +274,6 @@ static inline u32 knfsd_fh_hash(const struct knfsd_fh *fh)
{
return ~crc32_le(0xFFFFFFFF, fh->fh_raw, fh->fh_size);
}
-#else
-static inline u32 knfsd_fh_hash(const struct knfsd_fh *fh)
-{
- return 0;
-}
-#endif
/**
* fh_clear_pre_post_attrs - Reset pre/post attributes
diff --git a/include/linux/nfs.h b/include/linux/nfs.h
index ceb70a926b95e..095a95c1fae82 100644
--- a/include/linux/nfs.h
+++ b/include/linux/nfs.h
@@ -46,7 +46,6 @@ enum nfs3_stable_how {
NFS_INVALID_STABLE_HOW = -1
};
-#ifdef CONFIG_CRC32
/**
* nfs_fhandle_hash - calculate the crc32 hash for the filehandle
* @fh - pointer to filehandle
@@ -58,10 +57,4 @@ static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
{
return ~crc32_le(0xFFFFFFFF, &fh->data[0], fh->size);
}
-#else /* CONFIG_CRC32 */
-static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
-{
- return 0;
-}
-#endif /* CONFIG_CRC32 */
#endif /* _LINUX_NFS_H */
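Review bot: With the #else stub removed here, nfs_fhandle_hash() in include/linux/nfs.h calls crc32_le() unconditionally, while the Kconfig hunks in this patch add "select CRC32" only in fs/nfs/Kconfig and under NFSD. Please state in the changelog that every caller of this shared-header helper is built only when one of those options is enabled; otherwise a configuration that reaches it without CRC32 goes from a silent hash of 0 to a link failure.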
--
2.39.5
* [PATCH 5.10 125/286] nfsd: decrease sc_count directly if fail to queue dl_recall
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Jeff Layton,
Chuck Lever, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
[ Upstream commit a1d14d931bf700c1025db8c46d6731aa5cf440f9 ]
A deadlock warning occurred when invoking nfs4_put_stid following a failed
dl_recall queue operation:
T1                                 T2
                                   nfs4_laundromat
                                    nfs4_get_client_reaplist
                                     nfs4_anylock_blockers
__break_lease
 spin_lock // ctx->flc_lock
                                      spin_lock // clp->cl_lock
                                      nfs4_lockowner_has_blockers
                                       locks_owner_has_blockers
                                        spin_lock // flctx->flc_lock
 nfsd_break_deleg_cb
  nfsd_break_one_deleg
   nfs4_put_stid
    refcount_dec_and_lock
     spin_lock // clp->cl_lock
When a file is opened, an nfs4_delegation is allocated with sc_count
initialized to 1, and the file_lease holds a reference to the delegation.
The file_lease is then associated with the file through kernel_setlease.
The disassociation is performed in nfsd4_delegreturn via the following
call chain:
nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->
nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease
The corresponding sc_count reference will be released after this
disassociation.
Since nfsd_break_one_deleg executes while holding the flc_lock, the
disassociation process becomes blocked when attempting to acquire flc_lock
in generic_delete_lease. This means:
1) sc_count in nfsd_break_one_deleg will not be decremented to 0;
2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to
acquire cl_lock;
3) Consequently, no deadlock condition is created.
Given that sc_count in nfsd_break_one_deleg remains non-zero, we can
safely perform refcount_dec on sc_count directly. This approach
effectively avoids triggering deadlock warnings.
Fixes: 230ca758453c ("nfsd: put dl_stid if fail to queue dl_recall")
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 311409be73745..bf78745b19ca9 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -4940,7 +4940,7 @@ static void nfsd_break_one_deleg(struct nfs4_delegation *dp)
queued = nfsd4_run_cb(&dp->dl_recall);
WARN_ON_ONCE(!queued);
if (!queued)
- nfs4_put_stid(&dp->dl_stid);
+ refcount_dec(&dp->dl_stid.sc_count);
}
/* Called from break_lease() with flc_lock held. */
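Review bot: The new refcount_dec(&dp->dl_stid.sc_count) in the !queued branch is only correct while another reference keeps sc_count above zero, and nothing at the call site says so. The commit message gives the reason (the file_lease still holds its reference while flc_lock is held); put that in a comment above the call, because a bare refcount_dec() that reaches zero frees nothing and only warns.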
--
2.39.5
* [PATCH 5.10 126/286] btrfs: correctly escape subvol in btrfs_show_options()
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Calvin Walton, Johannes Kimmel,
David Sterba
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Kimmel <kernel@bareminimum.eu>
commit dc08c58696f8555e4a802f1f23c894a330d80ab7 upstream.
Currently, displaying the btrfs subvol mount option doesn't escape ','.
This makes parsing /proc/self/mounts and /proc/self/mountinfo
ambiguous for subvolume names that contain commas. The text after the
comma could be mistaken for another option (think "subvol=foo,ro", where
ro is actually part of the subvolume's name).
Replace the manual escape characters list with a call to
seq_show_option(). Thanks to Calvin Walton for suggesting this approach.
Fixes: c8d3fe028f64 ("Btrfs: show subvol= and subvolid= in /proc/mounts")
CC: stable@vger.kernel.org # 5.4+
Suggested-by: Calvin Walton <calvin.walton@kepstin.ca>
Signed-off-by: Johannes Kimmel <kernel@bareminimum.eu>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/super.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1502,8 +1502,7 @@ static int btrfs_show_options(struct seq
subvol_name = btrfs_get_subvol_name_from_objectid(info,
BTRFS_I(d_inode(dentry))->root->root_key.objectid);
if (!IS_ERR(subvol_name)) {
- seq_puts(seq, ",subvol=");
- seq_escape(seq, subvol_name, " \t\n\\");
+ seq_show_option(seq, "subvol", subvol_name);
kfree(subvol_name);
}
return 0;
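Review bot: Replacing the explicit seq_escape(seq, subvol_name, " \t\n\\") with seq_show_option(seq, "subvol", subvol_name) hides the escape set from the call site and changes what userspace reads for subvolume names that contain a comma. Add a one-line comment that the helper also escapes ',' and mention the user-visible output change in the changelog, so consumers that compare the subvol= value verbatim know they must unescape it.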
^ permalink raw reply [flat|nested] 292+ messages in thread
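The parsing ambiguity described in the btrfs commit message above, as an added C example (not kernel code and not part of the patch). The helpers append_escaped, show_options, has_option and get_subvol are hypothetical, the "rw" prefix and the name "foo,ro" are constructed, and the post-patch escape set is assumed to be the old set plus ','.

```c
#include <stdio.h>
#include <string.h>

/* Append src to dst, writing every byte listed in esc as a \ooo octal escape. */
static void append_escaped(char *dst, size_t cap, const char *src, const char *esc)
{
    size_t n = strlen(dst);

    for (; *src && n + 5 < cap; src++) {
        if (strchr(esc, *src))
            n += (size_t)snprintf(dst + n, cap - n, "\\%03o",
                                  (unsigned int)(unsigned char)*src);
        else
            dst[n++] = *src;
        dst[n] = '\0';
    }
}

/* Build an options field as a reader of /proc/self/mounts would see it.
 * fixed == 0: escape set from the removed seq_escape() call.
 * fixed != 0: the same set plus ',' (assumption about the helper's set). */
static void show_options(char *out, size_t cap, const char *subvol, int fixed)
{
    snprintf(out, cap, "rw,subvol=");
    append_escaped(out, cap, subvol, fixed ? ", \t\n\\" : " \t\n\\");
}

/* Split on ',' like a typical consumer and look for a bare option. */
static int has_option(const char *opts, const char *flag)
{
    char buf[256];

    snprintf(buf, sizeof(buf), "%s", opts);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        if (strcmp(tok, flag) == 0)
            return 1;
    return 0;
}

/* Find subvol=<value>, undo \ooo escapes, store the name. Returns 0 on success. */
static int get_subvol(const char *opts, char *name, size_t cap)
{
    char buf[256];

    snprintf(buf, sizeof(buf), "%s", opts);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        size_t n = 0;

        if (strncmp(tok, "subvol=", 7) != 0)
            continue;
        for (const char *p = tok + 7; *p && n + 1 < cap; ) {
            if (p[0] == '\\' && p[1] && p[2] && p[3]) {
                name[n++] = (char)(((p[1] - '0') << 6) |
                                   ((p[2] - '0') << 3) | (p[3] - '0'));
                p += 4;
            } else {
                name[n++] = *p++;
            }
        }
        name[n] = '\0';
        return 0;
    }
    return -1;
}

int main(void)
{
    char opts[128], name[64];

    for (int fixed = 0; fixed <= 1; fixed++) {
        show_options(opts, sizeof(opts), "foo,ro", fixed); /* constructed name */
        get_subvol(opts, name, sizeof(name));
        printf("%-6s %-22s subvol=\"%s\" read-only? %s\n",
               fixed ? "after" : "before", opts, name,
               has_option(opts, "ro") ? "yes" : "no");
    }
    return 0;
}
```

With the old escape set the consumer reports a read-only mount of subvolume "foo"; with ',' escaped it recovers "foo,ro" and no spurious option.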
* [PATCH 5.10 127/286] crypto: caam/qi - Fix drv_ctx refcount bug
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Anderson, Herbert Xu,
Horia Geantă
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit b7b39df7e710b0068356e4c696af07aa10e2cd3d upstream.
Ensure refcount is raised before request is enqueued since it could
be dequeued before the call returns.
Reported-by: Sean Anderson <sean.anderson@linux.dev>
Cc: <stable@vger.kernel.org>
Fixes: 11144416a755 ("crypto: caam/qi - optimize frame queue cleanup")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Tested-by: Sean Anderson <sean.anderson@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/caam/qi.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/crypto/caam/qi.c
+++ b/drivers/crypto/caam/qi.c
@@ -115,12 +115,12 @@ int caam_qi_enqueue(struct device *qidev
qm_fd_addr_set64(&fd, addr);
do {
+ refcount_inc(&req->drv_ctx->refcnt);
ret = qman_enqueue(req->drv_ctx->req_fq, &fd);
- if (likely(!ret)) {
- refcount_inc(&req->drv_ctx->refcnt);
+ if (likely(!ret))
return 0;
- }
+ refcount_dec(&req->drv_ctx->refcnt);
if (ret != -EBUSY)
break;
num_retries++;
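Review bot: The refcount_inc(&req->drv_ctx->refcnt) now placed before qman_enqueue() carries no comment explaining the ordering, so a later cleanup could move it back into the success branch. Add a short comment that the request may be dequeued before qman_enqueue() returns, which is why the reference is taken first and dropped again with refcount_dec() when the enqueue fails.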
* [PATCH 5.10 128/286] hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5f3a973ed3dfb85a6683,
Vasiliy Kovalev, Cengiz Can, Christian Brauner
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasiliy Kovalev <kovalev@altlinux.org>
commit bb5e07cb927724e0b47be371fa081141cfb14414 upstream.
Syzbot reported an issue in hfs subsystem:
BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:423 [inline]
BUG: KASAN: slab-out-of-bounds in hfs_bnode_read fs/hfs/bnode.c:35 [inline]
BUG: KASAN: slab-out-of-bounds in hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70
Write of size 94 at addr ffff8880123cd100 by task syz-executor237/5102
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
memcpy_from_page include/linux/highmem.h:423 [inline]
hfs_bnode_read fs/hfs/bnode.c:35 [inline]
hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70
hfs_brec_insert+0x7f3/0xbd0 fs/hfs/brec.c:159
hfs_cat_create+0x41d/0xa50 fs/hfs/catalog.c:118
hfs_mkdir+0x6c/0xe0 fs/hfs/dir.c:232
vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
do_mkdirat+0x264/0x3a0 fs/namei.c:4280
__do_sys_mkdir fs/namei.c:4300 [inline]
__se_sys_mkdir fs/namei.c:4298 [inline]
__x64_sys_mkdir+0x6c/0x80 fs/namei.c:4298
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbdd6057a99
Add a check for key length in hfs_bnode_read_key to prevent
out-of-bounds memory access. If the key length is invalid, the
key buffer is cleared, improving stability and reliability.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+5f3a973ed3dfb85a6683@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5f3a973ed3dfb85a6683
Cc: stable@vger.kernel.org
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Link: https://lore.kernel.org/20241019191303.24048-1-kovalev@altlinux.org
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hfs/bnode.c | 6 ++++++
fs/hfsplus/bnode.c | 6 ++++++
2 files changed, 12 insertions(+)
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -70,6 +70,12 @@ void hfs_bnode_read_key(struct hfs_bnode
else
key_len = tree->max_key_len + 1;
+ if (key_len > sizeof(hfs_btree_key) || key_len < 1) {
+ memset(key, 0, sizeof(hfs_btree_key));
+ pr_err("hfs: Invalid key length: %d\n", key_len);
+ return;
+ }
+
hfs_bnode_read(node, key, off, key_len);
}
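Review bot: The added pr_err("hfs: Invalid key length: %d\n", key_len) fires on every call that sees a bad length, and the length is derived from the B-tree being read, so a corrupted or crafted image can flood the log. Use pr_err_ratelimited() here. Also, key_len > sizeof(hfs_btree_key) compares against a size_t, so if key_len is a signed int (as %d suggests) a negative value is already caught by the first clause after conversion; a comment or an explicit unsigned type would make that intent clear.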
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -69,6 +69,12 @@ void hfs_bnode_read_key(struct hfs_bnode
else
key_len = tree->max_key_len + 2;
+ if (key_len > sizeof(hfsplus_btree_key) || key_len < 1) {
+ memset(key, 0, sizeof(hfsplus_btree_key));
+ pr_err("hfsplus: Invalid key length: %d\n", key_len);
+ return;
+ }
+
hfs_bnode_read(node, key, off, key_len);
}
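Review bot: hfs_bnode_read_key() returns void, so after the new early return in the invalid-length branch the caller continues with an all-zero key and cannot tell it from a key that was actually read. Consider returning an error, or having the callers check for the rejected case, so a bad record stops the operation instead of being processed as an empty key; the same applies to the fs/hfs/bnode.c copy.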
* [PATCH 5.10 129/286] i2c: cros-ec-tunnel: defer probe if parent EC is not present
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Andi Shyti
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
commit 424eafe65647a8d6c690284536e711977153195a upstream.
When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent
device will not be found, leading to NULL pointer dereference.
That can also be reproduced by unbinding the controller driver and then
loading i2c-cros-ec-tunnel module (or binding the device).
[ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058
[ 271.998215] #PF: supervisor read access in kernel mode
[ 272.003351] #PF: error_code(0x0000) - not-present page
[ 272.008485] PGD 0 P4D 0
[ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI
[ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5
[ 272.030312] Tainted: [S]=CPU_OUT_OF_SPEC
[ 272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021
[ 272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel]
[ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9
[ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282
[ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000
[ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00
[ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000
[ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000
[ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10
[ 272.108198] FS: 00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000
[ 272.116282] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0
[ 272.129155] Call Trace:
[ 272.131606] <TASK>
[ 272.133709] ? acpi_dev_pm_attach+0xdd/0x110
[ 272.137985] platform_probe+0x69/0xa0
[ 272.141652] really_probe+0x152/0x310
[ 272.145318] __driver_probe_device+0x77/0x110
[ 272.149678] driver_probe_device+0x1e/0x190
[ 272.153864] __driver_attach+0x10b/0x1e0
[ 272.157790] ? driver_attach+0x20/0x20
[ 272.161542] bus_for_each_dev+0x107/0x150
[ 272.165553] bus_add_driver+0x15d/0x270
[ 272.169392] driver_register+0x65/0x110
[ 272.173232] ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698]
[ 272.182617] do_one_initcall+0x110/0x350
[ 272.186543] ? security_kernfs_init_security+0x49/0xd0
[ 272.191682] ? __kernfs_new_node+0x1b9/0x240
[ 272.195954] ? security_kernfs_init_security+0x49/0xd0
[ 272.201093] ? __kernfs_new_node+0x1b9/0x240
[ 272.205365] ? kernfs_link_sibling+0x105/0x130
[ 272.209810] ? kernfs_next_descendant_post+0x1c/0xa0
[ 272.214773] ? kernfs_activate+0x57/0x70
[ 272.218699] ? kernfs_add_one+0x118/0x160
[ 272.222710] ? __kernfs_create_file+0x71/0xa0
[ 272.227069] ? sysfs_add_bin_file_mode_ns+0xd6/0x110
[ 272.232033] ? internal_create_group+0x453/0x4a0
[ 272.236651] ? __vunmap_range_noflush+0x214/0x2d0
[ 272.241355] ? __free_frozen_pages+0x1dc/0x420
[ 272.245799] ? free_vmap_area_noflush+0x10a/0x1c0
[ 272.250505] ? load_module+0x1509/0x16f0
[ 272.254431] do_init_module+0x60/0x230
[ 272.258181] __se_sys_finit_module+0x27a/0x370
[ 272.262627] do_syscall_64+0x6a/0xf0
[ 272.266206] ? do_syscall_64+0x76/0xf0
[ 272.269956] ? irqentry_exit_to_user_mode+0x79/0x90
[ 272.274836] entry_SYSCALL_64_after_hwframe+0x55/0x5d
[ 272.279887] RIP: 0033:0x7b9309168d39
[ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8
[ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 272.309774] RAX: ffffffffffffffda RBX: 000058bf9b50f6d0 RCX: 00007b9309168d39
[ 272.316905] RDX: 0000000000000000 RSI: 000058bf6c103a77 RDI: 0000000000000003
[ 272.324036] RBP: 00007fff50f1a2e0 R08: 00007fff50f19218 R09: 0000000021ec4150
[ 272.331166] R10: 000058bf9b50f7f0 R11: 0000000000000246 R12: 0000000000000000
[ 272.338296] R13: 00000000fffffffe R14: 0000000000000000 R15: 000058bf6c103a77
[ 272.345428] </TASK>
[ 272.347617] Modules linked in: i2c_cros_ec_tunnel(+)
[ 272.364585] gsmi: Log Shutdown Reason 0x03
Returning -EPROBE_DEFER will allow the device to be bound once the
controller is bound, in the case of built-in drivers.
Fixes: 9d230c9e4f4e ("i2c: ChromeOS EC tunnel driver")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Cc: <stable@vger.kernel.org> # v3.16+
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20250407-null-ec-parent-v1-1-f7dda62d3110@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/i2c/busses/i2c-cros-ec-tunnel.c
+++ b/drivers/i2c/busses/i2c-cros-ec-tunnel.c
@@ -247,6 +247,9 @@ static int ec_i2c_probe(struct platform_
u32 remote_bus;
int err;
+ if (!ec)
+ return dev_err_probe(dev, -EPROBE_DEFER, "couldn't find parent EC device\n");
+
if (!ec->cmd_xfer) {
dev_err(dev, "Missing sendrecv\n");
return -EINVAL;
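Review bot: The new if (!ec) test relies on an assignment to ec that sits in the declarations above this hunk, so the check alone does not show why the pointer can be NULL. Add a comment saying the parent EC device may not be bound yet, and keep this test as the first use of ec, since the ec->cmd_xfer check on the next line dereferences it.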
* [PATCH 5.10 130/286] isofs: Prevent the use of too small fid
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4d7cd7dd0ce1aa8d5c65,
Edward Adam Davis, Jan Kara
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit 0405d4b63d082861f4eaff9d39c78ee9dc34f845 upstream.
syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]
The handle_bytes value passed in by the reproducing program is equal to 12.
In handle_to_path(), only 12 bytes of memory are allocated for the structure
file_handle->f_handle member, which causes an out-of-bounds access when
accessing the member parent_block of the structure isofs_fid in isofs,
because accessing parent_block requires at least 16 bytes of f_handle.
Here, fh_len is used to indirectly confirm that the value of handle_bytes
is greater than 3 before accessing parent_block.
[1]
BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466
CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0x198/0x550 mm/kasan/report.c:521
kasan_report+0xd8/0x138 mm/kasan/report.c:634
__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523
do_handle_to_path+0xa0/0x198 fs/fhandle.c:257
handle_to_path fs/fhandle.c:385 [inline]
do_handle_open+0x8cc/0xb8c fs/fhandle.c:403
__do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
__se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
__arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Allocated by task 6466:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4294 [inline]
__kmalloc_noprof+0x32c/0x54c mm/slub.c:4306
kmalloc_noprof include/linux/slab.h:905 [inline]
handle_to_path fs/fhandle.c:357 [inline]
do_handle_open+0x5a4/0xb8c fs/fhandle.c:403
__do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
__se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
__arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Reported-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4d7cd7dd0ce1aa8d5c65
Tested-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com
CC: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/tencent_9C8CB8A7E7C6C512C7065DC98B6EDF6EC606@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/isofs/export.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/isofs/export.c
+++ b/fs/isofs/export.c
@@ -180,7 +180,7 @@ static struct dentry *isofs_fh_to_parent
return NULL;
return isofs_export_iget(sb,
- fh_len > 2 ? ifid->parent_block : 0,
+ fh_len > 3 ? ifid->parent_block : 0,
ifid->parent_offset,
fh_len > 4 ? ifid->parent_generation : 0);
}
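Review bot: The thresholds in "fh_len > 3 ? ifid->parent_block : 0" and "fh_len > 4 ? ifid->parent_generation : 0" are bare numbers that must track the layout of struct isofs_fid, which is how the off-by-one "fh_len > 2" went unnoticed. Derive them from the structure (end offset of each field divided by the 4-byte unit that fh_len counts in) or add a comment giving the byte offsets, so a later change to the structure cannot silently reopen the out-of-bounds read.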
^ permalink raw reply [flat|nested] 292+ messages in thread
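The length arithmetic behind the isofs fix above, as an added C example (not kernel code and not part of the patch). The struct layout is an assumption chosen to agree with the commit message's statement that parent_block needs 16 bytes of f_handle; FID_WORDS, overread_bytes, parent_ref and decode_parent are hypothetical names and the handle contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of struct isofs_fid (the page does not show it). It agrees
 * with the commit message: parent_block ends at byte 16 of f_handle. */
struct isofs_fid {
    uint32_t block;
    uint16_t offset;
    uint16_t parent_offset;
    uint32_t generation;
    uint32_t parent_block;
    uint32_t parent_generation;
};

/* fh_len counts 32-bit words: smallest fh_len that fully contains a field. */
#define FID_WORDS(field) \
    ((offsetof(struct isofs_fid, field) + \
      sizeof(((struct isofs_fid *)0)->field) + 3) / 4)

/* Bytes read past a handle of fh_len words when parent_block is accessed
 * under the guard "fh_len > threshold". */
static size_t overread_bytes(size_t fh_len, size_t threshold)
{
    size_t end = offsetof(struct isofs_fid, parent_block) + sizeof(uint32_t);

    if (fh_len <= threshold || end <= fh_len * 4)
        return 0;
    return end - fh_len * 4;
}

struct parent_ref {
    uint32_t block;
    uint16_t offset;
    uint32_t generation;
};

/* Decode the parent reference, touching only bytes the handle contains. */
static int decode_parent(const uint8_t *handle, size_t fh_len,
                         struct parent_ref *out)
{
    struct isofs_fid fid;
    size_t avail = fh_len * 4;

    if (fh_len < FID_WORDS(parent_offset))
        return -1;                       /* too short for any parent data */
    memset(&fid, 0, sizeof(fid));
    memcpy(&fid, handle, avail < sizeof(fid) ? avail : sizeof(fid));
    out->offset = fid.parent_offset;
    out->block = fh_len >= FID_WORDS(parent_block) ? fid.parent_block : 0;
    out->generation = fh_len >= FID_WORDS(parent_generation)
                          ? fid.parent_generation : 0;
    return 0;
}

int main(void)
{
    struct isofs_fid full = { 100, 4, 8, 1, 77, 9 };   /* constructed values */
    uint8_t raw[sizeof(full)];
    struct parent_ref p = { 0, 0, 0 };

    memcpy(raw, &full, sizeof(full));
    printf("words needed: parent_block=%zu parent_generation=%zu\n",
           FID_WORDS(parent_block), FID_WORDS(parent_generation));
    for (size_t fh_len = 2; fh_len <= 5; fh_len++) {
        decode_parent(raw, fh_len, &p);
        printf("fh_len=%zu: guard '>2' over-reads %zu bytes, guard '>3' "
               "over-reads %zu; decoded parent_block=%u\n", fh_len,
               overread_bytes(fh_len, 2), overread_bytes(fh_len, 3),
               (unsigned)p.block);
    }
    return 0;
}
```

For the 12-byte handle from the report (fh_len of 3) the old guard over-reads 4 bytes, matching the "Read of size 4" in the KASAN output, and the new guard over-reads none.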
* [PATCH 5.10 131/286] riscv: Avoid fortify warning in syscall_get_arguments()
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Dmitry V. Levin,
Palmer Dabbelt
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit adf53771a3123df99ca26e38818760fbcf5c05d0 upstream.
When building with CONFIG_FORTIFY_SOURCE=y and W=1, there is a warning
because of the memcpy() in syscall_get_arguments():
In file included from include/linux/string.h:392,
from include/linux/bitmap.h:13,
from include/linux/cpumask.h:12,
from arch/riscv/include/asm/processor.h:55,
from include/linux/sched.h:13,
from kernel/ptrace.c:13:
In function 'fortify_memcpy_chk',
inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:66:2:
include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
580 | __read_overflow2_field(q_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
The fortified memcpy() routine enforces that the source is not overread
and the destination is not overwritten if the size of either field and
the size of the copy are known at compile time. The memcpy() in
syscall_get_arguments() intentionally overreads from a1 to a5 in
'struct pt_regs' but this is bigger than the size of a1.
Normally, this could be solved by wrapping a1 through a5 with
struct_group() but there was already a struct_group() applied to these
members in commit bba547810c66 ("riscv: tracing: Fix
__write_overflow_field in ftrace_partial_regs()").
Just avoid memcpy() altogether and write the copying of args from regs
manually, which clears up the warning at the expense of three extra
lines of code.
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Dmitry V. Levin <ldv@strace.io>
Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250409-riscv-avoid-fortify-warning-syscall_get_arguments-v1-1-7853436d4755@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/include/asm/syscall.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -60,8 +60,11 @@ static inline void syscall_get_arguments
unsigned long *args)
{
args[0] = regs->orig_a0;
- args++;
- memcpy(args, ®s->a1, 5 * sizeof(args[0]));
+ args[1] = regs->a1;
+ args[2] = regs->a2;
+ args[3] = regs->a3;
+ args[4] = regs->a4;
+ args[5] = regs->a5;
}
static inline void syscall_set_arguments(struct task_struct *task,
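Review bot: Only syscall_get_arguments() is converted; the context line shows syscall_set_arguments() directly below, and the hunk does not say whether it uses the mirror-image memcpy() into a1 through a5. If it does, it will hit the write-side fortify check for the same reason, so convert it in this patch or state in the changelog why it is not affected.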
* [PATCH 5.10 132/286] tracing: Fix filter string testing
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Andrew Morton, Andrii Nakryiko, Mykyta Yatsenko,
Steven Rostedt (Google)
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit a8c5b0ed89a3f2c81c6ae0b041394e6eea0e7024 upstream.
The filter string testing uses strncpy_from_kernel/user_nofault() to
retrieve the string to test the filter against. The if() statement was
incorrect as it considered 0 as a fault, when it is only negative that it
faulted.
Running the following commands:
# cd /sys/kernel/tracing
# echo "filename.ustring ~ \"/proc*\"" > events/syscalls/sys_enter_openat/filter
# echo 1 > events/syscalls/sys_enter_openat/enable
# ls /proc/$$/maps
# cat trace
Would produce nothing, but with the fix it will produce something like:
ls-1192 [007] ..... 8169.828333: sys_openat(dfd: ffffffffffffff9c, filename: 7efc18359904, flags: 80000, mode: 0)
Link: https://lore.kernel.org/all/CAEf4BzbVPQ=BjWztmEwBPRKHUwNfKBkS3kce-Rzka6zvbQeVpg@mail.gmail.com/
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Link: https://lore.kernel.org/20250417183003.505835fb@gandalf.local.home
Fixes: 77360f9bbc7e5 ("tracing: Add test for user space strings when filtering on string pointers")
Reported-by: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Reported-by: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_filter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -676,7 +676,7 @@ static __always_inline char *test_string
kstr = ubuf->buffer;
/* For safety, do not trust the string pointer */
- if (!strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE))
+ if (strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE) < 0)
return NULL;
return kstr;
}
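Review bot: Changing the test to strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE) < 0 means a return value of 0 now falls through to "return kstr". Confirm that kstr is NUL-terminated in that case, so the filter compares against an empty string and not against whatever the buffer held from an earlier event, and extend the "do not trust the string pointer" comment to say that only a negative return indicates a fault.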
@@ -695,7 +695,7 @@ static __always_inline char *test_ustrin
/* user space address? */
ustr = (char __user *)str;
- if (!strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE))
+ if (strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE) < 0)
return NULL;
return kstr;
* [PATCH 5.10 133/286] virtiofs: add filesystem context source name check
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xiangsheng Hou, Christian Brauner
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
commit a94fd938df2b1628da66b498aa0eeb89593bc7a2 upstream.
In certain scenarios, for example, during fuzz testing, the source
name may be NULL, which could lead to a kernel panic. Therefore, an
extra check for the source name should be added.
Fixes: a62a8ef9d97d ("virtio-fs: add virtiofs filesystem")
Cc: <stable@vger.kernel.org> # all LTS kernels
Signed-off-by: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
Link: https://lore.kernel.org/20250407115111.25535-1-xiangsheng.hou@mediatek.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/virtio_fs.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/fuse/virtio_fs.c
+++ b/fs/fuse/virtio_fs.c
@@ -1447,6 +1447,9 @@ static int virtio_fs_get_tree(struct fs_
unsigned int virtqueue_size;
int err = -EIO;
+ if (!fsc->source)
+ return invalf(fsc, "No source specified");
+
/* This gets a reference on virtio_fs object. This ptr gets installed
* in fc->iq->priv. Once fuse_conn is going away, it calls ->put()
* to drop the reference to this object.
* [PATCH 5.10 134/286] perf/x86/intel: Allow to update user space GPRs from PEBS records
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dapeng Mi, Peter Zijlstra (Intel),
Ingo Molnar
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dapeng Mi <dapeng1.mi@linux.intel.com>
commit 71dcc11c2cd9e434c34a63154ecadca21c135ddd upstream.
Currently when a user samples user space GPRs (--user-regs option) with
PEBS, the user space GPRs actually always come from software PMI
instead of from PEBS hardware. This leads to the sampled GPRs to
possibly be inaccurate for single PEBS record case because of the
skid between counter overflow and GPRs sampling on PMI.
For the large PEBS case, it is even worse. If user sets the
exclude_kernel attribute, large PEBS would be used to sample user space
GPRs, but since PEBS GPRs group is not really enabled, it leads to all
samples in the large PEBS record to share the same piece of user space
GPRs, like this reproducer shows:
$ perf record -e branches:pu --user-regs=ip,ax -c 100000 ./foo
$ perf report -D | grep "AX"
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
So enable GPRs group for user space GPRs sampling and prioritize reading
GPRs from PEBS. If the PEBS sampled GPRs is not user space GPRs (single
PEBS record case), perf_sample_regs_user() modifies them to user space
GPRs.
[ mingo: Clarified the changelog. ]
Fixes: c22497f5838c ("perf/x86/intel: Support adaptive PEBS v4")
Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250415104135.318169-2-dapeng1.mi@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/ds.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/arch/x86/events/intel/ds.c
+++ b/arch/x86/events/intel/ds.c
@@ -988,8 +988,10 @@ static u64 pebs_update_adaptive_cfg(stru
* + precise_ip < 2 for the non event IP
* + For RTM TSX weight we need GPRs for the abort code.
*/
- gprs = (sample_type & PERF_SAMPLE_REGS_INTR) &&
- (attr->sample_regs_intr & PEBS_GP_REGS);
+ gprs = ((sample_type & PERF_SAMPLE_REGS_INTR) &&
+ (attr->sample_regs_intr & PEBS_GP_REGS)) ||
+ ((sample_type & PERF_SAMPLE_REGS_USER) &&
+ (attr->sample_regs_user & PEBS_GP_REGS));
tsx_weight = (sample_type & PERF_SAMPLE_WEIGHT) &&
((attr->config & INTEL_ARCH_EVENT_MASK) ==
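Review bot: the comment block directly above the gprs assignment in pebs_update_adaptive_cfg() still lists only the old reasons for enabling the GPRs group (precise_ip < 2 and RTM TSX weight). Add a bullet for PERF_SAMPLE_REGS_USER with attr->sample_regs_user & PEBS_GP_REGS so the comment matches the new condition. The two halves of the expression have the same shape, so two named booleans would also read better than the four-line compound.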
@@ -1572,7 +1574,7 @@ static void setup_pebs_adaptive_sample_d
regs->flags &= ~PERF_EFLAGS_EXACT;
}
- if (sample_type & PERF_SAMPLE_REGS_INTR)
+ if (sample_type & (PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER))
adaptive_pebs_save_regs(regs, gprs);
}
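Review bot: in setup_pebs_adaptive_sample_data() the widened test looks only at the sample_type bits, whereas pebs_update_adaptive_cfg() also requires the register mask to intersect PEBS_GP_REGS before enabling the group. Please confirm adaptive_pebs_save_regs(regs, gprs) is safe when PERF_SAMPLE_REGS_USER is set but the GPRs group was not enabled. A comment here should also record that the saved registers may not be user space GPRs and that perf_sample_regs_user() replaces them later, as the changelog describes for the single-record case.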
* [PATCH 5.10 135/286] perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kan Liang, Ingo Molnar,
Peter Zijlstra
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kan Liang <kan.liang@linux.intel.com>
commit 96a720db59ab330c8562b2437153faa45dac705f upstream.
There was a mistake in the SNR uncore spec. The counter increments for
every 32 bytes of data sent from the IO agent to the SOC, not 4 bytes
which was documented in the spec.
The event list has been updated:
"EventName": "UNC_IIO_BANDWIDTH_IN.PART0_FREERUN",
"BriefDescription": "Free running counter that increments for every 32
bytes of data sent from the IO agent to the SOC",
Update the scale of the IIO bandwidth in free running counters as well.
Fixes: 210cc5f9db7a ("perf/x86/intel/uncore: Add uncore support for Snow Ridge server")
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250416142426.3933977-1-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/uncore_snbep.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -4487,28 +4487,28 @@ static struct uncore_event_desc snr_unco
INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"),
/* Free-Running IIO BANDWIDTH IN Counters */
INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"),
{ /* end: all zeroes */ },
};
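Review bot: the literal "3.0517578125e-5" is repeated for all eight bw_in_port*.scale entries with nothing to show where it comes from. It is 32 / 2^20, that is 32 bytes per increment expressed in MiB, and the value it replaces was 4 / 2^20. Put that derivation in the "Free-Running IIO BANDWIDTH IN Counters" comment so the next spec correction can be checked by reading the table.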
* [PATCH 5.10 136/286] perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tang Jun, Kan Liang, Ingo Molnar,
Peter Zijlstra
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kan Liang <kan.liang@linux.intel.com>
commit 32c7f1150225694d95a51110a93be25db03bb5db upstream.
There was a mistake in the ICX uncore spec too. The counter increments
for every 32 bytes rather than 4 bytes.
The same as SNR, there are 1 ioclk and 8 IIO bandwidth in free running
counters. Reuse the snr_uncore_iio_freerunning_events().
Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support")
Reported-by: Tang Jun <dukang.tj@alibaba-inc.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250416142426.3933977-2-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/uncore_snbep.c | 33 +--------------------------------
1 file changed, 1 insertion(+), 32 deletions(-)
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -5013,37 +5013,6 @@ static struct freerunning_counters icx_i
[ICX_IIO_MSR_BW_IN] = { 0xaa0, 0x1, 0x10, 8, 48, icx_iio_bw_freerunning_box_offsets },
};
-static struct uncore_event_desc icx_uncore_iio_freerunning_events[] = {
- /* Free-Running IIO CLOCKS Counter */
- INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"),
- /* Free-Running IIO BANDWIDTH IN Counters */
- INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"),
- { /* end: all zeroes */ },
-};
-
static struct intel_uncore_type icx_uncore_iio_free_running = {
.name = "iio_free_running",
.num_counters = 9,
@@ -5051,7 +5020,7 @@ static struct intel_uncore_type icx_unco
.num_freerunning_types = ICX_IIO_FREERUNNING_TYPE_MAX,
.freerunning = icx_iio_freerunning,
.ops = &skx_uncore_iio_freerunning_ops,
- .event_descs = icx_uncore_iio_freerunning_events,
+ .event_descs = snr_uncore_iio_freerunning_events,
.format_group = &skx_uncore_iio_freerunning_format_group,
};
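Review bot: icx_uncore_iio_free_running now points .event_descs at snr_uncore_iio_freerunning_events, so a table with an SNR-specific name silently serves two platforms. Add a comment at the table or at this use site stating that ICX shares it, otherwise a later SNR-only edit changes ICX scaling with no hint in the diff. The ICX scale is only corrected if the preceding SNR scale patch is applied as well; that dependency is worth a line in the changelog for anyone cherry-picking.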
* [PATCH 5.10 137/286] module: sign with sha512 instead of sha1 by default
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Leemhuis, Sami Tolvanen,
Petr Pavlu, kdevops
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Leemhuis <linux@leemhuis.info>
commit f3b93547b91ad849b58eb5ab2dd070950ad7beb3 upstream.
Switch away from using sha1 for module signing by default and use the
more modern sha512 instead, which is what among others Arch, Fedora,
RHEL, and Ubuntu are currently using for their kernels.
Sha1 has not been considered secure against well-funded opponents since
2005[1]; since 2011 the NIST and other organizations furthermore
recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora
Linux 41+[3], and likely some other current and future distributions
reject the creation of sha1 signatures, which leads to a build error of
allmodconfig configurations:
80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1
make[4]: *** Deleting file 'certs/signing_key.pem'
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2
make[2]: *** [.../Makefile:1936: .] Error 2
make[1]: *** [.../Makefile:224: __sub-make] Error 2
make[1]: Leaving directory '...'
make: *** [Makefile:224: __sub-make] Error 2
This change makes allmodconfig work again and sets a default that is
more appropriate for current and future users, too.
Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1]
Link: https://csrc.nist.gov/projects/hash-functions [2]
Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3]
Signed-off-by: Thorsten Leemhuis <linux@leemhuis.info>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Tested-by: kdevops <kdevops@lists.linux.dev> [0]
Link: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 [0]
Link: https://lore.kernel.org/r/52ee32c0c92afc4d3263cea1f8a1cdc809728aff.1729088288.git.linux@leemhuis.info
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
init/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2211,6 +2211,7 @@ comment "Do not forget to sign required
choice
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
+ default MODULE_SIG_SHA512
help
This determines which sort of hashing algorithm will be used during
signature generation. This algorithm _must_ be built into the kernel
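Review bot: the added "default MODULE_SIG_SHA512" changes only what an unset choice resolves to; the choice entries themselves are untouched, so a .config that explicitly selects sha1 keeps signing with sha1 and still fails on toolchains that reject sha1 signatures. The help text right below says the algorithm must be built into the kernel, so the help or the changelog should mention that configs relying on the default now need the SHA-512 implementation built in. For a stable backport this is a default change for anyone regenerating their config, which deserves an explicit line in the commit message.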
* [PATCH 5.10 138/286] drm/repaper: fix integer overflows in repeat functions
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nikita Zhandarovich, Alex Lanzano
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit 4d098000ac193f359e6b8ca4801dbdbd6a27b41f upstream.
There are conditions, albeit somewhat unlikely, under which right hand
expressions, calculating the end of time period in functions like
repaper_frame_fixed_repeat(), may overflow.
For instance, if 'factor10x' in repaper_get_temperature() is high
enough (170), as is 'epd->stage_time' in repaper_probe(), then the
resulting value of 'end' will not fit in unsigned int expression.
Mitigate this by casting 'epd->factored_stage_time' to wider type before
any multiplication is done.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
Fixes: 3589211e9b03 ("drm/tinydrm: Add RePaper e-ink driver")
Cc: stable@vger.kernel.org
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Signed-off-by: Alex Lanzano <lanzano.alex@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250116134801.22067-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/tiny/repaper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/tiny/repaper.c
+++ b/drivers/gpu/drm/tiny/repaper.c
@@ -454,7 +454,7 @@ static void repaper_frame_fixed_repeat(s
enum repaper_stage stage)
{
u64 start = local_clock();
- u64 end = start + (epd->factored_stage_time * 1000 * 1000);
+ u64 end = start + ((u64)epd->factored_stage_time * 1000 * 1000);
do {
repaper_frame_fixed(epd, fixed_value, stage);
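Review bot: the bare "* 1000 * 1000" in repaper_frame_fixed_repeat() hides the unit conversion. Assuming factored_stage_time is in milliseconds and local_clock() in nanoseconds, "(u64)epd->factored_stage_time * NSEC_PER_MSEC" states the intent directly. The cast itself is placed correctly, on epd->factored_stage_time before the first multiplication, so the whole product is evaluated in 64 bits.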
@@ -465,7 +465,7 @@ static void repaper_frame_data_repeat(st
const u8 *mask, enum repaper_stage stage)
{
u64 start = local_clock();
- u64 end = start + (epd->factored_stage_time * 1000 * 1000);
+ u64 end = start + ((u64)epd->factored_stage_time * 1000 * 1000);
do {
repaper_frame_data(epd, image, mask, stage);
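Review bot: repaper_frame_data_repeat() carries a byte-for-byte copy of the deadline expression fixed in the previous hunk. Factor it into one small helper that returns the u64 end time, so the widening cast lives in one place and a third caller cannot reintroduce the 32-bit multiply.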
* [PATCH 5.10 139/286] drm/amd/pm/powerplay: Prevent division by zero
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Alex Deucher
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit 4b8c3c0d17c07f301011e2908fecd2ebdcfe3d1c upstream.
The user can set any speed value.
If speed is greater than UINT_MAX/8, division by zero is possible.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c52dcf49195d ("drm/amd/pp: Avoid divide-by-zero in fan_ctrl_set_fan_speed_rpm")
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c
@@ -311,10 +311,10 @@ int vega10_fan_ctrl_set_fan_speed_rpm(st
int result = 0;
if (hwmgr->thermal_controller.fanInfo.bNoFan ||
- speed == 0 ||
+ (!speed || speed > UINT_MAX/8) ||
(speed < hwmgr->thermal_controller.fanInfo.ulMinRPM) ||
(speed > hwmgr->thermal_controller.fanInfo.ulMaxRPM))
- return -1;
+ return -EINVAL;
if (PP_CAP(PHM_PlatformCaps_MicrocodeFanControl))
result = vega10_fan_ctrl_stop_smc_fan_control(hwmgr);
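Review bot: the bound "speed > UINT_MAX/8" has no comment, and the computation it guards lies outside this hunk; add a one-line comment naming the expression that would otherwise wrap to zero. Because speed is also tested against fanInfo.ulMaxRPM two lines later, the new test only matters when ulMaxRPM itself exceeds UINT_MAX/8, so validating that limit where it is populated may be the more direct fix. The return value also changes from -1 to -EINVAL, which the changelog does not mention.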
* [PATCH 5.10 140/286] drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Alex Deucher
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit 7c246a05df51c52fe0852ce56ba10c41e6ed1f39 upstream.
The user can set any speed value.
If speed is greater than UINT_MAX/8, division by zero is possible.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c52dcf49195d ("drm/amd/pp: Avoid divide-by-zero in fan_ctrl_set_fan_speed_rpm")
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c
@@ -261,10 +261,10 @@ int smu7_fan_ctrl_set_fan_speed_rpm(stru
if (hwmgr->thermal_controller.fanInfo.bNoFan ||
(hwmgr->thermal_controller.fanInfo.
ucTachometerPulsesPerRevolution == 0) ||
- speed == 0 ||
+ (!speed || speed > UINT_MAX/8) ||
(speed < hwmgr->thermal_controller.fanInfo.ulMinRPM) ||
(speed > hwmgr->thermal_controller.fanInfo.ulMaxRPM))
- return 0;
+ return -EINVAL;
if (PP_CAP(PHM_PlatformCaps_MicrocodeFanControl))
smu7_fan_ctrl_stop_smc_fan_control(hwmgr);
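Review bot: the last changed line turns "return 0" into "return -EINVAL", so smu7_fan_ctrl_set_fan_speed_rpm() now reports failure for every condition rejected by this if, including bNoFan and a zero ucTachometerPulsesPerRevolution, where it previously reported success. That is a wider behaviour change than the division-by-zero fix named in the subject. Call it out in the changelog and check that callers do not rely on the no-fan case being non-fatal.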
* [PATCH 5.10 141/286] drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Alex Deucher
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit 4e3d9508c056d7e0a56b58d5c81253e2a0d22b6c upstream.
The user can set any speed value.
If speed is greater than UINT_MAX/8, division by zero is possible.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 031db09017da ("drm/amd/powerplay/vega20: enable fan RPM and pwm settings V2")
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c
@@ -189,7 +189,7 @@ int vega20_fan_ctrl_set_fan_speed_rpm(st
uint32_t tach_period, crystal_clock_freq;
int result = 0;
- if (!speed)
+ if (!speed || speed > UINT_MAX/8)
return -EINVAL;
if (PP_CAP(PHM_PlatformCaps_MicrocodeFanControl)) {
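Review bot: "UINT_MAX/8" now appears as an unexplained literal in three thermal files in this series (vega10, smu7, vega20). Define it once, with a comment tying it to the computation that overflows. In vega20_fan_ctrl_set_fan_speed_rpm() no minimum or maximum RPM check is visible in this hunk, so this test is the only upper bound on a user-supplied speed here; consider also rejecting values above the fan's maximum RPM, as the other two functions do.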
* [PATCH 5.10 142/286] drm/nouveau: prime: fix ttm_bo_delayed_delete oops
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Bainbridge,
Christian König, Stable, Danilo Krummrich
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Bainbridge <chris.bainbridge@gmail.com>
commit 8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3 upstream.
Fix an oops in ttm_bo_delayed_delete which results from dereferencing a
dangling pointer:
Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP
CPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216
Hardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024
Workqueue: ttm ttm_bo_delayed_delete [ttm]
RIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290
Code: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 <41> 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b
RSP: 0018:ffffbf9383473d60 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b
R13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc
FS: 0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die_body.cold+0x19/0x26
? die_addr+0x3d/0x70
? exc_general_protection+0x159/0x460
? asm_exc_general_protection+0x27/0x30
? dma_resv_iter_first_unlocked+0x55/0x290
dma_resv_wait_timeout+0x56/0x100
ttm_bo_delayed_delete+0x69/0xb0 [ttm]
process_one_work+0x217/0x5c0
worker_thread+0x1c8/0x3d0
? apply_wqattrs_cleanup.part.0+0xc0/0xc0
kthread+0x10b/0x240
? kthreads_online_cpu+0x140/0x140
ret_from_fork+0x40/0x70
? kthreads_online_cpu+0x140/0x140
ret_from_fork_asm+0x11/0x20
</TASK>
The cause of this is:
- drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the
reference to the shared dma_buf. The reference count is 0, so the
dma_buf is destroyed, which in turn decrements the corresponding
amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed -
calling drm_gem_object_release then dma_resv_fini (which destroys the
reservation object), then finally freeing the amdgpu_bo.
- nouveau_bo obj->bo.base.resv is now a dangling pointer to the memory
formerly allocated to the amdgpu_bo.
- nouveau_gem_object_del calls ttm_bo_put(&nvbo->bo) which calls
ttm_bo_release, which schedules ttm_bo_delayed_delete.
- ttm_bo_delayed_delete runs and dereferences the dangling resv pointer,
resulting in a general protection fault.
Fix this by moving the drm_prime_gem_destroy call from
nouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will
be run after ttm_bo_delayed_delete.
Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Suggested-by: Christian König <christian.koenig@amd.com>
Fixes: 22b33e8ed0e3 ("nouveau: add PRIME support")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3937
Cc: Stable@vger.kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/Z-P4epVK8k7tFZ7C@debian.local
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nouveau_bo.c | 3 +++
drivers/gpu/drm/nouveau/nouveau_gem.c | 3 ---
2 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
+++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
@@ -143,6 +143,9 @@ nouveau_bo_del_ttm(struct ttm_buffer_obj
nouveau_bo_del_io_reserve_lru(bo);
nv10_bo_put_tile_region(dev, nvbo->tile, NULL);
+ if (bo->base.import_attach)
+ drm_prime_gem_destroy(&bo->base, bo->sg);
+
/*
* If nouveau_bo_new() allocated this buffer, the GEM object was never
* initialized, so don't attempt to release it.
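Review bot: the block added to nouveau_bo_del_ttm() has no comment explaining why drm_prime_gem_destroy() must run here rather than in nouveau_gem_object_del(). Summarise the changelog's reasoning in two lines above the "if (bo->base.import_attach)" test: the imported dma_buf owns the reservation object that ttm_bo_delayed_delete still dereferences. Without that, the call looks misplaced next to the tile-region cleanup and is easy to move back. It also sits before the existing comment about buffers whose GEM object was never initialized; please confirm import_attach is reliably NULL for those.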
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -51,9 +51,6 @@ nouveau_gem_object_del(struct drm_gem_ob
return;
}
- if (gem->import_attach)
- drm_prime_gem_destroy(gem, nvbo->bo.sg);
-
ttm_bo_put(&nvbo->bo);
pm_runtime_mark_last_busy(dev);
* [PATCH 5.10 143/286] drm/sti: remove duplicate object names
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Rolf Eike Beer,
Dmitry Baryshkov, Raphael Gallais-Pou
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rolf Eike Beer <eb@emlix.com>
commit 7fb6afa9125fc111478615e24231943c4f76cc2e upstream.
When merging 2 drivers common object files were not deduplicated.
Fixes: dcec16efd677 ("drm/sti: Build monolithic driver")
Cc: stable@kernel.org
Signed-off-by: Rolf Eike Beer <eb@emlix.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/1920148.tdWV9SEqCh@devpool47.emlix.com
Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/sti/Makefile | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/gpu/drm/sti/Makefile
+++ b/drivers/gpu/drm/sti/Makefile
@@ -7,8 +7,6 @@ sti-drm-y := \
sti_compositor.o \
sti_crtc.o \
sti_plane.o \
- sti_crtc.o \
- sti_plane.o \
sti_hdmi.o \
sti_hdmi_tx3g4c28phy.o \
sti_dvo.o \
* [PATCH 5.10 144/286] cpufreq: Reference count policy in cpufreq_update_limits()
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Marczykowski-Górecki,
Rafael J. Wysocki, Viresh Kumar
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 9e4e249018d208678888bdf22f6b652728106528 upstream.
Since acpi_processor_notify() can be called before registering a cpufreq
driver or even in cases when a cpufreq driver is not registered at all,
cpufreq_update_limits() needs to check if a cpufreq driver is present
and prevent it from being unregistered.
For this purpose, make it call cpufreq_cpu_get() to obtain a cpufreq
policy pointer for the given CPU and reference count the corresponding
policy object, if present.
Fixes: 5a25e3f7cc53 ("cpufreq: intel_pstate: Driver-specific handling of _PPC updates")
Closes: https://lore.kernel.org/linux-acpi/Z-ShAR59cTow0KcR@mail-itl
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://patch.msgid.link/1928789.tdWV9SEqCh@rjwysocki.net
[do not use __free(cpufreq_cpu_put) in a backport]
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cpufreq.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -2593,10 +2593,18 @@ EXPORT_SYMBOL(cpufreq_update_policy);
*/
void cpufreq_update_limits(unsigned int cpu)
{
+ struct cpufreq_policy *policy;
+
+ policy = cpufreq_cpu_get(cpu);
+ if (!policy)
+ return;
+
if (cpufreq_driver->update_limits)
cpufreq_driver->update_limits(cpu);
else
cpufreq_update_policy(cpu);
+
+ cpufreq_cpu_put(policy);
}
EXPORT_SYMBOL_GPL(cpufreq_update_limits);
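Review bot: the `cpufreq_driver->update_limits` dereference is now guarded only indirectly, by the `if (!policy) return;` added above it, and nothing in the function says that a NULL return from cpufreq_cpu_get() is also what covers the "no driver registered" case named in the changelog. A one-line comment on the check would make that dependency explicit. Because this backport drops the scope-based cleanup, any early return added later between cpufreq_cpu_get() and cpufreq_cpu_put() will leak the reference, so a note to keep the single exit path is worth adding too.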
* [PATCH 5.10 145/286] kbuild: Add -fno-builtin-wcslen
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Linus Torvalds
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 84ffc79bfbf70c779e60218563f2f3ad45288671 upstream.
A recent optimization change in LLVM [1] aims to transform certain loop
idioms into calls to strlen() or wcslen(). This change transforms the
first while loop in UniStrcat() into a call to wcslen(), breaking the
build when UniStrcat() gets inlined into alloc_path_with_tree_prefix():
ld.lld: error: undefined symbol: wcslen
>>> referenced by nls_ucs2_utils.h:54 (fs/smb/client/../../nls/nls_ucs2_utils.h:54)
>>> vmlinux.o:(alloc_path_with_tree_prefix)
>>> referenced by nls_ucs2_utils.h:54 (fs/smb/client/../../nls/nls_ucs2_utils.h:54)
>>> vmlinux.o:(alloc_path_with_tree_prefix)
Disable this optimization with '-fno-builtin-wcslen', which prevents the
compiler from assuming that wcslen() is available in the kernel's C
library.
[ More to the point - it's not that we couldn't implement wcslen(), it's
that this isn't an optimization at all in the context of the kernel.
Replacing a simple inlined loop with a function call to the same loop
is just stupid and pointless if you don't have long strings and fancy
libraries with vectorization support etc.
For the regular 'strlen()' cases, we want the compiler to do this in
order to handle the trivial case of constant strings. And we do have
optimized versions of 'strlen()' on some architectures. But for
wcslen? Just no. - Linus ]
Cc: stable@vger.kernel.org
Link: https://github.com/llvm/llvm-project/commit/9694844d7e36fd5e01011ab56b64f27b867aa72d [1]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[nathan: Resolve small conflict in older trees]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 3 +++
1 file changed, 3 insertions(+)
--- a/Makefile
+++ b/Makefile
@@ -976,6 +976,9 @@ KBUILD_CFLAGS += $(call cc-option,-Wer
# Require designated initializers for all marked structures
KBUILD_CFLAGS += $(call cc-option,-Werror=designated-init)
+# Ensure compilers do not transform certain loops into calls to wcslen()
+KBUILD_CFLAGS += -fno-builtin-wcslen
+
# change __FILE__ to the relative path from the srctree
KBUILD_CPPFLAGS += $(call cc-option,-fmacro-prefix-map=$(srctree)/=)
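Review bot: `KBUILD_CFLAGS += -fno-builtin-wcslen` is added unconditionally, while both neighbouring flags in this hunk go through `$(call cc-option,...)`. If that is deliberate because every compiler supported for this branch accepts the flag, say so in the comment; otherwise wrap it in cc-option like the lines around it. The comment could also name the failure it prevents (the undefined wcslen symbol at link time quoted in the changelog) so the flag is not removed later as dead weight.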
* [PATCH 5.10 146/286] tcp/dccp: Dont use timer_pending() in reqsk_queue_unlink().
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin KaFai Lau, Kuniyuki Iwashima,
Eric Dumazet, Jakub Kicinski, Bin Lan, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
commit e8c526f2bdf1845bedaf6a478816a3d06fa78b8f upstream.
Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().
"""
We are seeing a use-after-free from a bpf prog attached to
trace_tcp_retransmit_synack. The program passes the req->sk to the
bpf_sk_storage_get_tracing kernel helper which does check for null
before using it.
"""
The commit 83fccfc3940c ("inet: fix potential deadlock in
reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not
to call del_timer_sync() from reqsk_timer_handler(), but it introduced a
small race window.
Before the timer is called, expire_timers() calls detach_timer(timer, true)
to clear timer->entry.pprev and marks it as not pending.
If reqsk_queue_unlink() checks timer_pending() just after expire_timers()
calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will
continue running and send multiple SYN+ACKs until it expires.
The reported UAF could happen if req->sk is close()d earlier than the timer
expiration, which is 63s by default.
The scenario would be
1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),
but del_timer_sync() is missed
2. reqsk timer is executed and scheduled again
3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but
reqsk timer still has another one, and inet_csk_accept() does not
clear req->sk for non-TFO sockets
4. sk is close()d
5. reqsk timer is executed again, and BPF touches req->sk
Let's not use timer_pending() by passing the caller context to
__inet_csk_reqsk_queue_drop().
Note that reqsk timer is pinned, so the issue does not happen in most
use cases. [1]
[0]
BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0
Use-after-free read at 0x00000000a891fb3a (in kfence-#1):
bpf_sk_storage_get_tracing+0x2e/0x1b0
bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda
bpf_trace_run2+0x4c/0xc0
tcp_rtx_synack+0xf9/0x100
reqsk_timer_handler+0xda/0x3d0
run_timer_softirq+0x292/0x8a0
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
intel_idle_irq+0x5a/0xa0
cpuidle_enter_state+0x94/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6
allocated by task 0 on cpu 9 at 260507.901592s:
sk_prot_alloc+0x35/0x140
sk_clone_lock+0x1f/0x3f0
inet_csk_clone_lock+0x15/0x160
tcp_create_openreq_child+0x1f/0x410
tcp_v6_syn_recv_sock+0x1da/0x700
tcp_check_req+0x1fb/0x510
tcp_v6_rcv+0x98b/0x1420
ipv6_list_rcv+0x2258/0x26e0
napi_complete_done+0x5b1/0x2990
mlx5e_napi_poll+0x2ae/0x8d0
net_rx_action+0x13e/0x590
irq_exit_rcu+0xf5/0x320
common_interrupt+0x80/0x90
asm_common_interrupt+0x22/0x40
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
freed by task 0 on cpu 9 at 260507.927527s:
rcu_core_si+0x4ff/0xf10
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
Fixes: 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()")
Reported-by: Martin KaFai Lau <martin.lau@kernel.org>
Closes: https://lore.kernel.org/netdev/eb6684d0-ffd9-4bdc-9196-33f690c25824@linux.dev/
Link: https://lore.kernel.org/netdev/b55e2ca0-42f2-4b7c-b445-6ffd87ca74a0@linux.dev/ [1]
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/20241014223312.4254-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/inet_connection_sock.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -722,21 +722,31 @@ static bool reqsk_queue_unlink(struct re
found = __sk_nulls_del_node_init_rcu(req_to_sk(req));
spin_unlock(lock);
}
- if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer))
- reqsk_put(req);
+
return found;
}
-bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req)
+static bool __inet_csk_reqsk_queue_drop(struct sock *sk,
+ struct request_sock *req,
+ bool from_timer)
{
bool unlinked = reqsk_queue_unlink(req);
+ if (!from_timer && timer_delete_sync(&req->rsk_timer))
+ reqsk_put(req);
+
if (unlinked) {
reqsk_queue_removed(&inet_csk(sk)->icsk_accept_queue, req);
reqsk_put(req);
}
+
return unlinked;
}
+
+bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req)
+{
+ return __inet_csk_reqsk_queue_drop(sk, req, false);
+}
EXPORT_SYMBOL(inet_csk_reqsk_queue_drop);
void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req)
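Review bot: the line removed from reqsk_queue_unlink() called del_timer_sync(), but the check added in __inet_csk_reqsk_queue_drop() calls timer_delete_sync(); please confirm that helper exists in the 5.10 tree, or keep del_timer_sync() as in the line being removed. The new `from_timer` parameter also has no comment: state on the helper that it must be true only when called from reqsk_timer_handler(), since that is the case where waiting for the timer synchronously is not allowed, and that every other caller must pass false so the timer's reference is dropped.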
@@ -804,7 +814,8 @@ static void reqsk_timer_handler(struct t
return;
}
drop:
- inet_csk_reqsk_queue_drop_and_put(sk_listener, req);
+ __inet_csk_reqsk_queue_drop(sk_listener, req, true);
+ reqsk_put(req);
}
static void reqsk_queue_hash_req(struct request_sock *req,
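Review bot: at the `drop:` label the handler now open-codes what inet_csk_reqsk_queue_drop_and_put() did, as `__inet_csk_reqsk_queue_drop(sk_listener, req, true);` followed by `reqsk_put(req);`, with no comment on which reference that final put releases. A short comment saying that `true` skips the synchronous timer delete because this is the timer's own handler, and that the trailing reqsk_put() drops the reference held by the timer, would keep the refcount accounting reviewable against the non-timer path in the previous hunk.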
* [PATCH 5.10 147/286] mptcp: fix NULL pointer in can_accept_new_subflow
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Gang Yan,
Matthieu Baerts (NGI0), Jakub Kicinski
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gang Yan <yangang@kylinos.cn>
commit 443041deb5ef6a1289a99ed95015ec7442f141dc upstream.
When testing valkey benchmark tool with MPTCP, the kernel panics in
'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.
Call trace:
mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)
subflow_syn_recv_sock (./net/mptcp/subflow.c:854)
tcp_check_req (./net/ipv4/tcp_minisocks.c:863)
tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)
ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)
ip_local_deliver_finish (./net/ipv4/ip_input.c:234)
ip_local_deliver (./net/ipv4/ip_input.c:254)
ip_rcv_finish (./net/ipv4/ip_input.c:449)
...
According to the debug log, the same req received two SYN-ACK in a very
short time, very likely because the client retransmits the syn ack due
to multiple reasons.
Even if the packets are transmitted with a relevant time interval, they
can be processed by the server on different CPUs concurrently. The
'subflow_req->msk' ownership is transferred to the subflow the first,
and there will be a risk of a null pointer dereference here.
This patch fixes this issue by moving the 'subflow_req->msk' under the
`own_req == true` conditional.
Note that the !msk check in subflow_hmac_valid() can be dropped, because
the same check already exists under the own_req mpj branch where the
code has been moved to.
Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use")
Cc: stable@vger.kernel.org
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-1-34161a482a7f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflict in subflow.c because commit 74c7dfbee3e1 ("mptcp: consolidate
in_opt sub-options fields in a bitmask") is not in this version. The
conflict is in the context, and the modification can still be applied.
Note that subflow_add_reset_reason() is not needed here, because the
related feature is not supported in this version. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -454,8 +454,6 @@ static bool subflow_hmac_valid(const str
subflow_req = mptcp_subflow_rsk(req);
msk = subflow_req->msk;
- if (!msk)
- return false;
subflow_generate_hmac(msk->remote_key, msk->local_key,
subflow_req->remote_nonce,
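Review bot: with the `if (!msk) return false;` guard removed, subflow_hmac_valid() dereferences `msk->remote_key` with no local check, so its safety now depends entirely on the caller. The changelog says the caller checks first, but that is invisible from this function; add a comment above `msk = subflow_req->msk;` stating that callers must guarantee a non-NULL msk, so a future second caller does not reintroduce the NULL dereference this patch is fixing.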
@@ -578,11 +576,8 @@ static struct sock *subflow_syn_recv_soc
fallback = true;
} else if (subflow_req->mp_join) {
mptcp_get_options(skb, &mp_opt);
- if (!mp_opt.mp_join || !subflow_hmac_valid(req, &mp_opt) ||
- !mptcp_can_accept_new_subflow(subflow_req->msk)) {
- SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
+ if (!mp_opt.mp_join)
fallback = true;
- }
}
create_child:
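Review bot: in the `subflow_req->mp_join` branch, a missing `mp_opt.mp_join` used to increment MPTCP_MIB_JOINACKMAC before setting `fallback = true`, and after this hunk it only sets fallback. That is a visible change in what the counter reports and the changelog does not mention it; please say whether dropping the increment for this case is intended.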
@@ -636,6 +631,12 @@ create_child:
if (!owner)
goto dispose_child;
+ if (!subflow_hmac_valid(req, &mp_opt) ||
+ !mptcp_can_accept_new_subflow(subflow_req->msk)) {
+ SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
+ goto dispose_child;
+ }
+
/* move the msk reference ownership to the subflow */
subflow_req->msk = NULL;
ctx->conn = (struct sock *)owner;
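Review bot: the moved block still increments MPTCP_MIB_JOINACKMAC when `mptcp_can_accept_new_subflow()` is what rejects the join, so a counter named for HMAC failures also counts limit rejections; split the two conditions so only `!subflow_hmac_valid(req, &mp_opt)` bumps it. The block also passes `subflow_req->msk` even though `owner` has just been NULL-checked two lines above; using `owner` would make it obvious that the pointer being tested is the one that was validated.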
* [PATCH 5.10 148/286] mptcp: only inc MPJoinAckHMacFailure for HMAC failures
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Matthieu Baerts (NGI0),
Simon Horman, Jakub Kicinski
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 21c02e8272bc95ba0dd44943665c669029b42760 upstream.
Recently, during a debugging session using local MPTCP connections, I
noticed MPJoinAckHMacFailure was not zero on the server side. The
counter was in fact incremented when the PM rejected new subflows,
because the 'subflow' limit was reached.
The fix is easy, simply dissociating the two cases: only the HMAC
validation check should increase MPTCP_MIB_JOINACKMAC counter.
Fixes: 4cf8b7e48a09 ("subflow: introduce and use mptcp_can_accept_new_subflow()")
Cc: stable@vger.kernel.org
Reviewed-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250407-net-mptcp-hmac-failure-mib-v1-1-3c9ecd0a3a50@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ No conflicts, but subflow_add_reset_reason() is not needed in this
version: the related feature is not supported in this version. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -631,12 +631,14 @@ create_child:
if (!owner)
goto dispose_child;
- if (!subflow_hmac_valid(req, &mp_opt) ||
- !mptcp_can_accept_new_subflow(subflow_req->msk)) {
+ if (!subflow_hmac_valid(req, &mp_opt)) {
SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
goto dispose_child;
}
+ if (!mptcp_can_accept_new_subflow(owner))
+ goto dispose_child;
+
/* move the msk reference ownership to the subflow */
subflow_req->msk = NULL;
ctx->conn = (struct sock *)owner;
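Review bot: after the split, `if (!mptcp_can_accept_new_subflow(owner)) goto dispose_child;` rejects the join without touching any counter, so a subflow refused because of the limit leaves no trace in the MIB. If that is intentional for this branch, a one-line comment on the new check saying so would stop someone from "restoring" the MPTCP_MIB_JOINACKMAC increment there; if a suitable counter exists in this tree, increment it here instead.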
* [PATCH 5.10 149/286] mptcp: sockopt: fix getting IPV6_V6ONLY
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Simon Horman, Paolo Abeni
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 8c39633759885b6ff85f6d96cf445560e74df5e8 upstream.
When adding a socket option support in MPTCP, both the get and set parts
are supposed to be implemented.
IPV6_V6ONLY support for the setsockopt part has been added a while ago,
but it looks like the get part got forgotten. It should have been
present as a way to verify a setting has been set as expected, and not
to act differently from TCP or any other socket types.
Not supporting this getsockopt(IPV6_V6ONLY) blocks some apps which want
to check the default value, before doing extra actions. On Linux, the
default value is 0, but this can be changed with the net.ipv6.bindv6only
sysctl knob. On Windows, it is set to 1 by default. So supporting the
get part, like for all other socket options, is important.
Everything was in place to expose it, just the last step was missing.
Only new code is added to cover this specific getsockopt(), that seems
safe.
Fixes: c9b95a135987 ("mptcp: support IPV6_V6ONLY setsockopt")
Cc: stable@vger.kernel.org
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/550
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-2-122dbb249db3@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Conflicts in sockopt.c in the context, because commit 0abdde82b163
("mptcp: move sockopt function into a new file") is not in this
release. The modifications can still be done in protocol.c without
difficulties. A particularity is that the mptcp_put_int_option()
helper is required, and imported from newer versions without taking
the extra features introduced with them in commit 2c9e77659a0c
("mptcp: add TCP_INQ cmsg support") and commit 3b1e21eb60e8 ("mptcp:
getsockopt: add support for IP_TOS"). ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2395,6 +2395,49 @@ static int mptcp_setsockopt(struct sock
return -EOPNOTSUPP;
}
+static int mptcp_put_int_option(struct mptcp_sock *msk, char __user *optval,
+ int __user *optlen, int val)
+{
+ int len;
+
+ if (get_user(len, optlen))
+ return -EFAULT;
+ if (len < 0)
+ return -EINVAL;
+
+ if (len < sizeof(int) && len > 0 && val >= 0 && val <= 255) {
+ unsigned char ucval = (unsigned char)val;
+
+ len = 1;
+ if (put_user(len, optlen))
+ return -EFAULT;
+ if (copy_to_user(optval, &ucval, 1))
+ return -EFAULT;
+ } else {
+ len = min_t(unsigned int, len, sizeof(int));
+ if (put_user(len, optlen))
+ return -EFAULT;
+ if (copy_to_user(optval, &val, len))
+ return -EFAULT;
+ }
+
+ return 0;
+}
+
+static int mptcp_getsockopt_v6(struct mptcp_sock *msk, int optname,
+ char __user *optval, int __user *optlen)
+{
+ struct sock *sk = (void *)msk;
+
+ switch (optname) {
+ case IPV6_V6ONLY:
+ return mptcp_put_int_option(msk, optval, optlen,
+ sk->sk_ipv6only);
+ }
+
+ return -EOPNOTSUPP;
+}
+
static int mptcp_getsockopt(struct sock *sk, int level, int optname,
char __user *optval, int __user *option)
{
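Review bot: in mptcp_put_int_option() the comparison `len < sizeof(int)` mixes a signed int with size_t and is only correct because the `if (len < 0) return -EINVAL;` check runs first; add a comment tying the two together, or make `len` unsigned after the negative check, so reordering cannot turn a negative length into a large copy size. The `msk` argument is never used in the helper and can be dropped, and the `switch (optname)` in mptcp_getsockopt_v6() has no `default:` label, which the usual style expects even when the fall-through return handles it.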
@@ -2415,6 +2458,8 @@ static int mptcp_getsockopt(struct sock
if (ssk)
return tcp_getsockopt(ssk, level, optname, optval, option);
+ if (level == SOL_IPV6)
+ return mptcp_getsockopt_v6(msk, optname, optval, option);
return -EOPNOTSUPP;
}
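Review bot: the new `if (level == SOL_IPV6)` test sits after `if (ssk) return tcp_getsockopt(...)`, so it is reached only when `ssk` is NULL, and a socket with a non-NULL `ssk` answers IPV6_V6ONLY from tcp_getsockopt() on that subflow rather than from `sk->sk_ipv6only`. If both paths are expected to return the same value, a comment stating that would help; a blank line before the final `return -EOPNOTSUPP;` would also match the spacing of the block above.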
* [PATCH 5.10 150/286] misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Kunihiko Hayashi, Krzysztof Wilczyński
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
commit f6cb7828c8e17520d4f5afb416515d3fae1af9a9 upstream.
After devm_request_irq() fails with error in pci_endpoint_test_request_irq(),
the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs
have been released.
However, some requested IRQs remain unreleased, so there are still
/proc/irq/* entries remaining, and this results in WARN() with the
following message:
remove_proc_entry: removing non-empty directory 'irq/30', leaking at least 'pci-endpoint-test.0'
WARNING: CPU: 0 PID: 202 at fs/proc/generic.c:719 remove_proc_entry +0x190/0x19c
To solve this issue, set the number of remaining IRQs to test->num_irqs,
and release IRQs in advance by calling pci_endpoint_test_release_irq().
Cc: stable@vger.kernel.org
Fixes: e03327122e2c ("pci_endpoint_test: Add 2 ioctl commands")
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://lore.kernel.org/r/20250225110252.28866-3-hayashi.kunihiko@socionext.com
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/pci_endpoint_test.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -263,6 +263,9 @@ fail:
break;
}
+ test->num_irqs = i;
+ pci_endpoint_test_release_irq(test);
+
return false;
}
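Review bot: `test->num_irqs = i;` on the fail path silently repurposes the field from "vectors allocated" to "IRQs successfully requested" just so pci_endpoint_test_release_irq() frees the right count, and the code does not say so. Add a comment that only IRQs 0..i-1 were requested when the loop failed at index i, and confirm that the vector-freeing step the changelog says runs afterwards does not rely on the original value of num_irqs.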
* [PATCH 5.10 151/286] misc: pci_endpoint_test: Fix displaying irq_type after request_irq error
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Kunihiko Hayashi, Krzysztof Wilczyński
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
commit 919d14603dab6a9cf03ebbeb2cfa556df48737c8 upstream.
There are two variables that indicate the interrupt type to be used
in the next test execution, global "irq_type" and "test->irq_type".
The former is referenced from pci_endpoint_test_get_irq() to preserve
the current type for ioctl(PCITEST_GET_IRQTYPE).
In the pci_endpoint_test_request_irq(), since this global variable
is referenced when an error occurs, the unintended error message is
displayed.
For example, after running "pcitest -i 2", the following message
shows "MSI 3" even if the current IRQ type becomes "MSI-X":
pci-endpoint-test 0000:01:00.0: Failed to request IRQ 30 for MSI 3
SET IRQ TYPE TO MSI-X: NOT OKAY
Fix this issue by using "test->irq_type" instead of global "irq_type".
Cc: stable@vger.kernel.org
Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype")
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://lore.kernel.org/r/20250225110252.28866-4-hayashi.kunihiko@socionext.com
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/pci_endpoint_test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -246,7 +246,7 @@ static bool pci_endpoint_test_request_ir
return true;
fail:
- switch (irq_type) {
+ switch (test->irq_type) {
case IRQ_TYPE_LEGACY:
dev_err(dev, "Failed to request IRQ %d for Legacy\n",
pci_irq_vector(pdev, i));
* [PATCH 5.10 152/286] misc: pci_endpoint_test: Fix irq_type to convey the correct type
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kunihiko Hayashi,
Krzysztof Wilczyński, Niklas Cassel, Manivannan Sadhasivam
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
commit baaef0a274cfb75f9b50eab3ef93205e604f662c upstream.
There are two variables that indicate the interrupt type to be used
in the next test execution, "irq_type" as global and "test->irq_type".
The global is referenced from pci_endpoint_test_get_irq() to preserve
the current type for ioctl(PCITEST_GET_IRQTYPE).
The type set in this function isn't reflected in the global "irq_type",
so ioctl(PCITEST_GET_IRQTYPE) returns the previous type.
As a result, the wrong type is displayed in old version of "pcitest"
as follows:
- Result of running "pcitest -i 0"
SET IRQ TYPE TO LEGACY: OKAY
- Result of running "pcitest -I"
GET IRQ TYPE: MSI
Whereas running the new version of "pcitest" in kselftest results in an
error as follows:
# RUN pci_ep_basic.LEGACY_IRQ_TEST ...
# pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Expected 0 (0) == ret (1)
# pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Can't get Legacy IRQ type
Fix this issue by propagating the current type to the global "irq_type".
Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250225110252.28866-5-hayashi.kunihiko@socionext.com
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/pci_endpoint_test.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -718,6 +718,7 @@ static bool pci_endpoint_test_set_irq(st
if (!pci_endpoint_test_request_irq(test))
goto err;
+ irq_type = test->irq_type;
return true;
err:
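Review bot: `irq_type = test->irq_type;` writes a module-wide variable from a per-device path, so with more than one endpoint test device the global holds whichever device was configured last, and no locking around the write is visible in this hunk. Since the changelog says the global exists only so PCITEST_GET_IRQTYPE can report the current type, please either document that the value is "last device set" or have the getter read `test->irq_type` directly.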
* [PATCH 5.10 153/286] x86/pvh: Call C code via the kernel virtual mapping
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Andryuk, Ard Biesheuvel,
Juergen Gross
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
commit e8fbc0d9cab6c1ee6403f42c0991b0c1d5dbc092 upstream.
Calling C code via a different mapping than it was linked at is
problematic, because the compiler assumes that RIP-relative and absolute
symbol references are interchangeable. GCC in particular may use
RIP-relative per-CPU variable references even when not using -fpic.
So call xen_prepare_pvh() via its kernel virtual mapping on x86_64, so
that those RIP-relative references produce the correct values. This
matches the pre-existing behavior for i386, which also invokes
xen_prepare_pvh() via the kernel virtual mapping before invoking
startup_32 with paging disabled again.
Fixes: 7243b93345f7 ("xen/pvh: Bootstrap PVH guest")
Tested-by: Jason Andryuk <jason.andryuk@amd.com>
Reviewed-by: Jason Andryuk <jason.andryuk@amd.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Message-ID: <20241009160438.3884381-8-ardb+git@google.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
[ Stable context update ]
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/platform/pvh/head.S | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/x86/platform/pvh/head.S
+++ b/arch/x86/platform/pvh/head.S
@@ -99,7 +99,12 @@ SYM_CODE_START_LOCAL(pvh_start_xen)
xor %edx, %edx
wrmsr
- call xen_prepare_pvh
+ /* Call xen_prepare_pvh() via the kernel virtual mapping */
+ leaq xen_prepare_pvh(%rip), %rax
+ subq phys_base(%rip), %rax
+ addq $__START_KERNEL_map, %rax
+ ANNOTATE_RETPOLINE_SAFE
+ call *%rax
/* startup_64 expects boot_params in %rsi. */
mov $_pa(pvh_bootparams), %rsi
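Review bot: the comment above the `leaq`/`subq`/`addq` sequence says what is done but not why, and ANNOTATE_RETPOLINE_SAFE on `call *%rax` is left unexplained. Extend the comment to say that xen_prepare_pvh() has to run at its link-time virtual address so RIP-relative references resolve correctly (the reason given in the changelog), and add a line on why an unprotected indirect call is acceptable at this point in boot, so the annotation is not copied elsewhere without that reasoning.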
* [PATCH 5.10 154/286] nvme: avoid double free special payload
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chunguang Xu, Sagi Grimberg,
Max Gurtovoy, Keith Busch, Cliff Liu, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chunguang Xu <chunguang.xu@shopee.com>
commit e5d574ab37f5f2e7937405613d9b1a724811e5ad upstream.
If a discard request needs to be retried, and that retry may fail before
a new special payload is added, a double free will result. Clear the
RQF_SPECIAL_LOAD when the request is cleaned.
Signed-off-by: Chunguang Xu <chunguang.xu@shopee.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
[Minor context change fixed]
Signed-off-by: Cliff Liu <donghua.liu@windriver.com>
Signed-off-by: He Zhe <Zhe.He@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -850,6 +850,7 @@ void nvme_cleanup_cmd(struct request *re
clear_bit_unlock(0, &ns->ctrl->discard_page_busy);
else
kfree(page_address(page) + req->special_vec.bv_offset);
+ req->rq_flags &= ~RQF_SPECIAL_PAYLOAD;
}
}
EXPORT_SYMBOL_GPL(nvme_cleanup_cmd);
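Review bot: Clearing RQF_SPECIAL_PAYLOAD after the kfree() leaves req->special_vec still describing the released page, so the flag is the only thing guarding a second free; consider also resetting req->special_vec here, or adding a short comment that every consumer of special_vec must test the flag first. The commit message names the flag RQF_SPECIAL_LOAD while the code clears RQF_SPECIAL_PAYLOAD, which makes the change harder to find by grep.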
* [PATCH 5.10 155/286] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2025-04-29 16:40 ` [PATCH 5.10 154/286] nvme: avoid double free special payload Greg Kroah-Hartman
@ 2025-04-29 16:40 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 156/286] phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function Greg Kroah-Hartman
` (135 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Lynch, Breno Leitao,
Michael Ellerman, Cliff Liu, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Lynch <nathanl@linux.ibm.com>
commit 0974d03eb479384466d828d65637814bee6b26d7 upstream.
Smatch warns:
arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential
spectre issue 'args.args' [r] (local cap)
The 'nargs' and 'nret' locals come directly from a user-supplied
buffer and are used as indexes into a small stack-based array and as
inputs to copy_to_user() after they are subject to bounds checks.
Use array_index_nospec() after the bounds checks to clamp these values
for speculative execution.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Reported-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm.com
[Minor context change fixed]
Signed-off-by: Cliff Liu <donghua.liu@windriver.com>
Signed-off-by: He Zhe <Zhe.He@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kernel/rtas.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -16,6 +16,7 @@
#include <linux/capability.h>
#include <linux/delay.h>
#include <linux/cpu.h>
+#include <linux/nospec.h>
#include <linux/sched.h>
#include <linux/smp.h>
#include <linux/completion.h>
@@ -1173,6 +1174,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args _
|| nargs + nret > ARRAY_SIZE(args.args))
return -EINVAL;
+ nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
+ nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
+
/* Copy in args. */
if (copy_from_user(args.args, uargs->args,
nargs * sizeof(rtas_arg_t)) != 0)
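Review bot: The second clamp treats nret as an index into the remaining slots, but the bounds check just above only rejects nargs + nret > ARRAY_SIZE(args.args), so nret == ARRAY_SIZE(args.args) - nargs is an accepted count that reaches this line, and array_index_nospec() returns 0 when the index equals the size. A call that uses every slot would then have nret forced to 0 on the architectural path as well; since nret is a count rather than an index, a size of ARRAY_SIZE(args.args) - nargs + 1 would clamp speculation without changing the accepted range. A comment stating which later accesses each clamp protects (the copy_from_user() length for nargs, the copy_to_user() named in the commit message for nret) would also help.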
* [PATCH 5.10 156/286] phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2025-04-29 16:40 ` [PATCH 5.10 155/286] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 157/286] wifi: ath10k: avoid NULL pointer error during sdio remove Greg Kroah-Hartman
` (134 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Thierry Reding,
Vinod Koul, Alva Lan
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f upstream.
Callers of the tegra_xusb_find_port_node() function only do NULL checking for
the return value. Return NULL instead of ERR_PTR(-ENOMEM) to keep
consistent.
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://lore.kernel.org/r/20211213020507.1458-1-linmq006@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/tegra/xusb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/phy/tegra/xusb.c
+++ b/drivers/phy/tegra/xusb.c
@@ -449,7 +449,7 @@ tegra_xusb_find_port_node(struct tegra_x
name = kasprintf(GFP_KERNEL, "%s-%u", type, index);
if (!name) {
of_node_put(ports);
- return ERR_PTR(-ENOMEM);
+ return NULL;
}
np = of_get_child_by_name(ports, name);
kfree(name);
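Review bot: Returning NULL on the kasprintf() failure path makes an allocation failure indistinguishable from the case where of_get_child_by_name() finds no matching node, so callers that treat NULL as "port not present" will skip the port under memory pressure without any trace. If that is the intended contract, say so in a comment above tegra_xusb_find_port_node() (NULL covers both not-found and out-of-memory); otherwise keep the ERR_PTR and add IS_ERR() handling in the callers.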
* [PATCH 5.10 157/286] wifi: ath10k: avoid NULL pointer error during sdio remove
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 156/286] phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 158/286] drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links Greg Kroah-Hartman
` (133 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kang Yang, David Ruth, Jeff Johnson,
Alva Lan
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kang Yang <quic_kangyang@quicinc.com>
commit 95c38953cb1ecf40399a676a1f85dfe2b5780a9a upstream.
When running 'rmmod ath10k', ath10k_sdio_remove() will free sdio
workqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON
is set to yes, kernel panic will happen:
Call trace:
destroy_workqueue+0x1c/0x258
ath10k_sdio_remove+0x84/0x94
sdio_bus_remove+0x50/0x16c
device_release_driver_internal+0x188/0x25c
device_driver_detach+0x20/0x2c
This is because during 'rmmod ath10k', ath10k_sdio_remove() will call
ath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release()
will finally be called in ath10k_core_destroy(). This function will free
struct cfg80211_registered_device *rdev and all its members, including
wiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio
workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON.
After device release, destroy_workqueue() will use the NULL pointer and then the
kernel panic happens.
Call trace:
ath10k_sdio_remove
->ath10k_core_unregister
……
->ath10k_core_stop
->ath10k_hif_stop
->ath10k_sdio_irq_disable
->ath10k_hif_power_down
->del_timer_sync(&ar_sdio->sleep_timer)
->ath10k_core_destroy
->ath10k_mac_destroy
->ieee80211_free_hw
->wiphy_free
……
->wiphy_dev_release
->destroy_workqueue
Need to call destroy_workqueue() before ath10k_core_destroy(), free
the work queue buffer first and then free pointer of work queue by
ath10k_core_destroy(). This order matches the error path order in
ath10k_sdio_probe().
No work will be queued on the sdio workqueue between the time it is destroyed
and the time ath10k_core_destroy() is called. Based on the call stack above, the
reason is:
Only ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and
ath10k_sdio_irq_disable() will queue work on sdio workqueue.
Sleep timer will be deleted before ath10k_core_destroy() in
ath10k_hif_power_down().
ath10k_sdio_irq_disable() will only be called in ath10k_hif_stop().
ath10k_core_unregister() will call ath10k_hif_power_down() to stop hif
bus, so ath10k_sdio_hif_tx_sg() won't be called anymore.
Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189
Signed-off-by: Kang Yang <quic_kangyang@quicinc.com>
Tested-by: David Ruth <druth@chromium.org>
Reviewed-by: David Ruth <druth@chromium.org>
Link: https://patch.msgid.link/20241008022246.1010-1-quic_kangyang@quicinc.com
Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath10k/sdio.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/ath/ath10k/sdio.c
+++ b/drivers/net/wireless/ath/ath10k/sdio.c
@@ -3,6 +3,7 @@
* Copyright (c) 2004-2011 Atheros Communications Inc.
* Copyright (c) 2011-2012,2017 Qualcomm Atheros, Inc.
* Copyright (c) 2016-2017 Erik Stromdahl <erik.stromdahl@gmail.com>
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/module.h>
@@ -2649,9 +2650,9 @@ static void ath10k_sdio_remove(struct sd
netif_napi_del(&ar->napi);
- ath10k_core_destroy(ar);
-
destroy_workqueue(ar_sdio->workqueue);
+
+ ath10k_core_destroy(ar);
}
static const struct sdio_device_id ath10k_sdio_devices[] = {
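Review bot: The new order in ath10k_sdio_remove() is only correct while nothing can queue work between destroy_workqueue() and ath10k_core_destroy(), and that argument lives solely in the commit message. A short comment above destroy_workqueue(ar_sdio->workqueue) saying that the workqueue pointer is released by ath10k_core_destroy() and must therefore be torn down first would keep a later reshuffle from reintroducing the NULL dereference.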
* [PATCH 5.10 158/286] drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 157/286] wifi: ath10k: avoid NULL pointer error during sdio remove Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 159/286] drm/amd/display: Fix out-of-bounds access in dcn21_link_encoder_create Greg Kroah-Hartman
` (132 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harry Wentland, Tom Chung, Hersen Wu,
Daniel Wheeler, Alex Deucher, Jianqi Ren, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hersen Wu <hersenxs.wu@amd.com>
commit cf8b16857db702ceb8d52f9219a4613363e2b1cf upstream.
[Why]
Coverity reports an OVERRUN warning. There are
only max_links elements within dc->links. The link
count could be up to AMDGPU_DM_MAX_DISPLAY_INDEX 31.
[How]
Make sure the link count is less than max_links.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[Minor conflict resolved due to code context change. And the macro MAX_LINKS
is introduced by Commit 60df5628144b ("drm/amd/display: handle invalid
connector indices") after 6.10. So here we still use the original array
length MAX_PIPES * 2]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -3397,17 +3397,17 @@ static int amdgpu_dm_initialize_drm_devi
goto fail;
}
+ if (link_cnt > (MAX_PIPES * 2)) {
+ DRM_ERROR(
+ "KMS: Cannot support more than %d display indexes\n",
+ MAX_PIPES * 2);
+ goto fail;
+ }
+
/* loops over all connectors on the board */
for (i = 0; i < link_cnt; i++) {
struct dc_link *link = NULL;
- if (i > AMDGPU_DM_MAX_DISPLAY_INDEX) {
- DRM_ERROR(
- "KMS: Cannot support more than %d display indexes\n",
- AMDGPU_DM_MAX_DISPLAY_INDEX);
- continue;
- }
-
aconnector = kzalloc(sizeof(*aconnector), GFP_KERNEL);
if (!aconnector)
goto fail;
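Review bot: The limit MAX_PIPES * 2 is spelled out twice in the new check and is tied to the size of dc->links only by the backport note, so a later change to that array will not update it. Deriving the bound from the array itself, or from one named constant, and wording the DRM_ERROR message in terms of links rather than "display indexes" would keep the check and the message aligned.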
* [PATCH 5.10 159/286] drm/amd/display: Fix out-of-bounds access in dcn21_link_encoder_create
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 158/286] drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 160/286] nvmet-fc: Remove unused functions Greg Kroah-Hartman
` (131 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Chung, Rodrigo Siqueira,
Roman Li, Alex Hung, Aurabindo Pillai, Harry Wentland,
Hamza Mahfooz, Srinivasan Shanmugam, Alex Deucher, Bin Lan,
He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
commit 63de35a8fcfca59ae8750d469a7eb220c7557baf upstream.
An issue was identified in the dcn21_link_encoder_create function where
an out-of-bounds access could occur when the hpd_source index was used
to reference the link_enc_hpd_regs array. This array has a fixed size
and the index was not being checked against the array's bounds before
accessing it.
This fix adds a conditional check to ensure that the hpd_source index is
within the valid range of the link_enc_hpd_regs array. If the index is
out of bounds, the function now returns NULL to prevent undefined
behavior.
References:
[ 65.920507] ------------[ cut here ]------------
[ 65.920510] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn21/dcn21_resource.c:1312:29
[ 65.920519] index 7 is out of range for type 'dcn10_link_enc_hpd_registers [5]'
[ 65.920523] CPU: 3 PID: 1178 Comm: modprobe Tainted: G OE 6.8.0-cleanershaderfeatureresetasdntipmi200nv2132 #13
[ 65.920525] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS WMJ0429N_Weekly_20_04_2 04/29/2020
[ 65.920527] Call Trace:
[ 65.920529] <TASK>
[ 65.920532] dump_stack_lvl+0x48/0x70
[ 65.920541] dump_stack+0x10/0x20
[ 65.920543] __ubsan_handle_out_of_bounds+0xa2/0xe0
[ 65.920549] dcn21_link_encoder_create+0xd9/0x140 [amdgpu]
[ 65.921009] link_create+0x6d3/0xed0 [amdgpu]
[ 65.921355] create_links+0x18a/0x4e0 [amdgpu]
[ 65.921679] dc_create+0x360/0x720 [amdgpu]
[ 65.921999] ? dmi_matches+0xa0/0x220
[ 65.922004] amdgpu_dm_init+0x2b6/0x2c90 [amdgpu]
[ 65.922342] ? console_unlock+0x77/0x120
[ 65.922348] ? dev_printk_emit+0x86/0xb0
[ 65.922354] dm_hw_init+0x15/0x40 [amdgpu]
[ 65.922686] amdgpu_device_init+0x26a8/0x33a0 [amdgpu]
[ 65.922921] amdgpu_driver_load_kms+0x1b/0xa0 [amdgpu]
[ 65.923087] amdgpu_pci_probe+0x1b7/0x630 [amdgpu]
[ 65.923087] local_pci_probe+0x4b/0xb0
[ 65.923087] pci_device_probe+0xc8/0x280
[ 65.923087] really_probe+0x187/0x300
[ 65.923087] __driver_probe_device+0x85/0x130
[ 65.923087] driver_probe_device+0x24/0x110
[ 65.923087] __driver_attach+0xac/0x1d0
[ 65.923087] ? __pfx___driver_attach+0x10/0x10
[ 65.923087] bus_for_each_dev+0x7d/0xd0
[ 65.923087] driver_attach+0x1e/0x30
[ 65.923087] bus_add_driver+0xf2/0x200
[ 65.923087] driver_register+0x64/0x130
[ 65.923087] ? __pfx_amdgpu_init+0x10/0x10 [amdgpu]
[ 65.923087] __pci_register_driver+0x61/0x70
[ 65.923087] amdgpu_init+0x7d/0xff0 [amdgpu]
[ 65.923087] do_one_initcall+0x49/0x310
[ 65.923087] ? kmalloc_trace+0x136/0x360
[ 65.923087] do_init_module+0x6a/0x270
[ 65.923087] load_module+0x1fce/0x23a0
[ 65.923087] init_module_from_file+0x9c/0xe0
[ 65.923087] ? init_module_from_file+0x9c/0xe0
[ 65.923087] idempotent_init_module+0x179/0x230
[ 65.923087] __x64_sys_finit_module+0x5d/0xa0
[ 65.923087] do_syscall_64+0x76/0x120
[ 65.923087] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 65.923087] RIP: 0033:0x7f2d80f1e88d
[ 65.923087] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48
[ 65.923087] RSP: 002b:00007ffc7bc1aa78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 65.923087] RAX: ffffffffffffffda RBX: 0000564c9c1db130 RCX: 00007f2d80f1e88d
[ 65.923087] RDX: 0000000000000000 RSI: 0000564c9c1e5480 RDI: 000000000000000f
[ 65.923087] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000002
[ 65.923087] R10: 000000000000000f R11: 0000000000000246 R12: 0000564c9c1e5480
[ 65.923087] R13: 0000564c9c1db260 R14: 0000000000000000 R15: 0000564c9c1e54b0
[ 65.923087] </TASK>
[ 65.923927] ---[ end trace ]---
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Roman Li <roman.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
@@ -1698,7 +1698,7 @@ static struct link_encoder *dcn21_link_e
kzalloc(sizeof(struct dcn21_link_encoder), GFP_KERNEL);
int link_regs_id;
- if (!enc21)
+ if (!enc21 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
return NULL;
link_regs_id =
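Review bot: Folding the range test into the allocation check leaks enc21 when kzalloc() succeeds and enc_init_data->hpd_source is out of range, because the function then returns NULL without freeing it. Test hpd_source against ARRAY_SIZE(link_enc_hpd_regs) before the kzalloc(), or kfree(enc21) on that path.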
* [PATCH 5.10 160/286] nvmet-fc: Remove unused functions
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 159/286] drm/amd/display: Fix out-of-bounds access in dcn21_link_encoder_create Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 161/286] smb: client: fix potential UAF in cifs_debug_files_proc_show() Greg Kroah-Hartman
` (130 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, WangYuli, Chaitanya Kulkarni,
Christoph Hellwig, Keith Busch
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
commit 1b304c006b0fb4f0517a8c4ba8c46e88f48a069c upstream.
The functions nvmet_fc_iodnum() and nvmet_fc_fodnum() are currently
unutilized.
Following commit c53432030d86 ("nvme-fabrics: Add target support for FC
transport"), which introduced these two functions, they have not been
used at all in practice.
Remove them to resolve the compiler warnings.
Fix the following errors with clang-19 when W=1e:
drivers/nvme/target/fc.c:177:1: error: unused function 'nvmet_fc_iodnum' [-Werror,-Wunused-function]
177 | nvmet_fc_iodnum(struct nvmet_fc_ls_iod *iodptr)
| ^~~~~~~~~~~~~~~
drivers/nvme/target/fc.c:183:1: error: unused function 'nvmet_fc_fodnum' [-Werror,-Wunused-function]
183 | nvmet_fc_fodnum(struct nvmet_fc_fcp_iod *fodptr)
| ^~~~~~~~~~~~~~~
2 errors generated.
make[8]: *** [scripts/Makefile.build:207: drivers/nvme/target/fc.o] Error 1
make[7]: *** [scripts/Makefile.build:465: drivers/nvme/target] Error 2
make[6]: *** [scripts/Makefile.build:465: drivers/nvme] Error 2
make[6]: *** Waiting for unfinished jobs....
Fixes: c53432030d86 ("nvme-fabrics: Add target support for FC transport")
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/target/fc.c | 14 --------------
1 file changed, 14 deletions(-)
--- a/drivers/nvme/target/fc.c
+++ b/drivers/nvme/target/fc.c
@@ -169,20 +169,6 @@ struct nvmet_fc_tgt_assoc {
struct work_struct del_work;
};
-
-static inline int
-nvmet_fc_iodnum(struct nvmet_fc_ls_iod *iodptr)
-{
- return (iodptr - iodptr->tgtport->iod);
-}
-
-static inline int
-nvmet_fc_fodnum(struct nvmet_fc_fcp_iod *fodptr)
-{
- return (fodptr - fodptr->queue->fod);
-}
-
-
/*
* Association and Connection IDs:
*
* [PATCH 5.10 161/286] smb: client: fix potential UAF in cifs_debug_files_proc_show()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 160/286] nvmet-fc: Remove unused functions Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 162/286] smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Greg Kroah-Hartman
` (129 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Steve French, Jianqi Ren, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
commit ca545b7f0823f19db0f1148d59bc5e1a56634502 upstream.
Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ This patch removes lock/unlock operation in routine cifs_ses_exiting()
for ses_lock is not present in v5.10 and not ported yet. ses->status
is protected by a global lock, cifs_tcp_ses_lock, in v5.10. ]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifs_debug.c | 2 ++
fs/cifs/cifsglob.h | 8 ++++++++
2 files changed, 10 insertions(+)
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -183,6 +183,8 @@ static int cifs_debug_files_proc_show(st
tcp_ses_list);
list_for_each(tmp, &server->smb_ses_list) {
ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
+ if (cifs_ses_exiting(ses))
+ continue;
list_for_each(tmp1, &ses->tcon_list) {
tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
spin_lock(&tcon->open_file_lock);
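Review bot: The new cifs_ses_exiting(ses) test is a point-in-time read of ses->status, and the backport note says that field is protected by cifs_tcp_ses_lock in v5.10, but the hunk does not show that lock held around the list_for_each() over server->smb_ses_list. Confirm the walk runs under cifs_tcp_ses_lock for its whole duration; if the lock is dropped before ses->tcon_list is traversed, the session can still start exiting after the check.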
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -2115,4 +2115,12 @@ static inline struct scatterlist *cifs_s
return sg;
}
+static inline bool cifs_ses_exiting(struct cifs_ses *ses)
+{
+ bool ret;
+
+ ret = ses->status == CifsExiting;
+ return ret;
+}
+
#endif /* _CIFS_GLOB_H */
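Review bot: With the lock and unlock removed for v5.10, the local ret in cifs_ses_exiting() is left over and the body reduces to a single return of ses->status == CifsExiting. More important, the helper now carries an unstated locking requirement: add a comment that callers must hold cifs_tcp_ses_lock, so the helper is not reused from an unlocked context.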
* [PATCH 5.10 162/286] smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 161/286] smb: client: fix potential UAF in cifs_debug_files_proc_show() Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 163/286] cifs: Fix UAF in cifs_demultiplex_thread() Greg Kroah-Hartman
` (128 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (SUSE), Steve French,
Xiangyu Chen, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62 upstream.
Skip SMB sessions that are being torn down
(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()
to avoid use-after-free in @ses.
This fixes the following GPF when reading from /proc/fs/cifs/DebugData
while mounting and umounting
[ 816.251274] general protection fault, probably for non-canonical
address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI
...
[ 816.260138] Call Trace:
[ 816.260329] <TASK>
[ 816.260499] ? die_addr+0x36/0x90
[ 816.260762] ? exc_general_protection+0x1b3/0x410
[ 816.261126] ? asm_exc_general_protection+0x26/0x30
[ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs]
[ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs]
[ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs]
[ 816.262689] ? seq_read_iter+0x379/0x470
[ 816.262995] seq_read_iter+0x118/0x470
[ 816.263291] proc_reg_read_iter+0x53/0x90
[ 816.263596] ? srso_alias_return_thunk+0x5/0x7f
[ 816.263945] vfs_read+0x201/0x350
[ 816.264211] ksys_read+0x75/0x100
[ 816.264472] do_syscall_64+0x3f/0x90
[ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 816.265135] RIP: 0033:0x7fd5e669d381
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ This patch removed lock/unlock operation due to ses_lock is
not present in v5.10 and not ported yet. ses->status is protected
by a global lock, cifs_tcp_ses_lock, in v5.10. ]
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifs_debug.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -358,6 +358,8 @@ skip_rdma:
list_for_each(tmp2, &server->smb_ses_list) {
ses = list_entry(tmp2, struct cifs_ses,
smb_ses_list);
+ if (ses->status == CifsExiting)
+ continue;
if ((ses->serverDomain == NULL) ||
(ses->serverOS == NULL) ||
(ses->serverNOS == NULL)) {
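Review bot: This open-codes ses->status == CifsExiting, while the previous patch in the series adds cifs_ses_exiting() to cifsglob.h for the same test in cifs_debug_files_proc_show(). Using the helper here keeps the two /proc readers consistent and gives one place to restore the ses_lock handling if that lock is backported later.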
* [PATCH 5.10 163/286] cifs: Fix UAF in cifs_demultiplex_thread()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 162/286] smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 164/286] smb: client: fix potential deadlock when releasing mids Greg Kroah-Hartman
` (127 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (SUSE), Zhang Xiaoxu,
Steve French, He Zhe, Xiangyu Chen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
commit d527f51331cace562393a8038d870b3e9916686f upstream.
There is a UAF when running xfstests on cifs:
BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160
Read of size 4 at addr ffff88810103fc08 by task cifsd/923
CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45
...
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report+0x171/0x472
kasan_report+0xad/0x130
kasan_check_range+0x145/0x1a0
smb2_is_network_name_deleted+0x27/0x160
cifs_demultiplex_thread.cold+0x172/0x5a4
kthread+0x165/0x1a0
ret_from_fork+0x1f/0x30
</TASK>
Allocated by task 923:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_slab_alloc+0x54/0x60
kmem_cache_alloc+0x147/0x320
mempool_alloc+0xe1/0x260
cifs_small_buf_get+0x24/0x60
allocate_buffers+0xa1/0x1c0
cifs_demultiplex_thread+0x199/0x10d0
kthread+0x165/0x1a0
ret_from_fork+0x1f/0x30
Freed by task 921:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x40
____kasan_slab_free+0x143/0x1b0
kmem_cache_free+0xe3/0x4d0
cifs_small_buf_release+0x29/0x90
SMB2_negotiate+0x8b7/0x1c60
smb2_negotiate+0x51/0x70
cifs_negotiate_protocol+0xf0/0x160
cifs_get_smb_ses+0x5fa/0x13c0
mount_get_conns+0x7a/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
The UAF is because:
mount(pid: 921) | cifsd(pid: 923)
-------------------------------|-------------------------------
| cifs_demultiplex_thread
SMB2_negotiate |
cifs_send_recv |
compound_send_recv |
smb_send_rqst |
wait_for_response |
wait_event_state [1] |
| standard_receive3
| cifs_handle_standard
| handle_mid
| mid->resp_buf = buf; [2]
| dequeue_mid [3]
KILL the process [4] |
resp_iov[i].iov_base = buf |
free_rsp_buf [5] |
| is_network_name_deleted [6]
| callback
1. After sending the request to the server, wait for the response until
mid->mid_state != SUBMITTED;
2. Receive the response from the server, and set it to mid;
3. Set the mid state to RECEIVED;
4. Kill the process, the mid state is already RECEIVED, get 0;
5. Handle and release the negotiate response;
6. UAF.
It can be easily reproduced by adding some delay in [3] - [6].
Only sync calls have the problem, since an async call's callback is
executed in the cifsd process.
Add an extra state to mark the mid state as READY before waking up the
waiter, so that it can get the resp safely.
Fixes: ec637e3ffb6b ("[CIFS] Avoid extra large buffer allocation (and memcpy) in cifs_readpages")
Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[fs/cifs was moved to fs/smb/client since
38c8a9a52082 ("smb: move client and server files to common directory fs/smb").
We apply the patch to fs/cifs with some minor context changes.]
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsglob.h | 1 +
fs/cifs/transport.c | 34 +++++++++++++++++++++++-----------
2 files changed, 24 insertions(+), 11 deletions(-)
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1768,6 +1768,7 @@ static inline bool is_retryable_error(in
#define MID_RETRY_NEEDED 8 /* session closed while this request out */
#define MID_RESPONSE_MALFORMED 0x10
#define MID_SHUTDOWN 0x20
+#define MID_RESPONSE_READY 0x40 /* ready for other process handle the rsp */
/* Flags */
#define MID_WAIT_CANCELLED 1 /* Cancelled while waiting for response */
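Review bot: The comment on MID_RESPONSE_READY does not say how the state differs from MID_RESPONSE_RECEIVED, which is the whole point of adding it. Spell out the ordering in the header, for example that RECEIVED means the demultiplex thread has attached resp_buf but may still read it, and READY means the waiter may now consume and free it.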
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -47,6 +47,8 @@
void
cifs_wake_up_task(struct mid_q_entry *mid)
{
+ if (mid->mid_state == MID_RESPONSE_RECEIVED)
+ mid->mid_state = MID_RESPONSE_READY;
wake_up_process(mid->callback_data);
}
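Review bot: mid->mid_state is updated in cifs_wake_up_task() with no lock taken in the visible lines, while cifs_sync_mid_result() and the cancel paths later in this patch read it under GlobalMid_Lock. Either take the lock around the RECEIVED to READY transition or add a comment explaining why ordering against wake_up_process() is sufficient for the waiter's unlocked condition check in wait_for_response().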
@@ -99,7 +101,8 @@ static void _cifs_mid_q_entry_release(st
struct TCP_Server_Info *server = midEntry->server;
if (midEntry->resp_buf && (midEntry->mid_flags & MID_WAIT_CANCELLED) &&
- midEntry->mid_state == MID_RESPONSE_RECEIVED &&
+ (midEntry->mid_state == MID_RESPONSE_RECEIVED ||
+ midEntry->mid_state == MID_RESPONSE_READY) &&
server->ops->handle_cancelled_mid)
server->ops->handle_cancelled_mid(midEntry, server);
@@ -733,7 +736,8 @@ wait_for_response(struct TCP_Server_Info
int error;
error = wait_event_freezekillable_unsafe(server->response_q,
- midQ->mid_state != MID_REQUEST_SUBMITTED);
+ midQ->mid_state != MID_REQUEST_SUBMITTED &&
+ midQ->mid_state != MID_RESPONSE_RECEIVED);
if (error < 0)
return -ERESTARTSYS;
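Review bot: The pair MID_REQUEST_SUBMITTED and MID_RESPONSE_RECEIVED now means "response not yet consumable" and is repeated in wait_for_response(), compound_send_recv(), SendReceive() and SendReceiveBlockingLock(). A small inline predicate in cifsglob.h would keep these sites from drifting apart when another state is added.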
@@ -885,7 +889,7 @@ cifs_sync_mid_result(struct mid_q_entry
spin_lock(&GlobalMid_Lock);
switch (mid->mid_state) {
- case MID_RESPONSE_RECEIVED:
+ case MID_RESPONSE_READY:
spin_unlock(&GlobalMid_Lock);
return rc;
case MID_RETRY_NEEDED:
@@ -984,6 +988,9 @@ cifs_compound_callback(struct mid_q_entr
credits.instance = server->reconnect_instance;
add_credits(server, &credits, mid->optype);
+
+ if (mid->mid_state == MID_RESPONSE_RECEIVED)
+ mid->mid_state = MID_RESPONSE_READY;
}
static void
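Review bot: the two-line promotion added at the end of cifs_compound_callback() is a copy of the one added to cifs_wake_up_task(). A small static inline helper would keep the two sites from drifting, and would be the natural place to document that the promotion has to come after the callback has finished touching the mid, as it does here after add_credits().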
@@ -1172,7 +1179,8 @@ compound_send_recv(const unsigned int xi
send_cancel(server, &rqst[i], midQ[i]);
spin_lock(&GlobalMid_Lock);
midQ[i]->mid_flags |= MID_WAIT_CANCELLED;
- if (midQ[i]->mid_state == MID_REQUEST_SUBMITTED) {
+ if (midQ[i]->mid_state == MID_REQUEST_SUBMITTED ||
+ midQ[i]->mid_state == MID_RESPONSE_RECEIVED) {
midQ[i]->callback = cifs_cancelled_callback;
cancelled_mid[i] = true;
credits[i].value = 0;
@@ -1193,7 +1201,7 @@ compound_send_recv(const unsigned int xi
}
if (!midQ[i]->resp_buf ||
- midQ[i]->mid_state != MID_RESPONSE_RECEIVED) {
+ midQ[i]->mid_state != MID_RESPONSE_READY) {
rc = -EIO;
cifs_dbg(FYI, "Bad MID state?\n");
goto out;
@@ -1372,7 +1380,8 @@ SendReceive(const unsigned int xid, stru
if (rc != 0) {
send_cancel(server, &rqst, midQ);
spin_lock(&GlobalMid_Lock);
- if (midQ->mid_state == MID_REQUEST_SUBMITTED) {
+ if (midQ->mid_state == MID_REQUEST_SUBMITTED ||
+ midQ->mid_state == MID_RESPONSE_RECEIVED) {
/* no longer considered to be "in-flight" */
midQ->callback = DeleteMidQEntry;
spin_unlock(&GlobalMid_Lock);
@@ -1389,7 +1398,7 @@ SendReceive(const unsigned int xid, stru
}
if (!midQ->resp_buf || !out_buf ||
- midQ->mid_state != MID_RESPONSE_RECEIVED) {
+ midQ->mid_state != MID_RESPONSE_READY) {
rc = -EIO;
cifs_server_dbg(VFS, "Bad MID state?\n");
goto out;
@@ -1509,13 +1518,15 @@ SendReceiveBlockingLock(const unsigned i
/* Wait for a reply - allow signals to interrupt. */
rc = wait_event_interruptible(server->response_q,
- (!(midQ->mid_state == MID_REQUEST_SUBMITTED)) ||
+ (!(midQ->mid_state == MID_REQUEST_SUBMITTED ||
+ midQ->mid_state == MID_RESPONSE_RECEIVED)) ||
((server->tcpStatus != CifsGood) &&
(server->tcpStatus != CifsNew)));
/* Were we interrupted by a signal ? */
if ((rc == -ERESTARTSYS) &&
- (midQ->mid_state == MID_REQUEST_SUBMITTED) &&
+ (midQ->mid_state == MID_REQUEST_SUBMITTED ||
+ midQ->mid_state == MID_RESPONSE_RECEIVED) &&
((server->tcpStatus == CifsGood) ||
(server->tcpStatus == CifsNew))) {
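Review bot: the pair "mid_state == MID_REQUEST_SUBMITTED || mid_state == MID_RESPONSE_RECEIVED" is open-coded in the wait condition and in the signal check of this hunk, and again in the cancel paths of compound_send_recv(), SendReceive() and SendReceiveBlockingLock(). A predicate helper for "still in flight" would make the negated form inside wait_event_interruptible() easier to read and would leave one place to update if another intermediate state is added.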
@@ -1545,7 +1556,8 @@ SendReceiveBlockingLock(const unsigned i
if (rc) {
send_cancel(server, &rqst, midQ);
spin_lock(&GlobalMid_Lock);
- if (midQ->mid_state == MID_REQUEST_SUBMITTED) {
+ if (midQ->mid_state == MID_REQUEST_SUBMITTED ||
+ midQ->mid_state == MID_RESPONSE_RECEIVED) {
/* no longer considered to be "in-flight" */
midQ->callback = DeleteMidQEntry;
spin_unlock(&GlobalMid_Lock);
@@ -1563,7 +1575,7 @@ SendReceiveBlockingLock(const unsigned i
return rc;
/* rcvd frame is ok */
- if (out_buf == NULL || midQ->mid_state != MID_RESPONSE_RECEIVED) {
+ if (out_buf == NULL || midQ->mid_state != MID_RESPONSE_READY) {
rc = -EIO;
cifs_tcon_dbg(VFS, "Bad MID state?\n");
goto out;
* [PATCH 5.10 164/286] smb: client: fix potential deadlock when releasing mids
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (SUSE), Steve French,
Cliff Liu, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
commit e6322fd177c6885a21dd4609dc5e5c973d1a2eb7 upstream.
All release_mid() callers seem to hold a reference of @mid so there is
no need to call kref_put(&mid->refcount, __release_mid) under
@server->mid_lock spinlock. If they don't, then a use-after-free bug
would have occurred anyways.
Getting rid of such spinlock also fixes a potential deadlock as
shown below
CPU 0                                CPU 1
------------------------------------------------------------------
cifs_demultiplex_thread()            cifs_debug_data_proc_show()
 release_mid()
  spin_lock(&server->mid_lock);
                                     spin_lock(&cifs_tcp_ses_lock)
                                      spin_lock(&server->mid_lock)
  __release_mid()
   smb2_find_smb_tcon()
    spin_lock(&cifs_tcp_ses_lock) *deadlock*
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[cifs_mid_q_entry_release() is renamed to release_mid() and
_cifs_mid_q_entry_release() is renamed to __release_mid() by
commit 70f08f914a37 ("cifs: remove useless DeleteMidQEntry()")
which is integrated into v6.0, so preserve old names in v5.10.]
Signed-off-by: Cliff Liu <donghua.liu@windriver.com>
Signed-off-by: He Zhe <Zhe.He@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsproto.h | 7 ++++++-
fs/cifs/smb2misc.c | 2 +-
fs/cifs/transport.c | 9 +--------
3 files changed, 8 insertions(+), 10 deletions(-)
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -85,7 +85,7 @@ extern struct mid_q_entry *AllocMidQEntr
struct TCP_Server_Info *server);
extern void DeleteMidQEntry(struct mid_q_entry *midEntry);
extern void cifs_delete_mid(struct mid_q_entry *mid);
-extern void cifs_mid_q_entry_release(struct mid_q_entry *midEntry);
+void _cifs_mid_q_entry_release(struct kref *refcount);
extern void cifs_wake_up_task(struct mid_q_entry *mid);
extern int cifs_handle_standard(struct TCP_Server_Info *server,
struct mid_q_entry *mid);
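Review bot: the new prototype for _cifs_mid_q_entry_release() drops the extern keyword that every neighbouring declaration in this hunk carries; match the surrounding style. The function also becomes globally visible only so that the inline wrapper can pass it to kref_put(), so a one-line comment saying it is the kref release callback and is not meant to be called directly would help.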
@@ -646,4 +646,9 @@ static inline int cifs_create_options(st
return options;
}
+static inline void cifs_mid_q_entry_release(struct mid_q_entry *midEntry)
+{
+ kref_put(&midEntry->refcount, _cifs_mid_q_entry_release);
+}
+
#endif /* _CIFSPROTO_H */
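Review bot: cifs_mid_q_entry_release() now calls kref_put() with no lock held, which is safe only under the assumption from the commit message that every caller already holds a reference. Write that assumption as a comment above the inline, since the commit message itself only says callers "seem to" hold one.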
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -780,7 +780,7 @@ __smb2_handle_cancelled_cmd(struct cifs_
{
struct close_cancelled_open *cancelled;
- cancelled = kzalloc(sizeof(*cancelled), GFP_ATOMIC);
+ cancelled = kzalloc(sizeof(*cancelled), GFP_KERNEL);
if (!cancelled)
return -ENOMEM;
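Review bot: the switch from GFP_ATOMIC to GFP_KERNEL in __smb2_handle_cancelled_cmd() is not explained in the commit message. It is valid only if this function can no longer be reached from atomic context once the spinlock around kref_put() is gone; please state that in the changelog, or confirm that no remaining caller holds a spinlock here.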
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -88,7 +88,7 @@ AllocMidQEntry(const struct smb_hdr *smb
return temp;
}
-static void _cifs_mid_q_entry_release(struct kref *refcount)
+void _cifs_mid_q_entry_release(struct kref *refcount)
{
struct mid_q_entry *midEntry =
container_of(refcount, struct mid_q_entry, refcount);
@@ -168,13 +168,6 @@ static void _cifs_mid_q_entry_release(st
mempool_free(midEntry, cifs_mid_poolp);
}
-void cifs_mid_q_entry_release(struct mid_q_entry *midEntry)
-{
- spin_lock(&GlobalMid_Lock);
- kref_put(&midEntry->refcount, _cifs_mid_q_entry_release);
- spin_unlock(&GlobalMid_Lock);
-}
-
void DeleteMidQEntry(struct mid_q_entry *midEntry)
{
cifs_mid_q_entry_release(midEntry);
* [PATCH 5.10 165/286] smb: client: fix potential UAF in cifs_stats_proc_show()
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Steve French, Jianqi Ren, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
commit 0865ffefea197b437ba78b5dd8d8e256253efd65 upstream.
Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ cifs_debug.c was moved from fs/cifs to fs/smb/client since
38c8a9a52082 ("smb: move client and server files to common directory fs/smb").
The cifs_ses_exiting() was introduced to cifs_debug.c since
ca545b7f0823 ("smb: client: fix potential UAF in cifs_debug_files_proc_show()")
which has been sent to upstream already. ]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifs_debug.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -595,6 +595,8 @@ static int cifs_stats_proc_show(struct s
list_for_each(tmp2, &server->smb_ses_list) {
ses = list_entry(tmp2, struct cifs_ses,
smb_ses_list);
+ if (cifs_ses_exiting(ses))
+ continue;
list_for_each(tmp3, &ses->tcon_list) {
tcon = list_entry(tmp3,
struct cifs_tcon,
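Review bot: the added cifs_ses_exiting() call depends on a helper that, per the backport note, comes from ca545b7f0823, and the note only says that commit "has been sent to upstream already". Please confirm the helper is present in the 5.10.y tree this applies to, otherwise the build breaks at this line. It is also worth confirming that the session status the helper reads cannot change between the check and the tcon_list walk under whatever lock this loop holds.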
* [PATCH 5.10 166/286] smb: client: fix UAF in async decryption
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Enzo Matsumiya, Steve French,
Jianqi Ren, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Enzo Matsumiya <ematsumiya@suse.de>
commit b0abcd65ec545701b8793e12bc27dc98042b151a upstream.
Doing an async decryption (large read) crashes with a
slab-use-after-free way down in the crypto API.
Reproducer:
# mount.cifs -o ...,seal,esize=1 //srv/share /mnt
# dd if=/mnt/largefile of=/dev/null
...
[ 194.196391] ==================================================================
[ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110
[ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899
[ 194.197707]
[ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43
[ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
[ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
[ 194.200032] Call Trace:
[ 194.200191] <TASK>
[ 194.200327] dump_stack_lvl+0x4e/0x70
[ 194.200558] ? gf128mul_4k_lle+0xc1/0x110
[ 194.200809] print_report+0x174/0x505
[ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 194.201352] ? srso_return_thunk+0x5/0x5f
[ 194.201604] ? __virt_addr_valid+0xdf/0x1c0
[ 194.201868] ? gf128mul_4k_lle+0xc1/0x110
[ 194.202128] kasan_report+0xc8/0x150
[ 194.202361] ? gf128mul_4k_lle+0xc1/0x110
[ 194.202616] gf128mul_4k_lle+0xc1/0x110
[ 194.202863] ghash_update+0x184/0x210
[ 194.203103] shash_ahash_update+0x184/0x2a0
[ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10
[ 194.203651] ? srso_return_thunk+0x5/0x5f
[ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340
[ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140
[ 194.204434] crypt_message+0xec1/0x10a0 [cifs]
[ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs]
[ 194.208507] ? srso_return_thunk+0x5/0x5f
[ 194.209205] ? srso_return_thunk+0x5/0x5f
[ 194.209925] ? srso_return_thunk+0x5/0x5f
[ 194.210443] ? srso_return_thunk+0x5/0x5f
[ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs]
[ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
[ 194.214670] ? srso_return_thunk+0x5/0x5f
[ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs]
This is because TFM is being used in parallel.
Fix this by allocating a new AEAD TFM for async decryption, but keep
the existing one for synchronous READ cases (similar to what is done
in smb3_calc_signature()).
Also remove the calls to aead_request_set_callback() and
crypto_wait_req() since it's always going to be a synchronous operation.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Steve French <stfrench@microsoft.com>
[In linux-5.10, dec and enc fields are named ccmaesdecrypt and ccmaesencrypt.]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2ops.c | 48 ++++++++++++++++++++++++++++--------------------
fs/cifs/smb2pdu.c | 6 ++++++
2 files changed, 34 insertions(+), 20 deletions(-)
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -4291,7 +4291,7 @@ smb2_get_enc_key(struct TCP_Server_Info
*/
static int
crypt_message(struct TCP_Server_Info *server, int num_rqst,
- struct smb_rqst *rqst, int enc)
+ struct smb_rqst *rqst, int enc, struct crypto_aead *tfm)
{
struct smb2_transform_hdr *tr_hdr =
(struct smb2_transform_hdr *)rqst[0].rq_iov[0].iov_base;
@@ -4302,8 +4302,6 @@ crypt_message(struct TCP_Server_Info *se
u8 key[SMB3_ENC_DEC_KEY_SIZE];
struct aead_request *req;
u8 *iv;
- DECLARE_CRYPTO_WAIT(wait);
- struct crypto_aead *tfm;
unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
void *creq;
@@ -4314,15 +4312,6 @@ crypt_message(struct TCP_Server_Info *se
return rc;
}
- rc = smb3_crypto_aead_allocate(server);
- if (rc) {
- cifs_server_dbg(VFS, "%s: crypto alloc failed\n", __func__);
- return rc;
- }
-
- tfm = enc ? server->secmech.ccmaesencrypt :
- server->secmech.ccmaesdecrypt;
-
if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||
(server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
rc = crypto_aead_setkey(tfm, key, SMB3_GCM256_CRYPTKEY_SIZE);
@@ -4361,11 +4350,7 @@ crypt_message(struct TCP_Server_Info *se
aead_request_set_crypt(req, sg, sg, crypt_len, iv);
aead_request_set_ad(req, assoc_data_len);
- aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
- crypto_req_done, &wait);
-
- rc = crypto_wait_req(enc ? crypto_aead_encrypt(req)
- : crypto_aead_decrypt(req), &wait);
+ rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
if (!rc && enc)
memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
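Review bot: dropping aead_request_set_callback() and crypto_wait_req() means a return of -EINPROGRESS from crypto_aead_encrypt() or crypto_aead_decrypt() would be handled as a plain error while the request is still in flight. The commit message says the operation is always synchronous, but the TFM allocated later in this patch uses crypto_alloc_aead("gcm(aes)", 0, 0), and a type and mask of 0 do not exclude asynchronous implementations. Either allocate with CRYPTO_ALG_ASYNC in the mask or keep the wait.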
@@ -4454,7 +4439,7 @@ smb3_init_transform_rq(struct TCP_Server
/* fill the 1st iov with a transform header */
fill_transform_hdr(tr_hdr, orig_len, old_rq, server->cipher_type);
- rc = crypt_message(server, num_rqst, new_rq, 1);
+ rc = crypt_message(server, num_rqst, new_rq, 1, server->secmech.ccmaesencrypt);
cifs_dbg(FYI, "Encrypt message returned %d\n", rc);
if (rc)
goto err_free;
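Review bot: the encrypt call site passes server->secmech.ccmaesencrypt straight into crypt_message() with no NULL check, while the decrypt path in this same patch guards the equivalent pointer with "if (unlikely(!server->secmech.ccmaesdecrypt)) return -EIO;". Since crypt_message() no longer calls smb3_crypto_aead_allocate() itself, add the same guard here so that a server whose TFMs were never allocated fails with -EIO instead of reaching crypto_aead_setkey() with a NULL tfm.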
@@ -4480,8 +4465,9 @@ decrypt_raw_data(struct TCP_Server_Info
unsigned int npages, unsigned int page_data_size,
bool is_offloaded)
{
- struct kvec iov[2];
+ struct crypto_aead *tfm;
struct smb_rqst rqst = {NULL};
+ struct kvec iov[2];
int rc;
iov[0].iov_base = buf;
@@ -4496,9 +4482,31 @@ decrypt_raw_data(struct TCP_Server_Info
rqst.rq_pagesz = PAGE_SIZE;
rqst.rq_tailsz = (page_data_size % PAGE_SIZE) ? : PAGE_SIZE;
- rc = crypt_message(server, 1, &rqst, 0);
+ if (is_offloaded) {
+ if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
+ (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
+ tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
+ else
+ tfm = crypto_alloc_aead("ccm(aes)", 0, 0);
+ if (IS_ERR(tfm)) {
+ rc = PTR_ERR(tfm);
+ cifs_server_dbg(VFS, "%s: Failed alloc decrypt TFM, rc=%d\n", __func__, rc);
+
+ return rc;
+ }
+ } else {
+ if (unlikely(!server->secmech.ccmaesdecrypt))
+ return -EIO;
+
+ tfm = server->secmech.ccmaesdecrypt;
+ }
+
+ rc = crypt_message(server, 1, &rqst, 0, tfm);
cifs_dbg(FYI, "Decrypt message returned %d\n", rc);
+ if (is_offloaded)
+ crypto_free_aead(tfm);
+
if (rc)
return rc;
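Review bot: on the offloaded path decrypt_raw_data() now allocates and frees an AEAD TFM for every message, and the else branch of the cipher selection picks "ccm(aes)" for any cipher_type that is not one of the two GCM values, including an unset one. A comment explaining that the per-call TFM is what isolates parallel workers, and an explicit test for the CCM cipher types, would make both choices deliberate. The blank line before "return rc;" in the IS_ERR() branch can go.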
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -998,6 +998,12 @@ SMB2_negotiate(const unsigned int xid, s
else
cifs_server_dbg(VFS, "Missing expected negotiate contexts\n");
}
+
+ if (server->cipher_type && !rc) {
+ rc = smb3_crypto_aead_allocate(server);
+ if (rc)
+ cifs_server_dbg(VFS, "%s: crypto alloc failed, rc=%d\n", __func__, rc);
+ }
neg_exit:
free_rsp_buf(resp_buftype, rsp);
return rc;
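Review bot: the allocation in SMB2_negotiate() is skipped whenever server->cipher_type is zero, so it is correct only if cipher_type has been set by this point for every dialect that can negotiate encryption. Patch 167/286 in this series shows that was not the case for SMB3.02; the two patches should stay together, and a comment here naming that dependency would help later backports.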
* [PATCH 5.10 167/286] smb: client: fix NULL ptr deref in crypto_aead_setkey()
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Talpey, Jianhong Yin,
Paulo Alcantara (Red Hat), Steve French, Jianqi Ren, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
commit 4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2 upstream.
Neither SMB3.0 nor SMB3.02 supports encryption negotiate context, so
when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response,
the client uses AES-128-CCM as the default cipher. See MS-SMB2
3.3.5.4.
Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added
a @server->cipher_type check to conditionally call
smb3_crypto_aead_allocate(), but that check would always be false as
@server->cipher_type is unset for SMB3.02.
Fix the following KASAN splat by setting @server->cipher_type for
SMB3.02 as well.
mount.cifs //srv/share /mnt -o vers=3.02,seal,...
BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130
Read of size 8 at addr 0000000000000020 by task mount.cifs/1095
CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41
04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
? crypto_aead_setkey+0x2c/0x130
kasan_report+0xda/0x110
? crypto_aead_setkey+0x2c/0x130
crypto_aead_setkey+0x2c/0x130
crypt_message+0x258/0xec0 [cifs]
? __asan_memset+0x23/0x50
? __pfx_crypt_message+0x10/0x10 [cifs]
? mark_lock+0xb0/0x6a0
? hlock_class+0x32/0xb0
? mark_lock+0xb0/0x6a0
smb3_init_transform_rq+0x352/0x3f0 [cifs]
? lock_acquire.part.0+0xf4/0x2a0
smb_send_rqst+0x144/0x230 [cifs]
? __pfx_smb_send_rqst+0x10/0x10 [cifs]
? hlock_class+0x32/0xb0
? smb2_setup_request+0x225/0x3a0 [cifs]
? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs]
compound_send_recv+0x59b/0x1140 [cifs]
? __pfx_compound_send_recv+0x10/0x10 [cifs]
? __create_object+0x5e/0x90
? hlock_class+0x32/0xb0
? do_raw_spin_unlock+0x9a/0xf0
cifs_send_recv+0x23/0x30 [cifs]
SMB2_tcon+0x3ec/0xb30 [cifs]
? __pfx_SMB2_tcon+0x10/0x10 [cifs]
? lock_acquire.part.0+0xf4/0x2a0
? __pfx_lock_release+0x10/0x10
? do_raw_spin_trylock+0xc6/0x120
? lock_acquire+0x3f/0x90
? _get_xid+0x16/0xd0 [cifs]
? __pfx_SMB2_tcon+0x10/0x10 [cifs]
? cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs]
? cifs_get_tcp_session+0xaa0/0xca0 [cifs]
cifs_mount_get_session+0x8a/0x210 [cifs]
dfs_mount_share+0x1b0/0x11d0 [cifs]
? __pfx___lock_acquire+0x10/0x10
? __pfx_dfs_mount_share+0x10/0x10 [cifs]
? lock_acquire.part.0+0xf4/0x2a0
? find_held_lock+0x8a/0xa0
? hlock_class+0x32/0xb0
? lock_release+0x203/0x5d0
cifs_mount+0xb3/0x3d0 [cifs]
? do_raw_spin_trylock+0xc6/0x120
? __pfx_cifs_mount+0x10/0x10 [cifs]
? lock_acquire+0x3f/0x90
? find_nls+0x16/0xa0
? smb3_update_mnt_flags+0x372/0x3b0 [cifs]
cifs_smb3_do_mount+0x1e2/0xc80 [cifs]
? __pfx_vfs_parse_fs_string+0x10/0x10
? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs]
smb3_get_tree+0x1bf/0x330 [cifs]
vfs_get_tree+0x4a/0x160
path_mount+0x3c1/0xfb0
? kasan_quarantine_put+0xc7/0x1d0
? __pfx_path_mount+0x10/0x10
? kmem_cache_free+0x118/0x3e0
? user_path_at+0x74/0xa0
__x64_sys_mount+0x1a6/0x1e0
? __pfx___x64_sys_mount+0x10/0x10
? mark_held_locks+0x1a/0x90
do_syscall_64+0xbb/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Cc: Tom Talpey <tom@talpey.com>
Reported-by: Jianhong Yin <jiyin@redhat.com>
Cc: stable@vger.kernel.org # v6.12
Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption")
fixes CVE-2024-50047 but brings NULL-pointer dereference. So
commit 4bdec0d1f658 ("smb: client: fix NULL ptr deref in crypto_aead_setkey()")
should be backported too. ]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2pdu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -963,7 +963,9 @@ SMB2_negotiate(const unsigned int xid, s
* SMB3.0 supports only 1 cipher and doesn't have a encryption neg context
* Set the cipher type manually.
*/
- if (server->dialect == SMB30_PROT_ID && (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
+ if ((server->dialect == SMB30_PROT_ID ||
+ server->dialect == SMB302_PROT_ID) &&
+ (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
server->cipher_type = SMB2_ENCRYPTION_AES128_CCM;
security_blob = smb2_get_data_area_len(&blob_offset, &blob_length,
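Review bot: the comment above the changed condition still reads "SMB3.0 supports only 1 cipher and doesn't have a encryption neg context", but the condition now covers SMB302_PROT_ID as well. Update the comment to name both dialects (and fix "a encryption") so that it matches the code.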
* [PATCH 5.10 168/286] bpf: avoid holding freeze_mutex during mmap operation
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4dc041c686b7c816a71e,
Andrii Nakryiko, Alexei Starovoitov, David Sauerwein
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Nakryiko <andrii@kernel.org>
commit bc27c52eea189e8f7492d40739b7746d67b65beb upstream.
We use map->freeze_mutex to prevent races between map_freeze() and
memory mapping BPF map contents with writable permissions. The way we
naively do this means we'll hold freeze_mutex for entire duration of all
the mm and VMA manipulations, which is completely unnecessary. This can
potentially also lead to deadlocks, as reported by syzbot in [0].
So, instead, hold freeze_mutex only during writeability checks, bump
(proactively) "write active" count for the map, unlock the mutex and
proceed with mmap logic. And only if something went wrong during mmap
logic, then undo that "write active" counter increment.
[0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/
Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY")
Reported-by: syzbot+4dc041c686b7c816a71e@syzkaller.appspotmail.com
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20250129012246.1515826-2-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David Sauerwein <dssauerw@amazon.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/syscall.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -647,7 +647,7 @@ static const struct vm_operations_struct
static int bpf_map_mmap(struct file *filp, struct vm_area_struct *vma)
{
struct bpf_map *map = filp->private_data;
- int err;
+ int err = 0;
if (!map->ops->map_mmap || map_value_has_spin_lock(map))
return -ENOTSUPP;
@@ -671,7 +671,12 @@ static int bpf_map_mmap(struct file *fil
err = -EACCES;
goto out;
}
+ bpf_map_write_active_inc(map);
}
+out:
+ mutex_unlock(&map->freeze_mutex);
+ if (err)
+ return err;
/* set default open/close callbacks */
vma->vm_ops = &bpf_map_default_vmops;
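Review bot: after this hunk the map is counted as write-active from the moment freeze_mutex is dropped, before map->ops->map_mmap() has run, so a concurrent map_freeze() can observe a writer for a mapping that may still fail. The commit message accepts this as the proactive bump; a short comment at the bpf_map_write_active_inc() call saying the count is undone on mmap failure would keep the pairing obvious.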
@@ -682,13 +687,11 @@ static int bpf_map_mmap(struct file *fil
vma->vm_flags &= ~VM_MAYWRITE;
err = map->ops->map_mmap(map, vma);
- if (err)
- goto out;
+ if (err) {
+ if (vma->vm_flags & VM_WRITE)
+ bpf_map_write_active_dec(map);
+ }
- if (vma->vm_flags & VM_MAYWRITE)
- bpf_map_write_active_inc(map);
-out:
- mutex_unlock(&map->freeze_mutex);
return err;
}
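Review bot: the rollback tests vma->vm_flags & VM_WRITE, whereas the code being removed incremented on VM_MAYWRITE, and the condition guarding the new bpf_map_write_active_inc() lies outside the lines this diff shows. Please confirm the decrement is keyed on exactly the same condition as the increment, and that it is evaluated on flags map_mmap() cannot have changed, otherwise the write-active count can leak or underflow. The braces around the single nested if are also unnecessary.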
* [PATCH 5.10 169/286] bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hou Tao, Alexei Starovoitov,
Cliff Liu, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hou Tao <houtao1@huawei.com>
commit 169410eba271afc9f0fb476d996795aa26770c6d upstream.
These three bpf_map_{lookup,update,delete}_elem() helpers are also
available for sleepable bpf program, so add the corresponding lock
assertion for sleepable bpf program, otherwise the following warning
will be reported when a sleepable bpf program manipulates bpf map under
interpreter mode (aka bpf_jit_enable=0):
WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......
CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
RIP: 0010:bpf_map_lookup_elem+0x54/0x60
......
Call Trace:
<TASK>
? __warn+0xa5/0x240
? bpf_map_lookup_elem+0x54/0x60
? report_bug+0x1ba/0x1f0
? handle_bug+0x40/0x80
? exc_invalid_op+0x18/0x50
? asm_exc_invalid_op+0x1b/0x20
? __pfx_bpf_map_lookup_elem+0x10/0x10
? rcu_lockdep_current_cpu_online+0x65/0xb0
? rcu_is_watching+0x23/0x50
? bpf_map_lookup_elem+0x54/0x60
? __pfx_bpf_map_lookup_elem+0x10/0x10
___bpf_prog_run+0x513/0x3b70
__bpf_prog_run32+0x9d/0xd0
? __bpf_prog_enter_sleepable_recur+0xad/0x120
? __bpf_prog_enter_sleepable_recur+0x3e/0x120
bpf_trampoline_6442580665+0x4d/0x1000
__x64_sys_getpgid+0x5/0x30
? do_syscall_64+0x36/0xb0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
</TASK>
Signed-off-by: Hou Tao <houtao1@huawei.com>
Link: https://lore.kernel.org/r/20231204140425.1480317-2-houtao@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[Minor conflict resolved due to code context change.]
Signed-off-by: Cliff Liu <donghua.liu@windriver.com>
Signed-off-by: He Zhe <Zhe.He@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/helpers.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -3,6 +3,7 @@
*/
#include <linux/bpf.h>
#include <linux/rcupdate.h>
+#include <linux/rcupdate_trace.h>
#include <linux/random.h>
#include <linux/smp.h>
#include <linux/topology.h>
@@ -24,12 +25,12 @@
*
* Different map implementations will rely on rcu in map methods
* lookup/update/delete, therefore eBPF programs must run under rcu lock
- * if program is allowed to access maps, so check rcu_read_lock_held in
- * all three functions.
+ * if program is allowed to access maps, so check rcu_read_lock_held() or
+ * rcu_read_lock_trace_held() in all three functions.
*/
BPF_CALL_2(bpf_map_lookup_elem, struct bpf_map *, map, void *, key)
{
- WARN_ON_ONCE(!rcu_read_lock_held());
+ WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held());
return (unsigned long) map->ops->map_lookup_elem(map, key);
}
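Review bot: the compound check "!rcu_read_lock_held() && !rcu_read_lock_trace_held()" is repeated verbatim in bpf_map_lookup_elem(), bpf_map_update_elem() and bpf_map_delete_elem(); a shared macro for the assertion would keep the three helpers in step. Since the backport note mentions a context conflict, please also confirm that rcu_read_lock_trace_held() is available in 5.10.y through the newly included linux/rcupdate_trace.h for all lockdep configurations.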
@@ -45,7 +46,7 @@ const struct bpf_func_proto bpf_map_look
BPF_CALL_4(bpf_map_update_elem, struct bpf_map *, map, void *, key,
void *, value, u64, flags)
{
- WARN_ON_ONCE(!rcu_read_lock_held());
+ WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held());
return map->ops->map_update_elem(map, key, value, flags);
}
@@ -62,7 +63,7 @@ const struct bpf_func_proto bpf_map_upda
BPF_CALL_2(bpf_map_delete_elem, struct bpf_map *, map, void *, key)
{
- WARN_ON_ONCE(!rcu_read_lock_held());
+ WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held());
return map->ops->map_delete_elem(map, key);
}
* [PATCH 5.10 170/286] blk-cgroup: support to track if policy is online
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Tejun Heo,
Christoph Hellwig, Jens Axboe, Bin Lan, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
commit dfd6200a095440b663099d8d42f1efb0175a1ce3 upstream.
A new field 'online' is added to blkg_policy_data to fix the following
2 problems:
1) In blkcg_activate_policy(), if pd_alloc_fn() with 'GFP_NOWAIT'
failed, 'queue_lock' will be dropped and pd_alloc_fn() will try again
without 'GFP_NOWAIT'. In the meantime, remove cgroup can race with
it, and pd_offline_fn() will be called without pd_init_fn() and
pd_online_fn(). This way null-ptr-dereference can be triggered.
2) In order to synchronize pd_free_fn() from blkg_free_workfn() and
blkcg_deactivate_policy(), 'list_del_init(&blkg->q_node)' will be
delayed to blkg_free_workfn(), hence pd_offline_fn() can be called
first in blkg_destroy(), and then blkcg_deactivate_policy() will
call it again, we must prevent it.
The new field 'online' will be set after pd_online_fn() and will be
cleared after pd_offline_fn(), in the meantime pd_offline_fn() will only
be called if 'online' is set.
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Acked-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20230119110350.2287325-3-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-cgroup.c | 24 +++++++++++++++++-------
include/linux/blk-cgroup.h | 1 +
2 files changed, 18 insertions(+), 7 deletions(-)
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -191,6 +191,7 @@ static struct blkcg_gq *blkg_alloc(struc
blkg->pd[i] = pd;
pd->blkg = blkg;
pd->plid = i;
+ pd->online = false;
}
return blkg;
@@ -288,8 +289,11 @@ static struct blkcg_gq *blkg_create(stru
for (i = 0; i < BLKCG_MAX_POLS; i++) {
struct blkcg_policy *pol = blkcg_policy[i];
- if (blkg->pd[i] && pol->pd_online_fn)
- pol->pd_online_fn(blkg->pd[i]);
+ if (blkg->pd[i]) {
+ if (pol->pd_online_fn)
+ pol->pd_online_fn(blkg->pd[i]);
+ blkg->pd[i]->online = true;
+ }
}
}
blkg->online = true;
@@ -389,8 +393,11 @@ static void blkg_destroy(struct blkcg_gq
for (i = 0; i < BLKCG_MAX_POLS; i++) {
struct blkcg_policy *pol = blkcg_policy[i];
- if (blkg->pd[i] && pol->pd_offline_fn)
- pol->pd_offline_fn(blkg->pd[i]);
+ if (blkg->pd[i] && blkg->pd[i]->online) {
+ if (pol->pd_offline_fn)
+ pol->pd_offline_fn(blkg->pd[i]);
+ blkg->pd[i]->online = false;
+ }
}
blkg->online = false;
@@ -1364,6 +1371,7 @@ retry:
blkg->pd[pol->plid] = pd;
pd->blkg = blkg;
pd->plid = pol->plid;
+ pd->online = false;
}
/* all allocated, init in the same order */
@@ -1371,9 +1379,11 @@ retry:
list_for_each_entry_reverse(blkg, &q->blkg_list, q_node)
pol->pd_init_fn(blkg->pd[pol->plid]);
- if (pol->pd_online_fn)
- list_for_each_entry_reverse(blkg, &q->blkg_list, q_node)
+ list_for_each_entry_reverse(blkg, &q->blkg_list, q_node) {
+ if (pol->pd_online_fn)
pol->pd_online_fn(blkg->pd[pol->plid]);
+ blkg->pd[pol->plid]->online = true;
+ }
__set_bit(pol->plid, q->blkcg_pols);
ret = 0;
@@ -1435,7 +1445,7 @@ void blkcg_deactivate_policy(struct requ
spin_lock(&blkcg->lock);
if (blkg->pd[pol->plid]) {
- if (pol->pd_offline_fn)
+ if (blkg->pd[pol->plid]->online && pol->pd_offline_fn)
pol->pd_offline_fn(blkg->pd[pol->plid]);
pol->pd_free_fn(blkg->pd[pol->plid]);
blkg->pd[pol->plid] = NULL;
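Review bot: in blkcg_deactivate_policy() the new `online` test gates pd_offline_fn(), but the flag is not cleared afterwards, unlike the blkg_destroy() hunk, which sets `blkg->pd[i]->online = false`. This is harmless here because pd_free_fn() and `blkg->pd[pol->plid] = NULL` follow immediately, but a short comment saying so, or clearing the flag for symmetry, would keep the commit message's rule ("cleared after pd_offline_fn()") true at every call site.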
--- a/include/linux/blk-cgroup.h
+++ b/include/linux/blk-cgroup.h
@@ -87,6 +87,7 @@ struct blkg_policy_data {
/* the blkg and policy id this per-policy data belongs to */
struct blkcg_gq *blkg;
int plid;
+ bool online;
};
/*
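Review bot: the new `bool online` member of struct blkg_policy_data is added without a comment, while the two fields above it share one. Please document what it tracks (set after pd_online_fn(), cleared after pd_offline_fn()) and which lock a reader must hold, since blk-cgroup.c now touches it from blkg_alloc(), blkg_create(), blkg_destroy() and both policy activate/deactivate paths.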
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 171/286] blk-iocost: do not WARN if iocg was already offlined
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, Li Nan, Yu Kuai, Tejun Heo,
Jens Axboe, Bin Lan, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Nan <linan122@huawei.com>
commit 01bc4fda9ea0a6b52f12326486f07a4910666cf6 upstream.
In iocg_pay_debt(), warn is triggered if 'active_list' is empty, which
is intended to confirm iocg is active when it has debt. However, warn
can be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn()
is run at that time:
WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190
Call trace:
iocg_pay_debt+0x14c/0x190
iocg_kick_waitq+0x438/0x4c0
iocg_waitq_timer_fn+0xd8/0x130
__run_hrtimer+0x144/0x45c
__hrtimer_run_queues+0x16c/0x244
hrtimer_interrupt+0x2cc/0x7b0
The warn in this situation is meaningless. Since this iocg is being
removed, the state of the 'active_list' is irrelevant, and 'waitq_timer'
is canceled after removing 'active_list' in ioc_pd_free(), which ensures
iocg is freed after iocg_waitq_timer_fn() returns.
Therefore, add the check if iocg was already offlined to avoid warn
when removing a blkcg or disk.
Signed-off-by: Li Nan <linan122@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Acked-by: Tejun Heo <tj@kernel.org>
Link: https://lore.kernel.org/r/20240419093257.3004211-1-linan666@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-iocost.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/block/blk-iocost.c
+++ b/block/blk-iocost.c
@@ -1389,8 +1389,11 @@ static void iocg_pay_debt(struct ioc_gq
lockdep_assert_held(&iocg->ioc->lock);
lockdep_assert_held(&iocg->waitq.lock);
- /* make sure that nobody messed with @iocg */
- WARN_ON_ONCE(list_empty(&iocg->active_list));
+ /*
+ * make sure that nobody messed with @iocg. Check iocg->pd.online
+ * to avoid warn when removing blkcg or disk.
+ */
+ WARN_ON_ONCE(list_empty(&iocg->active_list) && iocg->pd.online);
WARN_ON_ONCE(iocg->inuse > 1);
iocg->abs_vdebt -= min(abs_vpay, iocg->abs_vdebt);
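Review bot: the `iocg->pd.online` read added to the first WARN_ON_ONCE() is covered only by ioc->lock and waitq.lock (the two lockdep asserts above it), and nothing visible here orders it against the writers of `online` in blk-cgroup.c. For a debug warning a racy read is acceptable, but the new comment should say the check is best-effort, or the read should use READ_ONCE(). The patch also depends on 170/286 for the `online` field, which is worth stating for anyone picking it on its own.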
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 172/286] ext4: fix timer use-after-free on failed mount
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaxi Shen, Theodore Tso, stable,
Xiangyu Chen, He Zhe, syzbot+59e0101c430934bc9a36
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaxi Shen <shenxiaxi26@gmail.com>
commit 0ce160c5bdb67081a62293028dc85758a8efb22a upstream.
Syzbot has found an ODEBUG bug in ext4_fill_super.
The del_timer_sync function cancels the s_err_report timer,
which reminds about filesystem errors daily. We should
guarantee the timer is no longer active before kfree(sbi).
When filesystem mounting fails, the flow goes to failed_mount3,
where an error occurs when ext4_stop_mmpd is called, causing
a read I/O failure. This triggers the ext4_handle_error function
that ultimately re-arms the timer,
leaving the s_err_report timer active before kfree(sbi) is called.
Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.
Signed-off-by: Xiaxi Shen <shenxiaxi26@gmail.com>
Reported-and-tested-by: syzbot+59e0101c430934bc9a36@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=59e0101c430934bc9a36
Link: https://patch.msgid.link/20240715043336.98097-1-shenxiaxi26@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[Minor context change fixed]
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5185,8 +5185,8 @@ failed_mount_wq:
failed_mount3a:
ext4_es_unregister_shrinker(sbi);
failed_mount3:
- del_timer_sync(&sbi->s_err_report);
ext4_stop_mmpd(sbi);
+ del_timer_sync(&sbi->s_err_report);
failed_mount2:
rcu_read_lock();
group_desc = rcu_dereference(sbi->s_group_desc);
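Review bot: at failed_mount3 the fix rests entirely on statement order, and nothing in the code records why del_timer_sync(&sbi->s_err_report) has to follow ext4_stop_mmpd(sbi). Add a one-line comment that ext4_stop_mmpd() can end up in ext4_handle_error() and re-arm the timer, so a later cleanup does not move the call back up. It is also worth confirming that no step between this label and kfree(sbi) can report an error and arm the timer again.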
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 173/286] net/mlx5e: Fix use-after-free of encap entry in neigh update handler
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, Vlad Buslov, Roi Dayan,
Saeed Mahameed, Xiangyu Chen, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlad Buslov <vladbu@nvidia.com>
commit fb1a3132ee1ac968316e45d21a48703a6db0b6c3 upstream.
Function mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock
removal from TC filter update path and properly handle concurrent encap
entry insertion/deletion which can lead to following use-after-free:
[23827.464923] ==================================================================
[23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]
[23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635
[23827.472251]
[23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5
[23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]
[23827.476731] Call Trace:
[23827.477260] dump_stack+0xbb/0x107
[23827.477906] print_address_description.constprop.0+0x18/0x140
[23827.478896] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
[23827.479879] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
[23827.480905] kasan_report.cold+0x7c/0xd8
[23827.481701] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
[23827.482744] kasan_check_range+0x145/0x1a0
[23827.493112] mlx5e_encap_take+0x72/0x140 [mlx5_core]
[23827.494054] ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]
[23827.495296] mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]
[23827.496338] ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]
[23827.497486] ? read_word_at_a_time+0xe/0x20
[23827.498250] ? strscpy+0xa0/0x2a0
[23827.498889] process_one_work+0x8ac/0x14e0
[23827.499638] ? lockdep_hardirqs_on_prepare+0x400/0x400
[23827.500537] ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[23827.501359] ? rwlock_bug.part.0+0x90/0x90
[23827.502116] worker_thread+0x53b/0x1220
[23827.502831] ? process_one_work+0x14e0/0x14e0
[23827.503627] kthread+0x328/0x3f0
[23827.504254] ? _raw_spin_unlock_irq+0x24/0x40
[23827.505065] ? __kthread_bind_mask+0x90/0x90
[23827.505912] ret_from_fork+0x1f/0x30
[23827.506621]
[23827.506987] Allocated by task 28248:
[23827.507694] kasan_save_stack+0x1b/0x40
[23827.508476] __kasan_kmalloc+0x7c/0x90
[23827.509197] mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]
[23827.510194] mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]
[23827.511218] __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]
[23827.512234] mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]
[23827.513298] tc_setup_cb_add+0x1d5/0x420
[23827.514023] fl_hw_replace_filter+0x382/0x6a0 [cls_flower]
[23827.514975] fl_change+0x2ceb/0x4a51 [cls_flower]
[23827.515821] tc_new_tfilter+0x89a/0x2070
[23827.516548] rtnetlink_rcv_msg+0x644/0x8c0
[23827.517300] netlink_rcv_skb+0x11d/0x340
[23827.518021] netlink_unicast+0x42b/0x700
[23827.518742] netlink_sendmsg+0x743/0xc20
[23827.519467] sock_sendmsg+0xb2/0xe0
[23827.520131] ____sys_sendmsg+0x590/0x770
[23827.520851] ___sys_sendmsg+0xd8/0x160
[23827.521552] __sys_sendmsg+0xb7/0x140
[23827.522238] do_syscall_64+0x3a/0x70
[23827.522907] entry_SYSCALL_64_after_hwframe+0x44/0xae
[23827.523797]
[23827.524163] Freed by task 25948:
[23827.524780] kasan_save_stack+0x1b/0x40
[23827.525488] kasan_set_track+0x1c/0x30
[23827.526187] kasan_set_free_info+0x20/0x30
[23827.526968] __kasan_slab_free+0xed/0x130
[23827.527709] slab_free_freelist_hook+0xcf/0x1d0
[23827.528528] kmem_cache_free_bulk+0x33a/0x6e0
[23827.529317] kfree_rcu_work+0x55f/0xb70
[23827.530024] process_one_work+0x8ac/0x14e0
[23827.530770] worker_thread+0x53b/0x1220
[23827.531480] kthread+0x328/0x3f0
[23827.532114] ret_from_fork+0x1f/0x30
[23827.532785]
[23827.533147] Last potentially related work creation:
[23827.534007] kasan_save_stack+0x1b/0x40
[23827.534710] kasan_record_aux_stack+0xab/0xc0
[23827.535492] kvfree_call_rcu+0x31/0x7b0
[23827.536206] mlx5e_tc_del_fdb_flow+0x577/0xef0 [mlx5_core]
[23827.537305] mlx5e_flow_put+0x49/0x80 [mlx5_core]
[23827.538290] mlx5e_delete_flower+0x6d1/0xe60 [mlx5_core]
[23827.539300] tc_setup_cb_destroy+0x18e/0x2f0
[23827.540144] fl_hw_destroy_filter+0x1d2/0x310 [cls_flower]
[23827.541148] __fl_delete+0x4dc/0x660 [cls_flower]
[23827.541985] fl_delete+0x97/0x160 [cls_flower]
[23827.542782] tc_del_tfilter+0x7ab/0x13d0
[23827.543503] rtnetlink_rcv_msg+0x644/0x8c0
[23827.544257] netlink_rcv_skb+0x11d/0x340
[23827.544981] netlink_unicast+0x42b/0x700
[23827.545700] netlink_sendmsg+0x743/0xc20
[23827.546424] sock_sendmsg+0xb2/0xe0
[23827.547084] ____sys_sendmsg+0x590/0x770
[23827.547850] ___sys_sendmsg+0xd8/0x160
[23827.548606] __sys_sendmsg+0xb7/0x140
[23827.549303] do_syscall_64+0x3a/0x70
[23827.549969] entry_SYSCALL_64_after_hwframe+0x44/0xae
[23827.550853]
[23827.551217] The buggy address belongs to the object at ffff8881d1322200
[23827.551217] which belongs to the cache kmalloc-256 of size 256
[23827.553341] The buggy address is located 140 bytes inside of
[23827.553341] 256-byte region [ffff8881d1322200, ffff8881d1322300)
[23827.574654] ==================================================================
Most of the necessary logic is already correctly implemented by
mlx5e_get_next_valid_encap() helper that is used in neigh stats update
handler. Make the handler generic by renaming it to
mlx5e_get_next_matching_encap() and use callback to test whether flow is
matching instead of hardcoded check for 'valid' flag value. Implement
mlx5e_get_next_valid_encap() by calling mlx5e_get_next_matching_encap()
with callback that tests encap MLX5_ENCAP_ENTRY_VALID flag. Implement new
mlx5e_get_next_init_encap() helper by calling
mlx5e_get_next_matching_encap() with callback that tests encap completion
result to be non-error and use it in mlx5e_rep_neigh_update() to safely
iterate over nhe->encap_list.
Remove encap completion logic from mlx5e_rep_update_flows() since the encap
entries passed to this function are already guaranteed to be properly
initialized by similar code in mlx5e_get_next_init_encap().
Fixes: 2a1f1768fa17 ("net/mlx5e: Refactor neigh update for concurrent execution")
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Reviewed-by: Roi Dayan <roid@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
[ since kernel 5.10 doesn't have commit 0d9f96471493
("net/mlx5e: Extract tc tunnel encap/decap code to dedicated file")
which moved encap/decap from en_tc.c to tc_tun_encap.c, so backport and
move the additional functions to en_tc.c instead of tc_tun_encap.c ]
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c | 17 +++-----
drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c | 6 ---
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 33 +++++++++++++++--
drivers/net/ethernet/mellanox/mlx5/core/en_tc.h | 3 +
4 files changed, 41 insertions(+), 18 deletions(-)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c
@@ -129,9 +129,8 @@ static void mlx5e_rep_neigh_update(struc
work);
struct mlx5e_neigh_hash_entry *nhe = update_work->nhe;
struct neighbour *n = update_work->n;
- struct mlx5e_encap_entry *e;
+ struct mlx5e_encap_entry *e = NULL;
unsigned char ha[ETH_ALEN];
- struct mlx5e_priv *priv;
bool neigh_connected;
u8 nud_state, dead;
@@ -152,14 +151,12 @@ static void mlx5e_rep_neigh_update(struc
trace_mlx5e_rep_neigh_update(nhe, ha, neigh_connected);
- list_for_each_entry(e, &nhe->encap_list, encap_list) {
- if (!mlx5e_encap_take(e))
- continue;
-
- priv = netdev_priv(e->out_dev);
- mlx5e_rep_update_flows(priv, e, neigh_connected, ha);
- mlx5e_encap_put(priv, e);
- }
+ /* mlx5e_get_next_init_encap() releases previous encap before returning
+ * the next one.
+ */
+ while ((e = mlx5e_get_next_init_encap(nhe, e)) != NULL)
+ mlx5e_rep_update_flows(netdev_priv(e->out_dev), e, neigh_connected, ha);
+
rtnl_unlock();
mlx5e_release_neigh_update_work(update_work);
}
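Review bot: the new while loop in mlx5e_rep_neigh_update() is only correct if it always runs until mlx5e_get_next_init_encap() returns NULL, because the comment says the previous entry is released inside the helper. Please extend the comment to say that an early exit from the loop would have to drop the reference on `e` itself, so a future `break` or error path does not leak an encap entry.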
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c
@@ -91,13 +91,9 @@ void mlx5e_rep_update_flows(struct mlx5e
ASSERT_RTNL();
- /* wait for encap to be fully initialized */
- wait_for_completion(&e->res_ready);
-
mutex_lock(&esw->offloads.encap_tbl_lock);
encap_connected = !!(e->flags & MLX5_ENCAP_ENTRY_VALID);
- if (e->compl_result < 0 || (encap_connected == neigh_connected &&
- ether_addr_equal(e->h_dest, ha)))
+ if (encap_connected == neigh_connected && ether_addr_equal(e->h_dest, ha))
goto unlock;
mlx5e_take_all_encap_flows(e, &flow_list);
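Review bot: with wait_for_completion(&e->res_ready) and the `e->compl_result < 0` test removed, mlx5e_rep_update_flows() now has an unstated precondition that the caller passes a fully initialized encap entry. The function is not static, so document that requirement next to ASSERT_RTNL(), or keep a cheap WARN_ON_ONCE(e->compl_result < 0) so a caller that does not go through mlx5e_get_next_init_encap() is caught.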
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -1653,9 +1653,12 @@ void mlx5e_put_encap_flow_list(struct ml
mlx5e_flow_put(priv, flow);
}
+typedef bool (match_cb)(struct mlx5e_encap_entry *);
+
static struct mlx5e_encap_entry *
-mlx5e_get_next_valid_encap(struct mlx5e_neigh_hash_entry *nhe,
- struct mlx5e_encap_entry *e)
+mlx5e_get_next_matching_encap(struct mlx5e_neigh_hash_entry *nhe,
+ struct mlx5e_encap_entry *e,
+ match_cb match)
{
struct mlx5e_encap_entry *next = NULL;
@@ -1690,7 +1693,7 @@ retry:
/* wait for encap to be fully initialized */
wait_for_completion(&next->res_ready);
/* continue searching if encap entry is not in valid state after completion */
- if (!(next->flags & MLX5_ENCAP_ENTRY_VALID)) {
+ if (!match(next)) {
e = next;
goto retry;
}
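Review bot: the context comment just above the changed line still reads "continue searching if encap entry is not in valid state after completion", but the test is now the generic `match(next)` and no longer looks at MLX5_ENCAP_ENTRY_VALID. Update the comment to describe the callback, otherwise it misleads readers of the mlx5e_get_next_init_encap() path.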
@@ -1698,6 +1701,30 @@ retry:
return next;
}
+static bool mlx5e_encap_valid(struct mlx5e_encap_entry *e)
+{
+ return e->flags & MLX5_ENCAP_ENTRY_VALID;
+}
+
+static struct mlx5e_encap_entry *
+mlx5e_get_next_valid_encap(struct mlx5e_neigh_hash_entry *nhe,
+ struct mlx5e_encap_entry *e)
+{
+ return mlx5e_get_next_matching_encap(nhe, e, mlx5e_encap_valid);
+}
+
+static bool mlx5e_encap_initialized(struct mlx5e_encap_entry *e)
+{
+ return e->compl_result >= 0;
+}
+
+struct mlx5e_encap_entry *
+mlx5e_get_next_init_encap(struct mlx5e_neigh_hash_entry *nhe,
+ struct mlx5e_encap_entry *e)
+{
+ return mlx5e_get_next_matching_encap(nhe, e, mlx5e_encap_initialized);
+}
+
void mlx5e_tc_update_neigh_used_value(struct mlx5e_neigh_hash_entry *nhe)
{
struct mlx5e_neigh *m_neigh = &nhe->m_neigh;
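Review bot: mlx5e_encap_valid() returns `e->flags & MLX5_ENCAP_ENTRY_VALID` directly from a bool function, while rep/tc.c in this same patch writes `!!(e->flags & MLX5_ENCAP_ENTRY_VALID)`. The conversion to bool is well defined, so this is a consistency point only. More important, mlx5e_get_next_init_encap() is exported from this file without any comment on its reference semantics (takes a reference on the returned entry, puts the one passed in, waits on res_ready), and those are exactly what the caller in rep/neigh.c relies on.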
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.h
@@ -161,6 +161,9 @@ void mlx5e_take_all_encap_flows(struct m
void mlx5e_put_encap_flow_list(struct mlx5e_priv *priv, struct list_head *flow_list);
struct mlx5e_neigh_hash_entry;
+struct mlx5e_encap_entry *
+mlx5e_get_next_init_encap(struct mlx5e_neigh_hash_entry *nhe,
+ struct mlx5e_encap_entry *e);
void mlx5e_tc_update_neigh_used_value(struct mlx5e_neigh_hash_entry *nhe);
void mlx5e_tc_reoffload_flows_work(struct work_struct *work);
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 174/286] ipvs: properly dereference pe in ip_vs_add_service
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Hanxiao, Julian Anastasov,
Simon Horman, Pablo Neira Ayuso, Cliff Liu, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Hanxiao <chenhx.fnst@fujitsu.com>
commit cbd070a4ae62f119058973f6d2c984e325bce6e7 upstream.
Use pe directly to resolve sparse warning:
net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression
Fixes: 39b972231536 ("ipvs: handle connections started by real-servers")
Signed-off-by: Chen Hanxiao <chenhx.fnst@fujitsu.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Acked-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Cliff Liu <donghua.liu@windriver.com>
Signed-off-by: He Zhe <Zhe.He@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/ipvs/ip_vs_ctl.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1384,20 +1384,20 @@ ip_vs_add_service(struct netns_ipvs *ipv
sched = NULL;
}
- /* Bind the ct retriever */
- RCU_INIT_POINTER(svc->pe, pe);
- pe = NULL;
-
/* Update the virtual service counters */
if (svc->port == FTPPORT)
atomic_inc(&ipvs->ftpsvc_counter);
else if (svc->port == 0)
atomic_inc(&ipvs->nullsvc_counter);
- if (svc->pe && svc->pe->conn_out)
+ if (pe && pe->conn_out)
atomic_inc(&ipvs->conn_out_counter);
ip_vs_start_estimator(ipvs, &svc->stats);
+ /* Bind the ct retriever */
+ RCU_INIT_POINTER(svc->pe, pe);
+ pe = NULL;
+
/* Count only IPv4 services for old get/setsockopt interface */
if (svc->af == AF_INET)
ipvs->num_services++;
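Review bot: moving RCU_INIT_POINTER(svc->pe, pe) below ip_vs_start_estimator() changes more than the sparse annotation, because svc->pe now stays unset while the counters are updated and the estimator is started. The commit message mentions only the warning, so please state that nothing in that window reads svc->pe. Alternatively keep the bind where it was and move only `pe = NULL;` below the `pe && pe->conn_out` test, which addresses the warning with a smaller behavioural change.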
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 175/286] net: openvswitch: fix race on port output
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Czesla, Felix Huettner,
Eric Dumazet, Simon Horman, Jakub Kicinski, Carlos Soto,
Florian Fainelli
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Huettner <felix.huettner@mail.schwarz>
commit 066b86787fa3d97b7aefb5ac0a99a22dad2d15f8 upstream.
assume the following setup on a single machine:
1. An openvswitch instance with one bridge and default flows
2. two network namespaces "server" and "client"
3. two ovs interfaces "server" and "client" on the bridge
4. for each ovs interface a veth pair with a matching name and 32 rx and
tx queues
5. move the ends of the veth pairs to the respective network namespaces
6. assign ip addresses to each of the veth ends in the namespaces (needs
to be the same subnet)
7. start some http server on the server network namespace
8. test if a client in the client namespace can reach the http server
when following the actions below the host has a chance of getting a cpu
stuck in an infinite loop:
1. send a large amount of parallel requests to the http server (around
3000 curls should work)
2. in parallel delete the network namespace (do not delete interfaces or
stop the server, just kill the namespace)
there is a low chance that this will cause the below kernel cpu stuck
message. If this does not happen just retry.
Below there is also the output of bpftrace for the functions mentioned
in the output.
The series of events happening here is:
1. the network namespace is deleted calling
`unregister_netdevice_many_notify` somewhere in the process
2. this sets first `NETREG_UNREGISTERING` on both ends of the veth and
then runs `synchronize_net`
3. it then calls `call_netdevice_notifiers` with `NETDEV_UNREGISTER`
4. this is then handled by `dp_device_event` which calls
`ovs_netdev_detach_dev` (if a vport is found, which is the case for
the veth interface attached to ovs)
5. this removes the rx_handlers of the device but does not prevent
packages to be sent to the device
6. `dp_device_event` then queues the vport deletion to work in
background as an ovs_lock is needed that we do not hold in the
unregistration path
7. `unregister_netdevice_many_notify` continues to call
`netdev_unregister_kobject` which sets `real_num_tx_queues` to 0
8. port deletion continues (but details are not relevant for this issue)
9. at some future point the background task deletes the vport
If after 7. but before 9. a packet is sent to the ovs vport (which is
not deleted at this point in time) which forwards it to the
`dev_queue_xmit` flow even though the device is unregistering.
In `skb_tx_hash` (which is called in the `dev_queue_xmit`) path there is
a while loop (if the packet has a rx_queue recorded) that is infinite if
`dev->real_num_tx_queues` is zero.
To prevent this from happening we update `do_output` to handle devices
without carrier the same as if the device is not found (which would
be the code path after 9. is done).
Additionally we now produce a warning in `skb_tx_hash` if we will hit
the infinite loop.
bpftrace (first word is function name):
__dev_queue_xmit server: real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1
netdev_core_pick_tx server: addr: 0xffff9f0a46d4a000 real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1
dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 2, reg_state: 1
synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 6, reg_state: 2
ovs_netdev_detach_dev server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, reg_state: 2
netdev_rx_handler_unregister server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2
synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
netdev_rx_handler_unregister ret server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2
dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 27, reg_state: 2
dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 22, reg_state: 2
dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 18, reg_state: 2
netdev_unregister_kobject: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024
synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
ovs_vport_send server: real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 2
__dev_queue_xmit server: real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 2
netdev_core_pick_tx server: addr: 0xffff9f0a46d4a000 real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 2
broken device server: real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024
ovs_dp_detach_port server: real_num_tx_queues: 0 cpu 9, pid: 9124, tid: 9124, reg_state: 2
synchronize_rcu_expedited: cpu 9, pid: 33604, tid: 33604
stuck message:
watchdog: BUG: soft lockup - CPU#5 stuck for 26s! [curl:1929279]
Modules linked in: veth pktgen bridge stp llc ip_set_hash_net nft_counter xt_set nft_compat nf_tables ip_set_hash_ip ip_set nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 tls binfmt_misc nls_iso8859_1 input_leds joydev serio_raw dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua sch_fq_codel drm efi_pstore virtio_rng ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel virtio_net ahci net_failover crypto_simd cryptd psmouse libahci virtio_blk failover
CPU: 5 PID: 1929279 Comm: curl Not tainted 5.15.0-67-generic #74-Ubuntu
Hardware name: OpenStack Foundation OpenStack Nova, BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:netdev_pick_tx+0xf1/0x320
Call Trace:
<IRQ>
netdev_core_pick_tx+0xa4/0xb0
__dev_queue_xmit+0xf8/0x510
? __bpf_prog_exit+0x1e/0x30
dev_queue_xmit+0x10/0x20
ovs_vport_send+0xad/0x170 [openvswitch]
do_output+0x59/0x180 [openvswitch]
do_execute_actions+0xa80/0xaa0 [openvswitch]
? kfree+0x1/0x250
? kfree+0x1/0x250
? kprobe_perf_func+0x4f/0x2b0
? flow_lookup.constprop.0+0x5c/0x110 [openvswitch]
ovs_execute_actions+0x4c/0x120 [openvswitch]
ovs_dp_process_packet+0xa1/0x200 [openvswitch]
? ovs_ct_update_key.isra.0+0xa8/0x120 [openvswitch]
? ovs_ct_fill_key+0x1d/0x30 [openvswitch]
? ovs_flow_key_extract+0x2db/0x350 [openvswitch]
ovs_vport_receive+0x77/0xd0 [openvswitch]
? __htab_map_lookup_elem+0x4e/0x60
? bpf_prog_680e8aff8547aec1_kfree+0x3b/0x714
? trace_call_bpf+0xc8/0x150
? kfree+0x1/0x250
? kfree+0x1/0x250
? kprobe_perf_func+0x4f/0x2b0
? kprobe_perf_func+0x4f/0x2b0
? __mod_memcg_lruvec_state+0x63/0xe0
netdev_port_receive+0xc4/0x180 [openvswitch]
? netdev_port_receive+0x180/0x180 [openvswitch]
netdev_frame_hook+0x1f/0x40 [openvswitch]
__netif_receive_skb_core.constprop.0+0x23d/0xf00
__netif_receive_skb_one_core+0x3f/0xa0
__netif_receive_skb+0x15/0x60
process_backlog+0x9e/0x170
__napi_poll+0x33/0x180
net_rx_action+0x126/0x280
? ttwu_do_activate+0x72/0xf0
__do_softirq+0xd9/0x2e7
? rcu_report_exp_cpu_mult+0x1b0/0x1b0
do_softirq+0x7d/0xb0
</IRQ>
<TASK>
__local_bh_enable_ip+0x54/0x60
ip_finish_output2+0x191/0x460
__ip_finish_output+0xb7/0x180
ip_finish_output+0x2e/0xc0
ip_output+0x78/0x100
? __ip_finish_output+0x180/0x180
ip_local_out+0x5e/0x70
__ip_queue_xmit+0x184/0x440
? tcp_syn_options+0x1f9/0x300
ip_queue_xmit+0x15/0x20
__tcp_transmit_skb+0x910/0x9c0
? __mod_memcg_state+0x44/0xa0
tcp_connect+0x437/0x4e0
? ktime_get_with_offset+0x60/0xf0
tcp_v4_connect+0x436/0x530
__inet_stream_connect+0xd4/0x3a0
? kprobe_perf_func+0x4f/0x2b0
? aa_sk_perm+0x43/0x1c0
inet_stream_connect+0x3b/0x60
__sys_connect_file+0x63/0x70
__sys_connect+0xa6/0xd0
? setfl+0x108/0x170
? do_fcntl+0xe8/0x5a0
__x64_sys_connect+0x18/0x20
do_syscall_64+0x5c/0xc0
? __x64_sys_fcntl+0xa9/0xd0
? exit_to_user_mode_prepare+0x37/0xb0
? syscall_exit_to_user_mode+0x27/0x50
? do_syscall_64+0x69/0xc0
? __sys_setsockopt+0xea/0x1e0
? exit_to_user_mode_prepare+0x37/0xb0
? syscall_exit_to_user_mode+0x27/0x50
? __x64_sys_setsockopt+0x1f/0x30
? do_syscall_64+0x69/0xc0
? irqentry_exit+0x1d/0x30
? exc_page_fault+0x89/0x170
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f7b8101c6a7
</TASK>
Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
Co-developed-by: Luca Czesla <luca.czesla@mail.schwarz>
Signed-off-by: Luca Czesla <luca.czesla@mail.schwarz>
Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/ZC0pBXBAgh7c76CA@kernel-bug-kernel-bug
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Carlos Soto <carlos.soto@broadcom.com>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/dev.c | 1 +
net/openvswitch/actions.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3186,6 +3186,7 @@ static u16 skb_tx_hash(const struct net_
}
if (skb_rx_queue_recorded(skb)) {
+ BUILD_BUG_ON_INVALID(qcount == 0);
hash = skb_get_rx_queue(skb);
if (hash >= qoffset)
hash -= qoffset;
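Review bot: BUILD_BUG_ON_INVALID(qcount == 0) inside the skb_rx_queue_recorded() branch only checks at compile time that the expression is valid and emits no code, so nothing warns or bails out at run time if qcount is zero. If the line is meant as a guard, it needs a run-time check with an early return; if it stands in for a debug assertion this tree lacks, a one-line comment saying so would keep readers from assuming the path is protected.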
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -912,7 +912,7 @@ static void do_output(struct datapath *d
{
struct vport *vport = ovs_vport_rcu(dp, out_port);
- if (likely(vport)) {
+ if (likely(vport && netif_carrier_ok(vport->dev))) {
u16 mru = OVS_CB(skb)->mru;
u32 cutlen = OVS_CB(skb)->cutlen;
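Review bot: the new condition in do_output() relies on netif_carrier_ok(vport->dev) alone, and carrier state is whatever the driver reports, so a device that never turns its carrier off still passes this test while it is going away. Patch 176/286 in this series adds netif_running() for exactly that case, so the two should be applied together. A short comment above the if saying why output is skipped would also help.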
* [PATCH 5.10 176/286] openvswitch: fix lockup on tx to unregistering netdev with carrier
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 175/286] net: openvswitch: fix race on port output Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 177/286] scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan() Greg Kroah-Hartman
` (114 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Friedrich Weber, Ilya Maximets,
Aaron Conole, Jakub Kicinski, Sasha Levin, Carlos Soto,
Florian Fainelli
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Maximets <i.maximets@ovn.org>
commit 47e55e4b410f7d552e43011baa5be1aab4093990 upstream.
Commit in a fixes tag attempted to fix the issue in the following
sequence of calls:
do_output
-> ovs_vport_send
-> dev_queue_xmit
-> __dev_queue_xmit
-> netdev_core_pick_tx
-> skb_tx_hash
When device is unregistering, the 'dev->real_num_tx_queues' goes to
zero and the 'while (unlikely(hash >= qcount))' loop inside the
'skb_tx_hash' becomes infinite, locking up the core forever.
But unfortunately, checking just the carrier status is not enough to
fix the issue, because some devices may still be in unregistering
state while reporting carrier status OK.
One example of such device is a net/dummy. It sets carrier ON
on start, but it doesn't implement .ndo_stop to set the carrier off.
And it makes sense, because dummy doesn't really have a carrier.
Therefore, while this device is unregistering, it's still easy to hit
the infinite loop in the skb_tx_hash() from the OVS datapath. There
might be other drivers that do the same, but dummy by itself is
important for the OVS ecosystem, because it is frequently used as a
packet sink for tcpdump while debugging OVS deployments. And when the
issue is hit, the only way to recover is to reboot.
Fix that by also checking if the device is running. The running
state is handled by the net core during unregistering, so it covers
unregistering case better, and we don't really need to send packets
to devices that are not running anyway.
While only checking the running state might be enough, the carrier
check is preserved. The running and the carrier states seem disjoined
throughout the code and different drivers. And other core functions
like __dev_direct_xmit() check both before attempting to transmit
a packet. So, it seems safer to check both flags in OVS as well.
Fixes: 066b86787fa3 ("net: openvswitch: fix race on port output")
Reported-by: Friedrich Weber <f.weber@proxmox.com>
Closes: https://mail.openvswitch.org/pipermail/ovs-discuss/2025-January/053423.html
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Tested-by: Friedrich Weber <f.weber@proxmox.com>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20250109122225.4034688-1-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Carlos Soto <carlos.soto@broadcom.com>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/openvswitch/actions.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -912,7 +912,9 @@ static void do_output(struct datapath *d
{
struct vport *vport = ovs_vport_rcu(dp, out_port);
- if (likely(vport && netif_carrier_ok(vport->dev))) {
+ if (likely(vport &&
+ netif_running(vport->dev) &&
+ netif_carrier_ok(vport->dev))) {
u16 mru = OVS_CB(skb)->mru;
u32 cutlen = OVS_CB(skb)->cutlen;
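Review bot: the three-part condition in do_output() carries no comment saying why both netif_running() and netif_carrier_ok() are tested. The reasoning (the net core handles the running state during unregistration, carrier handling differs per driver, __dev_direct_xmit() checks both) exists only in the commit message. A two-line comment above the if would stop a later cleanup from dropping one of the checks as redundant.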
* [PATCH 5.10 177/286] scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 176/286] openvswitch: fix lockup on tx to unregistering netdev with carrier Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 178/286] scsi: ufs: bsg: Set bsg_queue to NULL after removal Greg Kroah-Hartman
` (113 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, BassCheck, Tuo Li, Justin Tee,
Laurence Oberman, Martin K. Petersen, Bin Lan, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tuo Li <islituo@gmail.com>
commit 0e881c0a4b6146b7e856735226208f48251facd8 upstream.
The variable phba->fcf.fcf_flag is often protected by the lock
phba->hbalock() when it is accessed. Here is an example in
lpfc_unregister_fcf_rescan():
spin_lock_irq(&phba->hbalock);
phba->fcf.fcf_flag |= FCF_INIT_DISC;
spin_unlock_irq(&phba->hbalock);
However, in the same function, phba->fcf.fcf_flag is assigned with 0
without holding the lock, and thus can cause a data race:
phba->fcf.fcf_flag = 0;
To fix this possible data race, a lock and unlock pair is added when
accessing the variable phba->fcf.fcf_flag.
Reported-by: BassCheck <bass@buaa.edu.cn>
Signed-off-by: Tuo Li <islituo@gmail.com>
Link: https://lore.kernel.org/r/20230630024748.1035993-1-islituo@gmail.com
Reviewed-by: Justin Tee <justin.tee@broadcom.com>
Reviewed-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/lpfc/lpfc_hbadisc.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -6790,7 +6790,9 @@ lpfc_unregister_fcf_rescan(struct lpfc_h
if (rc)
return;
/* Reset HBA FCF states after successful unregister FCF */
+ spin_lock_irq(&phba->hbalock);
phba->fcf.fcf_flag = 0;
+ spin_unlock_irq(&phba->hbalock);
phba->fcf.current_rec.flag = 0;
/*
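Review bot: spin_unlock_irq() comes before phba->fcf.current_rec.flag = 0 on the next line, so the two resets are not one critical section and current_rec.flag is still written without the lock. If that field is read or updated under phba->hbalock elsewhere, move the unlock below it; if it is not, a comment saying so would show the asymmetry is deliberate.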
* [PATCH 5.10 178/286] scsi: ufs: bsg: Set bsg_queue to NULL after removal
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 177/286] scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan() Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 179/286] net: defer final struct net free in netns dismantle Greg Kroah-Hartman
` (112 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guixin Liu, Avri Altman,
Martin K. Petersen, Xiangyu Chen, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guixin Liu <kanie@linux.alibaba.com>
commit 1e95c798d8a7f70965f0f88d4657b682ff0ec75f upstream.
Currently, this does not cause any issues, but I believe it is necessary to
set bsg_queue to NULL after removing it to prevent potential use-after-free
(UAF) access.
Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
Link: https://lore.kernel.org/r/20241218014214.64533-3-kanie@linux.alibaba.com
Reviewed-by: Avri Altman <avri.altman@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/ufs/ufs_bsg.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/scsi/ufs/ufs_bsg.c
+++ b/drivers/scsi/ufs/ufs_bsg.c
@@ -175,6 +175,7 @@ void ufs_bsg_remove(struct ufs_hba *hba)
return;
bsg_remove_queue(hba->bsg_queue);
+ hba->bsg_queue = NULL;
device_del(bsg_dev);
put_device(bsg_dev);
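Review bot: hba->bsg_queue = NULL is stored after bsg_remove_queue() has already run, with no lock or barrier visible in this hunk, so it only helps code that runs strictly after ufs_bsg_remove() and tests the pointer before use. Please confirm that every remaining user checks hba->bsg_queue for NULL; otherwise a stale-pointer access simply becomes a NULL dereference.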
* [PATCH 5.10 179/286] net: defer final struct net free in netns dismantle
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 178/286] scsi: ufs: bsg: Set bsg_queue to NULL after removal Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 180/286] MIPS: dec: Declare which_prom() as static Greg Kroah-Hartman
` (111 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilya Maximets, Eric Dumazet,
Paolo Abeni, Kuniyuki Iwashima, Jakub Kicinski, Jianqi Ren,
He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 0f6ede9fbc747e2553612271bce108f7517e7a45 upstream.
Ilya reported a slab-use-after-free in dst_destroy [1]
Issue is in xfrm6_net_init() and xfrm4_net_init() :
They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops.
But net structure might be freed before all the dst callbacks are
called. So when dst_destroy() calls later :
if (dst->ops->destroy)
dst->ops->destroy(dst);
dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed.
See a relevant issue fixed in :
ac888d58869b ("net: do not delay dst_entries_add() in dst_release()")
A fix is to queue the 'struct net' to be freed after one
another cleanup_net() round (and existing rcu_barrier())
[1]
BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112)
Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0
Dec 03 05:46:18 kernel:
CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67
Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:124)
print_address_description.constprop.0 (mm/kasan/report.c:378)
? dst_destroy (net/core/dst.c:112)
print_report (mm/kasan/report.c:489)
? dst_destroy (net/core/dst.c:112)
? kasan_addr_to_slab (mm/kasan/common.c:37)
kasan_report (mm/kasan/report.c:603)
? dst_destroy (net/core/dst.c:112)
? rcu_do_batch (kernel/rcu/tree.c:2567)
dst_destroy (net/core/dst.c:112)
rcu_do_batch (kernel/rcu/tree.c:2567)
? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491)
? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406)
rcu_core (kernel/rcu/tree.c:2825)
handle_softirqs (kernel/softirq.c:554)
__irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637)
irq_exit_rcu (kernel/softirq.c:651)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049)
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)
RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743)
Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90
RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246
RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d
R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000
R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000
? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148)
? cpuidle_idle_call (kernel/sched/idle.c:186)
default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118)
cpuidle_idle_call (kernel/sched/idle.c:186)
? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168)
? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)
? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59)
do_idle (kernel/sched/idle.c:326)
cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1))
start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282)
? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232)
? soft_restart_cpu (arch/x86/kernel/head_64.S:452)
common_startup_64 (arch/x86/kernel/head_64.S:414)
</TASK>
Dec 03 05:46:18 kernel:
Allocated by task 12184:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)
kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141)
copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480)
create_new_namespaces (kernel/nsproxy.c:110)
unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))
ksys_unshare (kernel/fork.c:3313)
__x64_sys_unshare (kernel/fork.c:3382)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Dec 03 05:46:18 kernel:
Freed by task 11:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
kasan_save_free_info (mm/kasan/generic.c:582)
__kasan_slab_free (mm/kasan/common.c:271)
kmem_cache_free (mm/slub.c:4579 mm/slub.c:4681)
cleanup_net (net/core/net_namespace.c:456 net/core/net_namespace.c:446 net/core/net_namespace.c:647)
process_one_work (kernel/workqueue.c:3229)
worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391)
kthread (kernel/kthread.c:389)
ret_from_fork (arch/x86/kernel/process.c:147)
ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
Dec 03 05:46:18 kernel:
Last potentially related work creation:
kasan_save_stack (mm/kasan/common.c:48)
__kasan_record_aux_stack (mm/kasan/generic.c:541)
insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186)
__queue_work (kernel/workqueue.c:2340)
queue_work_on (kernel/workqueue.c:2391)
xfrm_policy_insert (net/xfrm/xfrm_policy.c:1610)
xfrm_add_policy (net/xfrm/xfrm_user.c:2116)
xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321)
netlink_rcv_skb (net/netlink/af_netlink.c:2536)
xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344)
netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342)
netlink_sendmsg (net/netlink/af_netlink.c:1886)
sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165)
vfs_write (fs/read_write.c:590 fs/read_write.c:683)
ksys_write (fs/read_write.c:736)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Dec 03 05:46:18 kernel:
Second to last potentially related work creation:
kasan_save_stack (mm/kasan/common.c:48)
__kasan_record_aux_stack (mm/kasan/generic.c:541)
insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186)
__queue_work (kernel/workqueue.c:2340)
queue_work_on (kernel/workqueue.c:2391)
__xfrm_state_insert (./include/linux/workqueue.h:723 net/xfrm/xfrm_state.c:1150 net/xfrm/xfrm_state.c:1145 net/xfrm/xfrm_state.c:1513)
xfrm_state_update (./include/linux/spinlock.h:396 net/xfrm/xfrm_state.c:1940)
xfrm_add_sa (net/xfrm/xfrm_user.c:912)
xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321)
netlink_rcv_skb (net/netlink/af_netlink.c:2536)
xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344)
netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342)
netlink_sendmsg (net/netlink/af_netlink.c:1886)
sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165)
vfs_write (fs/read_write.c:590 fs/read_write.c:683)
ksys_write (fs/read_write.c:736)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Fixes: a8a572a6b5f2 ("xfrm: dst_entries_init() per-net dst_ops")
Reported-by: Ilya Maximets <i.maximets@ovn.org>
Closes: https://lore.kernel.org/netdev/CANn89iKKYDVpB=MtmfH7nyv2p=rJWSLedO5k7wSZgtY_tO8WQg@mail.gmail.com/T/#m02c98c3009fe66382b73cfb4db9cf1df6fab3fbf
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20241204125455.3871859-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[Minor conflict resolved due to code context change.]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/net_namespace.h | 1 +
net/core/net_namespace.c | 21 ++++++++++++++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -80,6 +80,7 @@ struct net {
* or to unregister pernet ops
* (pernet_ops_rwsem write locked).
*/
+ struct llist_node defer_free_list;
struct llist_node cleanup_list; /* namespaces on death row */
#ifdef CONFIG_KEYS
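Review bot: the new defer_free_list member of struct net has no comment, unlike cleanup_list directly below it ("namespaces on death row"). Please document that it links the namespace onto the deferred-free list that a later cleanup_net() round drains.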
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -455,11 +455,28 @@ out_free:
goto out;
}
+static LLIST_HEAD(defer_free_list);
+
+static void net_complete_free(void)
+{
+ struct llist_node *kill_list;
+ struct net *net, *next;
+
+ /* Get the list of namespaces to free from last round. */
+ kill_list = llist_del_all(&defer_free_list);
+
+ llist_for_each_entry_safe(net, next, kill_list, defer_free_list)
+ kmem_cache_free(net_cachep, net);
+
+}
+
static void net_free(struct net *net)
{
if (refcount_dec_and_test(&net->passive)) {
kfree(rcu_access_pointer(net->gen));
- kmem_cache_free(net_cachep, net);
+
+ /* Wait for an extra rcu_barrier() before final free. */
+ llist_add(&net->defer_free_list, &defer_free_list);
}
}
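Review bot: net_free() now only queues the struct net, and the queue is drained solely by net_complete_free(), so a namespace stays allocated until a later cleanup_net() run. On a system that dismantles one namespace and then none for a long time, that memory is held for just as long. This may be acceptable, but the comment in net_free() should say so. Two smaller points: the file-scope list and the struct member share the name defer_free_list, which makes llist_add(&net->defer_free_list, &defer_free_list) hard to read, and net_complete_free() has a stray blank line before its closing brace.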
@@ -643,6 +660,8 @@ static void cleanup_net(struct work_stru
*/
rcu_barrier();
+ net_complete_free();
+
/* Finally it is safe to free my network namespace structure */
list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) {
list_del_init(&net->exit_list);
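Review bot: net_complete_free() is called before the list_for_each_entry_safe() loop, so the comment "Finally it is safe to free my network namespace structure" right after it no longer matches the behaviour. If that loop ends in net_free(), the structures it handles are only queued and are released on the next pass through this point. Please add a comment at the net_complete_free() call saying it frees the previous round's namespaces, and reword the existing comment.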
* [PATCH 5.10 180/286] MIPS: dec: Declare which_prom() as static
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 179/286] net: defer final struct net free in netns dismantle Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 181/286] MIPS: cevt-ds1287: Add missing ds1287.h include Greg Kroah-Hartman
` (110 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, WangYuli, Thomas Bogendoerfer
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
commit 55fa5868519bc48a7344a4c070efa2f4468f2167 upstream.
Declare which_prom() as static to suppress gcc compiler warning that
'missing-prototypes'. This function is not intended to be called
from other parts.
Fix the following error with gcc-14 when -Werror:
arch/mips/dec/prom/init.c:45:13: error: no previous prototype for ‘which_prom’ [-Werror=missing-prototypes]
45 | void __init which_prom(s32 magic, s32 *prom_vec)
| ^~~~~~~~~~
cc1: all warnings being treated as errors
make[6]: *** [scripts/Makefile.build:207: arch/mips/dec/prom/init.o] Error 1
make[5]: *** [scripts/Makefile.build:465: arch/mips/dec/prom] Error 2
make[5]: *** Waiting for unfinished jobs....
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/dec/prom/init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/dec/prom/init.c
+++ b/arch/mips/dec/prom/init.c
@@ -42,7 +42,7 @@ int (*__pmax_close)(int);
* Detect which PROM the DECSTATION has, and set the callback vectors
* appropriately.
*/
-void __init which_prom(s32 magic, s32 *prom_vec)
+static void __init which_prom(s32 magic, s32 *prom_vec)
{
/*
* No sign of the REX PROM's magic number means we assume a non-REX
* [PATCH 5.10 181/286] MIPS: cevt-ds1287: Add missing ds1287.h include
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 180/286] MIPS: dec: Declare which_prom() as static Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 182/286] MIPS: ds1287: Match ds1287_set_base_clock() function types Greg Kroah-Hartman
` (109 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, WangYuli, Thomas Bogendoerfer
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
commit f3be225f338a578851a7b607a409f476354a8deb upstream.
Address the issue of cevt-ds1287.c not including the ds1287.h header
file.
Fix the following errors with gcc-14 when -Werror:
arch/mips/kernel/cevt-ds1287.c:15:5: error: no previous prototype for ‘ds1287_timer_state’ [-Werror=missing-prototypes]
15 | int ds1287_timer_state(void)
| ^~~~~~~~~~~~~~~~~~
arch/mips/kernel/cevt-ds1287.c:20:5: error: no previous prototype for ‘ds1287_set_base_clock’ [-Werror=missing-prototypes]
20 | int ds1287_set_base_clock(unsigned int hz)
| ^~~~~~~~~~~~~~~~~~~~~
arch/mips/kernel/cevt-ds1287.c:103:12: error: no previous prototype for ‘ds1287_clockevent_init’ [-Werror=missing-prototypes]
103 | int __init ds1287_clockevent_init(int irq)
| ^~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[7]: *** [scripts/Makefile.build:207: arch/mips/kernel/cevt-ds1287.o] Error 1
make[7]: *** Waiting for unfinished jobs....
make[6]: *** [scripts/Makefile.build:465: arch/mips/kernel] Error 2
make[6]: *** Waiting for unfinished jobs....
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/kernel/cevt-ds1287.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/mips/kernel/cevt-ds1287.c
+++ b/arch/mips/kernel/cevt-ds1287.c
@@ -10,6 +10,7 @@
#include <linux/mc146818rtc.h>
#include <linux/irq.h>
+#include <asm/ds1287.h>
#include <asm/time.h>
int ds1287_timer_state(void)
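Review bot: adding #include <asm/ds1287.h> makes the header's prototypes visible to the definitions in this file, and patch 182/286 in this series shows that the header declares ds1287_set_base_clock() as void while the definition here returns int. Applied alone, this patch therefore trades the missing-prototypes error for a conflicting-types error. Please order it after 182/286 or fold the two together so that each step builds.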
* [PATCH 5.10 182/286] MIPS: ds1287: Match ds1287_set_base_clock() function types
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 181/286] MIPS: cevt-ds1287: Add missing ds1287.h include Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 183/286] jfs: Fix shift-out-of-bounds in dbDiscardAG Greg Kroah-Hartman
` (108 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, WangYuli, Thomas Bogendoerfer
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
commit a759109b234385b74d2f5f4c86b5f59b3201ec12 upstream.
Synchronize the declaration of ds1287_set_base_clock() between
cevt-ds1287.c and ds1287.h.
Fix the following error with gcc-14 when -Werror:
arch/mips/kernel/cevt-ds1287.c:21:5: error: conflicting types for ‘ds1287_set_base_clock’; have ‘int(unsigned int)’
21 | int ds1287_set_base_clock(unsigned int hz)
| ^~~~~~~~~~~~~~~~~~~~~
In file included from arch/mips/kernel/cevt-ds1287.c:13:
./arch/mips/include/asm/ds1287.h:11:13: note: previous declaration of ‘ds1287_set_base_clock’ with type ‘void(unsigned int)’
11 | extern void ds1287_set_base_clock(unsigned int clock);
| ^~~~~~~~~~~~~~~~~~~~~
make[7]: *** [scripts/Makefile.build:207: arch/mips/kernel/cevt-ds1287.o] Error 1
make[6]: *** [scripts/Makefile.build:465: arch/mips/kernel] Error 2
make[6]: *** Waiting for unfinished jobs....
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/include/asm/ds1287.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/include/asm/ds1287.h
+++ b/arch/mips/include/asm/ds1287.h
@@ -8,7 +8,7 @@
#define __ASM_DS1287_H
extern int ds1287_timer_state(void);
-extern void ds1287_set_base_clock(unsigned int clock);
+extern int ds1287_set_base_clock(unsigned int hz);
extern int ds1287_clockevent_init(int irq);
#endif
* [PATCH 5.10 183/286] jfs: Fix shift-out-of-bounds in dbDiscardAG
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 182/286] MIPS: ds1287: Match ds1287_set_base_clock() function types Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 184/286] dm cache: fix flushing uninitialized delayed_work on cache_ctr error Greg Kroah-Hartman
` (107 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+61be3359d2ee3467e7e4, Pei Li,
Dave Kleikamp, Zhi Yang, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Li <peili.dev@gmail.com>
commit 7063b80268e2593e58bee8a8d709c2f3ff93e2f2 upstream.
When searching for the next smaller log2 block, BLKSTOL2() returned 0,
causing shift exponent -1 to be negative.
This patch fixes the issue by exiting the loop directly when negative
shift is found.
Reported-by: syzbot+61be3359d2ee3467e7e4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=61be3359d2ee3467e7e4
Signed-off-by: Pei Li <peili.dev@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Zhi Yang <Zhi.Yang@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jfs/jfs_dmap.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1698,6 +1698,8 @@ s64 dbDiscardAG(struct inode *ip, int ag
} else if (rc == -ENOSPC) {
/* search for next smaller log2 block */
l2nb = BLKSTOL2(nblocks) - 1;
+ if (unlikely(l2nb < 0))
+ break;
nblocks = 1LL << l2nb;
} else {
/* Trim any already allocated blocks */
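Review bot: the new break leaves the loop from inside the rc == -ENOSPC branch, so rc is still -ENOSPC when the code after the loop runs. Please confirm that this path treats it as a normal end of the search and does not report an error. A short comment on the l2nb < 0 test noting that BLKSTOL2(nblocks) returned 0 would also explain how the case arises.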
* [PATCH 5.10 184/286] dm cache: fix flushing uninitialized delayed_work on cache_ctr error
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 183/286] jfs: Fix shift-out-of-bounds in dbDiscardAG Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 185/286] vfio/pci: fix memory leak during D3hot to D0 transition Greg Kroah-Hartman
` (106 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Joe Thornber, Ilia Gavrilov
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
commit 135496c208ba26fd68cdef10b64ed7a91ac9a7ff upstream.
An unexpected WARN_ON from flush_work() may occur when cache creation
fails, caused by destroying the uninitialized delayed_work waker in the
error path of cache_create(). For example, the warning appears on the
superblock checksum error.
Reproduce steps:
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
Kernel logs:
(snip)
WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890
Fix by pulling out the cancel_delayed_work_sync() from the constructor's
error path. This patch doesn't affect the use-after-free fix for
concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix
UAF in destroy()")) as cache_dtr is not changed.
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()")
Cc: stable@vger.kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Joe Thornber <thornber@redhat.com>
Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-cache-target.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1960,16 +1960,13 @@ static void check_migrations(struct work
* This function gets called on the error paths of the constructor, so we
* have to cope with a partially initialised struct.
*/
-static void destroy(struct cache *cache)
+static void __destroy(struct cache *cache)
{
- unsigned i;
-
mempool_exit(&cache->migration_pool);
if (cache->prison)
dm_bio_prison_destroy_v2(cache->prison);
- cancel_delayed_work_sync(&cache->waker);
if (cache->wq)
destroy_workqueue(cache->wq);
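Review bot: with cancel_delayed_work_sync(&cache->waker) removed, the comment kept above __destroy() still describes the error-path use, but nothing tells a caller that __destroy() must not be used once the waker has been initialised and may be queued. Please add to that comment that fully constructed caches must go through destroy().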
@@ -1997,13 +1994,22 @@ static void destroy(struct cache *cache)
if (cache->policy)
dm_cache_policy_destroy(cache->policy);
+ bioset_exit(&cache->bs);
+
+ kfree(cache);
+}
+
+static void destroy(struct cache *cache)
+{
+ unsigned int i;
+
+ cancel_delayed_work_sync(&cache->waker);
+
for (i = 0; i < cache->nr_ctr_args ; i++)
kfree(cache->ctr_args[i]);
kfree(cache->ctr_args);
- bioset_exit(&cache->bs);
-
- kfree(cache);
+ __destroy(cache);
}
static void cache_dtr(struct dm_target *ti)
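Review bot: The new destroy() carries no comment, although it is now the only function that cancels cache->waker and frees cache->ctr_args. A short comment stating that it requires a fully constructed cache, and that constructor error paths must call __destroy() instead, would make the split between the two functions checkable in later reviews.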
@@ -2616,7 +2622,7 @@ static int cache_create(struct cache_arg
*result = cache;
return 0;
bad:
- destroy(cache);
+ __destroy(cache);
return r;
}
@@ -2667,7 +2673,7 @@ static int cache_ctr(struct dm_target *t
r = copy_ctr_args(cache, argc - 3, (const char **)argv + 3);
if (r) {
- destroy(cache);
+ __destroy(cache);
goto out;
}
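Review bot: Missing justification for the ctr_args handling on this path: the loop that frees cache->ctr_args[i] and cache->ctr_args now lives only in destroy(), yet the copy_ctr_args() failure branch calls __destroy(cache). That is leak-free only if copy_ctr_args() releases everything it allocated and leaves cache->ctr_args unset when it returns an error; please confirm that against the 5.10 source and say so in a comment at this call site. Note also that cache_create() has already succeeded at this point, so the struct is no longer partially initialised, and skipping the waker cancel here relies on the work not having been queued yet.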
* [PATCH 5.10 185/286] vfio/pci: fix memory leak during D3hot to D0 transition
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 184/286] dm cache: fix flushing uninitialized delayed_work on cache_ctr error Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 186/286] kernel/resource: fix kfree() of bootmem memory again Greg Kroah-Hartman
` (105 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abhishek Sahu, Alex Williamson,
Feng Liu, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhishek Sahu <abhsahu@nvidia.com>
commit eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991 upstream.
If 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does
not have No_Soft_Reset bit set in its PMCSR config register), then
the current PCI state will be saved locally in
'vfio_pci_core_device::pm_save' during D0->D3hot transition and same
will be restored back during D3hot->D0 transition.
For saving the PCI state locally, pci_store_saved_state() is being
used and the pci_load_and_free_saved_state() will free the allocated
memory.
But for reset-related IOCTLs, the vfio driver calls PCI reset-related
APIs which will internally change the PCI power state back to D0. So,
when the guest resumes, then it will get the current state as D0 and it
will skip the call to vfio_pci_set_power_state() for changing the
power state to D0 explicitly. In this case, the memory pointed by
'pm_save' will never be freed. In a malicious sequence, the state changing
to D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be
run in a loop and it can cause an OOM situation.
This patch frees the earlier allocated memory first before overwriting
'pm_save' to prevent the mentioned memory leak.
Fixes: 51ef3a004b1e ("vfio/pci: Restore device state on PM transition")
Signed-off-by: Abhishek Sahu <abhsahu@nvidia.com>
Link: https://lore.kernel.org/r/20220217122107.22434-2-abhsahu@nvidia.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
[Minor context change fixed]
Signed-off-by: Feng Liu <Feng.Liu3@windriver.com>
Signed-off-by: He Zhe <Zhe.He@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/pci/vfio_pci.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -299,6 +299,19 @@ int vfio_pci_set_power_state(struct vfio
if (!ret) {
/* D3 might be unsupported via quirk, skip unless in D3 */
if (needs_save && pdev->current_state >= PCI_D3hot) {
+ /*
+ * The current PCI state will be saved locally in
+ * 'pm_save' during the D3hot transition. When the
+ * device state is changed to D0 again with the current
+ * function, then pci_store_saved_state() will restore
+ * the state and will free the memory pointed by
+ * 'pm_save'. There are few cases where the PCI power
+ * state can be changed to D0 without the involvement
+ * of the driver. For these cases, free the earlier
+ * allocated memory first before overwriting 'pm_save'
+ * to prevent the memory leak.
+ */
+ kfree(vdev->pm_save);
vdev->pm_save = pci_store_saved_state(pdev);
} else if (needs_restore) {
pci_load_and_free_saved_state(pdev, &vdev->pm_save);
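Review bot: The added comment names the wrong function: it says pci_store_saved_state() "will restore the state and will free the memory pointed by 'pm_save'", but the restore-and-free call in this same block is pci_load_and_free_saved_state(pdev, &vdev->pm_save), and pci_store_saved_state() is the allocating call on the line right after the new kfree(). Suggest correcting the comment to pci_load_and_free_saved_state(). The kfree(vdev->pm_save) also depends on pm_save being NULL whenever no saved state is outstanding, which is worth stating in the same comment.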
* [PATCH 5.10 186/286] kernel/resource: fix kfree() of bootmem memory again
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 185/286] vfio/pci: fix memory leak during D3hot to D0 transition Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 187/286] drm/i915/gt: Cleanup partial engine discovery failures Greg Kroah-Hartman
` (104 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaohe Lin, David Hildenbrand,
Dan Williams, Alistair Popple, Andrew Morton, Linus Torvalds,
Sasha Levin, David Sauerwein
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaohe Lin <linmiaohe@huawei.com>
commit 0cbcc92917c5de80f15c24d033566539ad696892 upstream.
Since commit ebff7d8f270d ("mem hotunplug: fix kfree() of bootmem
memory"), we could get a resource allocated during boot via
alloc_resource(). And it's required to release the resource using
free_resource(). However, many people use kfree directly which will
result in kernel BUG. In order to fix this without fixing every call
site, just leak a couple of bytes in such corner case.
Link: https://lkml.kernel.org/r/20220217083619.19305-1-linmiaohe@huawei.com
Fixes: ebff7d8f270d ("mem hotunplug: fix kfree() of bootmem memory")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Suggested-by: David Hildenbrand <david@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Alistair Popple <apopple@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: David Sauerwein <dssauerw@amazon.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/resource.c | 41 ++++++++---------------------------------
1 file changed, 8 insertions(+), 33 deletions(-)
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -53,14 +53,6 @@ struct resource_constraint {
static DEFINE_RWLOCK(resource_lock);
-/*
- * For memory hotplug, there is no way to free resource entries allocated
- * by boot mem after the system is up. So for reusing the resource entry
- * we need to remember the resource.
- */
-static struct resource *bootmem_resource_free;
-static DEFINE_SPINLOCK(bootmem_resource_lock);
-
static struct resource *next_resource(struct resource *p, bool sibling_only)
{
/* Caller wants to traverse through siblings only */
@@ -149,36 +141,19 @@ __initcall(ioresources_init);
static void free_resource(struct resource *res)
{
- if (!res)
- return;
-
- if (!PageSlab(virt_to_head_page(res))) {
- spin_lock(&bootmem_resource_lock);
- res->sibling = bootmem_resource_free;
- bootmem_resource_free = res;
- spin_unlock(&bootmem_resource_lock);
- } else {
+ /**
+ * If the resource was allocated using memblock early during boot
+ * we'll leak it here: we can only return full pages back to the
+ * buddy and trying to be smart and reusing them eventually in
+ * alloc_resource() overcomplicates resource handling.
+ */
+ if (res && PageSlab(virt_to_head_page(res)))
kfree(res);
- }
}
static struct resource *alloc_resource(gfp_t flags)
{
- struct resource *res = NULL;
-
- spin_lock(&bootmem_resource_lock);
- if (bootmem_resource_free) {
- res = bootmem_resource_free;
- bootmem_resource_free = res->sibling;
- }
- spin_unlock(&bootmem_resource_lock);
-
- if (res)
- memset(res, 0, sizeof(struct resource));
- else
- res = kzalloc(sizeof(struct resource), flags);
-
- return res;
+ return kzalloc(sizeof(struct resource), flags);
}
/* Return the conflict entry if you can't request it */
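Review bot: The new comment inside free_resource() opens with "/**", which is the kernel-doc marker, but it is an ordinary comment in a function body and should start with "/*". On the logic, the leak of non-slab resources is now silent: the comment explains why the memory cannot be returned, but not which callers can still hand in a boot-time resource, and a sentence on that would help anyone auditing the kfree() call sites the commit message mentions. alloc_resource() is reduced to a bare kzalloc() wrapper, which is fine to keep for symmetry with free_resource().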
* [PATCH 5.10 187/286] drm/i915/gt: Cleanup partial engine discovery failures
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 186/286] kernel/resource: fix kfree() of bootmem memory again Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 188/286] fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats Greg Kroah-Hartman
` (103 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Wilson, Janusz Krzysztofik,
Matt Roper, Zhi Yang, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Wilson <chris.p.wilson@intel.com>
commit 78a033433a5ae4fee85511ee075bc9a48312c79e upstream.
If we abort driver initialisation in the middle of gt/engine discovery,
some engines will be fully setup and some not. Those incompletely setup
engines only have 'engine->release == NULL' and so will leak any of the
common objects allocated.
v2:
- Drop the destroy_pinned_context() helper for now. It's not really
worth it with just a single callsite at the moment. (Janusz)
Signed-off-by: Chris Wilson <chris.p.wilson@intel.com>
Cc: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
Reviewed-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220915232654.3283095-2-matthew.d.roper@intel.com
Signed-off-by: Zhi Yang <Zhi.Yang@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gt/intel_engine_cs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
@@ -904,8 +904,13 @@ int intel_engines_init(struct intel_gt *
return err;
err = setup(engine);
- if (err)
+ if (err) {
+ intel_engine_cleanup_common(engine);
return err;
+ }
+
+ /* The backend should now be responsible for cleanup */
+ GEM_BUG_ON(engine->release == NULL);
err = engine_init_common(engine);
if (err)
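Review bot: The new GEM_BUG_ON(engine->release == NULL) turns a backend whose setup() returns 0 without installing a release hook into an assertion, while the setup() failure just above it is handled by calling intel_engine_cleanup_common(engine) and returning err. Consider treating the missing hook the same way, so the condition is reported to the caller rather than asserted. As a style point, kernel code normally writes this test as !engine->release.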
* [PATCH 5.10 188/286] fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 187/286] drm/i915/gt: Cleanup partial engine discovery failures Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 189/286] mm: fix apply_to_existing_page_range() Greg Kroah-Hartman
` (102 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleg Nesterov, Dylan Hatch,
Eric W. Biederman, Andrew Morton, Sasha Levin, David Sauerwein
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit 7601df8031fd67310af891897ef6cc0df4209305 upstream.
lock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call
do_task_stat() at the same time and the process has NR_THREADS, it will
spin with irqs disabled O(NR_CPUS * NR_THREADS) time.
Change do_task_stat() to use sig->stats_lock to gather the statistics
outside of ->siglock protected section, in the likely case this code will
run lockless.
Link: https://lkml.kernel.org/r/20240123153357.GA21857@redhat.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Dylan Hatch <dylanbhatch@google.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: David Sauerwein <dssauerw@amazon.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/proc/array.c | 52 ++++++++++++++++++++++++++++++----------------------
1 file changed, 30 insertions(+), 22 deletions(-)
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -443,12 +443,12 @@ static int do_task_stat(struct seq_file
int permitted;
struct mm_struct *mm;
unsigned long long start_time;
- unsigned long cmin_flt = 0, cmaj_flt = 0;
- unsigned long min_flt = 0, maj_flt = 0;
- u64 cutime, cstime, utime, stime;
- u64 cgtime, gtime;
+ unsigned long cmin_flt, cmaj_flt, min_flt, maj_flt;
+ u64 cutime, cstime, cgtime, utime, stime, gtime;
unsigned long rsslim = 0;
unsigned long flags;
+ struct signal_struct *sig = task->signal;
+ unsigned int seq = 1;
state = *get_task_state(task);
vsize = eip = esp = 0;
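Review bot: This hunk drops the "= 0" initialisers from cmin_flt, cmaj_flt, min_flt and maj_flt, and the following hunk drops the zeroing of cutime, cstime, cgtime and gtime, so correctness now depends on each of them being assigned on every path before it is printed. min_flt, maj_flt and gtime are set only under "if (whole)" inside the retry loop; the !whole branch visibly assigns min_flt and maj_flt, and the gtime assignment there lies outside the shown context and should be confirmed in the 5.10 source. The "unsigned int seq = 1" start value only makes sense together with the "seq++" comment in the last hunk, so a matching comment at the declaration would help.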
@@ -476,12 +476,9 @@ static int do_task_stat(struct seq_file
sigemptyset(&sigign);
sigemptyset(&sigcatch);
- cutime = cstime = utime = stime = 0;
- cgtime = gtime = 0;
+ utime = stime = 0;
if (lock_task_sighand(task, &flags)) {
- struct signal_struct *sig = task->signal;
-
if (sig->tty) {
struct pid *pgrp = tty_get_pgrp(sig->tty);
tty_pgrp = pid_nr_ns(pgrp, ns);
@@ -492,37 +489,48 @@ static int do_task_stat(struct seq_file
num_threads = get_nr_threads(task);
collect_sigign_sigcatch(task, &sigign, &sigcatch);
+ rsslim = READ_ONCE(sig->rlim[RLIMIT_RSS].rlim_cur);
+
+ sid = task_session_nr_ns(task, ns);
+ ppid = task_tgid_nr_ns(task->real_parent, ns);
+ pgid = task_pgrp_nr_ns(task, ns);
+
+ unlock_task_sighand(task, &flags);
+ }
+
+ if (permitted && (!whole || num_threads < 2))
+ wchan = get_wchan(task);
+
+ do {
+ seq++; /* 2 on the 1st/lockless path, otherwise odd */
+ flags = read_seqbegin_or_lock_irqsave(&sig->stats_lock, &seq);
+
cmin_flt = sig->cmin_flt;
cmaj_flt = sig->cmaj_flt;
cutime = sig->cutime;
cstime = sig->cstime;
cgtime = sig->cgtime;
- rsslim = READ_ONCE(sig->rlim[RLIMIT_RSS].rlim_cur);
- /* add up live thread stats at the group level */
if (whole) {
struct task_struct *t = task;
+
+ min_flt = sig->min_flt;
+ maj_flt = sig->maj_flt;
+ gtime = sig->gtime;
+
+ rcu_read_lock();
do {
min_flt += t->min_flt;
maj_flt += t->maj_flt;
gtime += task_gtime(t);
} while_each_thread(task, t);
+ rcu_read_unlock();
- min_flt += sig->min_flt;
- maj_flt += sig->maj_flt;
thread_group_cputime_adjusted(task, &utime, &stime);
- gtime += sig->gtime;
}
+ } while (need_seqretry(&sig->stats_lock, seq));
+ done_seqretry_irqrestore(&sig->stats_lock, seq, flags);
- sid = task_session_nr_ns(task, ns);
- ppid = task_tgid_nr_ns(task->real_parent, ns);
- pgid = task_pgrp_nr_ns(task, ns);
-
- unlock_task_sighand(task, &flags);
- }
-
- if (permitted && (!whole || num_threads < 2))
- wchan = get_wchan(task);
if (!whole) {
min_flt = task->min_flt;
maj_flt = task->maj_flt;
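Review bot: thread_group_cputime_adjusted(task, &utime, &stime) is left inside the do/while (need_seqretry(&sig->stats_lock, seq)) loop, so on the locked retry pass it runs with sig->stats_lock held and interrupts disabled, and it is executed twice whenever the lockless pass fails. It takes task rather than any of the sig fields read in this loop, so it looks movable to after done_seqretry_irqrestore(), which fits the stated goal of shrinking the irqs-off section. Separately, the statistics loop now runs even when lock_task_sighand() fails, where previously all of these reads sat inside that "if"; a comment saying why sig (taken from task->signal at the top of the function) is safe to use in that case would help.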
* [PATCH 5.10 189/286] mm: fix apply_to_existing_page_range()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 188/286] fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 190/286] drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback() Greg Kroah-Hartman
` (101 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kirill A. Shutemov, Daniel Axtens,
David Hildenbrand, Vlastimil Babka, Andrew Morton
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
commit a995199384347261bb3f21b2e171fa7f988bd2f8 upstream.
In the case of apply_to_existing_page_range(), apply_to_pte_range() is
reached with 'create' set to false. When !create, the loop over the PTE
page table is broken.
apply_to_pte_range() will only move to the next PTE entry if 'create' is
true or if the current entry is not pte_none().
This means that the user of apply_to_existing_page_range() will not have
'fn' called for any entries after the first pte_none() in the PTE page
table.
Fix the loop logic in apply_to_pte_range().
There are no known runtime issues from this, but the fix is trivial enough
for stable@ even without a known buggy user.
Link: https://lkml.kernel.org/r/20250409094043.1629234-1-kirill.shutemov@linux.intel.com
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Fixes: be1db4753ee6 ("mm/memory.c: add apply_to_existing_page_range() helper")
Cc: Daniel Axtens <dja@axtens.net>
Cc: David Hildenbrand <david@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2469,11 +2469,11 @@ static int apply_to_pte_range(struct mm_
if (fn) {
do {
if (create || !pte_none(*pte)) {
- err = fn(pte++, addr, data);
+ err = fn(pte, addr, data);
if (err)
break;
}
- } while (addr += PAGE_SIZE, addr != end);
+ } while (pte++, addr += PAGE_SIZE, addr != end);
}
*mask |= PGTBL_PTE_MODIFIED;
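Review bot: With the increment moved into the while condition, pte is no longer advanced when fn() returns an error and the loop breaks, whereas the old fn(pte++, addr, data) had already stepped past the failing entry. Any code after the loop that derives the mapping to release from pte (not visible in this hunk) needs checking against the 5.10 source, in particular for an error on the first entry of the table. The loop change itself matches the description: entries after the first pte_none() are now visited when create is false.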
* [PATCH 5.10 190/286] drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 189/286] mm: fix apply_to_existing_page_range() Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 191/286] s390/dasd: fix double module refcount decrement Greg Kroah-Hartman
` (100 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Feng Liu, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit cc7ad0d77b51c872d629bcd98aea463a3c4109e7 upstream.
There is a deadlock in rtw_surveydone_event_callback(),
which is shown below:
(Thread 1) | (Thread 2)
| _set_timer()
rtw_surveydone_event_callback()| mod_timer()
spin_lock_bh() //(1) | (wait a time)
... | rtw_scan_timeout_handler()
del_timer_sync() | spin_lock_bh() //(2)
(wait timer to stop) | ...
We hold pmlmepriv->lock in position (1) of thread 1 and use
del_timer_sync() to wait for the timer to stop, but the timer handler
also needs pmlmepriv->lock in position (2) of thread 2.
As a result, rtw_surveydone_event_callback() will block forever.
This patch extracts del_timer_sync() from the protection of
spin_lock_bh(), which lets the timer handler obtain
the needed lock. What's more, we change spin_lock_bh() in
rtw_scan_timeout_handler() to spin_lock_irq(). Otherwise,
spin_lock_bh() will also cause deadlock() in timer handler.
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20220409061836.60529-1-duoming@zju.edu.cn
[Minor context change fixed]
Signed-off-by: Feng Liu <Feng.Liu3@windriver.com>
Signed-off-by: He Zhe <Zhe.He@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -826,7 +826,9 @@ void rtw_surveydone_event_callback(struc
RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_surveydone_event_callback: fw_state:%x\n\n", get_fwstate(pmlmepriv)));
if (check_fwstate(pmlmepriv, _FW_UNDER_SURVEY)) {
+ spin_unlock_bh(&pmlmepriv->lock);
del_timer_sync(&pmlmepriv->scan_to_timer);
+ spin_lock_bh(&pmlmepriv->lock);
_clr_fwstate_(pmlmepriv, _FW_UNDER_SURVEY);
} else {
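Review bot: Dropping pmlmepriv->lock around del_timer_sync() opens a window between the check_fwstate(pmlmepriv, _FW_UNDER_SURVEY) test and the _clr_fwstate_() that follows: the timer handler changed in the next hunk clears the same flag under the same lock, and any other holder of the lock can run in that window too. Either re-check the state after spin_lock_bh() is retaken, or add a comment explaining why the state tested before the unlock is still valid afterwards.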
@@ -1753,11 +1755,11 @@ void rtw_scan_timeout_handler(struct tim
DBG_871X(FUNC_ADPT_FMT" fw_state =%x\n", FUNC_ADPT_ARG(adapter), get_fwstate(pmlmepriv));
- spin_lock_bh(&pmlmepriv->lock);
+ spin_lock_irq(&pmlmepriv->lock);
_clr_fwstate_(pmlmepriv, _FW_UNDER_SURVEY);
- spin_unlock_bh(&pmlmepriv->lock);
+ spin_unlock_irq(&pmlmepriv->lock);
rtw_indicate_scan_done(adapter, true);
}
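Review bot: rtw_scan_timeout_handler() now takes pmlmepriv->lock with spin_lock_irq() while rtw_surveydone_event_callback() in the previous hunk takes the same lock with spin_lock_bh(), and spin_unlock_irq() re-enables interrupts unconditionally. The commit message does not name an interrupt-context user of this lock that would require the _irq variant; without one, spin_lock_bh() should stay. Patch 193/286 in this series switches these two calls back to the _bh variants, so the two patches should be applied together.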
* [PATCH 5.10 191/286] s390/dasd: fix double module refcount decrement
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 190/286] drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback() Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 192/286] pmdomain: ti: Add a null pointer check to the omap_prm_domain_init Greg Kroah-Hartman
` (99 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miroslav Franc, Jan Höppner,
Stefan Haberland, Jens Axboe, Feng Liu, He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miroslav Franc <mfranc@suse.cz>
commit c3116e62ddeff79cae342147753ce596f01fcf06 upstream.
Once the discipline is associated with the device, deleting the device
takes care of decrementing the module's refcount. Doing it manually on
this error path causes refcount to artificially decrease on each error
while it should just stay the same.
Fixes: c020d722b110 ("s390/dasd: fix panic during offline processing")
Signed-off-by: Miroslav Franc <mfranc@suse.cz>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Link: https://lore.kernel.org/r/20240209124522.3697827-3-sth@linux.ibm.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[Minor context change fixed]
Signed-off-by: Feng Liu <Feng.Liu3@windriver.com>
Signed-off-by: He Zhe <Zhe.He@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/s390/block/dasd.c
+++ b/drivers/s390/block/dasd.c
@@ -3637,12 +3637,11 @@ int dasd_generic_set_online(struct ccw_d
dasd_delete_device(device);
return -EINVAL;
}
+ device->base_discipline = base_discipline;
if (!try_module_get(discipline->owner)) {
- module_put(base_discipline->owner);
dasd_delete_device(device);
return -EINVAL;
}
- device->base_discipline = base_discipline;
device->discipline = discipline;
/* check_device will allocate block device if necessary */
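Review bot: The fix hinges on an ordering that the code does not document: device->base_discipline is now assigned before try_module_get(discipline->owner), so that dasd_delete_device() on the failure path accounts for the base discipline, which is why the explicit module_put(base_discipline->owner) is removed. A one-line comment at the assignment, saying that dasd_delete_device() drops the module references of the disciplines attached to the device, would keep a later reorder from reintroducing either the leak or the double put.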
@@ -3650,8 +3649,6 @@ int dasd_generic_set_online(struct ccw_d
if (rc) {
pr_warn("%s Setting the DASD online with discipline %s failed with rc=%i\n",
dev_name(&cdev->dev), discipline->name, rc);
- module_put(discipline->owner);
- module_put(base_discipline->owner);
dasd_delete_device(device);
return rc;
}
* [PATCH 5.10 192/286] pmdomain: ti: Add a null pointer check to the omap_prm_domain_init
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 191/286] s390/dasd: fix double module refcount decrement Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 193/286] drivers: staging: rtl8723bs: Fix locking in rtw_scan_timeout_handler() Greg Kroah-Hartman
` (98 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kunwu Chan, Ulf Hansson, Feng Liu,
He Zhe
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunwu Chan <chentao@kylinos.cn>
commit 5d7f58ee08434a33340f75ac7ac5071eea9673b3 upstream.
devm_kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure. Ensure the allocation was successful
by checking the pointer validity.
Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
Link: https://lore.kernel.org/r/20240118054257.200814-1-chentao@kylinos.cn
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[Minor context change fixed]
Signed-off-by: Feng Liu <Feng.Liu3@windriver.com>
Signed-off-by: He Zhe <Zhe.He@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/ti/omap_prm.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/soc/ti/omap_prm.c
+++ b/drivers/soc/ti/omap_prm.c
@@ -381,6 +381,8 @@ static int omap_prm_domain_init(struct d
data = prm->data;
name = devm_kasprintf(dev, GFP_KERNEL, "prm_%s",
data->name);
+ if (!name)
+ return -ENOMEM;
prmd->dev = dev;
prmd->prm = prm;
* [PATCH 5.10 193/286] drivers: staging: rtl8723bs: Fix locking in rtw_scan_timeout_handler()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 192/286] pmdomain: ti: Add a null pointer check to the omap_prm_domain_init Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 194/286] platform/x86: ISST: Correct command storage data length Greg Kroah-Hartman
` (97 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans de Goede
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 3f467036093fedd7e231924327455fc609b5ef02 upstream.
Commit cc7ad0d77b51 ("drivers: staging: rtl8723bs: Fix deadlock in
rtw_surveydone_event_callback()") besides fixing the deadlock also
modified rtw_scan_timeout_handler() to use spin_[un]lock_irq()
instead of spin_[un]lock_bh().
Disabling the IRQs is not necessary since all code taking this lock
runs from either user contexts or from softirqs.
rtw_scan_timeout_handler() is the only function taking pmlmepriv->lock
which uses spin_[un]lock_irq() for this. Switch back to
spin_[un]lock_bh() to make it consistent with the rest of the code.
Fixes: cc7ad0d77b51 ("drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()")
Cc: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20230221145326.7808-2-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -1755,11 +1755,11 @@ void rtw_scan_timeout_handler(struct tim
DBG_871X(FUNC_ADPT_FMT" fw_state =%x\n", FUNC_ADPT_ARG(adapter), get_fwstate(pmlmepriv));
- spin_lock_irq(&pmlmepriv->lock);
+ spin_lock_bh(&pmlmepriv->lock);
_clr_fwstate_(pmlmepriv, _FW_UNDER_SURVEY);
- spin_unlock_irq(&pmlmepriv->lock);
+ spin_unlock_bh(&pmlmepriv->lock);
rtw_indicate_scan_done(adapter, true);
}
* [PATCH 5.10 194/286] platform/x86: ISST: Correct command storage data length
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 193/286] drivers: staging: rtl8723bs: Fix locking in rtw_scan_timeout_handler() Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 195/286] tracing: Allow synthetic events to pass around stacktraces Greg Kroah-Hartman
` (96 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Pandruvada,
Ilpo Järvinen, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
[ Upstream commit 9462e74c5c983cce34019bfb27f734552bebe59f ]
After resume/online turbo limit ratio (TRL) is restored partially if
the admin explicitly changed TRL from user space.
A hash table is used to store SST mail box and MSR settings when modified
to restore those settings after resume or online. This uses a struct
isst_cmd field "data" to store these settings. This is a 64 bit field.
But isst_store_new_cmd() is only assigning as u32. This results in
truncation of 32 bits.
Change the argument to u64 from u32.
Fixes: f607874f35cb ("platform/x86: ISST: Restore state on resume")
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250328224749.2691272-1-srinivas.pandruvada@linux.intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel_speed_select_if/isst_if_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel_speed_select_if/isst_if_common.c b/drivers/platform/x86/intel_speed_select_if/isst_if_common.c
index 407afafc7e83f..e0f7368e7e3e9 100644
--- a/drivers/platform/x86/intel_speed_select_if/isst_if_common.c
+++ b/drivers/platform/x86/intel_speed_select_if/isst_if_common.c
@@ -77,7 +77,7 @@ static DECLARE_HASHTABLE(isst_hash, 8);
static DEFINE_MUTEX(isst_hash_lock);
static int isst_store_new_cmd(int cmd, u32 cpu, int mbox_cmd_type, u32 param,
- u32 data)
+ u64 data)
{
struct isst_cmd *sst_cmd;
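Review bot: Widening only the "data" parameter to u64 fixes the truncation at the isst_store_new_cmd() boundary, but the hunk does not show the callers; each call site should be checked to confirm it passes the full 64-bit value rather than an expression already narrowed to u32, otherwise the upper 32 bits are still lost before the call. The prototype also mixes int, u32 and u64 arguments, so a short comment noting that "data" must match the 64-bit "data" field of struct isst_cmd would make the intent explicit.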
--
2.39.5
* [PATCH 5.10 195/286] tracing: Allow synthetic events to pass around stacktraces
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 194/286] platform/x86: ISST: Correct command storage data length Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 196/286] tracing: Fix synth event printk format for str fields Greg Kroah-Hartman
` (95 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Andrew Morton,
Tom Zanussi, Ross Zwisler, Ching-lin Yu, Steven Rostedt (Google),
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt (Google) <rostedt@goodmis.org>
[ Upstream commit 00cf3d672a9dd409418647e9f98784c339c3ff63 ]
Allow a stacktrace from one event to be displayed by the end event of a
synthetic event. This is very useful when looking for the longest latency
of a sleep or something blocked on I/O.
# cd /sys/kernel/tracing/
# echo 's:block_lat pid_t pid; u64 delta; unsigned long[] stack;' > dynamic_events
# echo 'hist:keys=next_pid:ts=common_timestamp.usecs,st=stacktrace if prev_state == 1||prev_state == 2' > events/sched/sched_switch/trigger
# echo 'hist:keys=prev_pid:delta=common_timestamp.usecs-$ts,s=$st:onmax($delta).trace(block_lat,prev_pid,$delta,$s)' >> events/sched/sched_switch/trigger
The above creates a "block_lat" synthetic event that takes the stacktrace of
when a task schedules out in either the interruptible or uninterruptible
states, and on a new per process max $delta (the time it was scheduled
out), will print the process id and the stacktrace.
# echo 1 > events/synthetic/block_lat/enable
# cat trace
# TASK-PID CPU# ||||| TIMESTAMP FUNCTION
# | | | ||||| | |
kworker/u16:0-767 [006] d..4. 560.645045: block_lat: pid=767 delta=66 stack=STACK:
=> __schedule
=> schedule
=> pipe_read
=> vfs_read
=> ksys_read
=> do_syscall_64
=> 0x966000aa
<idle>-0 [003] d..4. 561.132117: block_lat: pid=0 delta=413787 stack=STACK:
=> __schedule
=> schedule
=> schedule_hrtimeout_range_clock
=> do_sys_poll
=> __x64_sys_poll
=> do_syscall_64
=> 0x966000aa
<...>-153 [006] d..4. 562.068407: block_lat: pid=153 delta=54 stack=STACK:
=> __schedule
=> schedule
=> io_schedule
=> rq_qos_wait
=> wbt_wait
=> __rq_qos_throttle
=> blk_mq_submit_bio
=> submit_bio_noacct_nocheck
=> ext4_bio_write_page
=> mpage_submit_page
=> mpage_process_page_bufs
=> mpage_prepare_extent_to_map
=> ext4_do_writepages
=> ext4_writepages
=> do_writepages
=> __writeback_single_inode
Link: https://lkml.kernel.org/r/20230117152236.010941267@goodmis.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Tom Zanussi <zanussi@kernel.org>
Cc: Ross Zwisler <zwisler@google.com>
Cc: Ching-lin Yu <chinglinyu@google.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Stable-dep-of: 4d38328eb442 ("tracing: Fix synth event printk format for str fields")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace.h | 4 ++
kernel/trace/trace_events_hist.c | 7 ++-
kernel/trace/trace_events_synth.c | 80 ++++++++++++++++++++++++++++++-
kernel/trace/trace_synth.h | 1 +
4 files changed, 87 insertions(+), 5 deletions(-)
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index 7c90872f2435d..f47938d8401a2 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -109,6 +109,10 @@ enum trace_type {
unlikely(__ret_warn_once); \
})
+#define HIST_STACKTRACE_DEPTH 16
+#define HIST_STACKTRACE_SIZE (HIST_STACKTRACE_DEPTH * sizeof(unsigned long))
+#define HIST_STACKTRACE_SKIP 5
+
/*
* syscalls are special, and need special handling, this is why
* they are not included in trace_entries.h
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 059a106e62bec..a0342b45a06da 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -282,10 +282,6 @@ DEFINE_HIST_FIELD_FN(u8);
#define for_each_hist_key_field(i, hist_data) \
for ((i) = (hist_data)->n_vals; (i) < (hist_data)->n_fields; (i)++)
-#define HIST_STACKTRACE_DEPTH 16
-#define HIST_STACKTRACE_SIZE (HIST_STACKTRACE_DEPTH * sizeof(unsigned long))
-#define HIST_STACKTRACE_SKIP 5
-
#define HITCOUNT_IDX 0
#define HIST_KEY_SIZE_MAX (MAX_FILTER_STR_VAL + HIST_STACKTRACE_SIZE)
@@ -3356,6 +3352,9 @@ static int check_synth_field(struct synth_event *event,
&& field->is_dynamic)
return 0;
+ if (strstr(hist_field->type, "long[") && field->is_stack)
+ return 0;
+
if (strcmp(field->type, hist_field->type) != 0) {
if (field->size != hist_field->size ||
(!field->is_string && field->is_signed != hist_field->is_signed))
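Review bot: the early return added to check_synth_field() repeats the "long[" substring test as an open-coded strstr() instead of sharing one predicate with trace_events_synth.c, and it returns before the size and signedness comparison that follows. Expose a single helper for "this type is a stacktrace" and use it here, so the two files cannot drift apart on what counts as a stack type.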
diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
index e43426aa12830..4878758ceea2a 100644
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -162,6 +162,14 @@ static int synth_field_is_string(char *type)
return false;
}
+static int synth_field_is_stack(char *type)
+{
+ if (strstr(type, "long[") != NULL)
+ return true;
+
+ return false;
+}
+
static int synth_field_string_size(char *type)
{
char buf[4], *end, *start;
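Review bot: synth_field_is_stack() matches any type string that contains "long[", so a sized array such as long[4] is also treated as a stacktrace, while the commit message only documents "unsigned long[]". Either tighten the match to the documented form or add a comment saying that every long array is interpreted as a stack. The function is also declared int but returns true/false; the body can be a single return of the comparison.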
@@ -237,6 +245,8 @@ static int synth_field_size(char *type)
size = sizeof(gfp_t);
else if (synth_field_is_string(type))
size = synth_field_string_size(type);
+ else if (synth_field_is_stack(type))
+ size = 0;
return size;
}
@@ -281,6 +291,8 @@ static const char *synth_field_fmt(char *type)
fmt = "%x";
else if (synth_field_is_string(type))
fmt = "%.*s";
+ else if (synth_field_is_stack(type))
+ fmt = "%s";
return fmt;
}
@@ -360,6 +372,23 @@ static enum print_line_t print_synth_event(struct trace_iterator *iter,
i == se->n_fields - 1 ? "" : " ");
n_u64 += STR_VAR_LEN_MAX / sizeof(u64);
}
+ } else if (se->fields[i]->is_stack) {
+ u32 offset, data_offset, len;
+ unsigned long *p, *end;
+
+ offset = (u32)entry->fields[n_u64];
+ data_offset = offset & 0xffff;
+ len = offset >> 16;
+
+ p = (void *)entry + data_offset;
+ end = (void *)p + len - (sizeof(long) - 1);
+
+ trace_seq_printf(s, "%s=STACK:\n", se->fields[i]->name);
+
+ for (; *p && p < end; p++)
+ trace_seq_printf(s, "=> %pS\n", (void *)*p);
+ n_u64++;
+
} else {
struct trace_print_flags __flags[] = {
__def_gfpflag_names, {-1, NULL} };
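Review bot: in the print loop "for (; *p && p < end; p++)" the dereference comes before the bounds test. trace_stack() in this same patch only appends the zero element when it fits, so for a stack that fills all HIST_STACKTRACE_DEPTH slots *p is read once at the end of the copied data before p < end stops the loop. Swap the conditions to "p < end && *p". data_offset and len are also taken from the recorded field without being checked against the entry size; a comment on why they can be trusted would help.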
@@ -427,6 +456,43 @@ static unsigned int trace_string(struct synth_trace_event *entry,
return len;
}
+static unsigned int trace_stack(struct synth_trace_event *entry,
+ struct synth_event *event,
+ long *stack,
+ unsigned int data_size,
+ unsigned int *n_u64)
+{
+ unsigned int len;
+ u32 data_offset;
+ void *data_loc;
+
+ data_offset = struct_size(entry, fields, event->n_u64);
+ data_offset += data_size;
+
+ for (len = 0; len < HIST_STACKTRACE_DEPTH; len++) {
+ if (!stack[len])
+ break;
+ }
+
+ /* Include the zero'd element if it fits */
+ if (len < HIST_STACKTRACE_DEPTH)
+ len++;
+
+ len *= sizeof(long);
+
+ /* Find the dynamic section to copy the stack into. */
+ data_loc = (void *)entry + data_offset;
+ memcpy(data_loc, stack, len);
+
+ /* Fill in the field that holds the offset/len combo */
+ data_offset |= len << 16;
+ *(u32 *)&entry->fields[*n_u64] = data_offset;
+
+ (*n_u64)++;
+
+ return len;
+}
+
static notrace void trace_event_raw_event_synth(void *__data,
u64 *var_ref_vals,
unsigned int *var_ref_idx)
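Review bot: trace_stack() copies up to HIST_STACKTRACE_DEPTH * sizeof(long) bytes to entry + data_offset with no check against the size of the reserved entry, and stack is dereferenced without a NULL check. synth_field_size() in this patch reports 0 for stack fields and none of the hunks here change the reservation, so please confirm, and note in a comment above the memcpy(), where the space for the stack bytes is accounted for.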
@@ -479,6 +545,12 @@ static notrace void trace_event_raw_event_synth(void *__data,
event->fields[i]->is_dynamic,
data_size, &n_u64);
data_size += len; /* only dynamic string increments */
+ } if (event->fields[i]->is_stack) {
+ long *stack = (long *)(long)var_ref_vals[val_idx];
+
+ len = trace_stack(entry, event, stack,
+ data_size, &n_u64);
+ data_size += len;
} else {
struct synth_field *field = event->fields[i];
u64 val = var_ref_vals[val_idx];
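Review bot: the added branch begins with "} if (event->fields[i]->is_stack) {" rather than "} else if (...)", so it is not chained to the preceding branch (the one ending in the "only dynamic string increments" line). A field handled by that branch, for which is_stack is false, will then also run the trailing else block and store var_ref_vals[val_idx] as a plain value. This should read "} else if (event->fields[i]->is_stack) {".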
@@ -541,6 +613,9 @@ static int __set_synth_event_print_fmt(struct synth_event *event,
event->fields[i]->is_dynamic)
pos += snprintf(buf + pos, LEN_OR_ZERO,
", __get_str(%s)", event->fields[i]->name);
+ else if (event->fields[i]->is_stack)
+ pos += snprintf(buf + pos, LEN_OR_ZERO,
+ ", __get_stacktrace(%s)", event->fields[i]->name);
else
pos += snprintf(buf + pos, LEN_OR_ZERO,
", REC->%s", event->fields[i]->name);
@@ -660,7 +735,8 @@ static struct synth_field *parse_synth_field(int argc, const char **argv,
ret = -EINVAL;
goto free;
} else if (size == 0) {
- if (synth_field_is_string(field->type)) {
+ if (synth_field_is_string(field->type) ||
+ synth_field_is_stack(field->type)) {
char *type;
len = sizeof("__data_loc ") + strlen(field->type) + 1;
@@ -691,6 +767,8 @@ static struct synth_field *parse_synth_field(int argc, const char **argv,
if (synth_field_is_string(field->type))
field->is_string = true;
+ else if (synth_field_is_stack(field->type))
+ field->is_stack = true;
field->is_signed = synth_field_signed(field->type);
out:
diff --git a/kernel/trace/trace_synth.h b/kernel/trace/trace_synth.h
index 4007fe95cf42c..077c748a8b3a6 100644
--- a/kernel/trace/trace_synth.h
+++ b/kernel/trace/trace_synth.h
@@ -18,6 +18,7 @@ struct synth_field {
bool is_signed;
bool is_string;
bool is_dynamic;
+ bool is_stack;
};
struct synth_event {
--
2.39.5
* [PATCH 5.10 196/286] tracing: Fix synth event printk format for str fields
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 195/286] tracing: Allow synthetic events to pass around stacktraces Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 197/286] media: streamzap: remove unnecessary ir_raw_event_reset and handle Greg Kroah-Hartman
` (94 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Douglas Raillard, Steven Rostedt (Google), Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Raillard <douglas.raillard@arm.com>
[ Upstream commit 4d38328eb442dc06aec4350fd9594ffa6488af02 ]
The printk format for synth event uses "%.*s" to print string fields,
but then only passes the pointer part as var arg.
Replace %.*s with %s as the C string is guaranteed to be null-terminated.
The output in print fmt should never have been updated as __get_str()
handles the string limit because it can access the length of the string in
the string meta data that is saved in the ring buffer.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes: 8db4d6bfbbf92 ("tracing: Change synthetic event string format to limit printed length")
Link: https://lore.kernel.org/20250325165202.541088-1-douglas.raillard@arm.com
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_synth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
index 4878758ceea2a..613d45e7b608d 100644
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -290,7 +290,7 @@ static const char *synth_field_fmt(char *type)
else if (strcmp(type, "gfp_t") == 0)
fmt = "%x";
else if (synth_field_is_string(type))
- fmt = "%.*s";
+ fmt = "%s";
else if (synth_field_is_stack(type))
fmt = "%s";
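Review bot: with this change the string and stack arms of synth_field_fmt() both assign "%s", so the two else-if branches can be merged into one condition. Since the precision argument is gone, a short comment that the stored string is NUL-terminated, as the commit message states, would show the next reader why an unbounded %s is safe here.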
--
2.39.5
* [PATCH 5.10 197/286] media: streamzap: remove unnecessary ir_raw_event_reset and handle
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 196/286] tracing: Fix synth event printk format for str fields Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 198/286] media: streamzap: no need for usb pid/vid in device name Greg Kroah-Hartman
` (93 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Young, Mauro Carvalho Chehab,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Young <sean@mess.org>
[ Upstream commit 4bed9306050497f49cbe77b842f0d812f4f27593 ]
There is no reason to have a reset after an IR timeout.
Calling ir_raw_event_handle() twice for the same interrupt has no
effect.
Fixes: 56b0ec30c4bc ("[media] rc/streamzap: fix reporting response times")
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: f656cfbc7a29 ("media: streamzap: fix race between device disconnection and urb callback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/rc/streamzap.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/media/rc/streamzap.c b/drivers/media/rc/streamzap.c
index b6bd3cbec7c7c..cd4bb605a7614 100644
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -215,8 +215,6 @@ static void sz_process_ir_data(struct streamzap_ir *sz, int len)
sz->idle = true;
if (sz->timeout_enabled)
sz_push(sz, rawir);
- ir_raw_event_handle(sz->rdev);
- ir_raw_event_reset(sz->rdev);
} else {
sz_push_full_space(sz, sz->buf_in[i]);
}
--
2.39.5
* [PATCH 5.10 198/286] media: streamzap: no need for usb pid/vid in device name
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 197/286] media: streamzap: remove unnecessary ir_raw_event_reset and handle Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 199/286] media: streamzap: less chatter Greg Kroah-Hartman
` (92 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Young, Mauro Carvalho Chehab,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Young <sean@mess.org>
[ Upstream commit 7a25e6849ad73de5aa01d62da43071bc02b8530c ]
The usb pid/vid can be found elsewhere, the idVendor/idProduct usb sysfs
files for example.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: f656cfbc7a29 ("media: streamzap: fix race between device disconnection and urb callback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/rc/streamzap.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/media/rc/streamzap.c b/drivers/media/rc/streamzap.c
index cd4bb605a7614..b6391ad383143 100644
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -88,7 +88,6 @@ struct streamzap_ir {
ktime_t signal_start;
bool timeout_enabled;
- char name[128];
char phys[64];
};
@@ -287,13 +286,10 @@ static struct rc_dev *streamzap_init_rc_dev(struct streamzap_ir *sz)
goto out;
}
- snprintf(sz->name, sizeof(sz->name), "Streamzap PC Remote Infrared Receiver (%04x:%04x)",
- le16_to_cpu(sz->usbdev->descriptor.idVendor),
- le16_to_cpu(sz->usbdev->descriptor.idProduct));
usb_make_path(sz->usbdev, sz->phys, sizeof(sz->phys));
strlcat(sz->phys, "/input0", sizeof(sz->phys));
- rdev->device_name = sz->name;
+ rdev->device_name = "Streamzap PC Remote Infrared Receiver";
rdev->input_phys = sz->phys;
usb_to_input_id(sz->usbdev, &rdev->input_id);
rdev->dev.parent = dev;
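Review bot: rdev->device_name changes from a per-device string ending in "(%04x:%04x)" to a fixed literal, and that is the name userspace sees for this input device. The commit message explains where the ids can be found instead but not whether anything may match on the old name; please state that in the changelog so the visible rename is a documented decision.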
--
2.39.5
* [PATCH 5.10 199/286] media: streamzap: less chatter
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 198/286] media: streamzap: no need for usb pid/vid in device name Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 200/286] media: streamzap: remove unused struct members Greg Kroah-Hartman
` (91 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Young, Mauro Carvalho Chehab,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Young <sean@mess.org>
[ Upstream commit 35088717ad24140b6ab0ec00ef357709be607526 ]
Remove superfluous messages which add no information.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: f656cfbc7a29 ("media: streamzap: fix race between device disconnection and urb callback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/rc/streamzap.c | 20 +-------------------
1 file changed, 1 insertion(+), 19 deletions(-)
diff --git a/drivers/media/rc/streamzap.c b/drivers/media/rc/streamzap.c
index b6391ad383143..e862a866b9b0f 100644
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -26,7 +26,6 @@
#include <linux/usb/input.h>
#include <media/rc-core.h>
-#define DRIVER_VERSION "1.61"
#define DRIVER_NAME "streamzap"
#define DRIVER_DESC "Streamzap Remote Control driver"
@@ -281,10 +280,8 @@ static struct rc_dev *streamzap_init_rc_dev(struct streamzap_ir *sz)
int ret;
rdev = rc_allocate_device(RC_DRIVER_IR_RAW);
- if (!rdev) {
- dev_err(dev, "remote dev allocation failed\n");
+ if (!rdev)
goto out;
- }
usb_make_path(sz->usbdev, sz->phys, sizeof(sz->phys));
strlcat(sz->phys, "/input0", sizeof(sz->phys));
@@ -324,7 +321,6 @@ static int streamzap_probe(struct usb_interface *intf,
struct usb_device *usbdev = interface_to_usbdev(intf);
struct usb_host_interface *iface_host;
struct streamzap_ir *sz = NULL;
- char buf[63], name[128] = "";
int retval = -ENOMEM;
int pipe, maxp;
@@ -383,17 +379,6 @@ static int streamzap_probe(struct usb_interface *intf,
sz->dev = &intf->dev;
sz->buf_in_len = maxp;
- if (usbdev->descriptor.iManufacturer
- && usb_string(usbdev, usbdev->descriptor.iManufacturer,
- buf, sizeof(buf)) > 0)
- strscpy(name, buf, sizeof(name));
-
- if (usbdev->descriptor.iProduct
- && usb_string(usbdev, usbdev->descriptor.iProduct,
- buf, sizeof(buf)) > 0)
- snprintf(name + strlen(name), sizeof(name) - strlen(name),
- " %s", buf);
-
sz->rdev = streamzap_init_rc_dev(sz);
if (!sz->rdev)
goto rc_dev_fail;
@@ -424,9 +409,6 @@ static int streamzap_probe(struct usb_interface *intf,
if (usb_submit_urb(sz->urb_in, GFP_ATOMIC))
dev_err(sz->dev, "urb submit failed\n");
- dev_info(sz->dev, "Registered %s on usb%d:%d\n", name,
- usbdev->bus->busnum, usbdev->devnum);
-
return 0;
rc_dev_fail:
--
2.39.5
* [PATCH 5.10 200/286] media: streamzap: remove unused struct members
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 199/286] media: streamzap: less chatter Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 201/286] media: streamzap: fix race between device disconnection and urb callback Greg Kroah-Hartman
` (90 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Young, Mauro Carvalho Chehab,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Young <sean@mess.org>
[ Upstream commit 4df69e46c352df9bdbe859824da33428a3ce8a1d ]
These struct members do not serve any purpose.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: f656cfbc7a29 ("media: streamzap: fix race between device disconnection and urb callback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/rc/streamzap.c | 37 ++++++++++++++----------------------
1 file changed, 14 insertions(+), 23 deletions(-)
diff --git a/drivers/media/rc/streamzap.c b/drivers/media/rc/streamzap.c
index e862a866b9b0f..cd994e27362eb 100644
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -66,9 +66,6 @@ struct streamzap_ir {
struct device *dev;
/* usb */
- struct usb_device *usbdev;
- struct usb_interface *interface;
- struct usb_endpoint_descriptor *endpoint;
struct urb *urb_in;
/* buffer & dma */
@@ -85,7 +82,6 @@ struct streamzap_ir {
/* start time of signal; necessary for gap tracking */
ktime_t signal_last;
ktime_t signal_start;
- bool timeout_enabled;
char phys[64];
};
@@ -211,8 +207,7 @@ static void sz_process_ir_data(struct streamzap_ir *sz, int len)
.duration = sz->rdev->timeout
};
sz->idle = true;
- if (sz->timeout_enabled)
- sz_push(sz, rawir);
+ sz_push(sz, rawir);
} else {
sz_push_full_space(sz, sz->buf_in[i]);
}
@@ -273,7 +268,8 @@ static void streamzap_callback(struct urb *urb)
return;
}
-static struct rc_dev *streamzap_init_rc_dev(struct streamzap_ir *sz)
+static struct rc_dev *streamzap_init_rc_dev(struct streamzap_ir *sz,
+ struct usb_device *usbdev)
{
struct rc_dev *rdev;
struct device *dev = sz->dev;
@@ -283,12 +279,12 @@ static struct rc_dev *streamzap_init_rc_dev(struct streamzap_ir *sz)
if (!rdev)
goto out;
- usb_make_path(sz->usbdev, sz->phys, sizeof(sz->phys));
+ usb_make_path(usbdev, sz->phys, sizeof(sz->phys));
strlcat(sz->phys, "/input0", sizeof(sz->phys));
rdev->device_name = "Streamzap PC Remote Infrared Receiver";
rdev->input_phys = sz->phys;
- usb_to_input_id(sz->usbdev, &rdev->input_id);
+ usb_to_input_id(usbdev, &rdev->input_id);
rdev->dev.parent = dev;
rdev->priv = sz;
rdev->allowed_protocols = RC_PROTO_BIT_ALL_IR_DECODER;
@@ -319,6 +315,7 @@ static int streamzap_probe(struct usb_interface *intf,
const struct usb_device_id *id)
{
struct usb_device *usbdev = interface_to_usbdev(intf);
+ struct usb_endpoint_descriptor *endpoint;
struct usb_host_interface *iface_host;
struct streamzap_ir *sz = NULL;
int retval = -ENOMEM;
@@ -329,9 +326,6 @@ static int streamzap_probe(struct usb_interface *intf,
if (!sz)
return -ENOMEM;
- sz->usbdev = usbdev;
- sz->interface = intf;
-
/* Check to ensure endpoint information matches requirements */
iface_host = intf->cur_altsetting;
@@ -342,22 +336,22 @@ static int streamzap_probe(struct usb_interface *intf,
goto free_sz;
}
- sz->endpoint = &(iface_host->endpoint[0].desc);
- if (!usb_endpoint_dir_in(sz->endpoint)) {
+ endpoint = &iface_host->endpoint[0].desc;
+ if (!usb_endpoint_dir_in(endpoint)) {
dev_err(&intf->dev, "%s: endpoint doesn't match input device 02%02x\n",
- __func__, sz->endpoint->bEndpointAddress);
+ __func__, endpoint->bEndpointAddress);
retval = -ENODEV;
goto free_sz;
}
- if (!usb_endpoint_xfer_int(sz->endpoint)) {
+ if (!usb_endpoint_xfer_int(endpoint)) {
dev_err(&intf->dev, "%s: endpoint attributes don't match xfer 02%02x\n",
- __func__, sz->endpoint->bmAttributes);
+ __func__, endpoint->bmAttributes);
retval = -ENODEV;
goto free_sz;
}
- pipe = usb_rcvintpipe(usbdev, sz->endpoint->bEndpointAddress);
+ pipe = usb_rcvintpipe(usbdev, endpoint->bEndpointAddress);
maxp = usb_maxpacket(usbdev, pipe, usb_pipeout(pipe));
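Review bot: the two dev_err() calls rewritten in this hunk keep the format strings "endpoint doesn't match input device 02%02x" and "endpoint attributes don't match xfer 02%02x", which print a literal "02" in front of the hex value; this looks like a typo for "0x%02x". Since the argument lines of both calls are being changed anyway, fix the prefix in the same place.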
if (maxp == 0) {
@@ -379,14 +373,13 @@ static int streamzap_probe(struct usb_interface *intf,
sz->dev = &intf->dev;
sz->buf_in_len = maxp;
- sz->rdev = streamzap_init_rc_dev(sz);
+ sz->rdev = streamzap_init_rc_dev(sz, usbdev);
if (!sz->rdev)
goto rc_dev_fail;
sz->idle = true;
sz->decoder_state = PulseSpace;
/* FIXME: don't yet have a way to set this */
- sz->timeout_enabled = true;
sz->rdev->timeout = SZ_TIMEOUT * SZ_RESOLUTION;
#if 0
/* not yet supported, depends on patches from maxim */
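Review bot: after "sz->timeout_enabled = true;" is removed, the comment "/* FIXME: don't yet have a way to set this */" sits directly above the sz->rdev->timeout assignment and now reads as if it describes that line. Drop the comment together with the member, or reword it so it says what is still missing.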
@@ -399,8 +392,7 @@ static int streamzap_probe(struct usb_interface *intf,
/* Complete final initialisations */
usb_fill_int_urb(sz->urb_in, usbdev, pipe, sz->buf_in,
- maxp, (usb_complete_t)streamzap_callback,
- sz, sz->endpoint->bInterval);
+ maxp, streamzap_callback, sz, endpoint->bInterval);
sz->urb_in->transfer_dma = sz->dma_in;
sz->urb_in->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
@@ -441,7 +433,6 @@ static void streamzap_disconnect(struct usb_interface *interface)
if (!sz)
return;
- sz->usbdev = NULL;
rc_unregister_device(sz->rdev);
usb_kill_urb(sz->urb_in);
usb_free_urb(sz->urb_in);
--
2.39.5
* [PATCH 5.10 201/286] media: streamzap: fix race between device disconnection and urb callback
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 200/286] media: streamzap: remove unused struct members Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 202/286] media: venus: venc: Init the session only once in queue_setup Greg Kroah-Hartman
` (89 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+34008406ee9a31b13c73,
Murad Masimov, Sean Young, Hans Verkuil, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
[ Upstream commit f656cfbc7a293a039d6a0c7100e1c846845148c1 ]
Syzkaller has reported a general protection fault at function
ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer
dereference of dev->raw pointer, even though it is checked for NULL in
the same function, which means there is a race condition. It occurs due
to the incorrect order of actions in the streamzap_disconnect() function:
rc_unregister_device() is called before usb_kill_urb(). The dev->raw
pointer is freed and set to NULL in rc_unregister_device(), and only
after that usb_kill_urb() waits for in-progress requests to finish.
If rc_unregister_device() is called while streamzap_callback() handler is
not finished, this can lead to accessing freed resources. Thus
rc_unregister_device() should be called after usb_kill_urb().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 8e9e60640067 ("V4L/DVB: staging/lirc: port lirc_streamzap to ir-core")
Cc: stable@vger.kernel.org
Reported-by: syzbot+34008406ee9a31b13c73@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=34008406ee9a31b13c73
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/rc/streamzap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/rc/streamzap.c b/drivers/media/rc/streamzap.c
index cd994e27362eb..c0a48f991d9d2 100644
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -433,8 +433,8 @@ static void streamzap_disconnect(struct usb_interface *interface)
if (!sz)
return;
- rc_unregister_device(sz->rdev);
usb_kill_urb(sz->urb_in);
+ rc_unregister_device(sz->rdev);
usb_free_urb(sz->urb_in);
usb_free_coherent(usbdev, sz->buf_in_len, sz->buf_in, sz->dma_in);
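Review bot: the fix depends entirely on usb_kill_urb() coming before rc_unregister_device() in streamzap_disconnect(), yet nothing in the code records that. Add a one-line comment above usb_kill_urb() saying the URB callback must be stopped before the rc device is unregistered, so a later cleanup does not put the calls back in the racy order.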
--
2.39.5
* [PATCH 5.10 202/286] media: venus: venc: Init the session only once in queue_setup
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 201/286] media: streamzap: fix race between device disconnection and urb callback Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 203/286] media: venus: Limit HFI sessions to the maximum supported Greg Kroah-Hartman
` (88 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fritz Koenig, Stanimir Varbanov,
Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
[ Upstream commit 5f2ca73dcca96c3de96a0e4d9ea24ebb46c55d2e ]
Init the hfi session only once in queue_setup and also cover that
with inst->lock.
Tested-by: Fritz Koenig <frkoenig@chromium.org>
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: 9edaaa8e3e15 ("media: venus: hfi_parser: refactor hfi packet parsing logic")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/qcom/venus/venc.c | 85 ++++++++++++++++++------
1 file changed, 64 insertions(+), 21 deletions(-)
diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
index e2d0fd5eaf29a..18d20b4ca2cfd 100644
--- a/drivers/media/platform/qcom/venus/venc.c
+++ b/drivers/media/platform/qcom/venus/venc.c
@@ -727,7 +727,9 @@ static int venc_init_session(struct venus_inst *inst)
int ret;
ret = hfi_session_init(inst, inst->fmt_cap->pixfmt);
- if (ret)
+ if (ret == -EINVAL)
+ return 0;
+ else if (ret)
return ret;
ret = venus_helper_set_input_resolution(inst, inst->width,
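Review bot: venc_init_session() now turns every -EINVAL from hfi_session_init() into success, with no comment saying which condition that code stands for. If it is meant as "session already initialised", say so in a comment and prefer an explicit state check, because a genuine invalid-argument failure would also return 0 here and skip the venus_helper_set_input_resolution() setup that follows.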
@@ -764,17 +766,13 @@ static int venc_out_num_buffers(struct venus_inst *inst, unsigned int *num)
struct hfi_buffer_requirements bufreq;
int ret;
- ret = venc_init_session(inst);
+ ret = venus_helper_get_bufreq(inst, HFI_BUFFER_INPUT, &bufreq);
if (ret)
return ret;
- ret = venus_helper_get_bufreq(inst, HFI_BUFFER_INPUT, &bufreq);
-
*num = bufreq.count_actual;
- hfi_session_deinit(inst);
-
- return ret;
+ return 0;
}
static int venc_queue_setup(struct vb2_queue *q,
@@ -783,7 +781,7 @@ static int venc_queue_setup(struct vb2_queue *q,
{
struct venus_inst *inst = vb2_get_drv_priv(q);
unsigned int num, min = 4;
- int ret = 0;
+ int ret;
if (*num_planes) {
if (q->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE &&
@@ -805,6 +803,13 @@ static int venc_queue_setup(struct vb2_queue *q,
return 0;
}
+ mutex_lock(&inst->lock);
+ ret = venc_init_session(inst);
+ mutex_unlock(&inst->lock);
+
+ if (ret)
+ return ret;
+
switch (q->type) {
case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
*num_planes = inst->fmt_out->num_planes;
@@ -840,6 +845,49 @@ static int venc_queue_setup(struct vb2_queue *q,
return ret;
}
+static int venc_buf_init(struct vb2_buffer *vb)
+{
+ struct venus_inst *inst = vb2_get_drv_priv(vb->vb2_queue);
+
+ inst->buf_count++;
+
+ return venus_helper_vb2_buf_init(vb);
+}
+
+static void venc_release_session(struct venus_inst *inst)
+{
+ int ret;
+
+ mutex_lock(&inst->lock);
+
+ ret = hfi_session_deinit(inst);
+ if (ret || inst->session_error)
+ hfi_session_abort(inst);
+
+ mutex_unlock(&inst->lock);
+
+ venus_pm_load_scale(inst);
+ INIT_LIST_HEAD(&inst->registeredbufs);
+ venus_pm_release_core(inst);
+}
+
+static void venc_buf_cleanup(struct vb2_buffer *vb)
+{
+ struct venus_inst *inst = vb2_get_drv_priv(vb->vb2_queue);
+ struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb);
+ struct venus_buffer *buf = to_venus_buffer(vbuf);
+
+ mutex_lock(&inst->lock);
+ if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
+ if (!list_empty(&inst->registeredbufs))
+ list_del_init(&buf->reg_list);
+ mutex_unlock(&inst->lock);
+
+ inst->buf_count--;
+ if (!inst->buf_count)
+ venc_release_session(inst);
+}
+
static int venc_verify_conf(struct venus_inst *inst)
{
enum hfi_version ver = inst->core->res->hfi_version;
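Review bot: inst->buf_count is incremented in venc_buf_init() and decremented and tested in venc_buf_cleanup() without holding inst->lock, although the list update just above the decrement is done under it. Move the decrement and the zero test into the locked section and call venc_release_session() after unlocking (it takes inst->lock itself), or add a comment stating what serialises these callbacks. The nested "if (vb->type == ...) if (!list_empty(...))" would also read better as one condition with &&.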
@@ -890,38 +938,32 @@ static int venc_start_streaming(struct vb2_queue *q, unsigned int count)
inst->sequence_cap = 0;
inst->sequence_out = 0;
- ret = venc_init_session(inst);
- if (ret)
- goto bufs_done;
-
ret = venus_pm_acquire_core(inst);
if (ret)
- goto deinit_sess;
+ goto error;
ret = venc_set_properties(inst);
if (ret)
- goto deinit_sess;
+ goto error;
ret = venc_verify_conf(inst);
if (ret)
- goto deinit_sess;
+ goto error;
ret = venus_helper_set_num_bufs(inst, inst->num_input_bufs,
inst->num_output_bufs, 0);
if (ret)
- goto deinit_sess;
+ goto error;
ret = venus_helper_vb2_start_streaming(inst);
if (ret)
- goto deinit_sess;
+ goto error;
mutex_unlock(&inst->lock);
return 0;
-deinit_sess:
- hfi_session_deinit(inst);
-bufs_done:
+error:
venus_helper_buffers_done(inst, q->type, VB2_BUF_STATE_QUEUED);
if (q->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE)
inst->streamon_out = 0;
@@ -933,7 +975,8 @@ static int venc_start_streaming(struct vb2_queue *q, unsigned int count)
static const struct vb2_ops venc_vb2_ops = {
.queue_setup = venc_queue_setup,
- .buf_init = venus_helper_vb2_buf_init,
+ .buf_init = venc_buf_init,
+ .buf_cleanup = venc_buf_cleanup,
.buf_prepare = venus_helper_vb2_buf_prepare,
.start_streaming = venc_start_streaming,
.stop_streaming = venus_helper_vb2_stop_streaming,
--
2.39.5
* [PATCH 5.10 203/286] media: venus: Limit HFI sessions to the maximum supported
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 202/286] media: venus: venc: Init the session only once in queue_setup Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 204/286] media: venus: hfi: Correct session init return error Greg Kroah-Hartman
` (87 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fritz Koenig, Stanimir Varbanov,
Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
[ Upstream commit 20891170f339a8754312a877f3d17f0e5dadd599 ]
Currently we rely on firmware to return an error when we reach the maximum
supported number of sessions. But these errors happen at reqbuf
time, which is a bit later. The more reasonable way seems to be to
return the error on driver open.
To achieve that, modify hfi_session_create to return an error when we reach
the maximum count of sessions and thus refuse open.
Tested-by: Fritz Koenig <frkoenig@chromium.org>
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: 9edaaa8e3e15 ("media: venus: hfi_parser: refactor hfi packet parsing logic")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/qcom/venus/core.h | 1 +
drivers/media/platform/qcom/venus/hfi.c | 16 +++++++++++++---
drivers/media/platform/qcom/venus/hfi_parser.c | 3 +++
3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/drivers/media/platform/qcom/venus/core.h b/drivers/media/platform/qcom/venus/core.h
index 75d0068033276..e56d7b8142152 100644
--- a/drivers/media/platform/qcom/venus/core.h
+++ b/drivers/media/platform/qcom/venus/core.h
@@ -96,6 +96,7 @@ struct venus_format {
#define MAX_CAP_ENTRIES 32
#define MAX_ALLOC_MODE_ENTRIES 16
#define MAX_CODEC_NUM 32
+#define MAX_SESSIONS 16
struct raw_formats {
u32 buftype;
diff --git a/drivers/media/platform/qcom/venus/hfi.c b/drivers/media/platform/qcom/venus/hfi.c
index 966b4d9b57a97..17da555905e98 100644
--- a/drivers/media/platform/qcom/venus/hfi.c
+++ b/drivers/media/platform/qcom/venus/hfi.c
@@ -178,6 +178,8 @@ static int wait_session_msg(struct venus_inst *inst)
int hfi_session_create(struct venus_inst *inst, const struct hfi_inst_ops *ops)
{
struct venus_core *core = inst->core;
+ bool max;
+ int ret;
if (!ops)
return -EINVAL;
@@ -187,11 +189,19 @@ int hfi_session_create(struct venus_inst *inst, const struct hfi_inst_ops *ops)
inst->ops = ops;
mutex_lock(&core->lock);
- list_add_tail(&inst->list, &core->instances);
- atomic_inc(&core->insts_count);
+
+ max = atomic_add_unless(&core->insts_count, 1,
+ core->max_sessions_supported);
+ if (!max) {
+ ret = -EAGAIN;
+ } else {
+ list_add_tail(&inst->list, &core->instances);
+ ret = 0;
+ }
+
mutex_unlock(&core->lock);
- return 0;
+ return ret;
}
EXPORT_SYMBOL_GPL(hfi_session_create);
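Review bot: the local `max` in hfi_session_create() holds the return value of atomic_add_unless(), which is true when the increment was done, so `if (!max)` reads as the opposite of what it tests; a name such as `added` would match the semantics. Two further points on the same lines: atomic_add_unless() only refuses when insts_count is exactly equal to core->max_sessions_supported, so a count that is ever above the limit keeps growing, and an explicit `atomic_read(&core->insts_count) >= core->max_sessions_supported` test under core->lock (which is already held here) would be more robust. Also worth a sentence in the commit message: -EAGAIN on open suggests to user space that a retry will succeed, while the condition only clears once another instance is closed.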
diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c
index 32d2a9ed44003..94981a5e8e9af 100644
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -295,6 +295,9 @@ u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf,
words_count--;
}
+ if (!core->max_sessions_supported)
+ core->max_sessions_supported = MAX_SESSIONS;
+
parser_fini(inst, codecs, domain);
return HFI_ERR_NONE;
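Review bot: the MAX_SESSIONS fallback is applied only when execution reaches the end of hfi_parser(), but hfi_session_create() compares against core->max_sessions_supported unconditionally. If that field is still 0 when the first instance is created, insts_count (0) equals the limit (0), atomic_add_unless() refuses the increment and the first open fails with -EAGAIN. Either initialise max_sessions_supported to MAX_SESSIONS where the core is set up, or have hfi_session_create() treat 0 as "limit not known yet", and add a short comment here saying that 0 means the firmware did not report a limit.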
--
2.39.5
* [PATCH 5.10 204/286] media: venus: hfi: Correct session init return error
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 203/286] media: venus: Limit HFI sessions to the maximum supported Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 205/286] media: venus: pm_helpers: Check instance state when calculate instance frequency Greg Kroah-Hartman
` (86 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fritz Koenig, Stanimir Varbanov,
Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
[ Upstream commit e922a33e0228fa314ffc4f70b3b9ffbc4aad1bbe ]
The hfi_session_init can be called many times and it returns
EINVAL when the session was already initialized. This error code
(EINVAL) is confusing for the callers. Change hfi_session_init to
return EALREADY error code when the session has been already
initialized.
Tested-by: Fritz Koenig <frkoenig@chromium.org>
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: 9edaaa8e3e15 ("media: venus: hfi_parser: refactor hfi packet parsing logic")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/qcom/venus/hfi.c | 2 +-
drivers/media/platform/qcom/venus/vdec.c | 2 +-
drivers/media/platform/qcom/venus/venc.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/media/platform/qcom/venus/hfi.c b/drivers/media/platform/qcom/venus/hfi.c
index 17da555905e98..5fd53227c2c0b 100644
--- a/drivers/media/platform/qcom/venus/hfi.c
+++ b/drivers/media/platform/qcom/venus/hfi.c
@@ -212,7 +212,7 @@ int hfi_session_init(struct venus_inst *inst, u32 pixfmt)
int ret;
if (inst->state != INST_UNINIT)
- return -EINVAL;
+ return -EALREADY;
inst->hfi_codec = to_codec_type(pixfmt);
reinit_completion(&inst->done);
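Review bot: the return contract of hfi_session_init() changes at the `inst->state != INST_UNINIT` check and is documented nowhere. Both callers touched by this patch map -EALREADY to success, so a kernel-doc line on hfi_session_init() stating that -EALREADY means "already initialised, not an error" would keep future callers from propagating it as a failure. The commit message should also confirm that vdec_session_init() and venc_init_session() are the only callers that compared against -EINVAL, since any other caller would silently change behaviour.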
diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
index d91030a134c0e..6e9b62645e917 100644
--- a/drivers/media/platform/qcom/venus/vdec.c
+++ b/drivers/media/platform/qcom/venus/vdec.c
@@ -768,7 +768,7 @@ static int vdec_session_init(struct venus_inst *inst)
int ret;
ret = hfi_session_init(inst, inst->fmt_out->pixfmt);
- if (ret == -EINVAL)
+ if (ret == -EALREADY)
return 0;
else if (ret)
return ret;
diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
index 18d20b4ca2cfd..9f1b02e31b98c 100644
--- a/drivers/media/platform/qcom/venus/venc.c
+++ b/drivers/media/platform/qcom/venus/venc.c
@@ -727,7 +727,7 @@ static int venc_init_session(struct venus_inst *inst)
int ret;
ret = hfi_session_init(inst, inst->fmt_cap->pixfmt);
- if (ret == -EINVAL)
+ if (ret == -EALREADY)
return 0;
else if (ret)
return ret;
--
2.39.5
* [PATCH 5.10 205/286] media: venus: pm_helpers: Check instance state when calculate instance frequency
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 204/286] media: venus: hfi: Correct session init return error Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 206/286] media: venus: Create hfi platform and move vpp/vsp there Greg Kroah-Hartman
` (85 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanimir Varbanov,
Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
[ Upstream commit d33a94412ed1081f30d904cab54faea7c7b839fc ]
Skip calculating instance frequency if it is not in running state.
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: 9edaaa8e3e15 ("media: venus: hfi_parser: refactor hfi packet parsing logic")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/qcom/venus/pm_helpers.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c
index fd55352d743ee..12c5811fefdf9 100644
--- a/drivers/media/platform/qcom/venus/pm_helpers.c
+++ b/drivers/media/platform/qcom/venus/pm_helpers.c
@@ -937,6 +937,9 @@ static unsigned long calculate_inst_freq(struct venus_inst *inst,
mbs_per_sec = load_per_instance(inst) / fps;
+ if (inst->state != INST_START)
+ return 0;
+
vpp_freq = mbs_per_sec * inst->clk_data.codec_freq_data->vpp_freq;
/* 21 / 20 is overhead factor */
vpp_freq += vpp_freq / 20;
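Review bot: the new `inst->state != INST_START` check in calculate_inst_freq() sits after `mbs_per_sec = load_per_instance(inst) / fps;`, so the load and the division are still computed for instances that are then skipped. Move the check to the top of the function. The commit message also does not say what goes wrong without it; the line that follows dereferences inst->clk_data.codec_freq_data, so if the point is to avoid touching that pointer before the session has set it, please say so in the message or in a comment above the check.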
--
2.39.5
* [PATCH 5.10 206/286] media: venus: Create hfi platform and move vpp/vsp there
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 205/286] media: venus: pm_helpers: Check instance state when calculate instance frequency Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 207/286] media: venus: Rename venus_caps to hfi_plat_caps Greg Kroah-Hartman
` (84 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanimir Varbanov,
Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
[ Upstream commit aa6033892b1d8ea956ce0358867806e171a620d1 ]
Introduce a new hfi platform to cover differences between hfi
versions. As a start, move vpp/vsp freq data into that hfi
platform; more platform data will come later.
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: 9edaaa8e3e15 ("media: venus: hfi_parser: refactor hfi packet parsing logic")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/qcom/venus/Makefile | 3 +-
drivers/media/platform/qcom/venus/core.c | 17 ------
drivers/media/platform/qcom/venus/core.h | 12 +---
drivers/media/platform/qcom/venus/helpers.c | 54 ++++++++---------
drivers/media/platform/qcom/venus/helpers.h | 2 +-
.../media/platform/qcom/venus/hfi_platform.c | 49 +++++++++++++++
.../media/platform/qcom/venus/hfi_platform.h | 34 +++++++++++
.../platform/qcom/venus/hfi_platform_v4.c | 60 +++++++++++++++++++
.../media/platform/qcom/venus/pm_helpers.c | 9 +--
drivers/media/platform/qcom/venus/vdec.c | 6 +-
drivers/media/platform/qcom/venus/venc.c | 6 +-
11 files changed, 179 insertions(+), 73 deletions(-)
create mode 100644 drivers/media/platform/qcom/venus/hfi_platform.c
create mode 100644 drivers/media/platform/qcom/venus/hfi_platform.h
create mode 100644 drivers/media/platform/qcom/venus/hfi_platform_v4.c
diff --git a/drivers/media/platform/qcom/venus/Makefile b/drivers/media/platform/qcom/venus/Makefile
index dfc6368657091..09ebf46716925 100644
--- a/drivers/media/platform/qcom/venus/Makefile
+++ b/drivers/media/platform/qcom/venus/Makefile
@@ -3,7 +3,8 @@
venus-core-objs += core.o helpers.o firmware.o \
hfi_venus.o hfi_msgs.o hfi_cmds.o hfi.o \
- hfi_parser.o pm_helpers.o dbgfs.o
+ hfi_parser.o pm_helpers.o dbgfs.o \
+ hfi_platform.o hfi_platform_v4.o \
venus-dec-objs += vdec.o vdec_ctrls.o
venus-enc-objs += venc.o venc_ctrls.o
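Review bot: the added line `hfi_platform.o hfi_platform_v4.o \` ends the venus-core-objs list with a line continuation, so the assignment now runs on into whatever line follows it. Drop the trailing backslash on the last object line; as written, the list only stays correct as long as the next line is empty.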
diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c
index 1859dd3f7f546..987b1d010c047 100644
--- a/drivers/media/platform/qcom/venus/core.c
+++ b/drivers/media/platform/qcom/venus/core.c
@@ -529,17 +529,6 @@ static const struct freq_tbl sdm845_freq_table[] = {
{ 244800, 100000000 }, /* 1920x1080@30 */
};
-static const struct codec_freq_data sdm845_codec_freq_data[] = {
- { V4L2_PIX_FMT_H264, VIDC_SESSION_TYPE_ENC, 675, 10 },
- { V4L2_PIX_FMT_HEVC, VIDC_SESSION_TYPE_ENC, 675, 10 },
- { V4L2_PIX_FMT_VP8, VIDC_SESSION_TYPE_ENC, 675, 10 },
- { V4L2_PIX_FMT_MPEG2, VIDC_SESSION_TYPE_DEC, 200, 10 },
- { V4L2_PIX_FMT_H264, VIDC_SESSION_TYPE_DEC, 200, 10 },
- { V4L2_PIX_FMT_HEVC, VIDC_SESSION_TYPE_DEC, 200, 10 },
- { V4L2_PIX_FMT_VP8, VIDC_SESSION_TYPE_DEC, 200, 10 },
- { V4L2_PIX_FMT_VP9, VIDC_SESSION_TYPE_DEC, 200, 10 },
-};
-
static const struct bw_tbl sdm845_bw_table_enc[] = {
{ 1944000, 1612000, 0, 2416000, 0 }, /* 3840x2160@60 */
{ 972000, 951000, 0, 1434000, 0 }, /* 3840x2160@30 */
@@ -561,8 +550,6 @@ static const struct venus_resources sdm845_res = {
.bw_tbl_enc_size = ARRAY_SIZE(sdm845_bw_table_enc),
.bw_tbl_dec = sdm845_bw_table_dec,
.bw_tbl_dec_size = ARRAY_SIZE(sdm845_bw_table_dec),
- .codec_freq_data = sdm845_codec_freq_data,
- .codec_freq_data_size = ARRAY_SIZE(sdm845_codec_freq_data),
.clks = {"core", "iface", "bus" },
.clks_num = 3,
.vcodec0_clks = { "core", "bus" },
@@ -584,8 +571,6 @@ static const struct venus_resources sdm845_res_v2 = {
.bw_tbl_enc_size = ARRAY_SIZE(sdm845_bw_table_enc),
.bw_tbl_dec = sdm845_bw_table_dec,
.bw_tbl_dec_size = ARRAY_SIZE(sdm845_bw_table_dec),
- .codec_freq_data = sdm845_codec_freq_data,
- .codec_freq_data_size = ARRAY_SIZE(sdm845_codec_freq_data),
.clks = {"core", "iface", "bus" },
.clks_num = 3,
.vcodec0_clks = { "vcodec0_core", "vcodec0_bus" },
@@ -635,8 +620,6 @@ static const struct venus_resources sc7180_res = {
.bw_tbl_enc_size = ARRAY_SIZE(sc7180_bw_table_enc),
.bw_tbl_dec = sc7180_bw_table_dec,
.bw_tbl_dec_size = ARRAY_SIZE(sc7180_bw_table_dec),
- .codec_freq_data = sdm845_codec_freq_data,
- .codec_freq_data_size = ARRAY_SIZE(sdm845_codec_freq_data),
.clks = {"core", "iface", "bus" },
.clks_num = 3,
.vcodec0_clks = { "vcodec0_core", "vcodec0_bus" },
diff --git a/drivers/media/platform/qcom/venus/core.h b/drivers/media/platform/qcom/venus/core.h
index e56d7b8142152..53d3202460ae9 100644
--- a/drivers/media/platform/qcom/venus/core.h
+++ b/drivers/media/platform/qcom/venus/core.h
@@ -36,13 +36,6 @@ struct reg_val {
u32 value;
};
-struct codec_freq_data {
- u32 pixfmt;
- u32 session_type;
- unsigned long vpp_freq;
- unsigned long vsp_freq;
-};
-
struct bw_tbl {
u32 mbs_per_sec;
u32 avg;
@@ -61,8 +54,6 @@ struct venus_resources {
unsigned int bw_tbl_dec_size;
const struct reg_val *reg_tbl;
unsigned int reg_tbl_size;
- const struct codec_freq_data *codec_freq_data;
- unsigned int codec_freq_data_size;
const char * const clks[VIDC_CLKS_NUM_MAX];
unsigned int clks_num;
const char * const vcodec0_clks[VIDC_VCODEC_CLKS_NUM_MAX];
@@ -280,7 +271,8 @@ struct venus_buffer {
struct clock_data {
u32 core_id;
unsigned long freq;
- const struct codec_freq_data *codec_freq_data;
+ unsigned long vpp_freq;
+ unsigned long vsp_freq;
};
#define to_venus_buffer(ptr) container_of(ptr, struct venus_buffer, vb)
diff --git a/drivers/media/platform/qcom/venus/helpers.c b/drivers/media/platform/qcom/venus/helpers.c
index 5fdce5f07364e..9ad8abdc4d4f2 100644
--- a/drivers/media/platform/qcom/venus/helpers.c
+++ b/drivers/media/platform/qcom/venus/helpers.c
@@ -15,6 +15,7 @@
#include "helpers.h"
#include "hfi_helper.h"
#include "pm_helpers.h"
+#include "hfi_platform.h"
struct intbuf {
struct list_head list;
@@ -1040,36 +1041,6 @@ int venus_helper_set_work_mode(struct venus_inst *inst, u32 mode)
}
EXPORT_SYMBOL_GPL(venus_helper_set_work_mode);
-int venus_helper_init_codec_freq_data(struct venus_inst *inst)
-{
- const struct codec_freq_data *data;
- unsigned int i, data_size;
- u32 pixfmt;
- int ret = 0;
-
- if (!IS_V4(inst->core))
- return 0;
-
- data = inst->core->res->codec_freq_data;
- data_size = inst->core->res->codec_freq_data_size;
- pixfmt = inst->session_type == VIDC_SESSION_TYPE_DEC ?
- inst->fmt_out->pixfmt : inst->fmt_cap->pixfmt;
-
- for (i = 0; i < data_size; i++) {
- if (data[i].pixfmt == pixfmt &&
- data[i].session_type == inst->session_type) {
- inst->clk_data.codec_freq_data = &data[i];
- break;
- }
- }
-
- if (!inst->clk_data.codec_freq_data)
- ret = -EINVAL;
-
- return ret;
-}
-EXPORT_SYMBOL_GPL(venus_helper_init_codec_freq_data);
-
int venus_helper_set_num_bufs(struct venus_inst *inst, unsigned int input_bufs,
unsigned int output_bufs,
unsigned int output2_bufs)
@@ -1535,6 +1506,29 @@ void venus_helper_m2m_job_abort(void *priv)
}
EXPORT_SYMBOL_GPL(venus_helper_m2m_job_abort);
+int venus_helper_session_init(struct venus_inst *inst)
+{
+ enum hfi_version version = inst->core->res->hfi_version;
+ u32 session_type = inst->session_type;
+ u32 codec;
+ int ret;
+
+ codec = inst->session_type == VIDC_SESSION_TYPE_DEC ?
+ inst->fmt_out->pixfmt : inst->fmt_cap->pixfmt;
+
+ ret = hfi_session_init(inst, codec);
+ if (ret)
+ return ret;
+
+ inst->clk_data.vpp_freq = hfi_platform_get_codec_vpp_freq(version, codec,
+ session_type);
+ inst->clk_data.vsp_freq = hfi_platform_get_codec_vsp_freq(version, codec,
+ session_type);
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(venus_helper_session_init);
+
void venus_helper_init_instance(struct venus_inst *inst)
{
if (inst->session_type == VIDC_SESSION_TYPE_DEC) {
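Review bot: venus_helper_session_init() drops the error handling that the removed venus_helper_init_codec_freq_data() had. The old helper returned -EINVAL on a v4 core when no table entry matched the pixfmt and session type; the new code stores whatever hfi_platform_get_codec_vpp_freq() and hfi_platform_get_codec_vsp_freq() return, and both return 0 on a miss, so an unsupported codec now initialises successfully with vpp_freq and vsp_freq of 0. Those values are later used as multipliers in decide_core() and calculate_inst_freq(), which would then compute a zero load and frequency. If that is intended for non-v4 cores, please keep the failure for v4 (for example, return -EINVAL when the platform exists but the lookup yields 0) or document why a zero frequency is acceptable.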
diff --git a/drivers/media/platform/qcom/venus/helpers.h b/drivers/media/platform/qcom/venus/helpers.h
index a4a0562bc83f5..5407979bf234b 100644
--- a/drivers/media/platform/qcom/venus/helpers.h
+++ b/drivers/media/platform/qcom/venus/helpers.h
@@ -33,7 +33,6 @@ int venus_helper_set_output_resolution(struct venus_inst *inst,
unsigned int width, unsigned int height,
u32 buftype);
int venus_helper_set_work_mode(struct venus_inst *inst, u32 mode);
-int venus_helper_init_codec_freq_data(struct venus_inst *inst);
int venus_helper_set_num_bufs(struct venus_inst *inst, unsigned int input_bufs,
unsigned int output_bufs,
unsigned int output2_bufs);
@@ -48,6 +47,7 @@ unsigned int venus_helper_get_opb_size(struct venus_inst *inst);
void venus_helper_acquire_buf_ref(struct vb2_v4l2_buffer *vbuf);
void venus_helper_release_buf_ref(struct venus_inst *inst, unsigned int idx);
void venus_helper_init_instance(struct venus_inst *inst);
+int venus_helper_session_init(struct venus_inst *inst);
int venus_helper_get_out_fmts(struct venus_inst *inst, u32 fmt, u32 *out_fmt,
u32 *out2_fmt, bool ubwc);
int venus_helper_alloc_dpb_bufs(struct venus_inst *inst);
diff --git a/drivers/media/platform/qcom/venus/hfi_platform.c b/drivers/media/platform/qcom/venus/hfi_platform.c
new file mode 100644
index 0000000000000..65559cae21aaa
--- /dev/null
+++ b/drivers/media/platform/qcom/venus/hfi_platform.c
@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (c) 2020, The Linux Foundation. All rights reserved.
+ */
+#include "hfi_platform.h"
+
+const struct hfi_platform *hfi_platform_get(enum hfi_version version)
+{
+ switch (version) {
+ case HFI_VERSION_4XX:
+ return &hfi_plat_v4;
+ default:
+ break;
+ }
+
+ return NULL;
+}
+
+unsigned long
+hfi_platform_get_codec_vpp_freq(enum hfi_version version, u32 codec, u32 session_type)
+{
+ const struct hfi_platform *plat;
+ unsigned long freq = 0;
+
+ plat = hfi_platform_get(version);
+ if (!plat)
+ return 0;
+
+ if (plat->codec_vpp_freq)
+ freq = plat->codec_vpp_freq(session_type, codec);
+
+ return freq;
+}
+
+unsigned long
+hfi_platform_get_codec_vsp_freq(enum hfi_version version, u32 codec, u32 session_type)
+{
+ const struct hfi_platform *plat;
+ unsigned long freq = 0;
+
+ plat = hfi_platform_get(version);
+ if (!plat)
+ return 0;
+
+ if (plat->codec_vpp_freq)
+ freq = plat->codec_vsp_freq(session_type, codec);
+
+ return freq;
+}
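Review bot: hfi_platform_get_codec_vsp_freq() tests the wrong callback before calling: the guard is `if (plat->codec_vpp_freq)` but the call is `plat->codec_vsp_freq(session_type, codec)`. A platform that provides codec_vpp_freq and leaves codec_vsp_freq NULL would call through a NULL function pointer here. The guard should be `if (plat->codec_vsp_freq)`. hfi_plat_v4 sets both ops, so this does not trigger with the platform added in this patch, but the check exists for platforms that do not.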
diff --git a/drivers/media/platform/qcom/venus/hfi_platform.h b/drivers/media/platform/qcom/venus/hfi_platform.h
new file mode 100644
index 0000000000000..8b07ecbb4c825
--- /dev/null
+++ b/drivers/media/platform/qcom/venus/hfi_platform.h
@@ -0,0 +1,34 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Copyright (c) 2020, The Linux Foundation. All rights reserved.
+ */
+
+#ifndef __HFI_PLATFORM_H__
+#define __HFI_PLATFORM_H__
+
+#include <linux/types.h>
+#include <linux/videodev2.h>
+
+#include "hfi.h"
+#include "hfi_helper.h"
+
+struct hfi_platform_codec_freq_data {
+ u32 pixfmt;
+ u32 session_type;
+ unsigned long vpp_freq;
+ unsigned long vsp_freq;
+};
+
+struct hfi_platform {
+ unsigned long (*codec_vpp_freq)(u32 session_type, u32 codec);
+ unsigned long (*codec_vsp_freq)(u32 session_type, u32 codec);
+};
+
+extern const struct hfi_platform hfi_plat_v4;
+
+const struct hfi_platform *hfi_platform_get(enum hfi_version version);
+unsigned long hfi_platform_get_codec_vpp_freq(enum hfi_version version, u32 codec,
+ u32 session_type);
+unsigned long hfi_platform_get_codec_vsp_freq(enum hfi_version version, u32 codec,
+ u32 session_type);
+#endif
diff --git a/drivers/media/platform/qcom/venus/hfi_platform_v4.c b/drivers/media/platform/qcom/venus/hfi_platform_v4.c
new file mode 100644
index 0000000000000..4fc2fd04ca9d1
--- /dev/null
+++ b/drivers/media/platform/qcom/venus/hfi_platform_v4.c
@@ -0,0 +1,60 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (c) 2020, The Linux Foundation. All rights reserved.
+ */
+#include "hfi_platform.h"
+
+static const struct hfi_platform_codec_freq_data codec_freq_data[] = {
+ { V4L2_PIX_FMT_H264, VIDC_SESSION_TYPE_ENC, 675, 10 },
+ { V4L2_PIX_FMT_HEVC, VIDC_SESSION_TYPE_ENC, 675, 10 },
+ { V4L2_PIX_FMT_VP8, VIDC_SESSION_TYPE_ENC, 675, 10 },
+ { V4L2_PIX_FMT_MPEG2, VIDC_SESSION_TYPE_DEC, 200, 10 },
+ { V4L2_PIX_FMT_H264, VIDC_SESSION_TYPE_DEC, 200, 10 },
+ { V4L2_PIX_FMT_HEVC, VIDC_SESSION_TYPE_DEC, 200, 10 },
+ { V4L2_PIX_FMT_VP8, VIDC_SESSION_TYPE_DEC, 200, 10 },
+ { V4L2_PIX_FMT_VP9, VIDC_SESSION_TYPE_DEC, 200, 10 },
+};
+
+static const struct hfi_platform_codec_freq_data *
+get_codec_freq_data(u32 session_type, u32 pixfmt)
+{
+ const struct hfi_platform_codec_freq_data *data = codec_freq_data;
+ unsigned int i, data_size = ARRAY_SIZE(codec_freq_data);
+ const struct hfi_platform_codec_freq_data *found = NULL;
+
+ for (i = 0; i < data_size; i++) {
+ if (data[i].pixfmt == pixfmt && data[i].session_type == session_type) {
+ found = &data[i];
+ break;
+ }
+ }
+
+ return found;
+}
+
+static unsigned long codec_vpp_freq(u32 session_type, u32 codec)
+{
+ const struct hfi_platform_codec_freq_data *data;
+
+ data = get_codec_freq_data(session_type, codec);
+ if (data)
+ return data->vpp_freq;
+
+ return 0;
+}
+
+static unsigned long codec_vsp_freq(u32 session_type, u32 codec)
+{
+ const struct hfi_platform_codec_freq_data *data;
+
+ data = get_codec_freq_data(session_type, codec);
+ if (data)
+ return data->vsp_freq;
+
+ return 0;
+}
+
+const struct hfi_platform hfi_plat_v4 = {
+ .codec_vpp_freq = codec_vpp_freq,
+ .codec_vsp_freq = codec_vsp_freq,
+};
diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c
index 12c5811fefdf9..7c3541c35ab69 100644
--- a/drivers/media/platform/qcom/venus/pm_helpers.c
+++ b/drivers/media/platform/qcom/venus/pm_helpers.c
@@ -18,6 +18,7 @@
#include "hfi_parser.h"
#include "hfi_venus_io.h"
#include "pm_helpers.h"
+#include "hfi_platform.h"
static bool legacy_binding;
@@ -506,7 +507,7 @@ min_loaded_core(struct venus_inst *inst, u32 *min_coreid, u32 *min_load)
if (inst_pos->state != INST_START)
continue;
- vpp_freq = inst_pos->clk_data.codec_freq_data->vpp_freq;
+ vpp_freq = inst_pos->clk_data.vpp_freq;
coreid = inst_pos->clk_data.core_id;
mbs_per_sec = load_per_instance(inst_pos);
@@ -555,7 +556,7 @@ static int decide_core(struct venus_inst *inst)
return 0;
inst_load = load_per_instance(inst);
- inst_load *= inst->clk_data.codec_freq_data->vpp_freq;
+ inst_load *= inst->clk_data.vpp_freq;
max_freq = core->res->freq_tbl[0].freq;
min_loaded_core(inst, &min_coreid, &min_load);
@@ -940,10 +941,10 @@ static unsigned long calculate_inst_freq(struct venus_inst *inst,
if (inst->state != INST_START)
return 0;
- vpp_freq = mbs_per_sec * inst->clk_data.codec_freq_data->vpp_freq;
+ vpp_freq = mbs_per_sec * inst->clk_data.vpp_freq;
/* 21 / 20 is overhead factor */
vpp_freq += vpp_freq / 20;
- vsp_freq = mbs_per_sec * inst->clk_data.codec_freq_data->vsp_freq;
+ vsp_freq = mbs_per_sec * inst->clk_data.vsp_freq;
/* 10 / 7 is overhead factor */
if (inst->session_type == VIDC_SESSION_TYPE_ENC)
diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
index 6e9b62645e917..68390143d37df 100644
--- a/drivers/media/platform/qcom/venus/vdec.c
+++ b/drivers/media/platform/qcom/venus/vdec.c
@@ -767,7 +767,7 @@ static int vdec_session_init(struct venus_inst *inst)
{
int ret;
- ret = hfi_session_init(inst, inst->fmt_out->pixfmt);
+ ret = venus_helper_session_init(inst);
if (ret == -EALREADY)
return 0;
else if (ret)
@@ -778,10 +778,6 @@ static int vdec_session_init(struct venus_inst *inst)
if (ret)
goto deinit;
- ret = venus_helper_init_codec_freq_data(inst);
- if (ret)
- goto deinit;
-
return 0;
deinit:
hfi_session_deinit(inst);
diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
index 9f1b02e31b98c..bc62cb02458c9 100644
--- a/drivers/media/platform/qcom/venus/venc.c
+++ b/drivers/media/platform/qcom/venus/venc.c
@@ -726,7 +726,7 @@ static int venc_init_session(struct venus_inst *inst)
{
int ret;
- ret = hfi_session_init(inst, inst->fmt_cap->pixfmt);
+ ret = venus_helper_session_init(inst);
if (ret == -EALREADY)
return 0;
else if (ret)
@@ -747,10 +747,6 @@ static int venc_init_session(struct venus_inst *inst)
if (ret)
goto deinit;
- ret = venus_helper_init_codec_freq_data(inst);
- if (ret)
- goto deinit;
-
ret = venc_set_properties(inst);
if (ret)
goto deinit;
--
2.39.5
* [PATCH 5.10 207/286] media: venus: Rename venus_caps to hfi_plat_caps
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 206/286] media: venus: Create hfi platform and move vpp/vsp there Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 208/286] media: venus: hfi_plat: Add codecs and capabilities ops Greg Kroah-Hartman
` (83 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanimir Varbanov,
Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
[ Upstream commit 8f3b41dcfb9a0fa2d2ca0af51c3eebd670dc153b ]
Now that we have an hfi platform, make the venus capabilities
hfi platform capabilities.
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: 9edaaa8e3e15 ("media: venus: hfi_parser: refactor hfi packet parsing logic")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/qcom/venus/core.h | 30 ++-----------------
drivers/media/platform/qcom/venus/helpers.c | 6 ++--
.../media/platform/qcom/venus/hfi_parser.c | 18 +++++------
.../media/platform/qcom/venus/hfi_parser.h | 2 +-
.../media/platform/qcom/venus/hfi_platform.h | 25 ++++++++++++++++
5 files changed, 41 insertions(+), 40 deletions(-)
diff --git a/drivers/media/platform/qcom/venus/core.h b/drivers/media/platform/qcom/venus/core.h
index 53d3202460ae9..785a5bbb19c3c 100644
--- a/drivers/media/platform/qcom/venus/core.h
+++ b/drivers/media/platform/qcom/venus/core.h
@@ -14,6 +14,7 @@
#include "dbgfs.h"
#include "hfi.h"
+#include "hfi_platform.h"
#define VDBGL "VenusLow : "
#define VDBGM "VenusMed : "
@@ -82,31 +83,6 @@ struct venus_format {
u32 flags;
};
-#define MAX_PLANES 4
-#define MAX_FMT_ENTRIES 32
-#define MAX_CAP_ENTRIES 32
-#define MAX_ALLOC_MODE_ENTRIES 16
-#define MAX_CODEC_NUM 32
-#define MAX_SESSIONS 16
-
-struct raw_formats {
- u32 buftype;
- u32 fmt;
-};
-
-struct venus_caps {
- u32 codec;
- u32 domain;
- bool cap_bufs_mode_dynamic;
- unsigned int num_caps;
- struct hfi_capability caps[MAX_CAP_ENTRIES];
- unsigned int num_pl;
- struct hfi_profile_level pl[HFI_MAX_PROFILE_COUNT];
- unsigned int num_fmts;
- struct raw_formats fmts[MAX_FMT_ENTRIES];
- bool valid; /* used only for Venus v1xx */
-};
-
/**
* struct venus_core - holds core parameters valid for all instances
*
@@ -199,7 +175,7 @@ struct venus_core {
void *priv;
const struct hfi_ops *ops;
struct delayed_work work;
- struct venus_caps caps[MAX_CODEC_NUM];
+ struct hfi_plat_caps caps[MAX_CODEC_NUM];
unsigned int codecs_count;
unsigned int core0_usage_count;
unsigned int core1_usage_count;
@@ -434,7 +410,7 @@ static inline void *to_hfi_priv(struct venus_core *core)
return core->priv;
}
-static inline struct venus_caps *
+static inline struct hfi_plat_caps *
venus_caps_by_codec(struct venus_core *core, u32 codec, u32 domain)
{
unsigned int c;
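Review bot: the rename is incomplete at venus_caps_by_codec(): the return type becomes struct hfi_plat_caps * while the function keeps the venus_caps name, so the header now has a venus_caps_by_codec() that returns something other than venus_caps. Either rename the helper in this patch as well, or say in the commit message that the function name is left alone on purpose (for example, to keep this stable dependency minimal).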
diff --git a/drivers/media/platform/qcom/venus/helpers.c b/drivers/media/platform/qcom/venus/helpers.c
index 9ad8abdc4d4f2..dcf9fc0da1ce4 100644
--- a/drivers/media/platform/qcom/venus/helpers.c
+++ b/drivers/media/platform/qcom/venus/helpers.c
@@ -481,7 +481,7 @@ session_process_buf(struct venus_inst *inst, struct vb2_v4l2_buffer *vbuf)
static bool is_dynamic_bufmode(struct venus_inst *inst)
{
struct venus_core *core = inst->core;
- struct venus_caps *caps;
+ struct hfi_plat_caps *caps;
/*
* v4 doesn't send BUFFER_ALLOC_MODE_SUPPORTED property and supports
@@ -1539,7 +1539,7 @@ void venus_helper_init_instance(struct venus_inst *inst)
}
EXPORT_SYMBOL_GPL(venus_helper_init_instance);
-static bool find_fmt_from_caps(struct venus_caps *caps, u32 buftype, u32 fmt)
+static bool find_fmt_from_caps(struct hfi_plat_caps *caps, u32 buftype, u32 fmt)
{
unsigned int i;
@@ -1556,7 +1556,7 @@ int venus_helper_get_out_fmts(struct venus_inst *inst, u32 v4l2_fmt,
u32 *out_fmt, u32 *out2_fmt, bool ubwc)
{
struct venus_core *core = inst->core;
- struct venus_caps *caps;
+ struct hfi_plat_caps *caps;
u32 ubwc_fmt, fmt = to_hfi_raw_fmt(v4l2_fmt);
bool found, found_ubwc;
diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c
index 94981a5e8e9af..be9a58ef04d86 100644
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -11,12 +11,12 @@
#include "hfi_helper.h"
#include "hfi_parser.h"
-typedef void (*func)(struct venus_caps *cap, const void *data,
+typedef void (*func)(struct hfi_plat_caps *cap, const void *data,
unsigned int size);
static void init_codecs(struct venus_core *core)
{
- struct venus_caps *caps = core->caps, *cap;
+ struct hfi_plat_caps *caps = core->caps, *cap;
unsigned long bit;
core->codecs_count = 0;
@@ -39,11 +39,11 @@ static void init_codecs(struct venus_core *core)
}
}
-static void for_each_codec(struct venus_caps *caps, unsigned int caps_num,
+static void for_each_codec(struct hfi_plat_caps *caps, unsigned int caps_num,
u32 codecs, u32 domain, func cb, void *data,
unsigned int size)
{
- struct venus_caps *cap;
+ struct hfi_plat_caps *cap;
unsigned int i;
for (i = 0; i < caps_num; i++) {
@@ -56,7 +56,7 @@ static void for_each_codec(struct venus_caps *caps, unsigned int caps_num,
}
static void
-fill_buf_mode(struct venus_caps *cap, const void *data, unsigned int num)
+fill_buf_mode(struct hfi_plat_caps *cap, const void *data, unsigned int num)
{
const u32 *type = data;
@@ -86,7 +86,7 @@ parse_alloc_mode(struct venus_core *core, u32 codecs, u32 domain, void *data)
}
}
-static void fill_profile_level(struct venus_caps *cap, const void *data,
+static void fill_profile_level(struct hfi_plat_caps *cap, const void *data,
unsigned int num)
{
const struct hfi_profile_level *pl = data;
@@ -115,7 +115,7 @@ parse_profile_level(struct venus_core *core, u32 codecs, u32 domain, void *data)
}
static void
-fill_caps(struct venus_caps *cap, const void *data, unsigned int num)
+fill_caps(struct hfi_plat_caps *cap, const void *data, unsigned int num)
{
const struct hfi_capability *caps = data;
@@ -143,7 +143,7 @@ parse_caps(struct venus_core *core, u32 codecs, u32 domain, void *data)
fill_caps, caps_arr, num_caps);
}
-static void fill_raw_fmts(struct venus_caps *cap, const void *fmts,
+static void fill_raw_fmts(struct hfi_plat_caps *cap, const void *fmts,
unsigned int num_fmts)
{
const struct raw_formats *formats = fmts;
@@ -228,7 +228,7 @@ static void parser_init(struct venus_inst *inst, u32 *codecs, u32 *domain)
static void parser_fini(struct venus_inst *inst, u32 codecs, u32 domain)
{
- struct venus_caps *caps, *cap;
+ struct hfi_plat_caps *caps, *cap;
unsigned int i;
u32 dom;
diff --git a/drivers/media/platform/qcom/venus/hfi_parser.h b/drivers/media/platform/qcom/venus/hfi_parser.h
index 264e6dd2415fe..7f59d82110f9c 100644
--- a/drivers/media/platform/qcom/venus/hfi_parser.h
+++ b/drivers/media/platform/qcom/venus/hfi_parser.h
@@ -16,7 +16,7 @@ static inline u32 get_cap(struct venus_inst *inst, u32 type, u32 which)
{
struct venus_core *core = inst->core;
struct hfi_capability *cap = NULL;
- struct venus_caps *caps;
+ struct hfi_plat_caps *caps;
unsigned int i;
caps = venus_caps_by_codec(core, inst->hfi_codec, inst->session_type);
diff --git a/drivers/media/platform/qcom/venus/hfi_platform.h b/drivers/media/platform/qcom/venus/hfi_platform.h
index 8b07ecbb4c825..6794232322557 100644
--- a/drivers/media/platform/qcom/venus/hfi_platform.h
+++ b/drivers/media/platform/qcom/venus/hfi_platform.h
@@ -12,6 +12,31 @@
#include "hfi.h"
#include "hfi_helper.h"
+#define MAX_PLANES 4
+#define MAX_FMT_ENTRIES 32
+#define MAX_CAP_ENTRIES 32
+#define MAX_ALLOC_MODE_ENTRIES 16
+#define MAX_CODEC_NUM 32
+#define MAX_SESSIONS 16
+
+struct raw_formats {
+ u32 buftype;
+ u32 fmt;
+};
+
+struct hfi_plat_caps {
+ u32 codec;
+ u32 domain;
+ bool cap_bufs_mode_dynamic;
+ unsigned int num_caps;
+ struct hfi_capability caps[MAX_CAP_ENTRIES];
+ unsigned int num_pl;
+ struct hfi_profile_level pl[HFI_MAX_PROFILE_COUNT];
+ unsigned int num_fmts;
+ struct raw_formats fmts[MAX_FMT_ENTRIES];
+ bool valid; /* used only for Venus v1xx */
+};
+
struct hfi_platform_codec_freq_data {
u32 pixfmt;
u32 session_type;
--
2.39.5
* [PATCH 5.10 208/286] media: venus: hfi_plat: Add codecs and capabilities ops
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanimir Varbanov,
Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
[ Upstream commit 9822291e031f6d7149ae4f3fc00bd9c33ac2a084 ]
Add ops to get the codecs and capabilities supported by the platform.
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: 9edaaa8e3e15 ("media: venus: hfi_parser: refactor hfi packet parsing logic")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/qcom/venus/hfi_platform.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/platform/qcom/venus/hfi_platform.h b/drivers/media/platform/qcom/venus/hfi_platform.h
index 6794232322557..50512d142662f 100644
--- a/drivers/media/platform/qcom/venus/hfi_platform.h
+++ b/drivers/media/platform/qcom/venus/hfi_platform.h
@@ -47,6 +47,8 @@ struct hfi_platform_codec_freq_data {
struct hfi_platform {
unsigned long (*codec_vpp_freq)(u32 session_type, u32 codec);
unsigned long (*codec_vsp_freq)(u32 session_type, u32 codec);
+ void (*codecs)(u32 *enc_codecs, u32 *dec_codecs, u32 *count);
+ const struct hfi_plat_caps *(*capabilities)(unsigned int *entries);
};
extern const struct hfi_platform hfi_plat_v4;
--
2.39.5
* [PATCH 5.10 209/286] media: venus: Get codecs and capabilities from hfi platform
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanimir Varbanov,
Mauro Carvalho Chehab, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
[ Upstream commit e29929266be1ac0e40121f56b5c13b52c281db06 ]
Wire up hfi platform codec and capabilities instead of
getting them from firmware.
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: 9edaaa8e3e15 ("media: venus: hfi_parser: refactor hfi packet parsing logic")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../media/platform/qcom/venus/hfi_parser.c | 38 +++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c
index be9a58ef04d86..7a2915befdb83 100644
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -245,11 +245,49 @@ static void parser_fini(struct venus_inst *inst, u32 codecs, u32 domain)
}
}
+static int hfi_platform_parser(struct venus_core *core, struct venus_inst *inst)
+{
+ const struct hfi_platform *plat;
+ const struct hfi_plat_caps *caps = NULL;
+ u32 enc_codecs, dec_codecs, count;
+ unsigned int entries;
+
+ if (inst)
+ return 0;
+
+ plat = hfi_platform_get(core->res->hfi_version);
+ if (!plat)
+ return -EINVAL;
+
+ if (plat->codecs)
+ plat->codecs(&enc_codecs, &dec_codecs, &count);
+
+ if (plat->capabilities)
+ caps = plat->capabilities(&entries);
+
+ if (!caps || !entries || !count)
+ return -EINVAL;
+
+ core->enc_codecs = enc_codecs;
+ core->dec_codecs = dec_codecs;
+ core->codecs_count = count;
+ core->max_sessions_supported = MAX_SESSIONS;
+ memset(core->caps, 0, sizeof(*caps) * MAX_CODEC_NUM);
+ memcpy(core->caps, caps, sizeof(*caps) * entries);
+
+ return 0;
+}
+
u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf,
u32 size)
{
unsigned int words_count = size >> 2;
u32 *word = buf, *data, codecs = 0, domain = 0;
+ int ret;
+
+ ret = hfi_platform_parser(core, inst);
+ if (!ret)
+ return HFI_ERR_NONE;
if (size % 4)
return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
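Review bot: In hfi_platform_parser(), count is read uninitialized when plat->codecs is NULL: the test "if (!caps || !entries || !count)" then looks at a stack value nothing has written (entries escapes this only because !caps short-circuits first). Initialise enc_codecs, dec_codecs, count and entries to 0 at their declarations. The memcpy into core->caps also trusts entries, although the memset on the line before sizes the destination as MAX_CODEC_NUM elements, so entries > MAX_CODEC_NUM should be rejected. Finally, "if (inst) return 0;" makes hfi_parser() return HFI_ERR_NONE for every per-instance call before any packet is looked at; if that is intended it needs a comment.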
--
2.39.5
* [PATCH 5.10 210/286] media: venus: hfi_parser: refactor hfi packet parsing logic
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Bryan ODonoghue,
Hans Verkuil, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
[ Upstream commit 9edaaa8e3e15aab1ca413ab50556de1975bcb329 ]
words_count denotes the number of words in the total payload, while data
points to the payload of the various properties within it. When words_count
reaches the last word, data can access memory beyond the total payload. This
can lead to OOB access. With this patch, the utility API for handling
individual properties now returns the size of the data consumed. Accordingly,
the remaining bytes are calculated before parsing the payload, thereby
eliminating the OOB access possibilities.
Cc: stable@vger.kernel.org
Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../media/platform/qcom/venus/hfi_parser.c | 98 ++++++++++++++-----
1 file changed, 72 insertions(+), 26 deletions(-)
diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c
index 7a2915befdb83..c6be1564c876d 100644
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -64,7 +64,7 @@ fill_buf_mode(struct hfi_plat_caps *cap, const void *data, unsigned int num)
cap->cap_bufs_mode_dynamic = true;
}
-static void
+static int
parse_alloc_mode(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_buffer_alloc_mode_supported *mode = data;
@@ -72,7 +72,7 @@ parse_alloc_mode(struct venus_core *core, u32 codecs, u32 domain, void *data)
u32 *type;
if (num_entries > MAX_ALLOC_MODE_ENTRIES)
- return;
+ return -EINVAL;
type = mode->data;
@@ -84,6 +84,8 @@ parse_alloc_mode(struct venus_core *core, u32 codecs, u32 domain, void *data)
type++;
}
+
+ return sizeof(*mode);
}
static void fill_profile_level(struct hfi_plat_caps *cap, const void *data,
@@ -98,7 +100,7 @@ static void fill_profile_level(struct hfi_plat_caps *cap, const void *data,
cap->num_pl += num;
}
-static void
+static int
parse_profile_level(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_profile_level_supported *pl = data;
@@ -106,12 +108,14 @@ parse_profile_level(struct venus_core *core, u32 codecs, u32 domain, void *data)
struct hfi_profile_level pl_arr[HFI_MAX_PROFILE_COUNT] = {};
if (pl->profile_count > HFI_MAX_PROFILE_COUNT)
- return;
+ return -EINVAL;
memcpy(pl_arr, proflevel, pl->profile_count * sizeof(*proflevel));
for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
fill_profile_level, pl_arr, pl->profile_count);
+
+ return pl->profile_count * sizeof(*proflevel) + sizeof(u32);
}
static void
@@ -126,7 +130,7 @@ fill_caps(struct hfi_plat_caps *cap, const void *data, unsigned int num)
cap->num_caps += num;
}
-static void
+static int
parse_caps(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_capabilities *caps = data;
@@ -135,12 +139,14 @@ parse_caps(struct venus_core *core, u32 codecs, u32 domain, void *data)
struct hfi_capability caps_arr[MAX_CAP_ENTRIES] = {};
if (num_caps > MAX_CAP_ENTRIES)
- return;
+ return -EINVAL;
memcpy(caps_arr, cap, num_caps * sizeof(*cap));
for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
fill_caps, caps_arr, num_caps);
+
+ return sizeof(*caps);
}
static void fill_raw_fmts(struct hfi_plat_caps *cap, const void *fmts,
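Review bot: parse_caps() reports sizeof(*caps) as consumed whatever num_caps is, while the memcpy just above reads num_caps * sizeof(*cap) bytes from the payload. The return value exists so the caller can track remaining bytes, so it should be derived from num_caps, the way parse_profile_level() derives its size from profile_count. The copy itself also happens before anyone has checked that num_caps entries are actually left in the packet; passing the remaining byte count into the helper would let it reject a short payload before the memcpy.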
@@ -155,7 +161,7 @@ static void fill_raw_fmts(struct hfi_plat_caps *cap, const void *fmts,
cap->num_fmts += num_fmts;
}
-static void
+static int
parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_uncompressed_format_supported *fmt = data;
@@ -164,7 +170,8 @@ parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data)
struct raw_formats rawfmts[MAX_FMT_ENTRIES] = {};
u32 entries = fmt->format_entries;
unsigned int i = 0;
- u32 num_planes;
+ u32 num_planes = 0;
+ u32 size;
while (entries) {
num_planes = pinfo->num_planes;
@@ -174,7 +181,7 @@ parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data)
i++;
if (i >= MAX_FMT_ENTRIES)
- return;
+ return -EINVAL;
if (pinfo->num_planes > MAX_PLANES)
break;
@@ -186,9 +193,13 @@ parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data)
for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
fill_raw_fmts, rawfmts, i);
+ size = fmt->format_entries * (sizeof(*constr) * num_planes + 2 * sizeof(u32))
+ + 2 * sizeof(u32);
+
+ return size;
}
-static void parse_codecs(struct venus_core *core, void *data)
+static int parse_codecs(struct venus_core *core, void *data)
{
struct hfi_codec_supported *codecs = data;
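Review bot: The size returned from parse_raw_formats() multiplies fmt->format_entries by the num_planes of whichever entry the loop visited last, so it is only correct when every entry has the same plane count, and after the "pinfo->num_planes > MAX_PLANES" break it is computed from the value that was just rejected. Both factors are read from the packet, and the product is stored in a u32 and returned as int, so a large value can truncate or go negative. Accumulate the size per entry inside the loop, and return -EINVAL on an over-limit plane count instead of breaking out.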
@@ -200,21 +211,27 @@ static void parse_codecs(struct venus_core *core, void *data)
core->dec_codecs &= ~HFI_VIDEO_CODEC_SPARK;
core->enc_codecs &= ~HFI_VIDEO_CODEC_HEVC;
}
+
+ return sizeof(*codecs);
}
-static void parse_max_sessions(struct venus_core *core, const void *data)
+static int parse_max_sessions(struct venus_core *core, const void *data)
{
const struct hfi_max_sessions_supported *sessions = data;
core->max_sessions_supported = sessions->max_sessions;
+
+ return sizeof(*sessions);
}
-static void parse_codecs_mask(u32 *codecs, u32 *domain, void *data)
+static int parse_codecs_mask(u32 *codecs, u32 *domain, void *data)
{
struct hfi_codec_mask_supported *mask = data;
*codecs = mask->codecs;
*domain = mask->video_domains;
+
+ return sizeof(*mask);
}
static void parser_init(struct venus_inst *inst, u32 *codecs, u32 *domain)
@@ -281,8 +298,9 @@ static int hfi_platform_parser(struct venus_core *core, struct venus_inst *inst)
u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf,
u32 size)
{
- unsigned int words_count = size >> 2;
- u32 *word = buf, *data, codecs = 0, domain = 0;
+ u32 *words = buf, *payload, codecs = 0, domain = 0;
+ u32 *frame_size = buf + size;
+ u32 rem_bytes = size;
int ret;
ret = hfi_platform_parser(core, inst);
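Review bot: frame_size holds the end-of-buffer pointer, not a size, which makes the later "words < frame_size" comparison read oddly; a name such as end or frame_end would match its use. rem_bytes is initialised to size here, before the "size % 4" check that follows in the function, which is fine, but a short comment that rem_bytes counts payload bytes still to be parsed would help the reader of the loop below.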
@@ -299,38 +317,66 @@ u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf,
memset(core->caps, 0, sizeof(core->caps));
}
- while (words_count) {
- data = word + 1;
+ while (words < frame_size) {
+ payload = words + 1;
- switch (*word) {
+ switch (*words) {
case HFI_PROPERTY_PARAM_CODEC_SUPPORTED:
- parse_codecs(core, data);
+ if (rem_bytes <= sizeof(struct hfi_codec_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_codecs(core, payload);
+ if (ret < 0)
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
init_codecs(core);
break;
case HFI_PROPERTY_PARAM_MAX_SESSIONS_SUPPORTED:
- parse_max_sessions(core, data);
+ if (rem_bytes <= sizeof(struct hfi_max_sessions_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_max_sessions(core, payload);
break;
case HFI_PROPERTY_PARAM_CODEC_MASK_SUPPORTED:
- parse_codecs_mask(&codecs, &domain, data);
+ if (rem_bytes <= sizeof(struct hfi_codec_mask_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_codecs_mask(&codecs, &domain, payload);
break;
case HFI_PROPERTY_PARAM_UNCOMPRESSED_FORMAT_SUPPORTED:
- parse_raw_formats(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_uncompressed_format_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_raw_formats(core, codecs, domain, payload);
break;
case HFI_PROPERTY_PARAM_CAPABILITY_SUPPORTED:
- parse_caps(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_capabilities))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_caps(core, codecs, domain, payload);
break;
case HFI_PROPERTY_PARAM_PROFILE_LEVEL_SUPPORTED:
- parse_profile_level(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_profile_level_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_profile_level(core, codecs, domain, payload);
break;
case HFI_PROPERTY_PARAM_BUFFER_ALLOC_MODE_SUPPORTED:
- parse_alloc_mode(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_buffer_alloc_mode_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_alloc_mode(core, codecs, domain, payload);
break;
default:
+ ret = sizeof(u32);
break;
}
- word++;
- words_count--;
+ if (ret < 0)
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ words += ret / sizeof(u32);
+ rem_bytes -= ret;
}
if (!core->max_sessions_supported)
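Review bot: At the bottom of the rewritten loop, "rem_bytes -= ret" has no check that ret <= rem_bytes. The guards before each call compare rem_bytes only with the fixed struct size, but parse_profile_level() and parse_raw_formats() return sizes that scale with counts read from the packet, so the u32 rem_bytes can wrap and every later "rem_bytes <=" guard then passes. Test "ret > rem_bytes" alongside "ret < 0". Also, payload is words + 1 while words advances only by ret / sizeof(u32), so the next iteration starts on the last payload word rather than on the next property id, and rem_bytes never accounts for the id word; advancing by the id word plus the payload would keep both in step.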
--
2.39.5
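The accounting the commit message above describes (each property helper returns the bytes it consumed, and the remaining bytes are checked before the payload is touched), as an added stand-alone C example. It is not the venus driver's code: the property ids, struct layouts, limits and the sample packet are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ids and limits for this example; not the venus HFI values. */
#define PROP_MAX_SESSIONS  0x1u
#define PROP_PROFILE_LEVEL 0x2u
#define MAX_PROFILES       4u

struct profile_level { uint32_t profile, level; };

struct parsed {
	uint32_t max_sessions;
	uint32_t num_pl;
	struct profile_level pl[MAX_PROFILES];
};

/* Constructed packet: id, payload, id, count, then count (profile, level) pairs. */
static const uint32_t sample_packet[] = {
	PROP_MAX_SESSIONS, 16,
	PROP_PROFILE_LEVEL, 2, 1, 10, 2, 20,
};

/* Helpers get the bytes left after the id word; return bytes consumed or -1. */
static int parse_max_sessions(struct parsed *out, const uint8_t *p, size_t rem)
{
	if (rem < sizeof(uint32_t))
		return -1;	/* id was the last word: no payload to read */
	memcpy(&out->max_sessions, p, sizeof(uint32_t));
	return (int)sizeof(uint32_t);
}

static int parse_profile_level(struct parsed *out, const uint8_t *p, size_t rem)
{
	uint32_t count;
	size_t need;

	if (rem < sizeof(count))
		return -1;
	memcpy(&count, p, sizeof(count));
	if (count > MAX_PROFILES)
		return -1;	/* would overflow out->pl */
	need = sizeof(count) + (size_t)count * sizeof(struct profile_level);
	if (need > rem)
		return -1;	/* count claims more data than the packet holds */
	memcpy(out->pl, p + sizeof(count), need - sizeof(count));
	out->num_pl = count;
	return (int)need;
}

/* Returns 0 on success, -1 on a malformed packet. Never reads past buf + size. */
int parse_properties(struct parsed *out, const void *buf, size_t size)
{
	const uint8_t *p = buf;
	size_t rem = size;

	if (size % 4)
		return -1;
	memset(out, 0, sizeof(*out));

	while (rem >= sizeof(uint32_t)) {
		uint32_t id;
		int used;

		memcpy(&id, p, sizeof(id));
		p += sizeof(id);	/* account for the id word itself */
		rem -= sizeof(id);

		switch (id) {
		case PROP_MAX_SESSIONS:
			used = parse_max_sessions(out, p, rem);
			break;
		case PROP_PROFILE_LEVEL:
			used = parse_profile_level(out, p, rem);
			break;
		default:
			used = 0;	/* unknown word: only the id is skipped */
			break;
		}
		if (used < 0 || (size_t)used > rem)
			return -1;
		p += used;
		rem -= (size_t)used;
	}
	return 0;
}

int main(void)
{
	struct parsed out;
	int rc = parse_properties(&out, sample_packet, sizeof(sample_packet));

	printf("full packet: rc=%d sessions=%u profiles=%u\n",
	       rc, (unsigned)out.max_sessions, (unsigned)out.num_pl);
	/* Same packet cut to 24 bytes: the profile list no longer fits. */
	printf("truncated packet: rc=%d\n",
	       parse_properties(&out, sample_packet, 24));
	return 0;
}
```

Because the cursor moves past the id word and the whole payload, the payload values 1 and 2 in the sample are never reinterpreted as property ids.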
* [PATCH 5.10 211/286] net: dsa: mv88e6xxx: fix VTU methods for 6320 family
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Behún, Andrew Lunn,
Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Behún <kabel@kernel.org>
[ Upstream commit f9a457722cf5e3534be5ffab549d6b49737fca72 ]
The VTU registers of the 6320 family use the 6352 semantics, not 6185.
Fix it.
Fixes: b8fee9571063 ("net: dsa: mv88e6xxx: add VLAN Get Next support")
Signed-off-by: Marek Behún <kabel@kernel.org>
Cc: <stable@vger.kernel.org> # 5.15.x
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250317173250.28780-2-kabel@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mv88e6xxx/chip.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index e590ea87b6ea2..ebc8580873940 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -4170,8 +4170,8 @@ static const struct mv88e6xxx_ops mv88e6320_ops = {
.mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu,
.pot_clear = mv88e6xxx_g2_pot_clear,
.reset = mv88e6352_g1_reset,
- .vtu_getnext = mv88e6185_g1_vtu_getnext,
- .vtu_loadpurge = mv88e6185_g1_vtu_loadpurge,
+ .vtu_getnext = mv88e6352_g1_vtu_getnext,
+ .vtu_loadpurge = mv88e6352_g1_vtu_loadpurge,
.gpio_ops = &mv88e6352_gpio_ops,
.avb_ops = &mv88e6352_avb_ops,
.ptp_ops = &mv88e6352_ptp_ops,
@@ -4212,8 +4212,8 @@ static const struct mv88e6xxx_ops mv88e6321_ops = {
.watchdog_ops = &mv88e6390_watchdog_ops,
.mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu,
.reset = mv88e6352_g1_reset,
- .vtu_getnext = mv88e6185_g1_vtu_getnext,
- .vtu_loadpurge = mv88e6185_g1_vtu_loadpurge,
+ .vtu_getnext = mv88e6352_g1_vtu_getnext,
+ .vtu_loadpurge = mv88e6352_g1_vtu_loadpurge,
.gpio_ops = &mv88e6352_gpio_ops,
.avb_ops = &mv88e6352_avb_ops,
.ptp_ops = &mv88e6352_ptp_ops,
--
2.39.5
* [PATCH 5.10 212/286] soc: samsung: exynos-chipid: initialize later - with arch_initcall
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzk@kernel.org>
[ Upstream commit 3b4c362e5ef102ca2d70d33f4e8cf0780053a7db ]
The Exynos ChipID driver on Exynos SoCs has only an informational
purpose - to expose the SoC device in sysfs. No other drivers
depend on it so there is really no benefit of initializing it early.
Instead, initialize everything with arch_initcall which:
1. Allows using dev_info() as the SoC bus is present (since
core_initcall),
2. Could speed things up because of execution in a SMP environment
(after bringing up secondary CPUs, unlike early_initcall),
3. Reduces the amount of work to be done early, when the kernel has to
bring up critical devices.
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Link: https://lore.kernel.org/r/20201202195955.128633-2-krzk@kernel.org
Stable-dep-of: c8222ef6cf29 ("soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/samsung/exynos-chipid.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/soc/samsung/exynos-chipid.c b/drivers/soc/samsung/exynos-chipid.c
index 8d4d050869068..0f2de1b016a59 100644
--- a/drivers/soc/samsung/exynos-chipid.c
+++ b/drivers/soc/samsung/exynos-chipid.c
@@ -98,9 +98,9 @@ static int __init exynos_chipid_early_init(void)
goto err;
}
- /* it is too early to use dev_info() here (soc_dev is NULL) */
- pr_info("soc soc0: Exynos: CPU[%s] PRO_ID[0x%x] REV[0x%x] Detected\n",
- soc_dev_attr->soc_id, product_id, revision);
+ dev_info(soc_device_to_device(soc_dev),
+ "Exynos: CPU[%s] PRO_ID[0x%x] REV[0x%x] Detected\n",
+ soc_dev_attr->soc_id, product_id, revision);
return 0;
@@ -110,4 +110,4 @@ static int __init exynos_chipid_early_init(void)
return ret;
}
-early_initcall(exynos_chipid_early_init);
+arch_initcall(exynos_chipid_early_init);
--
2.39.5
* [PATCH 5.10 213/286] soc: samsung: exynos-chipid: convert to driver and merge exynos-asv
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Pankaj Dubey,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzk@kernel.org>
[ Upstream commit 352bfbb3e0230c96b2bce00d2ac3f0de303cc7b6 ]
The Exynos Chip ID driver on Exynos SoCs has so far had only an informational
purpose - to expose the SoC device in sysfs. No other drivers depend on
it so there is really no benefit of initializing it early.
The code would be the most flexible if converted to a regular driver.
However there is already another driver - Exynos ASV (Adaptive Supply
Voltage) - which binds to the device node of Chip ID.
The solution is to convert the Exynos Chip ID to a built in driver and
merge the Exynos ASV into it.
This has several benefits:
1. Although the Exynos ASV driver binds to a device node present in all
Exynos DTS (generic compatible), it fails to probe except on the
supported ones (only Exynos5422). This means that the regular boot
process has a planned/normal device probe failure.
Merging the ASV into Chip ID will remove this probe failure because
the final driver will always bind, just with disabled ASV features.
2. Allows using dev_info() as the SoC bus is present (since
core_initcall).
3. Could speed things up because of execution of Chip ID code in a SMP
environment (after bringing up secondary CPUs, unlike early_initcall).
This reduces the amount of work to be done early, when the kernel has
to bring up critical devices.
5. Makes the Chip ID code defer-probe friendly.
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Link: https://lore.kernel.org/r/20201207190517.262051-5-krzk@kernel.org
Reviewed-by: Pankaj Dubey <pankaj.dubey@samsung.com>
Stable-dep-of: c8222ef6cf29 ("soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-exynos/Kconfig | 1 -
drivers/soc/samsung/Kconfig | 12 +++--
drivers/soc/samsung/Makefile | 3 +-
drivers/soc/samsung/exynos-asv.c | 45 +++++--------------
drivers/soc/samsung/exynos-asv.h | 2 +
drivers/soc/samsung/exynos-chipid.c | 69 ++++++++++++++++++++---------
6 files changed, 67 insertions(+), 65 deletions(-)
diff --git a/arch/arm/mach-exynos/Kconfig b/arch/arm/mach-exynos/Kconfig
index b5df98ee5d176..4b554cc8fa58a 100644
--- a/arch/arm/mach-exynos/Kconfig
+++ b/arch/arm/mach-exynos/Kconfig
@@ -13,7 +13,6 @@ menuconfig ARCH_EXYNOS
select ARM_GIC
select EXYNOS_IRQ_COMBINER
select COMMON_CLK_SAMSUNG
- select EXYNOS_ASV
select EXYNOS_CHIPID
select EXYNOS_THERMAL
select EXYNOS_PMU
diff --git a/drivers/soc/samsung/Kconfig b/drivers/soc/samsung/Kconfig
index fc7f48a922881..5745d7e5908e9 100644
--- a/drivers/soc/samsung/Kconfig
+++ b/drivers/soc/samsung/Kconfig
@@ -7,21 +7,19 @@ menuconfig SOC_SAMSUNG
if SOC_SAMSUNG
-config EXYNOS_ASV
- bool "Exynos Adaptive Supply Voltage support" if COMPILE_TEST
- depends on (ARCH_EXYNOS && EXYNOS_CHIPID) || COMPILE_TEST
- select EXYNOS_ASV_ARM if ARM && ARCH_EXYNOS
-
# There is no need to enable these drivers for ARMv8
config EXYNOS_ASV_ARM
bool "Exynos ASV ARMv7-specific driver extensions" if COMPILE_TEST
- depends on EXYNOS_ASV
+ depends on EXYNOS_CHIPID
config EXYNOS_CHIPID
- bool "Exynos Chipid controller driver" if COMPILE_TEST
+ bool "Exynos ChipID controller and ASV driver" if COMPILE_TEST
depends on ARCH_EXYNOS || COMPILE_TEST
+ select EXYNOS_ASV_ARM if ARM && ARCH_EXYNOS
select MFD_SYSCON
select SOC_BUS
+ help
+ Support for Samsung Exynos SoC ChipID and Adaptive Supply Voltage.
config EXYNOS_PMU
bool "Exynos PMU controller driver" if COMPILE_TEST
diff --git a/drivers/soc/samsung/Makefile b/drivers/soc/samsung/Makefile
index 59e8e9453f27c..0c523a8de4ebf 100644
--- a/drivers/soc/samsung/Makefile
+++ b/drivers/soc/samsung/Makefile
@@ -1,9 +1,8 @@
# SPDX-License-Identifier: GPL-2.0
-obj-$(CONFIG_EXYNOS_ASV) += exynos-asv.o
obj-$(CONFIG_EXYNOS_ASV_ARM) += exynos5422-asv.o
-obj-$(CONFIG_EXYNOS_CHIPID) += exynos-chipid.o
+obj-$(CONFIG_EXYNOS_CHIPID) += exynos-chipid.o exynos-asv.o
obj-$(CONFIG_EXYNOS_PMU) += exynos-pmu.o
obj-$(CONFIG_EXYNOS_PMU_ARM_DRIVERS) += exynos3250-pmu.o exynos4-pmu.o \
diff --git a/drivers/soc/samsung/exynos-asv.c b/drivers/soc/samsung/exynos-asv.c
index 5daeadc363829..d60af8acc3916 100644
--- a/drivers/soc/samsung/exynos-asv.c
+++ b/drivers/soc/samsung/exynos-asv.c
@@ -2,7 +2,9 @@
/*
* Copyright (c) 2019 Samsung Electronics Co., Ltd.
* http://www.samsung.com/
+ * Copyright (c) 2020 Krzysztof Kozlowski <krzk@kernel.org>
* Author: Sylwester Nawrocki <s.nawrocki@samsung.com>
+ * Author: Krzysztof Kozlowski <krzk@kernel.org>
*
* Samsung Exynos SoC Adaptive Supply Voltage support
*/
@@ -10,12 +12,7 @@
#include <linux/cpu.h>
#include <linux/device.h>
#include <linux/errno.h>
-#include <linux/init.h>
-#include <linux/mfd/syscon.h>
-#include <linux/module.h>
#include <linux/of.h>
-#include <linux/of_device.h>
-#include <linux/platform_device.h>
#include <linux/pm_opp.h>
#include <linux/regmap.h>
#include <linux/soc/samsung/exynos-chipid.h>
@@ -111,7 +108,7 @@ static int exynos_asv_update_opps(struct exynos_asv *asv)
return 0;
}
-static int exynos_asv_probe(struct platform_device *pdev)
+int exynos_asv_init(struct device *dev, struct regmap *regmap)
{
int (*probe_func)(struct exynos_asv *asv);
struct exynos_asv *asv;
@@ -119,21 +116,16 @@ static int exynos_asv_probe(struct platform_device *pdev)
u32 product_id = 0;
int ret, i;
- asv = devm_kzalloc(&pdev->dev, sizeof(*asv), GFP_KERNEL);
+ asv = devm_kzalloc(dev, sizeof(*asv), GFP_KERNEL);
if (!asv)
return -ENOMEM;
- asv->chipid_regmap = device_node_to_regmap(pdev->dev.of_node);
- if (IS_ERR(asv->chipid_regmap)) {
- dev_err(&pdev->dev, "Could not find syscon regmap\n");
- return PTR_ERR(asv->chipid_regmap);
- }
-
+ asv->chipid_regmap = regmap;
+ asv->dev = dev;
ret = regmap_read(asv->chipid_regmap, EXYNOS_CHIPID_REG_PRO_ID,
&product_id);
if (ret < 0) {
- dev_err(&pdev->dev, "Cannot read revision from ChipID: %d\n",
- ret);
+ dev_err(dev, "Cannot read revision from ChipID: %d\n", ret);
return -ENODEV;
}
@@ -142,7 +134,9 @@ static int exynos_asv_probe(struct platform_device *pdev)
probe_func = exynos5422_asv_init;
break;
default:
- return -ENODEV;
+ dev_dbg(dev, "No ASV support for this SoC\n");
+ devm_kfree(dev, asv);
+ return 0;
}
cpu_dev = get_cpu_device(0);
@@ -150,14 +144,11 @@ static int exynos_asv_probe(struct platform_device *pdev)
if (ret < 0)
return -EPROBE_DEFER;
- ret = of_property_read_u32(pdev->dev.of_node, "samsung,asv-bin",
+ ret = of_property_read_u32(dev->of_node, "samsung,asv-bin",
&asv->of_bin);
if (ret < 0)
asv->of_bin = -EINVAL;
- asv->dev = &pdev->dev;
- dev_set_drvdata(&pdev->dev, asv);
-
for (i = 0; i < ARRAY_SIZE(asv->subsys); i++)
asv->subsys[i].asv = asv;
@@ -167,17 +158,3 @@ static int exynos_asv_probe(struct platform_device *pdev)
return exynos_asv_update_opps(asv);
}
-
-static const struct of_device_id exynos_asv_of_device_ids[] = {
- { .compatible = "samsung,exynos4210-chipid" },
- {}
-};
-
-static struct platform_driver exynos_asv_driver = {
- .driver = {
- .name = "exynos-asv",
- .of_match_table = exynos_asv_of_device_ids,
- },
- .probe = exynos_asv_probe,
-};
-module_platform_driver(exynos_asv_driver);
diff --git a/drivers/soc/samsung/exynos-asv.h b/drivers/soc/samsung/exynos-asv.h
index 3fd1f2acd9995..dcbe154db31e0 100644
--- a/drivers/soc/samsung/exynos-asv.h
+++ b/drivers/soc/samsung/exynos-asv.h
@@ -68,4 +68,6 @@ static inline u32 exynos_asv_opp_get_frequency(const struct exynos_asv_subsys *s
return __asv_get_table_entry(&subsys->table, level, 0);
}
+int exynos_asv_init(struct device *dev, struct regmap *regmap);
+
#endif /* __LINUX_SOC_EXYNOS_ASV_H */
diff --git a/drivers/soc/samsung/exynos-chipid.c b/drivers/soc/samsung/exynos-chipid.c
index 0f2de1b016a59..2ab6ce71e9be5 100644
--- a/drivers/soc/samsung/exynos-chipid.c
+++ b/drivers/soc/samsung/exynos-chipid.c
@@ -2,20 +2,28 @@
/*
* Copyright (c) 2019 Samsung Electronics Co., Ltd.
* http://www.samsung.com/
+ * Copyright (c) 2020 Krzysztof Kozlowski <krzk@kernel.org>
*
* Exynos - CHIP ID support
* Author: Pankaj Dubey <pankaj.dubey@samsung.com>
* Author: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+ * Author: Krzysztof Kozlowski <krzk@kernel.org>
+ *
+ * Samsung Exynos SoC Adaptive Supply Voltage and Chip ID support
*/
-#include <linux/io.h>
+#include <linux/device.h>
+#include <linux/errno.h>
#include <linux/mfd/syscon.h>
#include <linux/of.h>
+#include <linux/platform_device.h>
#include <linux/regmap.h>
#include <linux/slab.h>
#include <linux/soc/samsung/exynos-chipid.h>
#include <linux/sys_soc.h>
+#include "exynos-asv.h"
+
static const struct exynos_soc_id {
const char *name;
unsigned int id;
@@ -45,25 +53,17 @@ static const char * __init product_id_to_soc_id(unsigned int product_id)
return NULL;
}
-static int __init exynos_chipid_early_init(void)
+static int exynos_chipid_probe(struct platform_device *pdev)
{
struct soc_device_attribute *soc_dev_attr;
struct soc_device *soc_dev;
struct device_node *root;
- struct device_node *syscon;
struct regmap *regmap;
u32 product_id;
u32 revision;
int ret;
- syscon = of_find_compatible_node(NULL, NULL,
- "samsung,exynos4210-chipid");
- if (!syscon)
- return -ENODEV;
-
- regmap = device_node_to_regmap(syscon);
- of_node_put(syscon);
-
+ regmap = device_node_to_regmap(pdev->dev.of_node);
if (IS_ERR(regmap))
return PTR_ERR(regmap);
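Review bot: exynos_chipid_probe() drops __init in this hunk, but the helper named in the hunk header, product_id_to_soc_id(), is still marked __init and is called from the probe path further down. A probe is ordinary driver code that can run, or be deferred until, after init memory has been released, so this is a section mismatch and a potential call into discarded text. Remove __init from the helper in the same patch, along with any init-only annotation on the data it reads.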
@@ -73,7 +73,8 @@ static int __init exynos_chipid_early_init(void)
revision = product_id & EXYNOS_REV_MASK;
- soc_dev_attr = kzalloc(sizeof(*soc_dev_attr), GFP_KERNEL);
+ soc_dev_attr = devm_kzalloc(&pdev->dev, sizeof(*soc_dev_attr),
+ GFP_KERNEL);
if (!soc_dev_attr)
return -ENOMEM;
@@ -83,20 +84,24 @@ static int __init exynos_chipid_early_init(void)
of_property_read_string(root, "model", &soc_dev_attr->machine);
of_node_put(root);
- soc_dev_attr->revision = kasprintf(GFP_KERNEL, "%x", revision);
+ soc_dev_attr->revision = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "%x", revision);
soc_dev_attr->soc_id = product_id_to_soc_id(product_id);
if (!soc_dev_attr->soc_id) {
pr_err("Unknown SoC\n");
- ret = -ENODEV;
- goto err;
+ return -ENODEV;
}
/* please note that the actual registration will be deferred */
soc_dev = soc_device_register(soc_dev_attr);
- if (IS_ERR(soc_dev)) {
- ret = PTR_ERR(soc_dev);
+ if (IS_ERR(soc_dev))
+ return PTR_ERR(soc_dev);
+
+ ret = exynos_asv_init(&pdev->dev, regmap);
+ if (ret)
goto err;
- }
+
+ platform_set_drvdata(pdev, soc_dev);
dev_info(soc_device_to_device(soc_dev),
"Exynos: CPU[%s] PRO_ID[0x%x] REV[0x%x] Detected\n",
@@ -105,9 +110,31 @@ static int __init exynos_chipid_early_init(void)
return 0;
err:
- kfree(soc_dev_attr->revision);
- kfree(soc_dev_attr);
+ soc_device_unregister(soc_dev);
+
return ret;
}
-arch_initcall(exynos_chipid_early_init);
+static int exynos_chipid_remove(struct platform_device *pdev)
+{
+ struct soc_device *soc_dev = platform_get_drvdata(pdev);
+
+ soc_device_unregister(soc_dev);
+
+ return 0;
+}
+
+static const struct of_device_id exynos_chipid_of_device_ids[] = {
+ { .compatible = "samsung,exynos4210-chipid" },
+ {}
+};
+
+static struct platform_driver exynos_chipid_driver = {
+ .driver = {
+ .name = "exynos-chipid",
+ .of_match_table = exynos_chipid_of_device_ids,
+ },
+ .probe = exynos_chipid_probe,
+ .remove = exynos_chipid_remove,
+};
+builtin_platform_driver(exynos_chipid_driver);
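Review bot: exynos_chipid_remove() only calls soc_device_unregister(), yet probe also runs exynos_asv_init(&pdev->dev, regmap), and the driver is registered with builtin_platform_driver() without suppress_bind_attrs, so the device can still be unbound through sysfs. Please confirm that everything exynos_asv_init() sets up is devm-managed against &pdev->dev; if it is not, either undo it in remove or set .suppress_bind_attrs = true and drop the remove callback.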
--
2.39.5
* [PATCH 5.10 214/286] soc: samsung: exynos-chipid: avoid soc_device_to_device()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 213/286] soc: samsung: exynos-chipid: convert to driver and merge exynos-asv Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 215/286] soc: samsung: exynos-chipid: Pass revision reg offsets Greg Kroah-Hartman
` (76 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Sylwester Nawrocki, Alim Akhtar, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
[ Upstream commit d1141886c8d72ad77920e6e4b617d366e6e3ee8a ]
soc_device_to_device() seems to be discouraged [1] so remove it in favor
of printing info message with platform device. This will only change
the prefix in the info message from "soc soc0: " to "exynos-chipid
10000000.chipid:".
[1] https://lore.kernel.org/lkml/20191111052741.GB3176397@kroah.com/
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Reviewed-by: Sylwester Nawrocki <snawrocki@kernel.org>
Tested-by: Sylwester Nawrocki <snawrocki@kernel.org>
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Tested-by: Alim Akhtar <alim.akhtar@samsung.com>
Link: https://lore.kernel.org/r/20210919093114.35987-2-krzysztof.kozlowski@canonical.com
Stable-dep-of: c8222ef6cf29 ("soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/samsung/exynos-chipid.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/soc/samsung/exynos-chipid.c b/drivers/soc/samsung/exynos-chipid.c
index 2ab6ce71e9be5..2b02af5d2faff 100644
--- a/drivers/soc/samsung/exynos-chipid.c
+++ b/drivers/soc/samsung/exynos-chipid.c
@@ -103,8 +103,7 @@ static int exynos_chipid_probe(struct platform_device *pdev)
platform_set_drvdata(pdev, soc_dev);
- dev_info(soc_device_to_device(soc_dev),
- "Exynos: CPU[%s] PRO_ID[0x%x] REV[0x%x] Detected\n",
+ dev_info(&pdev->dev, "Exynos: CPU[%s] PRO_ID[0x%x] REV[0x%x] Detected\n",
soc_dev_attr->soc_id, product_id, revision);
return 0;
--
2.39.5
* [PATCH 5.10 215/286] soc: samsung: exynos-chipid: Pass revision reg offsets
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 214/286] soc: samsung: exynos-chipid: avoid soc_device_to_device() Greg Kroah-Hartman
@ 2025-04-29 16:41 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 216/286] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Greg Kroah-Hartman
` (75 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Protsenko, Henrik Grimler,
Krzysztof Kozlowski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Protsenko <semen.protsenko@linaro.org>
[ Upstream commit c072c4ef7ef09e1d6470c48cf52570487589b76a ]
Old Exynos SoCs have both Product ID and Revision ID in one single
register, while new SoCs tend to have two separate registers for those
IDs. Implement handling of both cases by passing Revision ID register
offsets in driver data.
Previously existing macros for Exynos4210 (removed in this patch) were
incorrect:
#define EXYNOS_SUBREV_MASK (0xf << 4)
#define EXYNOS_MAINREV_MASK (0xf << 0)
Actual format of PRO_ID register in Exynos4210 (offset 0x0):
[31:12] Product ID
[9:8] Package information
[7:4] Main Revision Number
[3:0] Sub Revision Number
This patch doesn't change the behavior on existing platforms, so
'/sys/devices/soc0/revision' will show the same string as before.
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
Tested-by: Henrik Grimler <henrik@grimler.se>
Link: https://lore.kernel.org/r/20211014133508.1210-1-semen.protsenko@linaro.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Stable-dep-of: c8222ef6cf29 ("soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/samsung/exynos-chipid.c | 69 +++++++++++++++++++----
include/linux/soc/samsung/exynos-chipid.h | 6 +-
2 files changed, 60 insertions(+), 15 deletions(-)
diff --git a/drivers/soc/samsung/exynos-chipid.c b/drivers/soc/samsung/exynos-chipid.c
index 2b02af5d2faff..a2d163a1b4e11 100644
--- a/drivers/soc/samsung/exynos-chipid.c
+++ b/drivers/soc/samsung/exynos-chipid.c
@@ -16,6 +16,7 @@
#include <linux/errno.h>
#include <linux/mfd/syscon.h>
#include <linux/of.h>
+#include <linux/of_device.h>
#include <linux/platform_device.h>
#include <linux/regmap.h>
#include <linux/slab.h>
@@ -24,6 +25,17 @@
#include "exynos-asv.h"
+struct exynos_chipid_variant {
+ unsigned int rev_reg; /* revision register offset */
+ unsigned int main_rev_shift; /* main revision offset in rev_reg */
+ unsigned int sub_rev_shift; /* sub revision offset in rev_reg */
+};
+
+struct exynos_chipid_info {
+ u32 product_id;
+ u32 revision;
+};
+
static const struct exynos_soc_id {
const char *name;
unsigned int id;
@@ -48,31 +60,57 @@ static const char * __init product_id_to_soc_id(unsigned int product_id)
int i;
for (i = 0; i < ARRAY_SIZE(soc_ids); i++)
- if ((product_id & EXYNOS_MASK) == soc_ids[i].id)
+ if (product_id == soc_ids[i].id)
return soc_ids[i].name;
return NULL;
}
+static int exynos_chipid_get_chipid_info(struct regmap *regmap,
+ const struct exynos_chipid_variant *data,
+ struct exynos_chipid_info *soc_info)
+{
+ int ret;
+ unsigned int val, main_rev, sub_rev;
+
+ ret = regmap_read(regmap, EXYNOS_CHIPID_REG_PRO_ID, &val);
+ if (ret < 0)
+ return ret;
+ soc_info->product_id = val & EXYNOS_MASK;
+
+ if (data->rev_reg != EXYNOS_CHIPID_REG_PRO_ID) {
+ ret = regmap_read(regmap, data->rev_reg, &val);
+ if (ret < 0)
+ return ret;
+ }
+ main_rev = (val >> data->main_rev_shift) & EXYNOS_REV_PART_MASK;
+ sub_rev = (val >> data->sub_rev_shift) & EXYNOS_REV_PART_MASK;
+ soc_info->revision = (main_rev << EXYNOS_REV_PART_SHIFT) | sub_rev;
+
+ return 0;
+}
+
static int exynos_chipid_probe(struct platform_device *pdev)
{
+ const struct exynos_chipid_variant *drv_data;
+ struct exynos_chipid_info soc_info;
struct soc_device_attribute *soc_dev_attr;
struct soc_device *soc_dev;
struct device_node *root;
struct regmap *regmap;
- u32 product_id;
- u32 revision;
int ret;
+ drv_data = of_device_get_match_data(&pdev->dev);
+ if (!drv_data)
+ return -EINVAL;
+
regmap = device_node_to_regmap(pdev->dev.of_node);
if (IS_ERR(regmap))
return PTR_ERR(regmap);
- ret = regmap_read(regmap, EXYNOS_CHIPID_REG_PRO_ID, &product_id);
+ ret = exynos_chipid_get_chipid_info(regmap, drv_data, &soc_info);
if (ret < 0)
return ret;
- revision = product_id & EXYNOS_REV_MASK;
-
soc_dev_attr = devm_kzalloc(&pdev->dev, sizeof(*soc_dev_attr),
GFP_KERNEL);
if (!soc_dev_attr)
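Review bot: product_id_to_soc_id() now compares its argument directly against soc_ids[i].id, so it silently depends on every caller passing a value already masked with EXYNOS_MASK, which today happens only in exynos_chipid_get_chipid_info() via val & EXYNOS_MASK. Document that precondition on the helper or keep the mask inside it, otherwise a later caller that passes the raw PRO_ID register ends up in the "Unknown SoC" path. A short comment at the if (data->rev_reg != EXYNOS_CHIPID_REG_PRO_ID) test would also make clear that val is deliberately reused from the first read when both IDs share one register.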
@@ -85,8 +123,8 @@ static int exynos_chipid_probe(struct platform_device *pdev)
of_node_put(root);
soc_dev_attr->revision = devm_kasprintf(&pdev->dev, GFP_KERNEL,
- "%x", revision);
- soc_dev_attr->soc_id = product_id_to_soc_id(product_id);
+ "%x", soc_info.revision);
+ soc_dev_attr->soc_id = product_id_to_soc_id(soc_info.product_id);
if (!soc_dev_attr->soc_id) {
pr_err("Unknown SoC\n");
return -ENODEV;
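Review bot: The devm_kasprintf() call whose argument changes here still stores its result in soc_dev_attr->revision without a NULL check, so an allocation failure hands a NULL revision string to soc_device_register(). Add if (!soc_dev_attr->revision) return -ENOMEM; directly after the call; no unwinding is needed because both allocations are devm-managed. While touching this block, pr_err("Unknown SoC\n") could become dev_err(&pdev->dev, ...) now that a device is available.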
@@ -104,7 +142,7 @@ static int exynos_chipid_probe(struct platform_device *pdev)
platform_set_drvdata(pdev, soc_dev);
dev_info(&pdev->dev, "Exynos: CPU[%s] PRO_ID[0x%x] REV[0x%x] Detected\n",
- soc_dev_attr->soc_id, product_id, revision);
+ soc_dev_attr->soc_id, soc_info.product_id, soc_info.revision);
return 0;
@@ -123,9 +161,18 @@ static int exynos_chipid_remove(struct platform_device *pdev)
return 0;
}
+static const struct exynos_chipid_variant exynos4210_chipid_drv_data = {
+ .rev_reg = 0x0,
+ .main_rev_shift = 4,
+ .sub_rev_shift = 0,
+};
+
static const struct of_device_id exynos_chipid_of_device_ids[] = {
- { .compatible = "samsung,exynos4210-chipid" },
- {}
+ {
+ .compatible = "samsung,exynos4210-chipid",
+ .data = &exynos4210_chipid_drv_data,
+ },
+ { }
};
static struct platform_driver exynos_chipid_driver = {
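Review bot: .rev_reg = 0x0 in exynos4210_chipid_drv_data is a bare constant that exynos_chipid_get_chipid_info() compares against EXYNOS_CHIPID_REG_PRO_ID to decide whether a second regmap_read() is needed. Use EXYNOS_CHIPID_REG_PRO_ID in the initializer so the "same register" case is expressed by name and cannot drift from the comparison.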
diff --git a/include/linux/soc/samsung/exynos-chipid.h b/include/linux/soc/samsung/exynos-chipid.h
index 8bca6763f99c1..62f0e25310687 100644
--- a/include/linux/soc/samsung/exynos-chipid.h
+++ b/include/linux/soc/samsung/exynos-chipid.h
@@ -9,10 +9,8 @@
#define __LINUX_SOC_EXYNOS_CHIPID_H
#define EXYNOS_CHIPID_REG_PRO_ID 0x00
-#define EXYNOS_SUBREV_MASK (0xf << 4)
-#define EXYNOS_MAINREV_MASK (0xf << 0)
-#define EXYNOS_REV_MASK (EXYNOS_SUBREV_MASK | \
- EXYNOS_MAINREV_MASK)
+#define EXYNOS_REV_PART_MASK 0xf
+#define EXYNOS_REV_PART_SHIFT 4
#define EXYNOS_MASK 0xfffff000
#define EXYNOS_CHIPID_REG_PKG_ID 0x04
--
2.39.5
* [PATCH 5.10 216/286] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2025-04-29 16:41 ` [PATCH 5.10 215/286] soc: samsung: exynos-chipid: Pass revision reg offsets Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 217/286] iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check Greg Kroah-Hartman
` (74 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Krzysztof Kozlowski,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
[ Upstream commit c8222ef6cf29dd7cad21643228f96535cc02b327 ]
soc_dev_attr->revision could be NULL, thus,
a pointer check is added to prevent potential NULL pointer dereference.
This is similar to the fix in commit 3027e7b15b02
("ice: Fix some null pointer dereference issues in ice_ptp.c").
This issue is found by our static analysis tool.
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Link: https://lore.kernel.org/r/20250212213518.69432-1-chenyuan0y@gmail.com
Fixes: 3253b7b7cd44 ("soc: samsung: Add exynos chipid driver support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/samsung/exynos-chipid.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/soc/samsung/exynos-chipid.c b/drivers/soc/samsung/exynos-chipid.c
index a2d163a1b4e11..fb9e80b63b917 100644
--- a/drivers/soc/samsung/exynos-chipid.c
+++ b/drivers/soc/samsung/exynos-chipid.c
@@ -124,6 +124,8 @@ static int exynos_chipid_probe(struct platform_device *pdev)
soc_dev_attr->revision = devm_kasprintf(&pdev->dev, GFP_KERNEL,
"%x", soc_info.revision);
+ if (!soc_dev_attr->revision)
+ return -ENOMEM;
soc_dev_attr->soc_id = product_id_to_soc_id(soc_info.product_id);
if (!soc_dev_attr->soc_id) {
pr_err("Unknown SoC\n");
--
2.39.5
* [PATCH 5.10 217/286] iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 216/286] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 218/286] iio: adc: ad7768-1: Fix conversion result sign Greg Kroah-Hartman
` (73 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Sá, Jonathan Cameron,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Upstream commit 0af1c801a15225304a6328258efbf2bee245c654 ]
The data used is all in local variables so there is no advantage
in setting *val = ret with the direct mode claim held.
Move it later to after error check.
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20250217141630.897334-13-jic23@kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 8236644f5ecb ("iio: adc: ad7768-1: Fix conversion result sign")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad7768-1.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
index 4afa50e5c058a..c409b498fc313 100644
--- a/drivers/iio/adc/ad7768-1.c
+++ b/drivers/iio/adc/ad7768-1.c
@@ -369,12 +369,11 @@ static int ad7768_read_raw(struct iio_dev *indio_dev,
return ret;
ret = ad7768_scan_direct(indio_dev);
- if (ret >= 0)
- *val = ret;
iio_device_release_direct_mode(indio_dev);
if (ret < 0)
return ret;
+ *val = ret;
return IIO_VAL_INT;
--
2.39.5
* [PATCH 5.10 218/286] iio: adc: ad7768-1: Fix conversion result sign
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 217/286] iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 219/286] backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Greg Kroah-Hartman
` (72 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Marcelo Schmitt,
Sergiu Cuciurean, Jonathan Santos, Stable, Jonathan Cameron,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergiu Cuciurean <sergiu.cuciurean@analog.com>
[ Upstream commit 8236644f5ecb180e80ad92d691c22bc509b747bb ]
The ad7768-1 ADC output code is two's complement, meaning that the voltage
conversion result is a signed value. Since the value is a 24 bit one,
stored in a 32 bit variable, the sign should be extended in order to get
the correct representation.
Also the channel description has been updated to signed representation,
to match the ADC specifications.
Fixes: a5f8c7da3dbe ("iio: adc: Add AD7768-1 ADC basic support")
Reviewed-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
Signed-off-by: Sergiu Cuciurean <sergiu.cuciurean@analog.com>
Signed-off-by: Jonathan Santos <Jonathan.Santos@analog.com>
Cc: <Stable@vger.kernel.org>
Link: https://patch.msgid.link/505994d3b71c2aa38ba714d909a68e021f12124c.1741268122.git.Jonathan.Santos@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad7768-1.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
index c409b498fc313..2445ebc551dd1 100644
--- a/drivers/iio/adc/ad7768-1.c
+++ b/drivers/iio/adc/ad7768-1.c
@@ -142,7 +142,7 @@ static const struct iio_chan_spec ad7768_channels[] = {
.channel = 0,
.scan_index = 0,
.scan_type = {
- .sign = 'u',
+ .sign = 's',
.realbits = 24,
.storagebits = 32,
.shift = 8,
@@ -373,7 +373,7 @@ static int ad7768_read_raw(struct iio_dev *indio_dev,
iio_device_release_direct_mode(indio_dev);
if (ret < 0)
return ret;
- *val = ret;
+ *val = sign_extend32(ret, chan->scan_type.realbits - 1);
return IIO_VAL_INT;
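Review bot: sign_extend32(ret, chan->scan_type.realbits - 1) is only correct if ad7768_scan_direct() returns the 24-bit code right-aligned in ret, because the .shift = 8 in the channel spec describes the buffer layout and is not applied on this direct-read path. Please confirm that, and consider a one-line comment saying the raw value is unshifted here. The preceding if (ret < 0) check stays valid only as long as the raw value never occupies bit 31, which the same assumption guarantees.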
--
2.39.5
* [PATCH 5.10 219/286] backlight: led_bl: Hold led_access lock when calling led_sysfs_disable()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 218/286] iio: adc: ad7768-1: Fix conversion result sign Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 220/286] cifs: print TIDs as hex Greg Kroah-Hartman
` (71 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herve Codina, Lee Jones, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herve Codina <herve.codina@bootlin.com>
[ Upstream commit 276822a00db3c1061382b41e72cafc09d6a0ec30 ]
Lockdep detects the following issue on led-backlight removal:
[ 142.315935] ------------[ cut here ]------------
[ 142.315954] WARNING: CPU: 2 PID: 292 at drivers/leds/led-core.c:455 led_sysfs_enable+0x54/0x80
...
[ 142.500725] Call trace:
[ 142.503176] led_sysfs_enable+0x54/0x80 (P)
[ 142.507370] led_bl_remove+0x80/0xa8 [led_bl]
[ 142.511742] platform_remove+0x30/0x58
[ 142.515501] device_remove+0x54/0x90
...
Indeed, led_sysfs_enable() has to be called with the led_access
lock held.
Hold the lock when calling led_sysfs_disable().
Fixes: ae232e45acf9 ("backlight: add led-backlight driver")
Cc: stable@vger.kernel.org
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Link: https://lore.kernel.org/r/20250122091914.309533-1-herve.codina@bootlin.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/backlight/led_bl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/video/backlight/led_bl.c
+++ b/drivers/video/backlight/led_bl.c
@@ -226,8 +226,11 @@ static int led_bl_remove(struct platform
backlight_device_unregister(bl);
led_bl_power_off(priv);
- for (i = 0; i < priv->nb_leds; i++)
+ for (i = 0; i < priv->nb_leds; i++) {
+ mutex_lock(&priv->leds[i]->led_access);
led_sysfs_enable(priv->leds[i]);
+ mutex_unlock(&priv->leds[i]->led_access);
+ }
return 0;
}
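Review bot: The subject line and the last sentence of the changelog name led_sysfs_disable(), but the call wrapped by mutex_lock()/mutex_unlock() in led_bl_remove() is led_sysfs_enable(), which is also the function in the lockdep trace. The code change matches the trace; the changelog wording should say led_sysfs_enable() so that someone searching for the fix by function name finds it.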
* [PATCH 5.10 220/286] cifs: print TIDs as hex
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 219/286] backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 221/286] cifs: avoid NULL pointer dereference in dbg call Greg Kroah-Hartman
` (70 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Enzo Matsumiya,
Paulo Alcantara (SUSE), Steve French, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Enzo Matsumiya <ematsumiya@suse.de>
[ Upstream commit 71081e7ac16c93acdd18afa65daa468620bb1b64 ]
Makes these debug messages easier to read
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: b4885bd5935b ("cifs: avoid NULL pointer dereference in dbg call")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/connect.c | 2 +-
fs/cifs/smb2misc.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index a3c0e6a4e4847..2c0522d97e037 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2770,7 +2770,7 @@ cifs_setup_ipc(struct cifs_ses *ses, struct smb_vol *volume_info)
goto out;
}
- cifs_dbg(FYI, "IPC tcon rc = %d ipc tid = %d\n", rc, tcon->tid);
+ cifs_dbg(FYI, "IPC tcon rc=%d ipc tid=0x%x\n", rc, tcon->tid);
ses->tcon_ipc = tcon;
out:
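Review bot: The format string in cifs_setup_ipc() changes more than the changelog states: besides printing tid as 0x%x, it also rewrites "rc = %d ipc tid = %d" to "rc=%d ipc tid=0x%x". Anything that matches on the old spacing in debug logs will stop matching, so mention the spacing change in the changelog or keep it out of a patch described as only switching TIDs to hex.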
diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
index 64887856331ae..d21b27e68f2a8 100644
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -812,7 +812,7 @@ smb2_handle_cancelled_close(struct cifs_tcon *tcon, __u64 persistent_fid,
if (tcon->ses)
server = tcon->ses->server;
- cifs_server_dbg(FYI, "tid=%u: tcon is closing, skipping async close retry of fid %llu %llu\n",
+ cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
tcon->tid, persistent_fid, volatile_fid);
return 0;
--
2.39.5
* [PATCH 5.10 221/286] cifs: avoid NULL pointer dereference in dbg call
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 220/286] cifs: print TIDs as hex Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 222/286] PCI: Introduce domain_nr in pci_host_bridge Greg Kroah-Hartman
` (69 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandra Diupina, Steve French,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandra Diupina <adiupina@astralinux.ru>
[ Upstream commit b4885bd5935bb26f0a414ad55679a372e53f9b9b ]
cifs_server_dbg() implies server to be non-NULL so
move call under condition to avoid NULL pointer dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: e79b0332ae06 ("cifs: ignore cached share root handle closing errors")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/smb2misc.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
index d21b27e68f2a8..c0b80ba8875af 100644
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -809,11 +809,12 @@ smb2_handle_cancelled_close(struct cifs_tcon *tcon, __u64 persistent_fid,
WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
spin_unlock(&cifs_tcp_ses_lock);
- if (tcon->ses)
+ if (tcon->ses) {
server = tcon->ses->server;
-
- cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
- tcon->tid, persistent_fid, volatile_fid);
+ cifs_server_dbg(FYI,
+ "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
+ tcon->tid, persistent_fid, volatile_fid);
+ }
return 0;
}
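Review bot: With the cifs_server_dbg() call moved inside if (tcon->ses), the "tcon is closing" message is silently dropped whenever tcon->ses is NULL, which is the unusual state where the trace is most useful. Add an else branch that logs the same text through cifs_dbg(FYI, ...), which needs no server pointer. The guard also covers only tcon->ses; server = tcon->ses->server is then passed to cifs_server_dbg() without its own check, so state in a comment that ses->server is never NULL at this point if that is the invariant being relied on.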
--
2.39.5
* [PATCH 5.10 222/286] PCI: Introduce domain_nr in pci_host_bridge
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 221/286] cifs: avoid NULL pointer dereference in dbg call Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 223/286] PCI: Coalesce host bridge contiguous apertures Greg Kroah-Hartman
` (68 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boqun Feng, Lorenzo Pieralisi,
Bjorn Helgaas, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boqun Feng <boqun.feng@gmail.com>
[ Upstream commit 15d82ca23c996d50062286d27ed6a42a8105c04a ]
Currently we retrieve the PCI domain number of the host bridge from the
bus sysdata (or pci_config_window if PCI_DOMAINS_GENERIC=y). Actually
we have the information at PCI host bridge probing time, and it makes
sense that we store it into pci_host_bridge. One benefit of doing so is
the requirement for supporting PCI on Hyper-V for ARM64, because the
host bridge of Hyper-V doesn't have pci_config_window, whereas ARM64 is
a PCI_DOMAINS_GENERIC=y arch, so we cannot retrieve the PCI domain
number from pci_config_window on ARM64 Hyper-V guest.
As the preparation for ARM64 Hyper-V PCI support, we introduce the
domain_nr in pci_host_bridge and a sentinel value to allow drivers to
set domain numbers properly at probing time. Currently
CONFIG_PCI_DOMAINS_GENERIC=y archs are only users of this
newly-introduced field.
Link: https://lore.kernel.org/r/20210726180657.142727-2-boqun.feng@gmail.com
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Stable-dep-of: 804443c1f278 ("PCI: Fix reference leak in pci_register_host_bridge()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/probe.c | 6 +++++-
include/linux/pci.h | 11 +++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 6439fc2e526c7..be7973e249cd7 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -595,6 +595,7 @@ static void pci_init_host_bridge(struct pci_host_bridge *bridge)
bridge->native_pme = 1;
bridge->native_ltr = 1;
bridge->native_dpc = 1;
+ bridge->domain_nr = PCI_DOMAIN_NR_NOT_SET;
device_initialize(&bridge->dev);
}
@@ -899,7 +900,10 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
bus->ops = bridge->ops;
bus->number = bus->busn_res.start = bridge->busnr;
#ifdef CONFIG_PCI_DOMAINS_GENERIC
- bus->domain_nr = pci_bus_find_domain_nr(bus, parent);
+ if (bridge->domain_nr == PCI_DOMAIN_NR_NOT_SET)
+ bus->domain_nr = pci_bus_find_domain_nr(bus, parent);
+ else
+ bus->domain_nr = bridge->domain_nr;
#endif
b = pci_find_bus(pci_domain_nr(bus), bridge->busnr);
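Review bot: bridge->domain_nr is read only inside #ifdef CONFIG_PCI_DOMAINS_GENERIC, so a host bridge driver that sets it on an architecture without that option has its value ignored with no warning. The driver-supplied value is also copied into bus->domain_nr unchecked, although the comment added in pci.h says valid segment numbers fit in 16 bits. Either document in the struct that the field is honoured only for PCI_DOMAINS_GENERIC, or warn when it is set and unused, and reject values outside 0..0xffff other than PCI_DOMAIN_NR_NOT_SET.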
diff --git a/include/linux/pci.h b/include/linux/pci.h
index 30bc462fb1964..a0fd1fe4189e4 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -538,6 +538,16 @@ static inline int pci_channel_offline(struct pci_dev *pdev)
return (pdev->error_state != pci_channel_io_normal);
}
+/*
+ * Currently in ACPI spec, for each PCI host bridge, PCI Segment
+ * Group number is limited to a 16-bit value, therefore (int)-1 is
+ * not a valid PCI domain number, and can be used as a sentinel
+ * value indicating ->domain_nr is not set by the driver (and
+ * CONFIG_PCI_DOMAINS_GENERIC=y archs will set it with
+ * pci_bus_find_domain_nr()).
+ */
+#define PCI_DOMAIN_NR_NOT_SET (-1)
+
struct pci_host_bridge {
struct device dev;
struct pci_bus *bus; /* Root bus */
@@ -545,6 +555,7 @@ struct pci_host_bridge {
struct pci_ops *child_ops;
void *sysdata;
int busnr;
+ int domain_nr;
struct list_head windows; /* resource_entry */
struct list_head dma_ranges; /* dma ranges resource list */
u8 (*swizzle_irq)(struct pci_dev *, u8 *); /* Platform IRQ swizzler */
--
2.39.5
* [PATCH 5.10 223/286] PCI: Coalesce host bridge contiguous apertures
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 222/286] PCI: Introduce domain_nr in pci_host_bridge Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 224/286] PCI: Assign PCI domain IDs by ida_alloc() Greg Kroah-Hartman
` (67 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Kai-Heng Feng,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai-Heng Feng <kai.heng.feng@canonical.com>
[ Upstream commit 65db04053efea3f3e412a7e0cc599962999c96b4 ]
Built-in graphics on HP EliteDesk 805 G6 doesn't work because graphics
can't get the BAR it needs:
pci_bus 0000:00: root bus resource [mem 0x10020200000-0x100303fffff window]
pci_bus 0000:00: root bus resource [mem 0x10030400000-0x100401fffff window]
pci 0000:00:08.1: bridge window [mem 0xd2000000-0xd23fffff]
pci 0000:00:08.1: bridge window [mem 0x10030000000-0x100401fffff 64bit pref]
pci 0000:00:08.1: can't claim BAR 15 [mem 0x10030000000-0x100401fffff 64bit pref]: no compatible bridge window
pci 0000:00:08.1: [mem 0x10030000000-0x100401fffff 64bit pref] clipped to [mem 0x10030000000-0x100303fffff 64bit pref]
pci 0000:00:08.1: bridge window [mem 0x10030000000-0x100303fffff 64bit pref]
pci 0000:07:00.0: can't claim BAR 0 [mem 0x10030000000-0x1003fffffff 64bit pref]: no compatible bridge window
pci 0000:07:00.0: can't claim BAR 2 [mem 0x10040000000-0x100401fffff 64bit pref]: no compatible bridge window
However, the root bus has two contiguous apertures that can contain the
child resource requested.
Coalesce contiguous apertures so we can allocate from the entire contiguous
region.
[bhelgaas: fold in https://lore.kernel.org/r/20210528170242.1564038-1-kai.heng.feng@canonical.com]
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212013
Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://lore.kernel.org/r/20210401131252.531935-1-kai.heng.feng@canonical.com
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Stable-dep-of: 804443c1f278 ("PCI: Fix reference leak in pci_register_host_bridge()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/probe.c | 31 +++++++++++++++++++++++++++----
1 file changed, 27 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index be7973e249cd7..a2c53f6d1848a 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -878,11 +878,11 @@ static void pci_set_bus_msi_domain(struct pci_bus *bus)
static int pci_register_host_bridge(struct pci_host_bridge *bridge)
{
struct device *parent = bridge->dev.parent;
- struct resource_entry *window, *n;
+ struct resource_entry *window, *next, *n;
struct pci_bus *bus, *b;
- resource_size_t offset;
+ resource_size_t offset, next_offset;
LIST_HEAD(resources);
- struct resource *res;
+ struct resource *res, *next_res;
char addr[64], *fmt;
const char *name;
int err;
@@ -962,11 +962,34 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
if (nr_node_ids > 1 && pcibus_to_node(bus) == NUMA_NO_NODE)
dev_warn(&bus->dev, "Unknown NUMA node; performance will be reduced\n");
+ /* Coalesce contiguous windows */
+ resource_list_for_each_entry_safe(window, n, &resources) {
+ if (list_is_last(&window->node, &resources))
+ break;
+
+ next = list_next_entry(window, node);
+ offset = window->offset;
+ res = window->res;
+ next_offset = next->offset;
+ next_res = next->res;
+
+ if (res->flags != next_res->flags || offset != next_offset)
+ continue;
+
+ if (res->end + 1 == next_res->start) {
+ next_res->start = res->start;
+ res->flags = res->start = res->end = 0;
+ }
+ }
+
/* Add initial resources to the bus */
resource_list_for_each_entry_safe(window, n, &resources) {
- list_move_tail(&window->node, &bridge->windows);
offset = window->offset;
res = window->res;
+ if (!res->end)
+ continue;
+
+ list_move_tail(&window->node, &bridge->windows);
if (res->flags & IORESOURCE_BUS)
pci_bus_insert_busn_res(bus, bus->number, res->end);
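Review bot: `if (!res->end) continue;` in the "Add initial resources" loop uses end == 0 as the marker for a window that was merged away, but it also matches any real window whose end is 0, for example a bus-number window covering only bus 0, which would then never reach `pci_bus_insert_busn_res()`. Testing `!res->flags` (the coalescing step zeroes flags as well) would be a less ambiguous marker. The coalescing loop also compares each entry only with `list_next_entry()`, so it merges nothing unless the list is already sorted by address; state that assumption in a comment or sort first. Skipped entries stay on the local `resources` list instead of moving to `bridge->windows`, so it is worth saying who frees them.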
--
2.39.5
* [PATCH 5.10 224/286] PCI: Assign PCI domain IDs by ida_alloc()
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Bjorn Helgaas,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pali Rohár <pali@kernel.org>
[ Upstream commit c14f7ccc9f5dcf9d06ddeec706f85405b2c80600 ]
Replace assignment of PCI domain IDs from atomic_inc_return() to
ida_alloc().
Use two IDAs, one for static domain allocations (those which are defined in
device tree) and second for dynamic allocations (all other).
During removal of root bus / host bridge, also release the domain ID. The
released ID can be reused again, for example when dynamically loading and
unloading native PCI host bridge drivers.
This change also allows to mix static device tree assignment and dynamic by
kernel as all static allocations are reserved in dynamic pool.
[bhelgaas: set "err" if "bus->domain_nr < 0"]
Link: https://lore.kernel.org/r/20220714184130.5436-1-pali@kernel.org
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Stable-dep-of: 804443c1f278 ("PCI: Fix reference leak in pci_register_host_bridge()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci.c | 103 +++++++++++++++++++++++++------------------
drivers/pci/probe.c | 7 +++
drivers/pci/remove.c | 6 +++
include/linux/pci.h | 1 +
4 files changed, 74 insertions(+), 43 deletions(-)
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 1d4585b07de3b..24916e78c507c 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -6467,60 +6467,70 @@ static void pci_no_domains(void)
}
#ifdef CONFIG_PCI_DOMAINS_GENERIC
-static atomic_t __domain_nr = ATOMIC_INIT(-1);
+static DEFINE_IDA(pci_domain_nr_static_ida);
+static DEFINE_IDA(pci_domain_nr_dynamic_ida);
-static int pci_get_new_domain_nr(void)
+static void of_pci_reserve_static_domain_nr(void)
{
- return atomic_inc_return(&__domain_nr);
+ struct device_node *np;
+ int domain_nr;
+
+ for_each_node_by_type(np, "pci") {
+ domain_nr = of_get_pci_domain_nr(np);
+ if (domain_nr < 0)
+ continue;
+ /*
+ * Permanently allocate domain_nr in dynamic_ida
+ * to prevent it from dynamic allocation.
+ */
+ ida_alloc_range(&pci_domain_nr_dynamic_ida,
+ domain_nr, domain_nr, GFP_KERNEL);
+ }
}
static int of_pci_bus_find_domain_nr(struct device *parent)
{
- static int use_dt_domains = -1;
- int domain = -1;
+ static bool static_domains_reserved = false;
+ int domain_nr;
- if (parent)
- domain = of_get_pci_domain_nr(parent->of_node);
+ /* On the first call scan device tree for static allocations. */
+ if (!static_domains_reserved) {
+ of_pci_reserve_static_domain_nr();
+ static_domains_reserved = true;
+ }
+
+ if (parent) {
+ /*
+ * If domain is in DT, allocate it in static IDA. This
+ * prevents duplicate static allocations in case of errors
+ * in DT.
+ */
+ domain_nr = of_get_pci_domain_nr(parent->of_node);
+ if (domain_nr >= 0)
+ return ida_alloc_range(&pci_domain_nr_static_ida,
+ domain_nr, domain_nr,
+ GFP_KERNEL);
+ }
/*
- * Check DT domain and use_dt_domains values.
- *
- * If DT domain property is valid (domain >= 0) and
- * use_dt_domains != 0, the DT assignment is valid since this means
- * we have not previously allocated a domain number by using
- * pci_get_new_domain_nr(); we should also update use_dt_domains to
- * 1, to indicate that we have just assigned a domain number from
- * DT.
- *
- * If DT domain property value is not valid (ie domain < 0), and we
- * have not previously assigned a domain number from DT
- * (use_dt_domains != 1) we should assign a domain number by
- * using the:
- *
- * pci_get_new_domain_nr()
- *
- * API and update the use_dt_domains value to keep track of method we
- * are using to assign domain numbers (use_dt_domains = 0).
- *
- * All other combinations imply we have a platform that is trying
- * to mix domain numbers obtained from DT and pci_get_new_domain_nr(),
- * which is a recipe for domain mishandling and it is prevented by
- * invalidating the domain value (domain = -1) and printing a
- * corresponding error.
+ * If domain was not specified in DT, choose a free ID from dynamic
+ * allocations. All domain numbers from DT are permanently in
+ * dynamic allocations to prevent assigning them to other DT nodes
+ * without static domain.
*/
- if (domain >= 0 && use_dt_domains) {
- use_dt_domains = 1;
- } else if (domain < 0 && use_dt_domains != 1) {
- use_dt_domains = 0;
- domain = pci_get_new_domain_nr();
- } else {
- if (parent)
- pr_err("Node %pOF has ", parent->of_node);
- pr_err("Inconsistent \"linux,pci-domain\" property in DT\n");
- domain = -1;
- }
+ return ida_alloc(&pci_domain_nr_dynamic_ida, GFP_KERNEL);
+}
- return domain;
+static void of_pci_bus_release_domain_nr(struct pci_bus *bus, struct device *parent)
+{
+ if (bus->domain_nr < 0)
+ return;
+
+ /* Release domain from IDA where it was allocated. */
+ if (of_get_pci_domain_nr(parent->of_node) == bus->domain_nr)
+ ida_free(&pci_domain_nr_static_ida, bus->domain_nr);
+ else
+ ida_free(&pci_domain_nr_dynamic_ida, bus->domain_nr);
}
int pci_bus_find_domain_nr(struct pci_bus *bus, struct device *parent)
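Review bot: `of_pci_bus_release_domain_nr()` dereferences `parent->of_node` unconditionally, while `of_pci_bus_find_domain_nr()` in the same hunk guards the same access with `if (parent)`. A bus registered with a NULL parent gets its number from the dynamic IDA and then faults on release; the release path needs the same NULL check and should fall through to the dynamic IDA. Also, `of_pci_reserve_static_domain_nr()` discards the return value of `ida_alloc_range()`, so a failed reservation silently leaves a DT-assigned number available to dynamic allocation, and `static_domains_reserved` is read and written without any locking.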
@@ -6528,6 +6538,13 @@ int pci_bus_find_domain_nr(struct pci_bus *bus, struct device *parent)
return acpi_disabled ? of_pci_bus_find_domain_nr(parent) :
acpi_pci_bus_find_domain_nr(bus);
}
+
+void pci_bus_release_domain_nr(struct pci_bus *bus, struct device *parent)
+{
+ if (!acpi_disabled)
+ return;
+ of_pci_bus_release_domain_nr(bus, parent);
+}
#endif
/**
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index a2c53f6d1848a..012ca242bedf4 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -904,6 +904,10 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
bus->domain_nr = pci_bus_find_domain_nr(bus, parent);
else
bus->domain_nr = bridge->domain_nr;
+ if (bus->domain_nr < 0) {
+ err = bus->domain_nr;
+ goto free;
+ }
#endif
b = pci_find_bus(pci_domain_nr(bus), bridge->busnr);
@@ -1022,6 +1026,9 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
device_del(&bridge->dev);
free:
+#ifdef CONFIG_PCI_DOMAINS_GENERIC
+ pci_bus_release_domain_nr(bus, parent);
+#endif
kfree(bus);
return err;
}
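Review bot: the `free:` label now calls `pci_bus_release_domain_nr(bus, parent)` unconditionally, but the earlier hunk shows `bus->domain_nr` can come from `bridge->domain_nr` rather than from `pci_bus_find_domain_nr()`. In that case no IDA entry was allocated here, yet the error path will still `ida_free()` the number. `pci_remove_root_bus()` guards its release with `host_bridge->domain_nr == PCI_DOMAIN_NR_NOT_SET`; the same condition belongs on this path.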
diff --git a/drivers/pci/remove.c b/drivers/pci/remove.c
index 95dec03d9f2a9..611547b52b46d 100644
--- a/drivers/pci/remove.c
+++ b/drivers/pci/remove.c
@@ -159,6 +159,12 @@ void pci_remove_root_bus(struct pci_bus *bus)
pci_remove_bus(bus);
host_bridge->bus = NULL;
+#ifdef CONFIG_PCI_DOMAINS_GENERIC
+ /* Release domain_nr if it was dynamically allocated */
+ if (host_bridge->domain_nr == PCI_DOMAIN_NR_NOT_SET)
+ pci_bus_release_domain_nr(bus, host_bridge->dev.parent);
+#endif
+
/* remove the host bridge */
device_del(&host_bridge->dev);
}
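Review bot: `pci_bus_release_domain_nr(bus, ...)` is called after `pci_remove_bus(bus)` has already run on the same bus, and the callee reads `bus->domain_nr`. If `pci_remove_bus()` drops the last reference, that is a read from freed memory. Saving the domain number before `pci_remove_bus()`, or moving the release ahead of it, removes the dependency. The comment also says "dynamically allocated", but the callee frees from the static IDA as well, so the wording should match.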
diff --git a/include/linux/pci.h b/include/linux/pci.h
index a0fd1fe4189e4..d3d84eb466f02 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -1667,6 +1667,7 @@ static inline int acpi_pci_bus_find_domain_nr(struct pci_bus *bus)
{ return 0; }
#endif
int pci_bus_find_domain_nr(struct pci_bus *bus, struct device *parent);
+void pci_bus_release_domain_nr(struct pci_bus *bus, struct device *parent);
#endif
/* Some architectures require additional setup to direct VGA traffic */
--
2.39.5
* [PATCH 5.10 225/286] PCI: Fix reference leak in pci_register_host_bridge()
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Bjorn Helgaas, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
[ Upstream commit 804443c1f27883926de94c849d91f5b7d7d696e9 ]
If device_register() fails, call put_device() to give up the reference to
avoid a memory leak, per the comment at device_register().
Found by code review.
Link: https://lore.kernel.org/r/20250225021440.3130264-1-make24@iscas.ac.cn
Fixes: 37d6a0a6f470 ("PCI: Add pci_register_host_bridge() interface")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
[bhelgaas: squash Dan Carpenter's double free fix from
https://lore.kernel.org/r/db806a6c-a91b-4e5a-a84b-6b7e01bdac85@stanley.mountain]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/probe.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 012ca242bedf4..7f3d10957eca7 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -883,6 +883,7 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
resource_size_t offset, next_offset;
LIST_HEAD(resources);
struct resource *res, *next_res;
+ bool bus_registered = false;
char addr[64], *fmt;
const char *name;
int err;
@@ -944,6 +945,7 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
name = dev_name(&bus->dev);
err = device_register(&bus->dev);
+ bus_registered = true;
if (err)
goto unregister;
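Review bot: `bus_registered = true` is set before `err` is checked, which reads like a mistake at first glance. It is what the fix needs, since a failed `device_register()` still requires `put_device()`, but a one-line comment saying so would stop someone from "correcting" the order later. A name such as `bus_dev_initialized` would also describe the state more accurately than `bus_registered`.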
@@ -1024,12 +1026,15 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
unregister:
put_device(&bridge->dev);
device_del(&bridge->dev);
-
free:
#ifdef CONFIG_PCI_DOMAINS_GENERIC
pci_bus_release_domain_nr(bus, parent);
#endif
- kfree(bus);
+ if (bus_registered)
+ put_device(&bus->dev);
+ else
+ kfree(bus);
+
return err;
}
--
2.39.5
* [PATCH 5.10 226/286] selftests/mm: generate a temporary mountpoint for cgroup filesystem
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Brown, Aishwarya TCV,
Mina Almasry, Shuah Khan, Waiman Long, Andrew Morton, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit 9c02223e2d9df5cb37c51aedb78f3960294e09b5 ]
Currently if the filesystem for the cgroups version it wants to use is not
mounted charge_reserved_hugetlb.sh and hugetlb_reparenting_test.sh tests
will attempt to mount it on the hard coded path /dev/cgroup/memory,
deleting that directory when the test finishes. This will fail if there
is not a preexisting directory at that path, and since the directory is
deleted subsequent runs of the test will fail. Instead of relying on this
hard coded directory name use mktemp to generate a temporary directory to
use as a mountpoint, fixing both the assumption and the disruption caused
by deleting a preexisting directory.
This means that if the relevant cgroup filesystem is not already mounted
then we rely on having coreutils (which provides mktemp) installed. I
suspect that many current users are relying on having things automounted
by default, and given that the script relies on bash it's probably not an
unreasonable requirement.
Link: https://lkml.kernel.org/r/20250404-kselftest-mm-cgroup2-detection-v1-1-3dba6d32ba8c@kernel.org
Fixes: 209376ed2a84 ("selftests/vm: make charge_reserved_hugetlb.sh work with existing cgroup setting")
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: Aishwarya TCV <aishwarya.tcv@arm.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Mina Almasry <almasrymina@google.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Waiman Long <longman@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/vm/charge_reserved_hugetlb.sh | 4 ++--
tools/testing/selftests/vm/hugetlb_reparenting_test.sh | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/vm/charge_reserved_hugetlb.sh b/tools/testing/selftests/vm/charge_reserved_hugetlb.sh
index 28192ec98498f..c44226b4e0bfb 100644
--- a/tools/testing/selftests/vm/charge_reserved_hugetlb.sh
+++ b/tools/testing/selftests/vm/charge_reserved_hugetlb.sh
@@ -24,7 +24,7 @@ fi
if [[ $cgroup2 ]]; then
cgroup_path=$(mount -t cgroup2 | head -1 | awk '{print $3}')
if [[ -z "$cgroup_path" ]]; then
- cgroup_path=/dev/cgroup/memory
+ cgroup_path=$(mktemp -d)
mount -t cgroup2 none $cgroup_path
do_umount=1
fi
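Review bot: the result of `mktemp -d` is not checked in `cgroup_path=$(mktemp -d)`. If it fails, `cgroup_path` is empty and the unquoted `mount -t cgroup2 none $cgroup_path` runs with no mountpoint argument, producing a confusing mount error instead of a clear failure or skip. Suggest `cgroup_path=$(mktemp -d) || exit 1` (or the suite's skip code) and quoting `"$cgroup_path"`; the same applies to the other two assignments in this patch. The cleanup path is not shown here, so also confirm it removes the temporary directory after the umount.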
@@ -32,7 +32,7 @@ if [[ $cgroup2 ]]; then
else
cgroup_path=$(mount -t cgroup | grep ",hugetlb" | awk '{print $3}')
if [[ -z "$cgroup_path" ]]; then
- cgroup_path=/dev/cgroup/memory
+ cgroup_path=$(mktemp -d)
mount -t cgroup memory,hugetlb $cgroup_path
do_umount=1
fi
diff --git a/tools/testing/selftests/vm/hugetlb_reparenting_test.sh b/tools/testing/selftests/vm/hugetlb_reparenting_test.sh
index c665b16f1e370..a4123632942dd 100644
--- a/tools/testing/selftests/vm/hugetlb_reparenting_test.sh
+++ b/tools/testing/selftests/vm/hugetlb_reparenting_test.sh
@@ -19,7 +19,7 @@ fi
if [[ $cgroup2 ]]; then
CGROUP_ROOT=$(mount -t cgroup2 | head -1 | awk '{print $3}')
if [[ -z "$CGROUP_ROOT" ]]; then
- CGROUP_ROOT=/dev/cgroup/memory
+ CGROUP_ROOT=$(mktemp -d)
mount -t cgroup2 none $CGROUP_ROOT
do_umount=1
fi
--
2.39.5
* [PATCH 5.10 227/286] drm/amd/amdgpu/amdgpu_vram_mgr: Add missing descriptions for dev and dir
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Christian König,
David Airlie, Daniel Vetter, amd-gfx, dri-devel, Lee Jones,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee Jones <lee.jones@linaro.org>
[ Upstream commit 2c8645b7a6974b33744b677e9ddc89650776af46 ]
Fixes the following W=1 kernel build warning(s):
drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c:648: warning: Function parameter or member 'dev' not described in 'amdgpu_vram_mgr_free_sgt'
drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c:648: warning: Function parameter or member 'dir' not described in 'amdgpu_vram_mgr_free_sgt'
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: "Christian König" <christian.koenig@amd.com>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: amd-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Stable-dep-of: c0dd8a9253fa ("drm/amdgpu/dma_buf: fix page_link check")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
index 0c6b7c5ecfec8..2c3a94e939bab 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
@@ -531,6 +531,8 @@ int amdgpu_vram_mgr_alloc_sgt(struct amdgpu_device *adev,
* amdgpu_vram_mgr_alloc_sgt - allocate and fill a sg table
*
* @adev: amdgpu device pointer
+ * @dev: device pointer
+ * @dir: data direction of resource to unmap
* @sgt: sg table to free
*
* Free a previously allocate sg table.
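Review bot: the kernel-doc block these two lines are added to still opens with `amdgpu_vram_mgr_alloc_sgt - allocate and fill a sg table`, while the warnings quoted in the commit message and the `@sgt: sg table to free` line show it documents `amdgpu_vram_mgr_free_sgt`. The name line should be corrected in the same change, otherwise kernel-doc attributes these parameters to the wrong function. "previously allocate" should also read "previously allocated".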
--
2.39.5
* [PATCH 5.10 228/286] drm/amdgpu: Remove amdgpu_device arg from free_sgt api (v2)
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König,
Ramesh Errabolu, Alex Deucher, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ramesh Errabolu <Ramesh.Errabolu@amd.com>
[ Upstream commit 5392b2af97dc5802991f953eb2687e538da4688c ]
Currently callers have to provide handle of amdgpu_device,
which is not used by the implementation. It is unlikely this
parameter will become useful in future, thus removing it
v2: squash in unused variable fix
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Ramesh Errabolu <Ramesh.Errabolu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Stable-dep-of: c0dd8a9253fa ("drm/amdgpu/dma_buf: fix page_link check")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 7 +------
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 3 +--
drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 4 +---
3 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
index e93ccdc5faf4e..bbbacc7b6c463 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
@@ -357,17 +357,12 @@ static void amdgpu_dma_buf_unmap(struct dma_buf_attachment *attach,
struct sg_table *sgt,
enum dma_data_direction dir)
{
- struct dma_buf *dma_buf = attach->dmabuf;
- struct drm_gem_object *obj = dma_buf->priv;
- struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj);
- struct amdgpu_device *adev = amdgpu_ttm_adev(bo->tbo.bdev);
-
if (sgt->sgl->page_link) {
dma_unmap_sgtable(attach->dev, sgt, dir, 0);
sg_free_table(sgt);
kfree(sgt);
} else {
- amdgpu_vram_mgr_free_sgt(adev, attach->dev, dir, sgt);
+ amdgpu_vram_mgr_free_sgt(attach->dev, dir, sgt);
}
}
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h
index a87951b2f06dd..bd873b1b760cf 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h
@@ -113,8 +113,7 @@ int amdgpu_vram_mgr_alloc_sgt(struct amdgpu_device *adev,
struct device *dev,
enum dma_data_direction dir,
struct sg_table **sgt);
-void amdgpu_vram_mgr_free_sgt(struct amdgpu_device *adev,
- struct device *dev,
+void amdgpu_vram_mgr_free_sgt(struct device *dev,
enum dma_data_direction dir,
struct sg_table *sgt);
uint64_t amdgpu_vram_mgr_usage(struct ttm_resource_manager *man);
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
index 2c3a94e939bab..ad72db21b8d62 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
@@ -530,15 +530,13 @@ int amdgpu_vram_mgr_alloc_sgt(struct amdgpu_device *adev,
/**
* amdgpu_vram_mgr_alloc_sgt - allocate and fill a sg table
*
- * @adev: amdgpu device pointer
* @dev: device pointer
* @dir: data direction of resource to unmap
* @sgt: sg table to free
*
* Free a previously allocate sg table.
*/
-void amdgpu_vram_mgr_free_sgt(struct amdgpu_device *adev,
- struct device *dev,
+void amdgpu_vram_mgr_free_sgt(struct device *dev,
enum dma_data_direction dir,
struct sg_table *sgt)
{
--
2.39.5
* [PATCH 5.10 229/286] drm/amdgpu/dma_buf: fix page_link check
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Auld, Christian König,
amd-gfx, Alex Deucher, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Auld <matthew.auld@intel.com>
[ Upstream commit c0dd8a9253fadfb8e5357217d085f1989da4ef0a ]
The page_link lower bits of the first sg could contain something like
SG_END, if we are mapping a single VRAM page or contiguous blob which
fits into one sg entry. Rather pull out the struct page, and use that in
our check to know if we mapped struct pages vs VRAM.
Fixes: f44ffd677fb3 ("drm/amdgpu: add support for exporting VRAM using DMA-buf v3")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: amd-gfx@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v5.8+
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
index bbbacc7b6c463..e4d0a9377e712 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
@@ -357,7 +357,7 @@ static void amdgpu_dma_buf_unmap(struct dma_buf_attachment *attach,
struct sg_table *sgt,
enum dma_data_direction dir)
{
- if (sgt->sgl->page_link) {
+ if (sg_page(sgt->sgl)) {
dma_unmap_sgtable(attach->dev, sgt, dir, 0);
sg_free_table(sgt);
kfree(sgt);
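Review bot: nothing at the call site says why `sg_page()` is used instead of the raw field, so a later cleanup could easily revert it. A short comment above the `if` stating that the low bits of `page_link` can carry markers such as SG_END, and that a NULL page means the table describes VRAM rather than struct pages, would record the reasoning from the commit message in the code.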
--
2.39.5
* [PATCH 5.10 230/286] dma/contiguous: avoid warning about unused size_bytes
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Marek Szyprowski,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit d7b98ae5221007d3f202746903d4c21c7caf7ea9 ]
When building with W=1, this variable is unused for configs with
CONFIG_CMA_SIZE_SEL_PERCENTAGE=y:
kernel/dma/contiguous.c:67:26: error: 'size_bytes' defined but not used [-Werror=unused-const-variable=]
Change this to a macro to avoid the warning.
Fixes: c64be2bb1c6e ("drivers: add Contiguous Memory Allocator")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20250409151557.3890443-1-arnd@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/dma/contiguous.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/dma/contiguous.c b/kernel/dma/contiguous.c
index 16b95ff12e4df..3a4e094e4b1fb 100644
--- a/kernel/dma/contiguous.c
+++ b/kernel/dma/contiguous.c
@@ -69,8 +69,7 @@ struct cma *dma_contiguous_default_area;
* Users, who want to set the size of global CMA area for their system
* should use cma= kernel parameter.
*/
-static const phys_addr_t size_bytes __initconst =
- (phys_addr_t)CMA_SIZE_MBYTES * SZ_1M;
+#define size_bytes ((phys_addr_t)CMA_SIZE_MBYTES * SZ_1M)
static phys_addr_t size_cmdline __initdata = -1;
static phys_addr_t base_cmdline __initdata;
static phys_addr_t limit_cmdline __initdata;
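Review bot: `#define size_bytes ...` introduces a lowercase object-like macro with a very generic name; any later local variable or struct member called `size_bytes` in this file would be rewritten by the preprocessor. Either give it an uppercase name and update the users, or keep the typed constant and mark it `__maybe_unused`, which silences the W=1 warning without losing the declaration.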
--
2.39.5
* [PATCH 5.10 231/286] cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Sudeep Holla,
Viresh Kumar, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit 73b24dc731731edf762f9454552cb3a5b7224949 ]
cpufreq_cpu_get_raw() can return NULL when the target CPU is not present
in the policy->cpus mask. scpi_cpufreq_get_rate() does not check for
this case, which results in a NULL pointer dereference.
Fixes: 343a8d17fa8d ("cpufreq: scpi: remove arm_big_little dependency")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Acked-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/scpi-cpufreq.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/cpufreq/scpi-cpufreq.c b/drivers/cpufreq/scpi-cpufreq.c
index c79cdf1be7803..f990de8c6ed03 100644
--- a/drivers/cpufreq/scpi-cpufreq.c
+++ b/drivers/cpufreq/scpi-cpufreq.c
@@ -37,9 +37,16 @@ static struct scpi_ops *scpi_ops;
static unsigned int scpi_cpufreq_get_rate(unsigned int cpu)
{
- struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);
- struct scpi_data *priv = policy->driver_data;
- unsigned long rate = clk_get_rate(priv->clk);
+ struct cpufreq_policy *policy;
+ struct scpi_data *priv;
+ unsigned long rate;
+
+ policy = cpufreq_cpu_get_raw(cpu);
+ if (unlikely(!policy))
+ return 0;
+
+ priv = policy->driver_data;
+ rate = clk_get_rate(priv->clk);
return rate / 1000;
}
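Review bot: only `policy` is checked; `priv = policy->driver_data` is still dereferenced through `priv->clk` with no test. If a policy can be visible before `driver_data` is set or after it is cleared, the fault just moves two lines down, so either check `priv` as well or add a comment saying why it cannot be NULL here. The `unlikely()` hint adds little on this path and can be dropped, and a comment that 0 is the error return for this callback would help readers.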
--
2.39.5
* [PATCH 5.10 232/286] net: phy: leds: fix memory leak
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hao Guan, Qingfang Deng, Andrew Lunn,
Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingfang Deng <qingfang.deng@siflower.com.cn>
[ Upstream commit b7f0ee992adf601aa00c252418266177eb7ac2bc ]
A network restart test on a router led to an out-of-memory condition,
which was traced to a memory leak in the PHY LED trigger code.
The root cause is misuse of the devm API. The registration function
(phy_led_triggers_register) is called from phy_attach_direct, not
phy_probe, and the unregister function (phy_led_triggers_unregister)
is called from phy_detach, not phy_remove. This means the register and
unregister functions can be called multiple times for the same PHY
device, but devm-allocated memory is not freed until the driver is
unbound.
This also prevents kmemleak from detecting the leak, as the devm API
internally stores the allocated pointer.
Fix this by replacing devm_kzalloc/devm_kcalloc with standard
kzalloc/kcalloc, and add the corresponding kfree calls in the unregister
path.
Fixes: 3928ee6485a3 ("net: phy: leds: Add support for "link" trigger")
Fixes: 2e0bc452f472 ("net: phy: leds: add support for led triggers on phy link state change")
Signed-off-by: Hao Guan <hao.guan@siflower.com.cn>
Signed-off-by: Qingfang Deng <qingfang.deng@siflower.com.cn>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250417032557.2929427-1-dqfext@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/phy_led_triggers.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/drivers/net/phy/phy_led_triggers.c b/drivers/net/phy/phy_led_triggers.c
index 59a94e07e7c55..ae28aa2f9a392 100644
--- a/drivers/net/phy/phy_led_triggers.c
+++ b/drivers/net/phy/phy_led_triggers.c
@@ -91,9 +91,8 @@ int phy_led_triggers_register(struct phy_device *phy)
if (!phy->phy_num_led_triggers)
return 0;
- phy->led_link_trigger = devm_kzalloc(&phy->mdio.dev,
- sizeof(*phy->led_link_trigger),
- GFP_KERNEL);
+ phy->led_link_trigger = kzalloc(sizeof(*phy->led_link_trigger),
+ GFP_KERNEL);
if (!phy->led_link_trigger) {
err = -ENOMEM;
goto out_clear;
@@ -108,10 +107,9 @@ int phy_led_triggers_register(struct phy_device *phy)
if (err)
goto out_free_link;
- phy->phy_led_triggers = devm_kcalloc(&phy->mdio.dev,
- phy->phy_num_led_triggers,
- sizeof(struct phy_led_trigger),
- GFP_KERNEL);
+ phy->phy_led_triggers = kcalloc(phy->phy_num_led_triggers,
+ sizeof(struct phy_led_trigger),
+ GFP_KERNEL);
if (!phy->phy_led_triggers) {
err = -ENOMEM;
goto out_unreg_link;
@@ -131,11 +129,11 @@ int phy_led_triggers_register(struct phy_device *phy)
out_unreg:
while (i--)
phy_led_trigger_unregister(&phy->phy_led_triggers[i]);
- devm_kfree(&phy->mdio.dev, phy->phy_led_triggers);
+ kfree(phy->phy_led_triggers);
out_unreg_link:
phy_led_trigger_unregister(phy->led_link_trigger);
out_free_link:
- devm_kfree(&phy->mdio.dev, phy->led_link_trigger);
+ kfree(phy->led_link_trigger);
phy->led_link_trigger = NULL;
out_clear:
phy->phy_num_led_triggers = 0;
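Review bot: at `out_unreg:` the array is freed with `kfree(phy->phy_led_triggers)` but the pointer is left dangling, unlike `led_link_trigger`, which is set to NULL a few lines later. The next hunk makes `phy_led_triggers_unregister()` call `kfree(phy->phy_led_triggers)` unconditionally, so an unregister after a failed register frees the same allocation twice. Add `phy->phy_led_triggers = NULL;` after the `kfree()` here.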
@@ -149,8 +147,13 @@ void phy_led_triggers_unregister(struct phy_device *phy)
for (i = 0; i < phy->phy_num_led_triggers; i++)
phy_led_trigger_unregister(&phy->phy_led_triggers[i]);
+ kfree(phy->phy_led_triggers);
+ phy->phy_led_triggers = NULL;
- if (phy->led_link_trigger)
+ if (phy->led_link_trigger) {
phy_led_trigger_unregister(phy->led_link_trigger);
+ kfree(phy->led_link_trigger);
+ phy->led_link_trigger = NULL;
+ }
}
EXPORT_SYMBOL_GPL(phy_led_triggers_unregister);
--
2.39.5
* [PATCH 5.10 233/286] tipc: fix NULL pointer dereference in tipc_mon_reinit_self()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 232/286] net: phy: leds: fix memory leak Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 234/286] net_sched: hfsc: Fix a UAF vulnerability in class handling Greg Kroah-Hartman
` (57 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ed60da8d686dc709164c,
Tung Nguyen, Simon Horman, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tung Nguyen <tung.quang.nguyen@est.tech>
[ Upstream commit d63527e109e811ef11abb1c2985048fdb528b4cb ]
syzbot reported:
tipc: Node number set to 1055423674
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events tipc_net_finalize_work
RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719
...
RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba
RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010
RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007
R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010
FS: 0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140
process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c2/0x780 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
...
RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719
...
RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba
RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010
RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007
R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010
FS: 0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
There is a racing condition between workqueue created when enabling
bearer and another thread created when disabling bearer right after
that as follows:
enabling_bearer                           | disabling_bearer
---------------                           | ----------------
tipc_disc_timeout()                       |
{                                         | bearer_disable()
 ...                                      | {
 schedule_work(&tn->work);                |  tipc_mon_delete()
 ...                                      |  {
}                                         |   ...
                                          |   write_lock_bh(&mon->lock);
                                          |   mon->self = NULL;
                                          |   write_unlock_bh(&mon->lock);
                                          |   ...
                                          |  }
tipc_net_finalize_work()                  | }
{                                         |
 ...                                      |
 tipc_net_finalize()                      |
 {                                        |
  ...                                     |
  tipc_mon_reinit_self()                  |
  {                                       |
   ...                                    |
   write_lock_bh(&mon->lock);             |
   mon->self->addr = tipc_own_addr(net);  |
   write_unlock_bh(&mon->lock);           |
   ...                                    |
  }                                       |
  ...                                     |
 }                                        |
 ...                                      |
}                                         |
'mon->self' is set to NULL in disabling_bearer thread and dereferenced
later in enabling_bearer thread.
This commit fixes this issue by validating 'mon->self' before assigning
node address to it.
Reported-by: syzbot+ed60da8d686dc709164c@syzkaller.appspotmail.com
Fixes: 46cb01eeeb86 ("tipc: update mon's self addr when node addr generated")
Signed-off-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250417074826.578115-1-tung.quang.nguyen@est.tech
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/monitor.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
index 1d90f39129ca0..ba0a308d41d85 100644
--- a/net/tipc/monitor.c
+++ b/net/tipc/monitor.c
@@ -685,7 +685,8 @@ void tipc_mon_reinit_self(struct net *net)
if (!mon)
continue;
write_lock_bh(&mon->lock);
- mon->self->addr = tipc_own_addr(net);
+ if (mon->self)
+ mon->self->addr = tipc_own_addr(net);
write_unlock_bh(&mon->lock);
}
}
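Review bot: the new if (mon->self) test in tipc_mon_reinit_self() silently skips a monitor whose self pointer is gone, and nothing in the code says why that state is legal. A one-line comment that tipc_mon_delete() clears mon->self under the same mon->lock when a bearer is disabled would tell the next reader that the check has to stay inside the write_lock_bh()/write_unlock_bh() pair and is not a leftover defensive test.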
--
2.39.5
* [PATCH 5.10 234/286] net_sched: hfsc: Fix a UAF vulnerability in class handling
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 233/286] tipc: fix NULL pointer dereference in tipc_mon_reinit_self() Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 235/286] net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Greg Kroah-Hartman
` (56 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Konstantin Khlebnikov,
Cong Wang, Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit 3df275ef0a6ae181e8428a6589ef5d5231e58b5c ]
This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
handling. The issue occurs due to a time-of-check/time-of-use condition
in hfsc_change_class() when working with certain child qdiscs like netem
or codel.
The vulnerability works as follows:
1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,
codel, netem) might drop packets and empty the queue
3. The code continues assuming the queue is still non-empty, adding
the class to vttree
4. This breaks HFSC scheduler assumptions that only non-empty classes
are in vttree
5. Later, when the class is destroyed, this can lead to a Use-After-Free
The fix adds a second queue length check after qdisc_peek_len() to verify
the queue wasn't emptied.
Fixes: 21f4d5cc25ec ("net_sched/hfsc: fix curve activation in hfsc_change_class()")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Reviewed-by: Konstantin Khlebnikov <koct9i@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20250417184732.943057-2-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_hfsc.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index adcf87d417ae4..ed8211c8d1f4c 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -959,6 +959,7 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
if (cl != NULL) {
int old_flags;
+ int len = 0;
if (parentid) {
if (cl->cl_parent &&
@@ -989,9 +990,13 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
if (usc != NULL)
hfsc_change_usc(cl, usc, cur_time);
+ if (cl->qdisc->q.qlen != 0)
+ len = qdisc_peek_len(cl->qdisc);
+ /* Check queue length again since some qdisc implementations
+ * (e.g., netem/codel) might empty the queue during the peek
+ * operation.
+ */
if (cl->qdisc->q.qlen != 0) {
- int len = qdisc_peek_len(cl->qdisc);
-
if (cl->cl_flags & HFSC_RSC) {
if (old_flags & HFSC_RSC)
update_ed(cl, len);
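Review bot: the two back-to-back if (cl->qdisc->q.qlen != 0) tests in hfsc_change_class() read like a copy-paste duplicate, with only the comment between them to signal that the second one is deliberate. The same peek-then-recheck pattern is repeated in hfsc_dequeue() by the next patch in this series, so a small helper that calls qdisc_peek_len() and reports whether the queue is still non-empty afterwards would keep the two call sites from drifting apart.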
--
2.39.5
* [PATCH 5.10 235/286] net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 234/286] net_sched: hfsc: Fix a UAF vulnerability in class handling Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 236/286] iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE Greg Kroah-Hartman
` (55 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Cong Wang,
Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit 6ccbda44e2cc3d26fd22af54c650d6d5d801addf ]
Similarly to the previous patch, we need to safeguard hfsc_dequeue()
too. But for this one, we don't have a reliable reproducer.
Fixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("Linux-2.6.12-rc2")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20250417184732.943057-3-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_hfsc.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index ed8211c8d1f4c..aad090fd165b0 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1643,10 +1643,16 @@ hfsc_dequeue(struct Qdisc *sch)
if (cl->qdisc->q.qlen != 0) {
/* update ed */
next_len = qdisc_peek_len(cl->qdisc);
- if (realtime)
- update_ed(cl, next_len);
- else
- update_d(cl, next_len);
+ /* Check queue length again since some qdisc implementations
+ * (e.g., netem/codel) might empty the queue during the peek
+ * operation.
+ */
+ if (cl->qdisc->q.qlen != 0) {
+ if (realtime)
+ update_ed(cl, next_len);
+ else
+ update_d(cl, next_len);
+ }
} else {
/* the class becomes passive */
eltree_remove(cl);
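Review bot: when the inner q.qlen re-check in hfsc_dequeue() fails, update_ed()/update_d() are skipped, but the class also never reaches the else branch that makes it passive (eltree_remove() and what follows), so the hunk leaves open what deactivates a class whose queue was emptied by the peek. The new comment should name the path that handles that case, or the emptied-queue case should be routed to the same passive handling as the else branch.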
--
2.39.5
* [PATCH 5.10 236/286] iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 235/286] net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 237/286] virtio_console: fix missing byte order handling for cols and rows Greg Kroah-Hartman
` (54 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Paolo Bonzini,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 07172206a26dcf3f0bf7c3ecaadd4242b008ea54 ]
Return -EINVAL instead of success if amd_ir_set_vcpu_affinity() is
invoked without use_vapic; lying to KVM about whether or not the IRTE was
configured to post IRQs is all kinds of bad.
Fixes: d98de49a53e4 ("iommu/amd: Enable vAPIC interrupt remapping mode by default")
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20250404193923.1413163-6-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/amd/iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index 0a061a196b531..a9a3f9c649c7e 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -3979,7 +3979,7 @@ static int amd_ir_set_vcpu_affinity(struct irq_data *data, void *vcpu_info)
* we should not modify the IRTE
*/
if (!dev_data || !dev_data->use_vapic)
- return 0;
+ return -EINVAL;
ir_data->cfg = irqd_cfg(data);
pi_data->ir_data = ir_data;
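Review bot: the comment kept above the check still ends with "we should not modify the IRTE", which described the old silent return 0 and says nothing about the caller now getting -EINVAL. Update it to state that the request is rejected, and check the callers that use this path to drop back to legacy mode: svm_update_pi_irte() in 242/286 of this series returns the result of irq_set_vcpu_affinity(host_irq, &pi) with pi.is_guest_mode = false, so it may now propagate -EINVAL where it used to see success.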
--
2.39.5
* [PATCH 5.10 237/286] virtio_console: fix missing byte order handling for cols and rows
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 236/286] iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 238/286] KVM: SVM: Allocate IR data using atomic allocation Greg Kroah-Hartman
` (53 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Halil Pasic, Michael S. Tsirkin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Halil Pasic <pasic@linux.ibm.com>
commit fbd3039a64b01b769040677c4fc68badeca8e3b2 upstream.
As per virtio spec the fields cols and rows are specified as little
endian. Although there is no legacy interface requirement that would
state that cols and rows need to be handled as native endian when legacy
interface is used, unlike for the fields of the adjacent struct
virtio_console_control, I decided to err on the side of caution based
on some non-conclusive virtio spec repo archaeology and opt for using
virtio16_to_cpu() much like for virtio_console_control.event. Strictly
by the letter of the spec virtio_le_to_cpu() would have been sufficient.
But when the legacy interface is not used, it boils down to the same.
And when using the legacy interface, the device formatting these as
little endian when the guest is big endian would surprise me more than
it using guest native byte order (which would make it compatible with
the current implementation). Nevertheless somebody trying to implement
the spec following it to the letter could end up forcing little endian
byte order when the legacy interface is in use. So IMHO this ultimately
needs a judgement call by the maintainers.
Fixes: 8345adbf96fc1 ("virtio: console: Accept console size along with resize control message")
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Cc: stable@vger.kernel.org # v2.6.35+
Message-Id: <20250322002954.3129282-1-pasic@linux.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/virtio_console.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1617,8 +1617,8 @@ static void handle_control_message(struc
break;
case VIRTIO_CONSOLE_RESIZE: {
struct {
- __u16 rows;
- __u16 cols;
+ __virtio16 rows;
+ __virtio16 cols;
} size;
if (!is_console_port(port))
@@ -1626,7 +1626,8 @@ static void handle_control_message(struc
memcpy(&size, buf->buf + buf->offset + sizeof(*cpkt),
sizeof(size));
- set_console_size(port, size.rows, size.cols);
+ set_console_size(port, virtio16_to_cpu(vdev, size.rows),
+ virtio16_to_cpu(vdev, size.cols));
port->cons.hvc->irq_requested = 1;
resize_console(port);
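Review bot: the conversion in the VIRTIO_CONSOLE_RESIZE case uses virtio16_to_cpu(), which the commit message itself describes as a judgement call against a strict little-endian read for legacy devices, yet the code carries no trace of that decision. A short comment next to the set_console_size() call, recording that rows and cols are handled like virtio_console_control.event, would save the next reader the spec archaeology.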
* [PATCH 5.10 238/286] KVM: SVM: Allocate IR data using atomic allocation
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 237/286] virtio_console: fix missing byte order handling for cols and rows Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 239/286] mcb: fix a double free bug in chameleon_parse_gdd() Greg Kroah-Hartman
` (52 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Paolo Bonzini
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 7537deda36521fa8fff9133b39c46e31893606f2 upstream.
Allocate SVM's interrupt remapping metadata using GFP_ATOMIC as
svm_ir_list_add() is called with IRQs disabled and irqfs.lock held
when kvm_irq_routing_update() reacts to GSI routing changes.
Fixes: 411b44ba80ab ("svm: Implements update_pi_irte hook to setup posted interrupt")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20250404193923.1413163-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -742,7 +742,7 @@ static int svm_ir_list_add(struct vcpu_s
* Allocating new amd_iommu_pi_data, which will get
* add to the per-vcpu ir_list.
*/
- ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_KERNEL_ACCOUNT);
+ ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_ATOMIC | __GFP_ACCOUNT);
if (!ir) {
ret = -ENOMEM;
goto out;
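Review bot: the comment above the kzalloc() in svm_ir_list_add() still only says what is allocated; the reason for GFP_ATOMIC lives in the commit message alone. Add a line that the function runs with IRQs disabled and irqfs.lock held, so that nobody switches the flags back to GFP_KERNEL_ACCOUNT in a later cleanup.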
* [PATCH 5.10 239/286] mcb: fix a double free bug in chameleon_parse_gdd()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 238/286] KVM: SVM: Allocate IR data using atomic allocation Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 240/286] USB: storage: quirk for ADATA Portable HDD CH94 Greg Kroah-Hartman
` (51 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Haoxiang Li,
Johannes Thumshirn
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 upstream.
In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev'
would be released in mcb_device_register() via put_device().
Thus, going to the 'err' label and freeing 'mdev' again causes a double free.
Just return if mcb_device_register() fails.
Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus")
Cc: stable <stable@kernel.org>
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Signed-off-by: Johannes Thumshirn <jth@kernel.org>
Link: https://lore.kernel.org/r/6201d09e2975ae5789879f79a6de4c38de9edd4a.1741596225.git.jth@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mcb/mcb-parse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mcb/mcb-parse.c
+++ b/drivers/mcb/mcb-parse.c
@@ -101,7 +101,7 @@ static int chameleon_parse_gdd(struct mc
ret = mcb_device_register(bus, mdev);
if (ret < 0)
- goto err;
+ return ret;
return 0;
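Review bot: after this change the tail of chameleon_parse_gdd() reads if (ret < 0) return ret; return 0;, and nothing in the code explains why this one failure must not go through the err label. A comment that mcb_device_register() already drops mdev via put_device() on failure would stop a later cleanup from turning the return back into goto err.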
* [PATCH 5.10 240/286] USB: storage: quirk for ADATA Portable HDD CH94
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 239/286] mcb: fix a double free bug in chameleon_parse_gdd() Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 241/286] mei: me: add panther lake H DID Greg Kroah-Hartman
` (50 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 9ab75eee1a056f896b87d139044dd103adc532b9 upstream.
Version 1.60 specifically needs this quirk.
Version 2.00 is known good.
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20250403180004.343133-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_uas.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -83,6 +83,13 @@ UNUSUAL_DEV(0x0bc2, 0x331a, 0x0000, 0x99
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_NO_REPORT_LUNS),
+/* Reported-by: Oliver Neukum <oneukum@suse.com> */
+UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160,
+ "ADATA",
+ "Portable HDD CH94",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_ATA_1X),
+
/* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999,
"Initio Corporation",
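Review bot: the new UNUSUAL_DEV entry pins bcdDevice to 0x0160 through 0x0160, but its comment carries only the Reported-by tag. Noting in the comment that version 2.00 is known good would keep a later edit from widening the range to 0x0000 through 0x9999 like the entry that follows it.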
* [PATCH 5.10 241/286] mei: me: add panther lake H DID
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 240/286] USB: storage: quirk for ADATA Portable HDD CH94 Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 242/286] KVM: x86: Reset IRTE to host control if *new* route isnt postable Greg Kroah-Hartman
` (49 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Tomas Winkler,
Alexander Usyskin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Usyskin <alexander.usyskin@intel.com>
commit 86ce5c0a1dec02e21b4c864b2bc0cc5880a2c13c upstream.
Add Panther Lake H device id.
Cc: stable <stable@kernel.org>
Co-developed-by: Tomas Winkler <tomasw@gmail.com>
Signed-off-by: Tomas Winkler <tomasw@gmail.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Link: https://lore.kernel.org/r/20250408130005.1358140-1-alexander.usyskin@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/mei/hw-me-regs.h | 1 +
drivers/misc/mei/pci-me.c | 1 +
2 files changed, 2 insertions(+)
--- a/drivers/misc/mei/hw-me-regs.h
+++ b/drivers/misc/mei/hw-me-regs.h
@@ -117,6 +117,7 @@
#define MEI_DEV_ID_LNL_M 0xA870 /* Lunar Lake Point M */
+#define MEI_DEV_ID_PTL_H 0xE370 /* Panther Lake H */
#define MEI_DEV_ID_PTL_P 0xE470 /* Panther Lake P */
/*
--- a/drivers/misc/mei/pci-me.c
+++ b/drivers/misc/mei/pci-me.c
@@ -123,6 +123,7 @@ static const struct pci_device_id mei_me
{MEI_PCI_DEVICE(MEI_DEV_ID_LNL_M, MEI_ME_PCH15_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_H, MEI_ME_PCH15_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_PTL_P, MEI_ME_PCH15_CFG)},
/* required last entry */
* [PATCH 5.10 242/286] KVM: x86: Reset IRTE to host control if *new* route isnt postable
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 241/286] mei: me: add panther lake H DID Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 243/286] serial: sifive: lock port in startup()/shutdown() callbacks Greg Kroah-Hartman
` (48 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Paolo Bonzini
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2 upstream.
Restore an IRTE back to host control (remapped or posted MSI mode) if the
*new* GSI route prevents posting the IRQ directly to a vCPU, regardless of
the GSI routing type. Updating the IRTE if and only if the new GSI is an
MSI results in KVM leaving an IRTE posting to a vCPU.
The dangling IRTE can result in interrupts being incorrectly delivered to
the guest, and in the worst case scenario can result in use-after-free,
e.g. if the VM is torn down, but the underlying host IRQ isn't freed.
Fixes: efc644048ecd ("KVM: x86: Update IRTE for posted-interrupts")
Fixes: 411b44ba80ab ("svm: Implements update_pi_irte hook to setup posted interrupt")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20250404193923.1413163-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 58 +++++++++++++++++++++--------------------
arch/x86/kvm/vmx/posted_intr.c | 28 +++++++------------
2 files changed, 41 insertions(+), 45 deletions(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -806,6 +806,7 @@ int svm_update_pi_irte(struct kvm *kvm,
{
struct kvm_kernel_irq_routing_entry *e;
struct kvm_irq_routing_table *irq_rt;
+ bool enable_remapped_mode = true;
int idx, ret = 0;
if (!kvm_arch_has_assigned_device(kvm) ||
@@ -843,6 +844,8 @@ int svm_update_pi_irte(struct kvm *kvm,
kvm_vcpu_apicv_active(&svm->vcpu)) {
struct amd_iommu_pi_data pi;
+ enable_remapped_mode = false;
+
/* Try to enable guest_mode in IRTE */
pi.base = __sme_set(page_to_phys(svm->avic_backing_page) &
AVIC_HPA_MASK);
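Review bot: enable_remapped_mode is cleared in svm_update_pi_irte() before the guest_mode attempt announced by the next comment has run, so a failure while enabling guest_mode also suppresses the fallback to legacy mode that this patch adds further down. If the flag is meant to say "posting was configured", clear it only once the attempt has succeeded; if it is meant to say "posting was attempted", say so in a comment at the declaration.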
@@ -861,33 +864,6 @@ int svm_update_pi_irte(struct kvm *kvm,
*/
if (!ret && pi.is_guest_mode)
svm_ir_list_add(svm, &pi);
- } else {
- /* Use legacy mode in IRTE */
- struct amd_iommu_pi_data pi;
-
- /**
- * Here, pi is used to:
- * - Tell IOMMU to use legacy mode for this interrupt.
- * - Retrieve ga_tag of prior interrupt remapping data.
- */
- pi.prev_ga_tag = 0;
- pi.is_guest_mode = false;
- ret = irq_set_vcpu_affinity(host_irq, &pi);
-
- /**
- * Check if the posted interrupt was previously
- * setup with the guest_mode by checking if the ga_tag
- * was cached. If so, we need to clean up the per-vcpu
- * ir_list.
- */
- if (!ret && pi.prev_ga_tag) {
- int id = AVIC_GATAG_TO_VCPUID(pi.prev_ga_tag);
- struct kvm_vcpu *vcpu;
-
- vcpu = kvm_get_vcpu_by_id(kvm, id);
- if (vcpu)
- svm_ir_list_del(to_svm(vcpu), &pi);
- }
}
if (!ret && svm) {
@@ -903,6 +879,34 @@ int svm_update_pi_irte(struct kvm *kvm,
}
ret = 0;
+ if (enable_remapped_mode) {
+ /* Use legacy mode in IRTE */
+ struct amd_iommu_pi_data pi;
+
+ /**
+ * Here, pi is used to:
+ * - Tell IOMMU to use legacy mode for this interrupt.
+ * - Retrieve ga_tag of prior interrupt remapping data.
+ */
+ pi.prev_ga_tag = 0;
+ pi.is_guest_mode = false;
+ ret = irq_set_vcpu_affinity(host_irq, &pi);
+
+ /**
+ * Check if the posted interrupt was previously
+ * setup with the guest_mode by checking if the ga_tag
+ * was cached. If so, we need to clean up the per-vcpu
+ * ir_list.
+ */
+ if (!ret && pi.prev_ga_tag) {
+ int id = AVIC_GATAG_TO_VCPUID(pi.prev_ga_tag);
+ struct kvm_vcpu *vcpu;
+
+ vcpu = kvm_get_vcpu_by_id(kvm, id);
+ if (vcpu)
+ svm_ir_list_del(to_svm(vcpu), &pi);
+ }
+ }
out:
srcu_read_unlock(&kvm->irq_srcu, idx);
return ret;
--- a/arch/x86/kvm/vmx/posted_intr.c
+++ b/arch/x86/kvm/vmx/posted_intr.c
@@ -255,6 +255,7 @@ int pi_update_irte(struct kvm *kvm, unsi
{
struct kvm_kernel_irq_routing_entry *e;
struct kvm_irq_routing_table *irq_rt;
+ bool enable_remapped_mode = true;
struct kvm_lapic_irq irq;
struct kvm_vcpu *vcpu;
struct vcpu_data vcpu_info;
@@ -293,21 +294,8 @@ int pi_update_irte(struct kvm *kvm, unsi
kvm_set_msi_irq(kvm, e, &irq);
if (!kvm_intr_is_single_vcpu(kvm, &irq, &vcpu) ||
- !kvm_irq_is_postable(&irq)) {
- /*
- * Make sure the IRTE is in remapped mode if
- * we don't handle it in posted mode.
- */
- ret = irq_set_vcpu_affinity(host_irq, NULL);
- if (ret < 0) {
- printk(KERN_INFO
- "failed to back to remapped mode, irq: %u\n",
- host_irq);
- goto out;
- }
-
+ !kvm_irq_is_postable(&irq))
continue;
- }
vcpu_info.pi_desc_addr = __pa(&to_vmx(vcpu)->pi_desc);
vcpu_info.vector = irq.vector;
@@ -315,11 +303,12 @@ int pi_update_irte(struct kvm *kvm, unsi
trace_kvm_pi_irte_update(host_irq, vcpu->vcpu_id, e->gsi,
vcpu_info.vector, vcpu_info.pi_desc_addr, set);
- if (set)
- ret = irq_set_vcpu_affinity(host_irq, &vcpu_info);
- else
- ret = irq_set_vcpu_affinity(host_irq, NULL);
+ if (!set)
+ continue;
+ enable_remapped_mode = false;
+
+ ret = irq_set_vcpu_affinity(host_irq, &vcpu_info);
if (ret < 0) {
printk(KERN_INFO "%s: failed to update PI IRTE\n",
__func__);
@@ -327,6 +316,9 @@ int pi_update_irte(struct kvm *kvm, unsi
}
}
+ if (enable_remapped_mode)
+ ret = irq_set_vcpu_affinity(host_irq, NULL);
+
ret = 0;
out:
srcu_read_unlock(&kvm->irq_srcu, idx);
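Review bot: in pi_update_irte() the result of the new irq_set_vcpu_affinity(host_irq, NULL) call is assigned to ret and then overwritten by the ret = 0; that follows it, so a failure to return the IRTE to remapped mode is dropped without a trace. The code removed earlier in this patch logged "failed to back to remapped mode" and left with the error, and the SVM side of the same patch places its fallback after ret = 0; and does return the result. Either move the fallback below ret = 0; or drop the assignment and add a comment that the error is ignored on purpose.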
* [PATCH 5.10 243/286] serial: sifive: lock port in startup()/shutdown() callbacks
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 242/286] KVM: x86: Reset IRTE to host control if *new* route isnt postable Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 244/286] USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe Greg Kroah-Hartman
` (47 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ryo Takakura, Petr Mladek,
John Ogness
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryo Takakura <ryotkkr98@gmail.com>
commit e1ca3ff28ab1e2c1e70713ef3fa7943c725742c3 upstream.
startup()/shutdown() callbacks access SIFIVE_SERIAL_IE_OFFS.
The register is also accessed from write() callback.
If console were printing and startup()/shutdown() callback
gets called, its access to the register could be overwritten.
Add port->lock to startup()/shutdown() callbacks to make sure
their access to SIFIVE_SERIAL_IE_OFFS is synchronized against
write() callback.
Fixes: 45c054d0815b ("tty: serial: add driver for the SiFive UART")
Signed-off-by: Ryo Takakura <ryotkkr98@gmail.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Cc: stable@vger.kernel.org
Reviewed-by: John Ogness <john.ogness@linutronix.de>
Rule: add
Link: https://lore.kernel.org/stable/20250330003522.386632-1-ryotkkr98%40gmail.com
Link: https://lore.kernel.org/r/20250412001847.183221-1-ryotkkr98@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/sifive.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/tty/serial/sifive.c
+++ b/drivers/tty/serial/sifive.c
@@ -596,8 +596,11 @@ static void sifive_serial_break_ctl(stru
static int sifive_serial_startup(struct uart_port *port)
{
struct sifive_serial_port *ssp = port_to_sifive_serial_port(port);
+ unsigned long flags;
+ uart_port_lock_irqsave(&ssp->port, &flags);
__ssp_enable_rxwm(ssp);
+ uart_port_unlock_irqrestore(&ssp->port, flags);
return 0;
}
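Review bot: sifive_serial_startup() takes the lock through &ssp->port although the port argument it was called with should be the same object, which makes the locking harder to follow; uart_port_lock_irqsave(port, &flags) reads more directly, and the same applies to sifive_serial_shutdown(). As this is a backport to 5.10, also confirm that uart_port_lock_irqsave() and uart_port_unlock_irqrestore() exist in the target tree; if they do not, the port->lock named in the commit message has to be taken with spin_lock_irqsave() directly.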
@@ -605,9 +608,12 @@ static int sifive_serial_startup(struct
static void sifive_serial_shutdown(struct uart_port *port)
{
struct sifive_serial_port *ssp = port_to_sifive_serial_port(port);
+ unsigned long flags;
+ uart_port_lock_irqsave(&ssp->port, &flags);
__ssp_disable_rxwm(ssp);
__ssp_disable_txwm(ssp);
+ uart_port_unlock_irqrestore(&ssp->port, flags);
}
/**
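Review bot: in sifive_serial_shutdown() the calls to __ssp_disable_rxwm() and __ssp_disable_txwm() now depend on the caller holding the port lock, but nothing at the call site or in the helpers records that requirement. A lockdep_assert_held(&ssp->port.lock) in the helpers, or a one-line comment above the locked region, would keep a future caller from reintroducing the unsynchronized SIFIVE_SERIAL_IE_OFFS update.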
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 244/286] USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 243/286] serial: sifive: lock port in startup()/shutdown() callbacks Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 245/286] USB: serial: option: add Sierra Wireless EM9291 Greg Kroah-Hartman
` (46 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Ehrenreich, Johan Hovold
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ehrenreich <michideep@gmail.com>
commit b399078f882b6e5d32da18b6c696cc84b12f90d5 upstream.
Abacus Electrics makes optical probes for interacting with smart meters
over an optical interface.
At least one version uses an FT232B chip (as detected by ftdi_sio) with
a custom USB PID, which needs to be added to the list to make the device
work in a plug-and-play fashion.
Signed-off-by: Michael Ehrenreich <michideep@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 2 ++
drivers/usb/serial/ftdi_sio_ids.h | 5 +++++
2 files changed, 7 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1071,6 +1071,8 @@ static const struct usb_device_id id_tab
{ USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 1) },
{ USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 2) },
{ USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 3) },
+ /* Abacus Electrics */
+ { USB_DEVICE(FTDI_VID, ABACUS_OPTICAL_PROBE_PID) },
{ } /* Terminating entry */
};
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -436,6 +436,11 @@
#define LINX_FUTURE_2_PID 0xF44C /* Linx future device */
/*
+ * Abacus Electrics
+ */
+#define ABACUS_OPTICAL_PROBE_PID 0xf458 /* ABACUS ELECTRICS Optical Probe */
+
+/*
* Oceanic product ids
*/
#define FTDI_OCEANIC_PID 0xF460 /* Oceanic dive instrument */
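Review bot: ABACUS_OPTICAL_PROBE_PID is written as 0xf458 in lowercase hex, while both neighbouring definitions in this hunk (0xF44C and 0xF460) use uppercase; matching the surrounding style would keep the file consistent. The value itself sorts correctly between those two entries.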
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 245/286] USB: serial: option: add Sierra Wireless EM9291
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 244/286] USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 246/286] USB: serial: simple: add OWON HDS200 series oscilloscope support Greg Kroah-Hartman
` (45 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adam Xue, Johan Hovold
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Xue <zxue@semtech.com>
commit 968e1cbb1f6293c3add9607f80b5ce3d29f57583 upstream.
Add Sierra Wireless EM9291.
Interface 0: MBIM control
1: MBIM data
3: AT port
4: Diagnostic port
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1199 ProdID=90e3 Rev=00.06
S: Manufacturer=Sierra Wireless, Incorporated
S: Product=Sierra Wireless EM9291
S: SerialNumber=xxxxxxxxxxxxxxxx
C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=(none)
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none)
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Signed-off-by: Adam Xue <zxue@semtech.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -611,6 +611,7 @@ static void option_instat_callback(struc
/* Sierra Wireless products */
#define SIERRA_VENDOR_ID 0x1199
#define SIERRA_PRODUCT_EM9191 0x90d3
+#define SIERRA_PRODUCT_EM9291 0x90e3
/* UNISOC (Spreadtrum) products */
#define UNISOC_VENDOR_ID 0x1782
@@ -2432,6 +2433,8 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x30) },
{ USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x40) },
{ USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9291, 0xff, 0xff, 0x30) },
+ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9291, 0xff, 0xff, 0x40) },
{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, TOZED_PRODUCT_LT70C, 0xff, 0, 0) },
{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, LUAT_PRODUCT_AIR720U, 0xff, 0, 0) },
{ USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0530, 0xff), /* TCL IK512 MBIM */
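Review bot: the two new EM9291 entries give no indication of which port each protocol value selects. Per the usb-devices listing in the commit message, Prot=40 is interface 3 (AT port) and Prot=30 is interface 4 (diagnostic port), so a trailing comment on each line would save the next reader the lookup. The EM9191 block above also has a third (0xff, 0, 0) entry that EM9291 omits; that matches the listing, which shows only Sub=ff vendor interfaces, but a sentence in the commit message would make the omission clearly intentional.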
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 246/286] USB: serial: simple: add OWON HDS200 series oscilloscope support
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 245/286] USB: serial: option: add Sierra Wireless EM9291 Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 247/286] usb: cdns3: Fix deadlock when using NCM gadget Greg Kroah-Hartman
` (44 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Craig Hesling, Johan Hovold
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Craig Hesling <craig@hesling.com>
commit 4cc01410e1c1dd075df10f750775c81d1cb6672b upstream.
Add serial support for OWON HDS200 series oscilloscopes and likely
many other pieces of OWON test equipment.
OWON HDS200 series devices host two USB endpoints, designed to
facilitate bidirectional SCPI. SCPI is a predominately ASCII text
protocol for test/measurement equipment. Having a serial/tty interface
for these devices lowers the barrier to entry for anyone trying to
write programs to communicate with them.
The following shows the USB descriptor for the OWON HDS272S running
firmware V5.7.1:
Bus 001 Device 068: ID 5345:1234 Owon PDS6062T Oscilloscope
Negotiated speed: Full Speed (12Mbps)
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 [unknown]
bDeviceSubClass 0 [unknown]
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x5345 Owon
idProduct 0x1234 PDS6062T Oscilloscope
bcdDevice 1.00
iManufacturer 1 oscilloscope
iProduct 2 oscilloscope
iSerial 3 oscilloscope
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0029
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 5 Physical Interface Device
bInterfaceSubClass 0 [unknown]
bInterfaceProtocol 0
iInterface 0
** UNRECOGNIZED: 09 21 11 01 00 01 22 5f 00
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 32
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 32
Device Status: 0x0000
(Bus Powered)
OWON appears to be using the same USB Vendor and Product ID for many
of their oscilloscopes. Looking at the discussion about the USB
vendor/product ID, in the link below, suggests that this VID/PID is
shared with VDS, SDS, PDS, and now the HDS series oscilloscopes.
Available documentation for these devices seems to indicate that all
use a similar SCPI protocol, some with RS232 options. It is likely that
this same simple serial setup would work correctly for them all.
Link: https://usb-ids.gowdy.us/read/UD/5345/1234
Signed-off-by: Craig Hesling <craig@hesling.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/usb-serial-simple.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -101,6 +101,11 @@ DEVICE(nokia, NOKIA_IDS);
{ USB_DEVICE(0x09d7, 0x0100) } /* NovAtel FlexPack GPS */
DEVICE_N(novatel_gps, NOVATEL_IDS, 3);
+/* OWON electronic test and measurement equipment driver */
+#define OWON_IDS() \
+ { USB_DEVICE(0x5345, 0x1234) } /* HDS200 oscilloscopes and others */
+DEVICE(owon, OWON_IDS);
+
/* Siemens USB/MPI adapter */
#define SIEMENS_IDS() \
{ USB_DEVICE(0x908, 0x0004) }
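Review bot: OWON_IDS() matches on VID/PID 0x5345:0x1234 alone, and the commit message says this ID is shared by the VDS, SDS, PDS and HDS series while only the HDS272S running firmware V5.7.1 is shown as tested. Every device carrying this ID will now bind to the simple serial driver, so the comment on the entry should say which model was actually verified instead of only "HDS200 oscilloscopes and others".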
@@ -135,6 +140,7 @@ static struct usb_serial_driver * const
&motorola_tetra_device,
&nokia_device,
&novatel_gps_device,
+ &owon_device,
&siemens_mpi_device,
&suunto_device,
&vivopay_device,
@@ -154,6 +160,7 @@ static const struct usb_device_id id_tab
MOTOROLA_TETRA_IDS(),
NOKIA_IDS(),
NOVATEL_IDS(),
+ OWON_IDS(),
SIEMENS_IDS(),
SUUNTO_IDS(),
VIVOPAY_IDS(),
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 247/286] usb: cdns3: Fix deadlock when using NCM gadget
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 246/286] USB: serial: simple: add OWON HDS200 series oscilloscope support Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 248/286] USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) Greg Kroah-Hartman
` (43 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Ralph Siemsen, Peter Chen,
Sebastian Andrzej Siewior
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ralph Siemsen <ralph.siemsen@linaro.org>
commit a1059896f2bfdcebcdc7153c3be2307ea319501f upstream.
The cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit
58f2fcb3a845 ("usb: cdnsp: Fix deadlock issue during using NCM gadget").
Under PREEMPT_RT the deadlock can be readily triggered by heavy network
traffic, for example using "iperf --bidir" over NCM ethernet link.
The deadlock occurs because the threaded interrupt handler gets
preempted by a softirq, but both are protected by the same spinlock.
Prevent deadlock by disabling softirq during threaded irq handler.
Cc: stable <stable@kernel.org>
Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Acked-by: Peter Chen <peter.chen@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://lore.kernel.org/r/20250318-rfs-cdns3-deadlock-v2-1-bfd9cfcee732@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/gadget.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/cdns3/gadget.c
+++ b/drivers/usb/cdns3/gadget.c
@@ -1961,6 +1961,7 @@ static irqreturn_t cdns3_device_thread_i
unsigned int bit;
unsigned long reg;
+ local_bh_disable();
spin_lock_irqsave(&priv_dev->lock, flags);
reg = readl(&priv_dev->regs->usb_ists);
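Review bot: local_bh_disable() is added directly before spin_lock_irqsave() with no comment, and the reason (the threaded handler being preempted by a softirq that takes the same priv_dev->lock) is recorded only in the commit message. A short comment at this call would keep it from being removed later as redundant next to an irqsave lock.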
@@ -2002,6 +2003,7 @@ static irqreturn_t cdns3_device_thread_i
irqend:
writel(~0, &priv_dev->regs->ep_ien);
spin_unlock_irqrestore(&priv_dev->lock, flags);
+ local_bh_enable();
return ret;
}
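Review bot: local_bh_enable() is reached only through the irqend label, so any path in cdns3_device_thread_irq_handler() that returns between the new local_bh_disable() and irqend would leave bottom halves disabled. The lines between the two hunks are not shown here; please confirm that every exit goes through irqend.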
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 248/286] USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02)
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 247/286] usb: cdns3: Fix deadlock when using NCM gadget Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 249/286] usb: dwc3: gadget: check that event count does not exceed event buffer length Greg Kroah-Hartman
` (42 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Bjorn Helgaas, Alan Stern,
Mingcong Bai, Huacai Chen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit bcb60d438547355b8f9ad48645909139b64d3482 upstream.
The OHCI controller (rev 0x02) under LS7A PCI host has a hardware flaw.
MMIO register with offset 0x60/0x64 is treated as legacy PS2-compatible
keyboard/mouse interface, which confuses the OHCI controller. Since OHCI
only uses a 4KB BAR resource indeed, the LS7A OHCI controller's 32KB BAR
is wrapped around (the second 4KB BAR space is the same as the first 4KB
internally). So we can add a 4KB offset (0x1000) to the OHCI registers
(from the PCI BAR resource) as a quirk.
Cc: stable <stable@kernel.org>
Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Mingcong Bai <baimingcong@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Link: https://lore.kernel.org/r/20250328040059.3672979-1-chenhuacai@loongson.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/ohci-pci.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
--- a/drivers/usb/host/ohci-pci.c
+++ b/drivers/usb/host/ohci-pci.c
@@ -165,6 +165,25 @@ static int ohci_quirk_amd700(struct usb_
return 0;
}
+static int ohci_quirk_loongson(struct usb_hcd *hcd)
+{
+ struct pci_dev *pdev = to_pci_dev(hcd->self.controller);
+
+ /*
+ * Loongson's LS7A OHCI controller (rev 0x02) has a
+ * flaw. MMIO register with offset 0x60/64 is treated
+ * as legacy PS2-compatible keyboard/mouse interface.
+ * Since OHCI only use 4KB BAR resource, LS7A OHCI's
+ * 32KB BAR is wrapped around (the 2nd 4KB BAR space
+ * is the same as the 1st 4KB internally). So add 4KB
+ * offset (0x1000) to the OHCI registers as a quirk.
+ */
+ if (pdev->revision == 0x2)
+ hcd->regs += SZ_4K; /* SZ_4K = 0x1000 */
+
+ return 0;
+}
+
static int ohci_quirk_qemu(struct usb_hcd *hcd)
{
struct ohci_hcd *ohci = hcd_to_ohci(hcd);
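Review bot: ohci_quirk_loongson() advances hcd->regs by SZ_4K without checking that the mapped BAR is actually larger than 4KB. The commit message states that the rev 0x02 BAR is 32KB, but a guard on the resource length (for example hcd->rsrc_len) before the add would keep the quirk from pointing the driver past the mapping on a part that does not match that description. The in-code comment also writes the offsets as 0x60/64 where the commit message has 0x60/0x64.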
@@ -225,6 +244,10 @@ static const struct pci_device_id ohci_p
.driver_data = (unsigned long)ohci_quirk_amd700,
},
{
+ PCI_DEVICE(PCI_VENDOR_ID_LOONGSON, 0x7a24),
+ .driver_data = (unsigned long)ohci_quirk_loongson,
+ },
+ {
.vendor = PCI_VENDOR_ID_APPLE,
.device = 0x003f,
.subvendor = PCI_SUBVENDOR_ID_REDHAT_QUMRANET,
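Review bot: the new table entry matches every revision of device 0x7a24 and relies on the pdev->revision == 0x2 test inside ohci_quirk_loongson() to limit the effect. A short comment on the entry saying so would help, as would a named constant in place of the bare 0x7a24.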
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 249/286] usb: dwc3: gadget: check that event count does not exceed event buffer length
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 248/286] USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 250/286] usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive Greg Kroah-Hartman
` (41 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frode Isaksen, stable, Thinh Nguyen
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frode Isaksen <frode@meta.com>
commit 63ccd26cd1f6600421795f6ca3e625076be06c9f upstream.
The event count is read from register DWC3_GEVNTCOUNT.
There is a check for the count being zero, but not for exceeding the
event buffer length.
Check that event count does not exceed event buffer length,
avoiding an out-of-bounds access when memcpy'ing the event.
Crash log:
Unable to handle kernel paging request at virtual address ffffffc0129be000
pc : __memcpy+0x114/0x180
lr : dwc3_check_event_buf+0xec/0x348
x3 : 0000000000000030 x2 : 000000000000dfc4
x1 : ffffffc0129be000 x0 : ffffff87aad60080
Call trace:
__memcpy+0x114/0x180
dwc3_interrupt+0x24/0x34
Signed-off-by: Frode Isaksen <frode@meta.com>
Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
Cc: stable <stable@kernel.org>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20250403072907.448524-1-fisaksen@baylibre.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -3896,6 +3896,12 @@ static irqreturn_t dwc3_check_event_buf(
if (!count)
return IRQ_NONE;
+ if (count > evt->length) {
+ dev_err_ratelimited(dwc->dev, "invalid count(%u) > evt->length(%u)\n",
+ count, evt->length);
+ return IRQ_NONE;
+ }
+
evt->count = count;
evt->flags |= DWC3_EVENT_PENDING;
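Review bot: when count > evt->length the handler logs and returns IRQ_NONE, but the visible lines do nothing to clear or acknowledge the bogus value read from DWC3_GEVNTCOUNT. If the register keeps reporting the same count, the interrupt can keep firing with the ratelimited message as the only symptom, so a comment stating why dropping the event without further recovery is safe would be useful. The comparison itself still accepts count == evt->length, which fits a buffer of that length.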
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 250/286] usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 249/286] usb: dwc3: gadget: check that event count does not exceed event buffer length Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 251/286] usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 " Greg Kroah-Hartman
` (40 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miao Li, stable
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miao Li <limiao@kylinos.cn>
commit 2932b6b547ec36ad2ed60fbf2117c0e46bb7d40a upstream.
When a Silicon Motion Flash Drive is connected to Huawei hisi platforms
and a system reboot test is run for two thousand cycles, it will
randomly work incorrectly on boot; setting the DELAY_INIT quirk works
around this issue.
Signed-off-by: Miao Li <limiao@kylinos.cn>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20250401023027.44894-1-limiao870622@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -380,6 +380,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x0904, 0x6103), .driver_info =
USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
+ /* Silicon Motion Flash Drive */
+ { USB_DEVICE(0x090c, 0x1000), .driver_info = USB_QUIRK_DELAY_INIT },
+
/* Sound Devices USBPre2 */
{ USB_DEVICE(0x0926, 0x0202), .driver_info =
USB_QUIRK_ENDPOINT_IGNORE },
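Review bot: the entry applies USB_QUIRK_DELAY_INIT to 0x090c:0x1000 on every host, while the commit message reports the failure only on Huawei hisi platforms during a two-thousand-iteration reboot test. The comment above the entry could name the platform and the symptom so that the added delay for all other users has a recorded justification.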
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 251/286] usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 250/286] usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 252/286] USB: VLI disk crashes if LPM is used Greg Kroah-Hartman
` (39 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Miao Li, Lei Huang
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miao Li <limiao@kylinos.cn>
commit 37ffdbd695c02189dbf23d6e7d2385e0299587ca upstream.
The SanDisk 3.2Gen1 Flash Drive, whose VID:PID is 0781:55a3,
just like the Silicon Motion Flash Drive:
https://lore.kernel.org/r/20250401023027.44894-1-limiao870622@163.com
also needs the DELAY_INIT quirk, or it will randomly work incorrectly
(e.g. lsusb can't list this device's info) when connected to Huawei
hisi platforms during thousands of reboot test cycles.
Cc: stable <stable@kernel.org>
Signed-off-by: Miao Li <limiao@kylinos.cn>
Signed-off-by: Lei Huang <huanglei@kylinos.cn>
Link: https://lore.kernel.org/r/20250414062935.159024-1-limiao870622@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -366,6 +366,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x0781, 0x5583), .driver_info = USB_QUIRK_NO_LPM },
{ USB_DEVICE(0x0781, 0x5591), .driver_info = USB_QUIRK_NO_LPM },
+ /* SanDisk Corp. SanDisk 3.2Gen1 */
+ { USB_DEVICE(0x0781, 0x55a3), .driver_info = USB_QUIRK_DELAY_INIT },
+
/* Realforce 87U Keyboard */
{ USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM },
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 252/286] USB: VLI disk crashes if LPM is used
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 251/286] usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 " Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 253/286] MIPS: cm: Detect CM quirks from device tree Greg Kroah-Hartman
` (38 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit e00b39a4f3552c730f1e24c8d62c4a8c6aad4e5d upstream.
This device needs the NO_LPM quirk.
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20250408135800.792515-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -540,6 +540,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x2040, 0x7200), .driver_info =
USB_QUIRK_CONFIG_INTF_STRINGS },
+ /* VLI disk */
+ { USB_DEVICE(0x2109, 0x0711), .driver_info = USB_QUIRK_NO_LPM },
+
/* Raydium Touchscreen */
{ USB_DEVICE(0x2386, 0x3114), .driver_info = USB_QUIRK_NO_LPM },
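Review bot: the comment /* VLI disk */ and the one-line commit message do not say which product 0x2109:0x0711 is or what the crash with LPM looks like. A more specific product name in the comment, and a sentence on the failure in the changelog, would let someone judge later whether the NO_LPM quirk is still needed.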
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 253/286] MIPS: cm: Detect CM quirks from device tree
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 252/286] USB: VLI disk crashes if LPM is used Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 254/286] crypto: null - Use spin lock instead of mutex Greg Kroah-Hartman
` (37 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gregory CLEMENT, Thomas Bogendoerfer,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gregory CLEMENT <gregory.clement@bootlin.com>
[ Upstream commit e27fbe16af5cfc40639de4ced67d1a866a1953e9 ]
Some information that should be retrieved at runtime for the Coherence
Manager can be either absent or wrong. This patch allows checking if
some of this information is available from the device tree and updates
the internal variable accordingly.
For now, only the compatible string associated with the broken HCI is
being retrieved.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/include/asm/mips-cm.h | 22 ++++++++++++++++++++++
arch/mips/kernel/mips-cm.c | 14 ++++++++++++++
2 files changed, 36 insertions(+)
diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h
index 696b40beb774f..0f31324998c0a 100644
--- a/arch/mips/include/asm/mips-cm.h
+++ b/arch/mips/include/asm/mips-cm.h
@@ -47,6 +47,16 @@ extern phys_addr_t __mips_cm_phys_base(void);
*/
extern int mips_cm_is64;
+/*
+ * mips_cm_is_l2_hci_broken - determine if HCI is broken
+ *
+ * Some CM reports show that Hardware Cache Initialization is
+ * complete, but in reality it's not the case. They also incorrectly
+ * indicate that Hardware Cache Initialization is supported. This
+ * flags allows warning about this broken feature.
+ */
+extern bool mips_cm_is_l2_hci_broken;
+
/**
* mips_cm_error_report - Report CM cache errors
*/
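Review bot: typo in the new comment above mips_cm_is_l2_hci_broken, "This flags allows" should read "This flag allows".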
@@ -85,6 +95,18 @@ static inline bool mips_cm_present(void)
#endif
}
+/**
+ * mips_cm_update_property - update property from the device tree
+ *
+ * Retrieve the properties from the device tree if a CM node exist and
+ * update the internal variable based on this.
+ */
+#ifdef CONFIG_MIPS_CM
+extern void mips_cm_update_property(void);
+#else
+static void mips_cm_update_property(void) {}
+#endif
+
/**
* mips_cm_has_l2sync - determine whether an L2-only sync region is present
*
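Review bot: the !CONFIG_MIPS_CM stub is declared as static void mips_cm_update_property(void) {} without inline, so every file that includes this header without calling it will get an unused-function warning; make it static inline. The kernel-doc text also says "if a CM node exist", which should be "exists".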
diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c
index 72c8374a39002..a0d9cde26dc5b 100644
--- a/arch/mips/kernel/mips-cm.c
+++ b/arch/mips/kernel/mips-cm.c
@@ -5,6 +5,7 @@
*/
#include <linux/errno.h>
+#include <linux/of.h>
#include <linux/percpu.h>
#include <linux/spinlock.h>
@@ -14,6 +15,7 @@
void __iomem *mips_gcr_base;
void __iomem *mips_cm_l2sync_base;
int mips_cm_is64;
+bool mips_cm_is_l2_hci_broken;
static char *cm2_tr[8] = {
"mem", "gcr", "gic", "mmio",
@@ -238,6 +240,18 @@ static void mips_cm_probe_l2sync(void)
mips_cm_l2sync_base = ioremap(addr, MIPS_CM_L2SYNC_SIZE);
}
+void mips_cm_update_property(void)
+{
+ struct device_node *cm_node;
+
+ cm_node = of_find_compatible_node(of_root, NULL, "mobileye,eyeq6-cm");
+ if (!cm_node)
+ return;
+ pr_info("HCI (Hardware Cache Init for the L2 cache) in GCR_L2_RAM_CONFIG from the CM3 is broken");
+ mips_cm_is_l2_hci_broken = true;
+ of_node_put(cm_node);
+}
+
int mips_cm_probe(void)
{
phys_addr_t addr;
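Review bot: the pr_info() string in mips_cm_update_property() has no trailing \n, and since the message reports broken hardware, pr_warn() may be the better level. Also, mips_cm_is_l2_hci_broken is set here but nothing in this patch reads it or calls mips_cm_update_property(), so the change has no effect unless a companion patch is applied with it.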
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 254/286] crypto: null - Use spin lock instead of mutex
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 253/286] MIPS: cm: Detect CM quirks from device tree Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 255/286] clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() Greg Kroah-Hartman
` (36 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b3e02953598f447d4d2a,
Herbert Xu, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit dcc47a028c24e793ce6d6efebfef1a1e92f80297 ]
As the null algorithm may be freed in softirq context through
af_alg, use spin locks instead of mutexes to protect the default
null algorithm.
Reported-by: syzbot+b3e02953598f447d4d2a@syzkaller.appspotmail.com
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/crypto_null.c | 39 ++++++++++++++++++++++++++-------------
1 file changed, 26 insertions(+), 13 deletions(-)
diff --git a/crypto/crypto_null.c b/crypto/crypto_null.c
index 5b84b0f7cc178..3378670286535 100644
--- a/crypto/crypto_null.c
+++ b/crypto/crypto_null.c
@@ -17,10 +17,10 @@
#include <crypto/internal/skcipher.h>
#include <linux/init.h>
#include <linux/module.h>
-#include <linux/mm.h>
+#include <linux/spinlock.h>
#include <linux/string.h>
-static DEFINE_MUTEX(crypto_default_null_skcipher_lock);
+static DEFINE_SPINLOCK(crypto_default_null_skcipher_lock);
static struct crypto_sync_skcipher *crypto_default_null_skcipher;
static int crypto_default_null_skcipher_refcnt;
@@ -152,23 +152,32 @@ MODULE_ALIAS_CRYPTO("cipher_null");
struct crypto_sync_skcipher *crypto_get_default_null_skcipher(void)
{
+ struct crypto_sync_skcipher *ntfm = NULL;
struct crypto_sync_skcipher *tfm;
- mutex_lock(&crypto_default_null_skcipher_lock);
+ spin_lock_bh(&crypto_default_null_skcipher_lock);
tfm = crypto_default_null_skcipher;
if (!tfm) {
- tfm = crypto_alloc_sync_skcipher("ecb(cipher_null)", 0, 0);
- if (IS_ERR(tfm))
- goto unlock;
-
- crypto_default_null_skcipher = tfm;
+ spin_unlock_bh(&crypto_default_null_skcipher_lock);
+
+ ntfm = crypto_alloc_sync_skcipher("ecb(cipher_null)", 0, 0);
+ if (IS_ERR(ntfm))
+ return ntfm;
+
+ spin_lock_bh(&crypto_default_null_skcipher_lock);
+ tfm = crypto_default_null_skcipher;
+ if (!tfm) {
+ tfm = ntfm;
+ ntfm = NULL;
+ crypto_default_null_skcipher = tfm;
+ }
}
crypto_default_null_skcipher_refcnt++;
+ spin_unlock_bh(&crypto_default_null_skcipher_lock);
-unlock:
- mutex_unlock(&crypto_default_null_skcipher_lock);
+ crypto_free_sync_skcipher(ntfm);
return tfm;
}
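Review bot: crypto_get_default_null_skcipher() now drops the spinlock to allocate and re-checks crypto_default_null_skcipher after retaking it, but no comment explains that the second if (!tfm) handles a concurrent caller that installed its own tfm first. The trailing crypto_free_sync_skcipher(ntfm) is also called with NULL on the common path, so it relies on that function tolerating NULL; a comment or an if (ntfm) would make that explicit.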
@@ -176,12 +185,16 @@ EXPORT_SYMBOL_GPL(crypto_get_default_null_skcipher);
void crypto_put_default_null_skcipher(void)
{
- mutex_lock(&crypto_default_null_skcipher_lock);
+ struct crypto_sync_skcipher *tfm = NULL;
+
+ spin_lock_bh(&crypto_default_null_skcipher_lock);
if (!--crypto_default_null_skcipher_refcnt) {
- crypto_free_sync_skcipher(crypto_default_null_skcipher);
+ tfm = crypto_default_null_skcipher;
crypto_default_null_skcipher = NULL;
}
- mutex_unlock(&crypto_default_null_skcipher_lock);
+ spin_unlock_bh(&crypto_default_null_skcipher_lock);
+
+ crypto_free_sync_skcipher(tfm);
}
EXPORT_SYMBOL_GPL(crypto_put_default_null_skcipher);
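Review bot: in crypto_put_default_null_skcipher() the test !--crypto_default_null_skcipher_refcnt has no guard against an unbalanced put, which would take the count negative and leave the tfm allocated. Since the function body is being rewritten here anyway, a WARN_ON for a zero count before the decrement would be cheap. Moving the free outside the lock matches the commit message's point about softirq context.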
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 255/286] clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 254/286] crypto: null - Use spin lock instead of mutex Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 256/286] parisc: PDT: Fix missing prototype warning Greg Kroah-Hartman
` (35 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Reichel,
Cristian Ciocaltea, Heiko Stuebner, Stephen Boyd, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Stuebner <heiko@sntech.de>
[ Upstream commit b20150d499b3ee5c2d632fbc5ac94f98dd33accf ]
of_clk_get_hw_from_clkspec() checks all available clock-providers by
comparing their of nodes to the one from the clkspec. If no matching
clock provider is found, the function returns -EPROBE_DEFER to cause a
re-check at a later date. If a matching clock provider is found, an
authoritative answer can be retrieved from it whether the clock exists
or not.
This does not take into account that the clock-provider may never
appear, because its node is disabled. This can happen when a clock is
optional, provided by a separate block which never gets enabled.
One example of this happening is the rk3588's VOP, which has optional
additional display clocks coming from PLLs inside the hdmiphy blocks.
These can be used for better rates, but the system will also work
without them.
The problem around that is described in the followups to [1]. As we
already know the of node of the presumed clock provider, add a check via
of_device_is_available() whether this is a "valid" device node. This
prevents eternal defer loops.
Link: https://lore.kernel.org/dri-devel/20250215-vop2-hdmi1-disp-modes-v1-3-81962a7151d6@collabora.com/ [1]
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Tested-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://lore.kernel.org/r/20250222223733.2990179-1-heiko@sntech.de
[sboyd@kernel.org: Reword commit text a bit]
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/clk.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
index 7dc3b0cca252a..950dfa059a209 100644
--- a/drivers/clk/clk.c
+++ b/drivers/clk/clk.c
@@ -4858,6 +4858,10 @@ of_clk_get_hw_from_clkspec(struct of_phandle_args *clkspec)
if (!clkspec)
return ERR_PTR(-EINVAL);
+ /* Check if node in clkspec is in disabled/fail state */
+ if (!of_device_is_available(clkspec->np))
+ return ERR_PTR(-ENOENT);
+
mutex_lock(&of_clk_mutex);
list_for_each_entry(provider, &of_clk_providers, link) {
if (provider->node == clkspec->np) {
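Review bot: the new early return in of_clk_get_hw_from_clkspec() uses -ENOENT, which consumers of optional clocks will read as "the clock does not exist", so a disabled provider node can no longer be told apart from a missing clock. If that is the intent, state it in the function's comment rather than only in the inline `/* Check if node in clkspec is in disabled/fail state */`. The check also sits before the provider list walk and outside of_clk_mutex, so a provider that has already registered for a node marked disabled is rejected as well; please confirm that is acceptable.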
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 256/286] parisc: PDT: Fix missing prototype warning
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 255/286] clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 257/286] usb: host: max3421-hcd: Add missing spi_device_id table Greg Kroah-Hartman
` (34 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Yu-Chun Lin,
Helge Deller, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu-Chun Lin <eleanor15x@gmail.com>
[ Upstream commit b899981750dcb958ceffa4462d903963ee494aa2 ]
As reported by the kernel test robot, the following error occurs:
arch/parisc/kernel/pdt.c:65:6: warning: no previous prototype for 'arch_report_meminfo' [-Wmissing-prototypes]
65 | void arch_report_meminfo(struct seq_file *m)
| ^~~~~~~~~~~~~~~~~~~
arch_report_meminfo() is declared in include/linux/proc_fs.h and only
defined when CONFIG_PROC_FS is enabled. Wrap its definition in #ifdef
CONFIG_PROC_FS to fix the -Wmissing-prototypes warning.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202502082315.IPaHaTyM-lkp@intel.com/
Signed-off-by: Yu-Chun Lin <eleanor15x@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/parisc/kernel/pdt.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/parisc/kernel/pdt.c b/arch/parisc/kernel/pdt.c
index fcc761b0e11b9..d20e8283c5b8a 100644
--- a/arch/parisc/kernel/pdt.c
+++ b/arch/parisc/kernel/pdt.c
@@ -62,6 +62,7 @@ static unsigned long pdt_entry[MAX_PDT_ENTRIES] __page_aligned_bss;
#define PDT_ADDR_PERM_ERR (pdt_type != PDT_PDC ? 2UL : 0UL)
#define PDT_ADDR_SINGLE_ERR 1UL
+#ifdef CONFIG_PROC_FS
/* report PDT entries via /proc/meminfo */
void arch_report_meminfo(struct seq_file *m)
{
@@ -73,6 +74,7 @@ void arch_report_meminfo(struct seq_file *m)
seq_printf(m, "PDT_cur_entries: %7lu\n",
pdt_status.pdt_entries);
}
+#endif
static int get_info_pat_new(void)
{
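Review bot: the closing `#endif` added after arch_report_meminfo() is bare. Write it as `#endif /* CONFIG_PROC_FS */` so the pairing with the `#ifdef CONFIG_PROC_FS` from the previous hunk stays obvious if the guarded block grows.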
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 257/286] usb: host: max3421-hcd: Add missing spi_device_id table
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 256/286] parisc: PDT: Fix missing prototype warning Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 258/286] dmaengine: dmatest: Fix dmatest waiting less when interrupted Greg Kroah-Hartman
` (33 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Stein, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@mailbox.org>
[ Upstream commit 41d5e3806cf589f658f92c75195095df0b66f66a ]
"maxim,max3421" DT compatible is missing its SPI device ID entry, not
allowing module autoloading and leading to the following message:
"SPI driver max3421-hcd has no spi_device_id for maxim,max3421"
Fix this by adding the spi_device_id table.
Signed-off-by: Alexander Stein <alexander.stein@mailbox.org>
Link: https://lore.kernel.org/r/20250128195114.56321-1-alexander.stein@mailbox.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/max3421-hcd.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/usb/host/max3421-hcd.c b/drivers/usb/host/max3421-hcd.c
index 44a35629d68c6..db1b73486e90b 100644
--- a/drivers/usb/host/max3421-hcd.c
+++ b/drivers/usb/host/max3421-hcd.c
@@ -1956,6 +1956,12 @@ max3421_remove(struct spi_device *spi)
return 0;
}
+static const struct spi_device_id max3421_spi_ids[] = {
+ { "max3421" },
+ { },
+};
+MODULE_DEVICE_TABLE(spi, max3421_spi_ids);
+
static const struct of_device_id max3421_of_match_table[] = {
{ .compatible = "maxim,max3421", },
{},
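Review bot: the terminator in max3421_spi_ids is written `{ },` while the of_device_id table directly below uses `{},`; pick one form, preferably without the trailing comma so nothing can be appended after the sentinel. A short comment that "max3421" has to stay in sync with the part of the "maxim,max3421" compatible after the vendor prefix would also help, since that string is what the autoload match depends on.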
@@ -1965,6 +1971,7 @@ MODULE_DEVICE_TABLE(of, max3421_of_match_table);
static struct spi_driver max3421_driver = {
.probe = max3421_probe,
.remove = max3421_remove,
+ .id_table = max3421_spi_ids,
.driver = {
.name = "max3421-hcd",
.of_match_table = of_match_ptr(max3421_of_match_table),
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 258/286] dmaengine: dmatest: Fix dmatest waiting less when interrupted
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 257/286] usb: host: max3421-hcd: Add missing spi_device_id table Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 259/286] usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() Greg Kroah-Hartman
` (32 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Vinicius Costa Gomes, Dave Jiang, Vinod Koul, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit e87ca16e99118ab4e130a41bdf12abbf6a87656c ]
Change the "wait for operation finish" logic to take interrupts into
account.
When using dmatest with idxd DMA engine, it's possible that during
longer tests, the interrupt notifying the finish of an operation
happens during wait_event_freezable_timeout(), which causes dmatest to
clean up all the resources, some of which might still be in use.
This fix ensures that the wait logic correctly handles interrupts,
preventing premature cleanup of resources.
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202502171134.8c403348-lkp@intel.com
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20250305230007.590178-1-vinicius.gomes@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/dmatest.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
index a3a172173e345..915724fd7ea6f 100644
--- a/drivers/dma/dmatest.c
+++ b/drivers/dma/dmatest.c
@@ -825,9 +825,9 @@ static int dmatest_func(void *data)
} else {
dma_async_issue_pending(chan);
- wait_event_freezable_timeout(thread->done_wait,
- done->done,
- msecs_to_jiffies(params->timeout));
+ wait_event_timeout(thread->done_wait,
+ done->done,
+ msecs_to_jiffies(params->timeout));
status = dma_async_is_tx_complete(chan, cookie, NULL,
NULL);
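Review bot: the return value of wait_event_timeout() is discarded in dmatest_func(), so a timeout is only detected indirectly through done->done and the dma_async_is_tx_complete() call that follows; consider capturing it so the timeout path is explicit. Dropping the freezable variant also means the thread no longer freezes during this wait, which deserves a comment at the call site explaining that the wait must not return early while the transfer may still be using the buffers.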
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 259/286] usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 258/286] dmaengine: dmatest: Fix dmatest waiting less when interrupted Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 260/286] objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler() Greg Kroah-Hartman
` (31 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
[ Upstream commit 8c75f3e6a433d92084ad4e78b029ae680865420f ]
The variable d->name, returned by devm_kasprintf(), could be NULL.
A pointer check is added to prevent potential NULL pointer dereference.
This is similar to the fix in commit 3027e7b15b02
("ice: Fix some null pointer dereference issues in ice_ptp.c").
This issue is found by our static analysis tool.
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Link: https://lore.kernel.org/r/20250311012705.1233829-1-chenyuan0y@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/gadget/udc/aspeed-vhub/dev.c b/drivers/usb/gadget/udc/aspeed-vhub/dev.c
index d268306a7bfee..92755a2fe4ff7 100644
--- a/drivers/usb/gadget/udc/aspeed-vhub/dev.c
+++ b/drivers/usb/gadget/udc/aspeed-vhub/dev.c
@@ -543,6 +543,9 @@ int ast_vhub_init_dev(struct ast_vhub *vhub, unsigned int idx)
d->vhub = vhub;
d->index = idx;
d->name = devm_kasprintf(parent, GFP_KERNEL, "port%d", idx+1);
+ if (!d->name)
+ return -ENOMEM;
+
d->regs = vhub->regs + 0x100 + 0x10 * idx;
ast_vhub_init_ep0(vhub, &d->ep0, d);
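Review bot: the new `return -ENOMEM` leaves ast_vhub_init_dev() after d->vhub and d->index are set but before d->regs and ep0 are initialised, so the device slot is half set up on this path; a short comment that nothing needs unwinding because the name is a devm allocation would save the next reader the check. Minor, on the line above the new test: idx is unsigned int but is formatted with %d.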
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 260/286] objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 259/286] usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 261/286] qibfs: fix _another_ leak Greg Kroah-Hartman
` (30 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Josh Poimboeuf,
Ingo Molnar, Mark Brown, Srinivas Kandagatla, Liam Girdwood,
Jaroslav Kysela, Takashi Iwai, Linus Torvalds, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 060aed9c0093b341480770457093449771cf1496 ]
If 'port_id' is negative, the shift counts in wcd934x_slim_irq_handler()
also become negative, resulting in undefined behavior due to shift out
of bounds.
If I'm reading the code correctly, that appears to be not possible, but
with KCOV enabled, Clang's range analysis isn't always able to determine
that and generates undefined behavior.
As a result the code generation isn't optimal, and undefined behavior
should be avoided regardless. Improve code generation and remove the
undefined behavior by converting the signed variables to unsigned.
Fixes the following warning with UBSAN:
sound/soc/codecs/snd-soc-wcd934x.o: warning: objtool: .text.wcd934x_slim_irq_handler: unexpected end of section
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Mark Brown <broonie@kernel.org>
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/7e863839ec7301bf9c0f429a03873d44e484c31c.1742852847.git.jpoimboe@kernel.org
Closes: https://lore.kernel.org/oe-kbuild-all/202503180044.oH9gyPeg-lkp@intel.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/wcd934x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c
index 104751ac6cd14..8580f5e95ccf6 100644
--- a/sound/soc/codecs/wcd934x.c
+++ b/sound/soc/codecs/wcd934x.c
@@ -2188,7 +2188,7 @@ static irqreturn_t wcd934x_slim_irq_handler(int irq, void *data)
{
struct wcd934x_codec *wcd = data;
unsigned long status = 0;
- int i, j, port_id;
+ unsigned int i, j, port_id;
unsigned int val, int_val = 0;
irqreturn_t ret = IRQ_NONE;
bool tx;
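Review bot: i, j and port_id become unsigned on a line sitting directly above `unsigned int val, int_val = 0;`, so the two declarations can be merged. Because only the declaration changes, the rest of wcd934x_slim_irq_handler() should be checked for any `< 0` test, negative sentinel or %d format on these three variables, which would now be always false or mismatched.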
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 261/286] qibfs: fix _another_ leak
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 260/286] objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler() Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 262/286] ntb: reduce stack usage in idt_scan_mws Greg Kroah-Hartman
` (29 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit bdb43af4fdb39f844ede401bdb1258f67a580a27 ]
failure to allocate inode => leaked dentry...
this one had been there since the initial merge; to be fair,
if we are that far OOM, the odds of failing at that particular
allocation are low...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/qib/qib_fs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/infiniband/hw/qib/qib_fs.c b/drivers/infiniband/hw/qib/qib_fs.c
index e336d778e076e..5ec67e3c2d03c 100644
--- a/drivers/infiniband/hw/qib/qib_fs.c
+++ b/drivers/infiniband/hw/qib/qib_fs.c
@@ -56,6 +56,7 @@ static int qibfs_mknod(struct inode *dir, struct dentry *dentry,
struct inode *inode = new_inode(dir->i_sb);
if (!inode) {
+ dput(dentry);
error = -EPERM;
goto bail;
}
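Review bot: the branch that gains dput(dentry) still sets `error = -EPERM` for a failed new_inode(), which is an allocation failure; -ENOMEM would describe it accurately. With the dput() in place, qibfs_mknod() drops the dentry reference itself on this path, so it is worth a comment saying so and a check that no caller drops it a second time.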
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 262/286] ntb: reduce stack usage in idt_scan_mws
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 261/286] qibfs: fix _another_ leak Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 263/286] sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP Greg Kroah-Hartman
` (28 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Arnd Bergmann,
Dave Jiang, Damien Le Moal, Jon Mason, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit aff12700b8dd7422bfe2277696e192af4df9de8f ]
idt_scan_mws() puts a large fixed-size array on the stack and copies
it into a smaller dynamically allocated array at the end. On 32-bit
targets, the fixed size can easily exceed the warning limit for
possible stack overflow:
drivers/ntb/hw/idt/ntb_hw_idt.c:1041:27: error: stack frame size (1032) exceeds limit (1024) in 'idt_scan_mws' [-Werror,-Wframe-larger-than]
Change it to instead just always use dynamic allocation for the
array from the start. It's too big for the stack, but not actually
all that much for a permanent allocation.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/all/202205111109.PiKTruEj-lkp@intel.com/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ntb/hw/idt/ntb_hw_idt.c | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c
index 99711dd0b6e8e..d39fc55f8b0cc 100644
--- a/drivers/ntb/hw/idt/ntb_hw_idt.c
+++ b/drivers/ntb/hw/idt/ntb_hw_idt.c
@@ -1041,7 +1041,7 @@ static inline char *idt_get_mw_name(enum idt_mw_type mw_type)
static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port,
unsigned char *mw_cnt)
{
- struct idt_mw_cfg mws[IDT_MAX_NR_MWS], *ret_mws;
+ struct idt_mw_cfg *mws;
const struct idt_ntb_bar *bars;
enum idt_mw_type mw_type;
unsigned char widx, bidx, en_cnt;
@@ -1049,6 +1049,11 @@ static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port,
int aprt_size;
u32 data;
+ mws = devm_kcalloc(&ndev->ntb.pdev->dev, IDT_MAX_NR_MWS,
+ sizeof(*mws), GFP_KERNEL);
+ if (!mws)
+ return ERR_PTR(-ENOMEM);
+
/* Retrieve the array of the BARs registers */
bars = portdata_tbl[port].bars;
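Review bot: the devm_kcalloc() added at the top of idt_scan_mws() is sized for IDT_MAX_NR_MWS rather than the detected *mw_cnt, and it has no comment, while the old "Allocate memory for memory window descriptors" comment is removed later in the patch. Add a short comment saying the array is deliberately sized for the maximum, and note that as a devm allocation it stays held until the device is released even if a later step in this function fails.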
@@ -1103,16 +1108,7 @@ static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port,
}
}
- /* Allocate memory for memory window descriptors */
- ret_mws = devm_kcalloc(&ndev->ntb.pdev->dev, *mw_cnt, sizeof(*ret_mws),
- GFP_KERNEL);
- if (!ret_mws)
- return ERR_PTR(-ENOMEM);
-
- /* Copy the info of detected memory windows */
- memcpy(ret_mws, mws, (*mw_cnt)*sizeof(*ret_mws));
-
- return ret_mws;
+ return mws;
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 263/286] sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 262/286] ntb: reduce stack usage in idt_scan_mws Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 264/286] KVM: s390: Dont use %pK through tracepoints Greg Kroah-Hartman
` (27 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Oleg Nesterov,
Ingo Molnar, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit 975776841e689dd8ba36df9fa72ac3eca3c2957a ]
kernel/sched/isolation.c obviously makes no sense without CONFIG_SMP, but
the Kconfig entry we have right now:
config CPU_ISOLATION
bool "CPU isolation"
depends on SMP || COMPILE_TEST
allows the creation of pointless .config's which cause
build failures.
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20250330134955.GA7910@redhat.com
Closes: https://lore.kernel.org/oe-kbuild-all/202503260646.lrUqD3j5-lkp@intel.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
init/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init/Kconfig b/init/Kconfig
index 4e7775279356d..233166e54df35 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -656,7 +656,7 @@ endmenu # "CPU/Task time and stats accounting"
config CPU_ISOLATION
bool "CPU isolation"
- depends on SMP || COMPILE_TEST
+ depends on SMP
default y
help
Make sure that CPUs running critical tasks are not disturbed by
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 264/286] KVM: s390: Dont use %pK through tracepoints
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 263/286] sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 265/286] udmabuf: fix a buf size overflow issue during udmabuf creation Greg Kroah-Hartman
` (26 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Michael Mueller, Janosch Frank, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
[ Upstream commit 6c9567e0850be2f0f94ab64fa6512413fd1a1eb1 ]
Restricted pointers ("%pK") are not meant to be used through TP_format().
It can unintentionally expose security sensitive, raw pointer values.
Use regular pointer formatting instead.
Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Michael Mueller <mimu@linux.ibm.com>
Link: https://lore.kernel.org/r/20250217-restricted-pointers-s390-v1-1-0e4ace75d8aa@linutronix.de
Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
Message-ID: <20250217-restricted-pointers-s390-v1-1-0e4ace75d8aa@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kvm/trace-s390.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/s390/kvm/trace-s390.h b/arch/s390/kvm/trace-s390.h
index 6f0209d45164f..9c5f546a2e1a3 100644
--- a/arch/s390/kvm/trace-s390.h
+++ b/arch/s390/kvm/trace-s390.h
@@ -56,7 +56,7 @@ TRACE_EVENT(kvm_s390_create_vcpu,
__entry->sie_block = sie_block;
),
- TP_printk("create cpu %d at 0x%pK, sie block at 0x%pK",
+ TP_printk("create cpu %d at 0x%p, sie block at 0x%p",
__entry->id, __entry->vcpu, __entry->sie_block)
);
@@ -255,7 +255,7 @@ TRACE_EVENT(kvm_s390_enable_css,
__entry->kvm = kvm;
),
- TP_printk("enabling channel I/O support (kvm @ %pK)\n",
+ TP_printk("enabling channel I/O support (kvm @ %p)\n",
__entry->kvm)
);
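Review bot: the TP_printk() format for kvm_s390_enable_css still ends in "\n" ("enabling channel I/O support (kvm @ %p)\n"). Trace event formats should not carry their own newline because the trace output appends one; since this line is being touched anyway, remove it here.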
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 265/286] udmabuf: fix a buf size overflow issue during udmabuf creation
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 264/286] KVM: s390: Dont use %pK through tracepoints Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 266/286] selftests: ublk: fix test_stripe_04 Greg Kroah-Hartman
` (25 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaogang Chen, Christian König,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaogang Chen <xiaogang.chen@amd.com>
[ Upstream commit 021ba7f1babd029e714d13a6bf2571b08af96d0f ]
by casting size_limit_mb to u64 when calculating pglimit.
Signed-off-by: Xiaogang Chen<Xiaogang.Chen@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250321164126.329638-1-xiaogang.chen@amd.com
Signed-off-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma-buf/udmabuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
index 14b79458ac7f4..597a92438afc1 100644
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -177,7 +177,7 @@ static long udmabuf_create(struct miscdevice *device,
if (!ubuf)
return -ENOMEM;
- pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
+ pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
for (i = 0; i < head->count; i++) {
if (!IS_ALIGNED(list[i].offset, PAGE_SIZE))
goto err;
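Review bot: the (u64) cast in udmabuf_create() widens the multiplication, but the declarations of pglimit and size_limit_mb are outside this hunk, so two things need confirming: that pglimit is wide enough on 32-bit builds to hold the shifted result without truncation, and that size_limit_mb cannot be negative, because a negative signed value cast to u64 turns into a very large limit instead of a small one. Using `(u64)size_limit_mb * SZ_1M` would also read more clearly than `* 1024 * 1024`.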
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 266/286] selftests: ublk: fix test_stripe_04
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 265/286] udmabuf: fix a buf size overflow issue during udmabuf creation Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 267/286] nvme: requeue namespace scan on missed AENs Greg Kroah-Hartman
` (24 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uday Shankar, Ming Lei, Jens Axboe,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit 72070e57b0a518ec8e562a2b68fdfc796ef5c040 ]
Commit 57ed58c13256 ("selftests: ublk: enable zero copy for stripe target")
added test entry of test_stripe_04, but forgot to add the test script.
So fix the test by adding the script file.
Reported-by: Uday Shankar <ushankar@purestorage.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Uday Shankar <ushankar@purestorage.com>
Link: https://lore.kernel.org/r/20250404001849.1443064-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../testing/selftests/ublk/test_stripe_04.sh | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100755 tools/testing/selftests/ublk/test_stripe_04.sh
diff --git a/tools/testing/selftests/ublk/test_stripe_04.sh b/tools/testing/selftests/ublk/test_stripe_04.sh
new file mode 100755
index 0000000000000..1f2b642381d17
--- /dev/null
+++ b/tools/testing/selftests/ublk/test_stripe_04.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+
+. "$(cd "$(dirname "$0")" && pwd)"/test_common.sh
+
+TID="stripe_04"
+ERR_CODE=0
+
+_prep_test "stripe" "mkfs & mount & umount on zero copy"
+
+backfile_0=$(_create_backfile 256M)
+backfile_1=$(_create_backfile 256M)
+dev_id=$(_add_ublk_dev -t stripe -z -q 2 "$backfile_0" "$backfile_1")
+_check_add_dev $TID $? "$backfile_0" "$backfile_1"
+
+_mkfs_mount_test /dev/ublkb"${dev_id}"
+ERR_CODE=$?
+
+_cleanup_test "stripe"
+
+_remove_backfile "$backfile_0"
+_remove_backfile "$backfile_1"
+
+_show_result $TID $ERR_CODE
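Review bot: the new script sources test_common.sh from its own directory and, per the commit text, exists only to back a test entry added by 57ed58c13256; for the 5.10 queue, please check that tools/testing/selftests/ublk/, test_common.sh and that entry are actually present in this tree, otherwise this adds a file nothing can run. In the script itself, `_check_add_dev $TID $? ...` and `_show_result $TID $ERR_CODE` pass unquoted expansions; quoting them matches how the backfile variables are handled a few lines above.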
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 267/286] nvme: requeue namespace scan on missed AENs
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 266/286] selftests: ublk: fix test_stripe_04 Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 268/286] ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls Greg Kroah-Hartman
` (23 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Keith Busch,
Christoph Hellwig, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hannes Reinecke <hare@kernel.org>
[ Upstream commit 9546ad1a9bda7362492114f5866b95b0ac4a100e ]
Scanning for namespaces can take some time, so if the target is
reconfigured while the scan is running we may miss an Attached Namespace
Attribute Changed AEN.
Check if the NVME_AER_NOTICE_NS_CHANGED bit is set once the scan has
finished, and requeue scanning to pick up any missed change.
Signed-off-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index e63d3ca11cc9a..94225ffd4643d 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -4266,6 +4266,10 @@ static void nvme_scan_work(struct work_struct *work)
if (nvme_scan_ns_list(ctrl) != 0)
nvme_scan_ns_sequential(ctrl);
mutex_unlock(&ctrl->scan_lock);
+
+ /* Requeue if we have missed AENs */
+ if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events))
+ nvme_queue_scan(ctrl);
}
/*
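Review bot: the added test_bit() in nvme_scan_work() only reads NVME_AER_NOTICE_NS_CHANGED and leaves it set, so the requeue terminates only if the next scan run clears the bit; say in the comment where that happens, otherwise this reads like a potential requeue loop. The test is also made after mutex_unlock(&ctrl->scan_lock), so it is worth stating that a racing AEN arriving between the unlock and the test is harmless.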
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 268/286] ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 267/286] nvme: requeue namespace scan on missed AENs Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 269/286] nvme: re-read ANA log page after ns scan completes Greg Kroah-Hartman
` (22 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Marc Eurin, Rafael J. Wysocki,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Marc Eurin <jmeurin@google.com>
[ Upstream commit 7ab4f0e37a0f4207e742a8de69be03984db6ebf0 ]
The end of table checks should be done with the structure size,
but 2 of the 3 similar calls use the pointer size.
Signed-off-by: Jean-Marc Eurin <jmeurin@google.com>
Link: https://patch.msgid.link/20250402001542.2600671-1-jmeurin@google.com
[ rjw: Subject edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/pptt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/pptt.c b/drivers/acpi/pptt.c
index 4ae93350b70de..38581001811b4 100644
--- a/drivers/acpi/pptt.c
+++ b/drivers/acpi/pptt.c
@@ -217,7 +217,7 @@ static int acpi_pptt_leaf_node(struct acpi_table_header *table_hdr,
node_entry = ACPI_PTR_DIFF(node, table_hdr);
entry = ACPI_ADD_PTR(struct acpi_subtable_header, table_hdr,
sizeof(struct acpi_table_pptt));
- proc_sz = sizeof(struct acpi_pptt_processor *);
+ proc_sz = sizeof(struct acpi_pptt_processor);
while ((unsigned long)entry + proc_sz < table_end) {
cpu_node = (struct acpi_pptt_processor *)entry;
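Review bot: the defect fixed in acpi_pptt_leaf_node() is `sizeof(struct acpi_pptt_processor *)`, a pointer size standing in for a structure size inside an end-of-table bound. Writing it as `sizeof(*cpu_node)` would tie the size to the object the loop actually dereferences and make this mistake hard to reintroduce.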
@@ -258,7 +258,7 @@ static struct acpi_pptt_processor *acpi_find_processor_node(struct acpi_table_he
table_end = (unsigned long)table_hdr + table_hdr->length;
entry = ACPI_ADD_PTR(struct acpi_subtable_header, table_hdr,
sizeof(struct acpi_table_pptt));
- proc_sz = sizeof(struct acpi_pptt_processor *);
+ proc_sz = sizeof(struct acpi_pptt_processor);
/* find the processor structure associated with this cpuid */
while ((unsigned long)entry + proc_sz < table_end) {
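Review bot: The same strict `<` bound applies to this loop in acpi_find_processor_node(), where the effect is a failed lookup rather than a wrong leaf decision: a matching processor node that sits flush against table_end would never be compared. The two sites now carry an identical `proc_sz = sizeof(struct acpi_pptt_processor);` and loop condition, so a small shared helper for the end-of-table test would keep them from drifting apart again, which is how two of the three calls ended up with the pointer size.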
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 269/286] nvme: re-read ANA log page after ns scan completes
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 268/286] ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 270/286] objtool: Stop UNRET validation on UD2 Greg Kroah-Hartman
` (21 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Keith Busch,
Christoph Hellwig, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hannes Reinecke <hare@kernel.org>
[ Upstream commit 62baf70c327444338c34703c71aa8cc8e4189bd6 ]
When scanning for new namespaces we might have missed an ANA AEN.
The NVMe base spec (NVMe Base Specification v2.1, Figure 151 'Asynchronous
Event Information - Notice': Asymmetric Namespace Access Change) states:
A controller shall not send this even if an Attached Namespace
Attribute Changed asynchronous event [...] is sent for the same event.
so we need to re-read the ANA log page after we rescanned the namespace
list to update the ANA states of the new namespaces.
Signed-off-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 94225ffd4643d..5f22f8e8dce7c 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -4270,6 +4270,11 @@ static void nvme_scan_work(struct work_struct *work)
/* Requeue if we have missed AENs */
if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events))
nvme_queue_scan(ctrl);
+#ifdef CONFIG_NVME_MULTIPATH
+ else
+ /* Re-read the ANA log page to not miss updates */
+ queue_work(nvme_wq, &ctrl->ana_work);
+#endif
}
/*
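Review bot: The `else` arm sits inside `#ifdef CONFIG_NVME_MULTIPATH` between an unbraced `if` and the function's closing brace, so the shape of the if/else statement changes with the config. Bracing both arms, or testing IS_ENABLED(CONFIG_NVME_MULTIPATH) in ordinary C if ana_work is declared unconditionally, would be harder to break in a later edit. The comment should also say why the ANA re-read is skipped when the scan is requeued, presumably because the requeued scan reaches this point again.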
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 270/286] objtool: Stop UNRET validation on UD2
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 269/286] nvme: re-read ANA log page after ns scan completes Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 271/286] selftests/mincore: Allow read-ahead pages to reach the end of the file Greg Kroah-Hartman
` (20 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josh Poimboeuf, Ingo Molnar,
Linus Torvalds, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 9f9cc012c2cbac4833746a0182e06a8eec940d19 ]
In preparation for simplifying INSN_SYSCALL, make validate_unret()
terminate control flow on UD2 just like validate_branch() already does.
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/ce841269e7e28c8b7f32064464a9821034d724ff.1744095216.git.jpoimboe@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/check.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index bcc9948645a00..20ccdd60353be 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -3249,6 +3249,9 @@ static int validate_entry(struct objtool_file *file, struct instruction *insn)
break;
}
+ if (insn->dead_end)
+ return 0;
+
if (!next) {
WARN_FUNC("teh end!", insn->sec, insn->offset);
return -1;
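Review bot: The commit message describes validate_unret(), but the hunk header shows the change landing in validate_entry(); the changelog should carry a short backport note saying whether validate_entry() is the 5.10 equivalent, so the mismatch is not mistaken for a misapplied patch. The new `if (insn->dead_end) return 0;` also keys on dead_end rather than on UD2 specifically, so a one-line comment stating that any dead-end instruction ends the walk here, as the message says validate_branch() already does, would document the intent.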
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 271/286] selftests/mincore: Allow read-ahead pages to reach the end of the file
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 270/286] objtool: Stop UNRET validation on UD2 Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 272/286] x86/bugs: Use SBPB in write_ibpb() if applicable Greg Kroah-Hartman
` (19 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yi Lai, Qiuxu Zhuo, Shuah Khan,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
[ Upstream commit 197c1eaa7ba633a482ed7588eea6fd4aa57e08d4 ]
When running the mincore_selftest on a system with an XFS file system, it
failed the "check_file_mmap" test case due to the read-ahead pages reaching
the end of the file. The failure log is as below:
RUN global.check_file_mmap ...
mincore_selftest.c:264:check_file_mmap:Expected i (1024) < vec_size (1024)
mincore_selftest.c:265:check_file_mmap:Read-ahead pages reached the end of the file
check_file_mmap: Test failed
FAIL global.check_file_mmap
This is because the read-ahead window size of the XFS file system on this
machine is 4 MB, which is larger than the size from the #PF address to the
end of the file. As a result, all the pages for this file are populated.
blockdev --getra /dev/nvme0n1p5
8192
blockdev --getbsz /dev/nvme0n1p5
512
This issue can be fixed by extending the current FILE_SIZE 4MB to a larger
number, but it will still fail if the read-ahead window size of the file
system is large enough. Additionally, in the real world, read-ahead pages
reaching the end of the file can happen and is an expected behavior.
Therefore, allowing read-ahead pages to reach the end of the file is a
better choice for the "check_file_mmap" test case.
Link: https://lore.kernel.org/r/20250311080940.21413-1-qiuxu.zhuo@intel.com
Reported-by: Yi Lai <yi1.lai@intel.com>
Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/mincore/mincore_selftest.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/tools/testing/selftests/mincore/mincore_selftest.c b/tools/testing/selftests/mincore/mincore_selftest.c
index 2cf6f2f277ab8..31820435825b1 100644
--- a/tools/testing/selftests/mincore/mincore_selftest.c
+++ b/tools/testing/selftests/mincore/mincore_selftest.c
@@ -262,9 +262,6 @@ TEST(check_file_mmap)
TH_LOG("No read-ahead pages found in memory");
}
- EXPECT_LT(i, vec_size) {
- TH_LOG("Read-ahead pages reached the end of the file");
- }
/*
* End of the readahead window. The rest of the pages shouldn't
* be in memory.
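Review bot: With the `EXPECT_LT(i, vec_size)` guard gone, `i` can equal vec_size when execution reaches the "End of the readahead window" block that follows, so that code must not read vec[i] before testing `i < vec_size`. The loop is outside this hunk; please confirm that its bound check comes first, otherwise the case the commit message calls expected turns into an out-of-bounds read of the mincore vector in the test.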
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 272/286] x86/bugs: Use SBPB in write_ibpb() if applicable
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 271/286] selftests/mincore: Allow read-ahead pages to reach the end of the file Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 273/286] x86/bugs: Dont fill RSB on VMEXIT with eIBRS+retpoline Greg Kroah-Hartman
` (18 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josh Poimboeuf, Ingo Molnar,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit fc9fd3f98423367c79e0bd85a9515df26dc1b3cc ]
write_ibpb() does IBPB, which (among other things) flushes branch type
predictions on AMD. If the CPU has SRSO_NO, or if the SRSO mitigation
has been disabled, branch type flushing isn't needed, in which case the
lighter-weight SBPB can be used.
The 'x86_pred_cmd' variable already keeps track of whether IBPB or SBPB
should be used. Use that instead of hardcoding IBPB.
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/17c5dcd14b29199b75199d67ff7758de9d9a4928.1744148254.git.jpoimboe@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/entry/entry.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S
index f4419afc7147d..bda217961172b 100644
--- a/arch/x86/entry/entry.S
+++ b/arch/x86/entry/entry.S
@@ -16,7 +16,7 @@
SYM_FUNC_START(entry_ibpb)
movl $MSR_IA32_PRED_CMD, %ecx
- movl $PRED_CMD_IBPB, %eax
+ movl _ASM_RIP(x86_pred_cmd), %eax
xorl %edx, %edx
wrmsr
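Review bot: After this change entry_ibpb no longer always issues IBPB: it writes whatever x86_pred_cmd holds, which the commit message says may be SBPB, yet the routine has no comment saying so and its name still promises IBPB. A line above `movl _ASM_RIP(x86_pred_cmd), %eax` explaining the selection would help. The commit message also speaks of write_ibpb() while the hunk edits entry_ibpb, so a backport note naming the 5.10 symbol would remove the doubt. The 32-bit load additionally assumes x86_pred_cmd is at least 32 bits wide and initialised before the first call.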
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 273/286] x86/bugs: Dont fill RSB on VMEXIT with eIBRS+retpoline
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 272/286] x86/bugs: Use SBPB in write_ibpb() if applicable Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 274/286] ext4: make block validity check resistent to sb bh corruption Greg Kroah-Hartman
` (17 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pawan Gupta, Josh Poimboeuf,
Ingo Molnar, Amit Shah, Nikolay Borisov, Paolo Bonzini,
Vitaly Kuznetsov, Sean Christopherson, David Woodhouse,
Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 18bae0dfec15b24ec14ca17dc18603372f5f254f ]
eIBRS protects against guest->host RSB underflow/poisoning attacks.
Adding retpoline to the mix doesn't change that. Retpoline has a
balanced CALL/RET anyway.
So the current full RSB filling on VMEXIT with eIBRS+retpoline is
overkill. Disable it or do the VMEXIT_LITE mitigation if needed.
Suggested-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Reviewed-by: Amit Shah <amit.shah@amd.com>
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Link: https://lore.kernel.org/r/84a1226e5c9e2698eae1b5ade861f1b8bf3677dc.1744148254.git.jpoimboe@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/bugs.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 725f827718a71..045ab6d0a98bb 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1543,20 +1543,20 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_
case SPECTRE_V2_NONE:
return;
- case SPECTRE_V2_EIBRS_LFENCE:
case SPECTRE_V2_EIBRS:
+ case SPECTRE_V2_EIBRS_LFENCE:
+ case SPECTRE_V2_EIBRS_RETPOLINE:
if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
+ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
}
return;
- case SPECTRE_V2_EIBRS_RETPOLINE:
case SPECTRE_V2_RETPOLINE:
case SPECTRE_V2_LFENCE:
case SPECTRE_V2_IBRS:
- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n");
+ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
return;
}
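Review bot: The functional change here is one line, moving `case SPECTRE_V2_EIBRS_RETPOLINE:` into the eIBRS group, but the hunk also reorders the other case labels and swaps the pr_info()/setup_force_cpu_cap() pairs, which makes the behavioural change harder to audit in a stable backport. Note too that on a CPU without X86_BUG_EIBRS_PBRSB the eIBRS+retpoline case now returns without setting a capability or logging anything; a pr_info() on that path would let an operator see from dmesg that RSB filling on VMEXIT was deliberately left off.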
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 274/286] ext4: make block validity check resistent to sb bh corruption
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 273/286] x86/bugs: Dont fill RSB on VMEXIT with eIBRS+retpoline Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 275/286] scsi: pm80xx: Set phy_attached to zero when device is gone Greg Kroah-Hartman
` (16 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Zhang Yi,
Ojaswin Mujoo, Theodore Tso, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
[ Upstream commit ccad447a3d331a239477c281533bacb585b54a98 ]
Block validity checks need to be skipped in case they are called
for journal blocks since they are part of system's protected
zone.
Currently, this is done by checking inode->ino against
sbi->s_es->s_journal_inum, which is a direct read from the ext4 sb
buffer head. If someone modifies this underneath us then the
s_journal_inum field might get corrupted. To prevent against this,
change the check to directly compare the inode with journal->j_inode.
**Slight change in behavior**: During journal init path,
check_block_validity etc might be called for journal inode when
sbi->s_journal is not set yet. In this case we now proceed with
ext4_inode_block_valid() instead of returning early. Since systems zones
have not been set yet, it is okay to proceed so we can perform basic
checks on the blocks.
Suggested-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/0c06bc9ebfcd6ccfed84a36e79147bf45ff5adc1.1743142920.git.ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/block_validity.c | 5 ++---
fs/ext4/inode.c | 7 ++++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c
index 295e89d93295e..5d5befac5622b 100644
--- a/fs/ext4/block_validity.c
+++ b/fs/ext4/block_validity.c
@@ -353,10 +353,9 @@ int ext4_check_blockref(const char *function, unsigned int line,
{
__le32 *bref = p;
unsigned int blk;
+ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
- if (ext4_has_feature_journal(inode->i_sb) &&
- (inode->i_ino ==
- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum)))
+ if (journal && inode == journal->j_inode)
return 0;
while (bref < p+max) {
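Review bot: The behaviour change for the journal-init window is described only in the commit message. When s_journal is still NULL, `if (journal && inode == journal->j_inode)` is false even for the journal inode, so the `while (bref < p+max)` loop now runs for it. A short comment at the check saying that this is intended, and that it relies on the system zones not being set up yet, would keep a later reader from changing it back to the s_journal_inum comparison.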
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 52d68edb6a09b..15d020279d3bd 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -409,10 +409,11 @@ static int __check_block_validity(struct inode *inode, const char *func,
unsigned int line,
struct ext4_map_blocks *map)
{
- if (ext4_has_feature_journal(inode->i_sb) &&
- (inode->i_ino ==
- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum)))
+ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
+
+ if (journal && inode == journal->j_inode)
return 0;
+
if (!ext4_inode_block_valid(inode, map->m_pblk, map->m_len)) {
ext4_error_inode(inode, func, line, map->m_pblk,
"lblock %lu mapped to illegal pblock %llu "
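Review bot: This is a second copy of the journal-inode test added in ext4_check_blockref(); a small helper taking the inode would keep the two in step. In this function the fall-through during journal init ends in ext4_error_inode() if ext4_inode_block_valid() rejects the mapping, so the commit message's argument that proceeding is safe before the system zones exist deserves a comment here as well.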
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 275/286] scsi: pm80xx: Set phy_attached to zero when device is gone
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 274/286] ext4: make block validity check resistent to sb bh corruption Greg Kroah-Hartman
@ 2025-04-29 16:42 ` Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 276/286] md/raid1: Add check for missing source disk in process_checks() Greg Kroah-Hartman
` (15 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Igor Pylypiv, Salomon Dushimirimana,
Martin K. Petersen, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Igor Pylypiv <ipylypiv@google.com>
[ Upstream commit f7b705c238d1483f0a766e2b20010f176e5c0fb7 ]
When a fatal error occurs, a phy down event may not be received to set
phy->phy_attached to zero.
Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
Signed-off-by: Salomon Dushimirimana <salomondush@google.com>
Link: https://lore.kernel.org/r/20250319230305.3172920-1-salomondush@google.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/pm8001/pm8001_sas.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
index a16ed0695f1ae..3244f30dffec2 100644
--- a/drivers/scsi/pm8001/pm8001_sas.c
+++ b/drivers/scsi/pm8001/pm8001_sas.c
@@ -892,6 +892,7 @@ static void pm8001_dev_gone_notify(struct domain_device *dev)
spin_lock_irqsave(&pm8001_ha->lock, flags);
}
PM8001_CHIP_DISP->dereg_dev_req(pm8001_ha, device_id);
+ pm8001_ha->phy[pm8001_dev->attached_phy].phy_attached = 0;
pm8001_free_dev(pm8001_dev);
} else {
pm8001_dbg(pm8001_ha, DISC, "Found dev has gone.\n");
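Review bot: `pm8001_dev->attached_phy` is used as an index into pm8001_ha->phy[] with no range check. If attached_phy can hold a value outside the array for some devices (for instance a sentinel for a device that is not directly attached to a local phy), the new store writes out of bounds while pm8001_ha->lock is held. Please bound it against the number of phys before the assignment, or state in a comment why it is always valid on this path.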
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 276/286] md/raid1: Add check for missing source disk in process_checks()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2025-04-29 16:42 ` [PATCH 5.10 275/286] scsi: pm80xx: Set phy_attached to zero when device is gone Greg Kroah-Hartman
@ 2025-04-29 16:43 ` Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 277/286] s390/virtio_ccw: Dont allocate/assign airqs for non-existing queues Greg Kroah-Hartman
` (14 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Meir Elisha, Yu Kuai, Sasha Levin
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Meir Elisha <meir.elisha@volumez.com>
[ Upstream commit b7c178d9e57c8fd4238ff77263b877f6f16182ba ]
During recovery/check operations, the process_checks function loops
through available disks to find a 'primary' source with successfully
read data.
If no suitable source disk is found after checking all possibilities,
the 'primary' index will reach conf->raid_disks * 2. Add an explicit
check for this condition after the loop. If no source disk was found,
print an error message and return early to prevent further processing
without a valid primary source.
Link: https://lore.kernel.org/linux-raid/20250408143808.1026534-1-meir.elisha@volumez.com
Signed-off-by: Meir Elisha <meir.elisha@volumez.com>
Suggested-and-reviewed-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/raid1.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index 3619db7e382a0..dada9b2258a61 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -2034,14 +2034,9 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
if (!rdev_set_badblocks(rdev, sect, s, 0))
abort = 1;
}
- if (abort) {
- conf->recovery_disabled =
- mddev->recovery_disabled;
- set_bit(MD_RECOVERY_INTR, &mddev->recovery);
- md_done_sync(mddev, r1_bio->sectors, 0);
- put_buf(r1_bio);
+ if (abort)
return 0;
- }
+
/* Try next page */
sectors -= s;
sect += s;
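Review bot: Dropping the cleanup from the `if (abort)` branch changes the contract of fix_sync_read_error(): a return of 0 now means the caller must set recovery_disabled and MD_RECOVERY_INTR, call md_done_sync() and put_buf(). The function carries no comment recording that, and any other `return 0` path in it that still does its own cleanup would now be cleaned up a second time by the caller. Please document the new contract at the function and check the remaining return paths.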
@@ -2181,10 +2176,21 @@ static void sync_request_write(struct mddev *mddev, struct r1bio *r1_bio)
int disks = conf->raid_disks * 2;
struct bio *wbio;
- if (!test_bit(R1BIO_Uptodate, &r1_bio->state))
- /* ouch - failed to read all of that. */
- if (!fix_sync_read_error(r1_bio))
+ if (!test_bit(R1BIO_Uptodate, &r1_bio->state)) {
+ /*
+ * ouch - failed to read all of that.
+ * No need to fix read error for check/repair
+ * because all member disks are read.
+ */
+ if (test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery) ||
+ !fix_sync_read_error(r1_bio)) {
+ conf->recovery_disabled = mddev->recovery_disabled;
+ set_bit(MD_RECOVERY_INTR, &mddev->recovery);
+ md_done_sync(mddev, r1_bio->sectors, 0);
+ put_buf(r1_bio);
return;
+ }
+ }
if (test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery))
process_checks(r1_bio);
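Review bot: The subject and commit message describe a new check in process_checks() for 'primary' reaching conf->raid_disks * 2, but neither hunk touches process_checks(); what this hunk does is skip fix_sync_read_error() when MD_RECOVERY_REQUESTED is set and abort the sync. Either the wrong diff is attached to this changelog or the changelog needs rewriting for the backport. Separately, the new comment says there is "No need to fix read error for check/repair", yet the code treats that case as fatal by setting MD_RECOVERY_INTR; the comment should explain why interrupting is the right response.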
--
2.39.5
^ permalink raw reply related [flat|nested] 292+ messages in thread
* [PATCH 5.10 277/286] s390/virtio_ccw: Dont allocate/assign airqs for non-existing queues
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2025-04-29 16:43 ` [PATCH 5.10 276/286] md/raid1: Add check for missing source disk in process_checks() Greg Kroah-Hartman
@ 2025-04-29 16:43 ` Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 278/286] comedi: jr3_pci: Fix synchronous deletion of timer Greg Kroah-Hartman
` (13 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chandra Merla, David Hildenbrand,
Thomas Huth, Cornelia Huck, Michael S. Tsirkin,
Christian Borntraeger, Heiko Carstens
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
commit 2ccd42b959aaf490333dbd3b9b102eaf295c036a upstream.
If we find a vq without a name in our input array in
virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer
to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq.
Consequently, we create only a queue if it actually exists (name != NULL)
and assign an incremental queue index to each such existing queue.
However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we
will not ignore these "non-existing queues", but instead assign an airq
indicator to them.
Besides never releasing them in virtio_ccw_drop_indicators() (because
there is no virtqueue), the bigger issue seems to be that there will be a
disagreement between the device and the Linux guest about the airq
indicator to be used for notifying a queue, because the indicator bit
for adapter I/O interrupt is derived from the queue index.
The virtio spec states under "Setting Up Two-Stage Queue Indicators":
... indicator contains the guest address of an area wherein the
indicators for the devices are contained, starting at bit_nr, one
bit per virtqueue of the device.
And further in "Notification via Adapter I/O Interrupts":
For notifying the driver of virtqueue buffers, the device sets the
bit in the guest-provided indicator area at the corresponding
offset.
For example, QEMU uses in virtio_ccw_notify() the queue index (passed as
"vector") to select the relevant indicator bit. If a queue does not exist,
it does not have a corresponding indicator bit assigned, because it
effectively doesn't have a queue index.
Using a virtio-balloon-ccw device under QEMU with free-page-hinting
disabled ("free-page-hint=off") but free-page-reporting enabled
("free-page-reporting=on") will result in free page reporting
not working as expected: in the virtio_balloon driver, we'll be stuck
forever in virtballoon_free_page_report()->wait_event(), because the
waitqueue will not be woken up as the notification from the device is
lost: it would use the wrong indicator bit.
Free page reporting stops working and we get splats (when configured to
detect hung wqs) like:
INFO: task kworker/1:3:463 blocked for more than 61 seconds.
Not tainted 6.14.0 #4
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:3 [...]
Workqueue: events page_reporting_process
Call Trace:
[<000002f404e6dfb2>] __schedule+0x402/0x1640
[<000002f404e6f22e>] schedule+0x3e/0xe0
[<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon]
[<000002f40435c8a4>] page_reporting_process+0x2e4/0x740
[<000002f403fd3ee2>] process_one_work+0x1c2/0x400
[<000002f403fd4b96>] worker_thread+0x296/0x420
[<000002f403fe10b4>] kthread+0x124/0x290
[<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60
[<000002f404e77272>] ret_from_fork+0xa/0x38
There was recently a discussion [1] whether the "holes" should be
treated differently again, effectively assigning also non-existing
queues a queue index: that should also fix the issue, but requires other
workarounds to not break existing setups.
Let's fix it without affecting existing setups for now by properly ignoring
the non-existing queues, so the indicator bits will match the queue
indexes.
[1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/
Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL")
Reported-by: Chandra Merla <cmerla@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: David Hildenbrand <david@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/virtio/virtio_ccw.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- a/drivers/s390/virtio/virtio_ccw.c
+++ b/drivers/s390/virtio/virtio_ccw.c
@@ -261,11 +261,17 @@ static struct airq_info *new_airq_info(i
static unsigned long get_airq_indicator(struct virtqueue *vqs[], int nvqs,
u64 *first, void **airq_info)
{
- int i, j;
+ int i, j, queue_idx, highest_queue_idx = -1;
struct airq_info *info;
unsigned long indicator_addr = 0;
unsigned long bit, flags;
+ /* Array entries without an actual queue pointer must be ignored. */
+ for (i = 0; i < nvqs; i++) {
+ if (vqs[i])
+ highest_queue_idx++;
+ }
+
for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) {
mutex_lock(&airq_areas_lock);
if (!airq_areas[i])
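Review bot: highest_queue_idx starts at -1 and is incremented once per non-NULL entry, so it is really "number of existing queues minus one" and never an index into vqs[]. A plain count (for example nr_queues starting at 0) would read more directly and remove the `+ 1` needed at the airq_iv_alloc() call further down.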
@@ -275,7 +281,7 @@ static unsigned long get_airq_indicator(
if (!info)
return 0;
write_lock_irqsave(&info->lock, flags);
- bit = airq_iv_alloc(info->aiv, nvqs);
+ bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1);
if (bit == -1UL) {
/* Not enough vacancies. */
write_unlock_irqrestore(&info->lock, flags);
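Review bot: If every entry in vqs[] is NULL, highest_queue_idx stays -1 and `airq_iv_alloc(info->aiv, highest_queue_idx + 1)` asks for zero bits. Whether that returns a usable bit or -1UL is not evident from this code, and the "Not enough vacancies" path would then be misleading. An early return before the area loop when no queue exists would make the case explicit.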
@@ -284,8 +290,10 @@ static unsigned long get_airq_indicator(
*first = bit;
*airq_info = info;
indicator_addr = (unsigned long)info->aiv->vector;
- for (j = 0; j < nvqs; j++) {
- airq_iv_set_ptr(info->aiv, bit + j,
+ for (j = 0, queue_idx = 0; j < nvqs; j++) {
+ if (!vqs[j])
+ continue;
+ airq_iv_set_ptr(info->aiv, bit + queue_idx++,
(unsigned long)vqs[j]);
}
write_unlock_irqrestore(&info->lock, flags);
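Review bot: The allocation is now sized by the number of existing queues, so the release side has to free the same compacted range. The commit message mentions virtio_ccw_drop_indicators() as the release path; please confirm that it matches the indices produced by `bit + queue_idx++` and does not still assume one bit per vqs[] slot. As a style point, the increment inside the argument list is easy to miss; incrementing on its own line after airq_iv_set_ptr() is clearer.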
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 278/286] comedi: jr3_pci: Fix synchronous deletion of timer
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2025-04-29 16:43 ` [PATCH 5.10 277/286] s390/virtio_ccw: Dont allocate/assign airqs for non-existing queues Greg Kroah-Hartman
@ 2025-04-29 16:43 ` Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 279/286] crypto: atmel-sha204a - Set hwrng quality to lowest possible Greg Kroah-Hartman
` (12 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ian Abbott
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 44d9b3f584c59a606b521e7274e658d5b866c699 upstream.
When `jr3_pci_detach()` is called during device removal, it calls
`timer_delete_sync()` to stop the timer, but the timer expiry function
always reschedules the timer, so the synchronization is ineffective.
Call `timer_shutdown_sync()` instead. It does not matter that the timer
expiry function pointer is cleared, because the device is being removed.
Fixes: 07b509e6584a5 ("Staging: comedi: add jr3_pci driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250415123901.13483-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/comedi/drivers/jr3_pci.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/drivers/staging/comedi/drivers/jr3_pci.c
+++ b/drivers/staging/comedi/drivers/jr3_pci.c
@@ -88,6 +88,7 @@ struct jr3_pci_poll_delay {
struct jr3_pci_dev_private {
struct timer_list timer;
struct comedi_device *dev;
+ bool timer_enable;
};
union jr3_pci_single_range {
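Review bot: The new `bool timer_enable;` member has no comment saying which lock protects it. The later hunks read it under dev->spinlock in jr3_pci_poll_dev() and clear it under the same lock in jr3_pci_detach(), so a one-line note on the field would record that rule.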
@@ -612,10 +613,11 @@ static void jr3_pci_poll_dev(struct time
delay = sub_delay.max;
}
}
+ if (devpriv->timer_enable) {
+ devpriv->timer.expires = jiffies + msecs_to_jiffies(delay);
+ add_timer(&devpriv->timer);
+ }
spin_unlock_irqrestore(&dev->spinlock, flags);
-
- devpriv->timer.expires = jiffies + msecs_to_jiffies(delay);
- add_timer(&devpriv->timer);
}
static struct jr3_pci_subdev_private *
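Review bot: add_timer() has moved inside the region closed by `spin_unlock_irqrestore(&dev->spinlock, flags);` so that the timer_enable test and the re-arm are atomic with respect to jr3_pci_detach(), but nothing in the code says so. A comment on the `if (devpriv->timer_enable)` block would stop someone moving the re-arm back outside the lock. The detach side takes the same lock with spin_lock_bh() while this side uses the irqsave form; using one flavour in both places would be easier to reason about.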
@@ -764,6 +766,7 @@ static int jr3_pci_auto_attach(struct co
devpriv->dev = dev;
timer_setup(&devpriv->timer, jr3_pci_poll_dev, 0);
devpriv->timer.expires = jiffies + msecs_to_jiffies(1000);
+ devpriv->timer_enable = true;
add_timer(&devpriv->timer);
return 0;
@@ -773,8 +776,12 @@ static void jr3_pci_detach(struct comedi
{
struct jr3_pci_dev_private *devpriv = dev->private;
- if (devpriv)
+ if (devpriv) {
+ spin_lock_bh(&dev->spinlock);
+ devpriv->timer_enable = false;
+ spin_unlock_bh(&dev->spinlock);
del_timer_sync(&devpriv->timer);
+ }
comedi_pci_detach(dev);
}
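Review bot: The commit message says to call timer_shutdown_sync(), but the hunk keeps `del_timer_sync(&devpriv->timer);` and relies on the new timer_enable flag instead. That looks like a deliberate adaptation for 5.10, and the changelog should say so in a bracketed backport note, since a reader comparing against the upstream commit will otherwise find a diff that does not match its description.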
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 279/286] crypto: atmel-sha204a - Set hwrng quality to lowest possible
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2025-04-29 16:43 ` [PATCH 5.10 278/286] comedi: jr3_pci: Fix synchronous deletion of timer Greg Kroah-Hartman
@ 2025-04-29 16:43 ` Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 280/286] xdp: Reset bpf_redirect_info before running a xdps BPF prog Greg Kroah-Hartman
` (11 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Behún, Ard Biesheuvel,
Linus Walleij, Herbert Xu
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Behún <kabel@kernel.org>
commit 8006aff15516a170640239c5a8e6696c0ba18d8e upstream.
According to the review by Bill Cox [1], the Atmel SHA204A random number
generator produces random numbers with very low entropy.
Set the lowest possible entropy for this chip just to be safe.
[1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
Fixes: da001fb651b00e1d ("crypto: atmel-i2c - add support for SHA204A random number generator")
Cc: <stable@vger.kernel.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Marek Behún <kabel@kernel.org>
---
drivers/crypto/atmel-sha204a.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/crypto/atmel-sha204a.c
+++ b/drivers/crypto/atmel-sha204a.c
@@ -107,7 +107,12 @@ static int atmel_sha204a_probe(struct i2
i2c_priv->hwrng.name = dev_name(&client->dev);
i2c_priv->hwrng.read = atmel_sha204a_rng_read;
- i2c_priv->hwrng.quality = 1024;
+
+ /*
+ * According to review by Bill Cox [1], this HWRNG has very low entropy.
+ * [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
+ */
+ i2c_priv->hwrng.quality = 1;
ret = devm_hwrng_register(&client->dev, &i2c_priv->hwrng);
if (ret)
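Review bot: the comment added above "i2c_priv->hwrng.quality = 1;" explains why the value was lowered but not why it is 1 rather than 0, nor what unit the field uses. Add a sentence stating that 1 is the smallest non-zero quality and what a zero would mean to the hwrng core in this tree, so the next reader does not "round down" to 0 and change the behaviour.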
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 280/286] xdp: Reset bpf_redirect_info before running a xdp's BPF prog.
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2025-04-29 16:43 ` [PATCH 5.10 279/286] crypto: atmel-sha204a - Set hwrng quality to lowest possible Greg Kroah-Hartman
@ 2025-04-29 16:43 ` Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 281/286] MIPS: cm: Fix warning if MIPS_CM is disabled Greg Kroah-Hartman
` (10 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Toke Høiland-Jørgensen,
Ricardo Cañuelo Navarro, Sebastian Andrzej Siewior
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Ricardo reported a KASAN discovered use after free in v6.6-stable.
The syzbot starts a BPF program via xdp_test_run_batch() which assigns
ri->tgt_value via dev_hash_map_redirect() and the return code isn't
XDP_REDIRECT it looks like nonsense. So the output in
bpf_warn_invalid_xdp_action() appears once.
Then the TUN driver runs another BPF program (on the same CPU) which
returns XDP_REDIRECT without setting ri->tgt_value first. It invokes
bpf_trace_printk() to print four characters and obtain the required
return value. This is enough to get xdp_do_redirect() invoked which
then accesses the pointer in tgt_value which might have been already
deallocated.
This problem does not affect upstream because since commit
401cb7dae8130 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.")
the per-CPU variable is referenced via task's task_struct and exists on
the stack during NAPI callback. Therefore it is cleared once before the
first invocation and remains valid within the RCU section of the NAPI
callback.
Instead of performing the huge backport of the commit (plus its fix ups)
here is an alternative version which only resets the variable in
question prior to invoking the BPF program.
Acked-by: Toke Høiland-Jørgensen <toke@kernel.org>
Reported-by: Ricardo Cañuelo Navarro <rcn@igalia.com>
Closes: https://lore.kernel.org/all/20250226-20250204-kasan-slab-use-after-free-read-in-dev_map_enqueue__submit-v3-0-360efec441ba@igalia.com/
Fixes: 97f91a7cf04ff ("bpf: add bpf_redirect_map helper routine")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/filter.h | 4 ++++
1 file changed, 4 insertions(+)
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -758,6 +758,10 @@ static __always_inline u32 bpf_prog_run_
* already takes rcu_read_lock() when fetching the program, so
* it's not necessary here anymore.
*/
+ struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info);
+
+ if (ri->map)
+ ri->map = NULL;
return __BPF_PROG_RUN(prog, xdp, BPF_DISPATCHER_FUNC(xdp));
}
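Review bot: the added lines clear ri->map, while the commit message describes the stale pointer as ri->tgt_value; nothing in the hunk or the message says that these are the same state in 5.10. State the mapping in a comment above the "if (ri->map)" test, and say why the store is conditional rather than an unconditional "ri->map = NULL;". The new declaration also lands directly under the existing rcu_read_lock() comment, which now reads as if it described the reset; move the declaration to the top of the function or give the reset its own comment.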
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 281/286] MIPS: cm: Fix warning if MIPS_CM is disabled
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2025-04-29 16:43 ` [PATCH 5.10 280/286] xdp: Reset bpf_redirect_info before running a xdp's BPF prog Greg Kroah-Hartman
@ 2025-04-29 16:43 ` Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 282/286] nvme: fixup scan failure for non-ANA multipath controllers Greg Kroah-Hartman
` (9 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Bogendoerfer
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
commit b73c3ccdca95c237750c981054997c71d33e09d7 upstream.
Commit e27fbe16af5c ("MIPS: cm: Detect CM quirks from device tree")
introduced
arch/mips/include/asm/mips-cm.h:119:13: error: ‘mips_cm_update_property’
defined but not used [-Werror=unused-function]
Fix this by making empty function implementation inline
Fixes: e27fbe16af5c ("MIPS: cm: Detect CM quirks from device tree")
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/include/asm/mips-cm.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/include/asm/mips-cm.h
+++ b/arch/mips/include/asm/mips-cm.h
@@ -104,7 +104,7 @@ static inline bool mips_cm_present(void)
#ifdef CONFIG_MIPS_CM
extern void mips_cm_update_property(void);
#else
-static void mips_cm_update_property(void) {}
+static inline void mips_cm_update_property(void) {}
#endif
/**
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 282/286] nvme: fixup scan failure for non-ANA multipath controllers
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2025-04-29 16:43 ` [PATCH 5.10 281/286] MIPS: cm: Fix warning if MIPS_CM is disabled Greg Kroah-Hartman
@ 2025-04-29 16:43 ` Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 283/286] PCI: Fix use-after-free in pci_bus_release_domain_nr() Greg Kroah-Hartman
` (8 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Srikanth Aithal,
Christoph Hellwig, Sagi Grimberg
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hannes Reinecke <hare@kernel.org>
commit 26d7fb4fd4ca1180e2fa96587dea544563b4962a upstream.
Commit 62baf70c3274 caused the ANA log page to be re-read, even on
controllers that do not support ANA. While this should generally be
harmless, some controllers hang on the unsupported log page and
never finish probing.
Fixes: 62baf70c3274 ("nvme: re-read ANA log page after ns scan completes")
Signed-off-by: Hannes Reinecke <hare@kernel.org>
Tested-by: Srikanth Aithal <sraithal@amd.com>
[hch: more detailed commit message]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -4271,7 +4271,7 @@ static void nvme_scan_work(struct work_s
if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events))
nvme_queue_scan(ctrl);
#ifdef CONFIG_NVME_MULTIPATH
- else
+ else if (ctrl->ana_log_buf)
/* Re-read the ANA log page to not miss updates */
queue_work(nvme_wq, &ctrl->ana_work);
#endif
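Review bot: the "else if (ctrl->ana_log_buf)" test uses the presence of the log buffer as a stand-in for "this controller supports ANA", and the comment below it still only says "Re-read the ANA log page to not miss updates". Extend that comment to say that non-ANA controllers are skipped because some hang on the unsupported log page, as the commit message explains. The brace-less if/else that spans the #ifdef CONFIG_NVME_MULTIPATH block is also easy to break in a later edit; braces around both branches would make the conditional-compile boundary safer.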
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 283/286] PCI: Fix use-after-free in pci_bus_release_domain_nr()
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2025-04-29 16:43 ` [PATCH 5.10 282/286] nvme: fixup scan failure for non-ANA multipath controllers Greg Kroah-Hartman
@ 2025-04-29 16:43 ` Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 284/286] soc: samsung: exynos-chipid: correct helpers __init annotation Greg Kroah-Hartman
` (7 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jon Hunter, Rob Herring,
Bjorn Helgaas, Kuppuswamy Sathyanarayanan, Pali Rohár
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Herring <robh@kernel.org>
commit 30ba2d09edb5ea857a1473ae3d820911347ada62 upstream.
Commit c14f7ccc9f5d ("PCI: Assign PCI domain IDs by ida_alloc()")
introduced a use-after-free bug in the bus removal cleanup. The issue was
found with kfence:
[ 19.293351] BUG: KFENCE: use-after-free read in pci_bus_release_domain_nr+0x10/0x70
[ 19.302817] Use-after-free read at 0x000000007f3b80eb (in kfence-#115):
[ 19.309677] pci_bus_release_domain_nr+0x10/0x70
[ 19.309691] dw_pcie_host_deinit+0x28/0x78
[ 19.309702] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]
[ 19.309734] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]
[ 19.309752] platform_probe+0x90/0xd8
...
[ 19.311457] kfence-#115: 0x00000000063a155a-0x00000000ba698da8, size=1072, cache=kmalloc-2k
[ 19.311469] allocated by task 96 on cpu 10 at 19.279323s:
[ 19.311562] __kmem_cache_alloc_node+0x260/0x278
[ 19.311571] kmalloc_trace+0x24/0x30
[ 19.311580] pci_alloc_bus+0x24/0xa0
[ 19.311590] pci_register_host_bridge+0x48/0x4b8
[ 19.311601] pci_scan_root_bus_bridge+0xc0/0xe8
[ 19.311613] pci_host_probe+0x18/0xc0
[ 19.311623] dw_pcie_host_init+0x2c0/0x568
[ 19.311630] tegra_pcie_dw_probe+0x610/0xb28 [pcie_tegra194]
[ 19.311647] platform_probe+0x90/0xd8
...
[ 19.311782] freed by task 96 on cpu 10 at 19.285833s:
[ 19.311799] release_pcibus_dev+0x30/0x40
[ 19.311808] device_release+0x30/0x90
[ 19.311814] kobject_put+0xa8/0x120
[ 19.311832] device_unregister+0x20/0x30
[ 19.311839] pci_remove_bus+0x78/0x88
[ 19.311850] pci_remove_root_bus+0x5c/0x98
[ 19.311860] dw_pcie_host_deinit+0x28/0x78
[ 19.311866] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]
[ 19.311883] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]
[ 19.311900] platform_probe+0x90/0xd8
...
[ 19.313579] CPU: 10 PID: 96 Comm: kworker/u24:2 Not tainted 6.2.0 #4
[ 19.320171] Hardware name: /, BIOS 1.0-d7fb19b 08/10/2022
[ 19.325852] Workqueue: events_unbound deferred_probe_work_func
The stack trace is a bit misleading as dw_pcie_host_deinit() doesn't
directly call pci_bus_release_domain_nr(). The issue turns out to be in
pci_remove_root_bus() which first calls pci_remove_bus() which frees the
struct pci_bus when its struct device is released. Then
pci_bus_release_domain_nr() is called and accesses the freed struct
pci_bus. Reordering these fixes the issue.
Fixes: c14f7ccc9f5d ("PCI: Assign PCI domain IDs by ida_alloc()")
Link: https://lore.kernel.org/r/20230329123835.2724518-1-robh@kernel.org
Link: https://lore.kernel.org/r/b529cb69-0602-9eed-fc02-2f068707a006@nvidia.com
Reported-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Cc: stable@vger.kernel.org # v6.2+
Cc: Pali Rohár <pali@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/remove.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/pci/remove.c
+++ b/drivers/pci/remove.c
@@ -156,8 +156,6 @@ void pci_remove_root_bus(struct pci_bus
list_for_each_entry_safe(child, tmp,
&bus->devices, bus_list)
pci_remove_bus_device(child);
- pci_remove_bus(bus);
- host_bridge->bus = NULL;
#ifdef CONFIG_PCI_DOMAINS_GENERIC
/* Release domain_nr if it was dynamically allocated */
@@ -165,6 +163,9 @@ void pci_remove_root_bus(struct pci_bus
pci_bus_release_domain_nr(bus, host_bridge->dev.parent);
#endif
+ pci_remove_bus(bus);
+ host_bridge->bus = NULL;
+
/* remove the host bridge */
device_del(&host_bridge->dev);
}
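Review bot: the ordering this fix depends on is not recorded in the code: "pci_remove_bus(bus);" now follows the CONFIG_PCI_DOMAINS_GENERIC block only because pci_bus_release_domain_nr() still dereferences bus. Add a comment above the moved "pci_remove_bus(bus);" line noting that it can free the struct pci_bus and that nothing after it may touch bus, so the two calls are not swapped back in a later cleanup. Keeping "host_bridge->bus = NULL;" directly after the removal is right, since it drops the pointer at the point where it becomes stale.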
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 284/286] soc: samsung: exynos-chipid: correct helpers __init annotation
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2025-04-29 16:43 ` [PATCH 5.10 283/286] PCI: Fix use-after-free in pci_bus_release_domain_nr() Greg Kroah-Hartman
@ 2025-04-29 16:43 ` Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 285/286] media: venus: Fix uninitialized variable count being checked for zero Greg Kroah-Hartman
` (6 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, kernel test robot,
Krzysztof Kozlowski
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzk@kernel.org>
commit 6166174afc2bc74ca550af388508384b57d5163d upstream.
After converting to builtin driver, the probe function should not call
__init functions anymore:
>> WARNING: modpost: vmlinux.o(.text+0x8884d4):
Section mismatch in reference from the function exynos_chipid_probe() to the function .init.text:product_id_to_soc_id()
Reported-by: kernel test robot <lkp@intel.com>
Fixes: 352bfbb3e023 ("soc: samsung: exynos-chipid: convert to driver and merge exynos-asv")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Link: https://lore.kernel.org/r/20210105174440.120041-1-krzk@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/samsung/exynos-chipid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/soc/samsung/exynos-chipid.c
+++ b/drivers/soc/samsung/exynos-chipid.c
@@ -55,7 +55,7 @@ static const struct exynos_soc_id {
{ "EXYNOS5433", 0xE5433000 },
};
-static const char * __init product_id_to_soc_id(unsigned int product_id)
+static const char *product_id_to_soc_id(unsigned int product_id)
{
int i;
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 285/286] media: venus: Fix uninitialized variable count being checked for zero
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2025-04-29 16:43 ` [PATCH 5.10 284/286] soc: samsung: exynos-chipid: correct helpers __init annotation Greg Kroah-Hartman
@ 2025-04-29 16:43 ` Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 286/286] media: venus: hfi_parser: Check for instance after hfi platform get Greg Kroah-Hartman
` (5 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Colin Ian King, Stanimir Varbanov,
Mauro Carvalho Chehab
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.king@canonical.com>
commit c5b14df7a80acadbbd184808dc3f519fbb2ab96c upstream.
In the case where plat->codecs is NULL the variable count is uninitialized
but is being checked to see if it is 0. Fix this by initializing
count to 0.
Addresses-Coverity: ("Uninitialized scalar variable")
Fixes: e29929266be1 ("media: venus: Get codecs and capabilities from hfi platform")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_parser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -266,7 +266,7 @@ static int hfi_platform_parser(struct ve
{
const struct hfi_platform *plat;
const struct hfi_plat_caps *caps = NULL;
- u32 enc_codecs, dec_codecs, count;
+ u32 enc_codecs, dec_codecs, count = 0;
unsigned int entries;
if (inst)
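Review bot: only count gains an initializer in "u32 enc_codecs, dec_codecs, count = 0;"; enc_codecs and dec_codecs stay uninitialized on the same plat->codecs == NULL path that the commit message describes. Either initialize all three, or confirm that every later read of enc_codecs and dec_codecs is reached only when count is non-zero.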
^ permalink raw reply [flat|nested] 292+ messages in thread
* [PATCH 5.10 286/286] media: venus: hfi_parser: Check for instance after hfi platform get
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2025-04-29 16:43 ` [PATCH 5.10 285/286] media: venus: Fix uninitialized variable count being checked for zero Greg Kroah-Hartman
@ 2025-04-29 16:43 ` Greg Kroah-Hartman
2025-04-29 20:16 ` [PATCH 5.10 000/286] 5.10.237-rc1 review Pavel Machek
` (4 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-29 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanimir Varbanov, Bryan O'Donoghue,
Mauro Carvalho Chehab
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
commit 9b5d8fd580caa898c6e1b8605c774f2517f786ab upstream.
The inst function argument is != NULL only for Venus v1 and
we did not migrate v1 to a hfi_platform abstraction yet. So
check for instance != NULL only after hfi_platform_get returns
no error.
Fixes: e29929266be1 ("media: venus: Get codecs and capabilities from hfi platform")
Cc: stable@vger.kernel.org # v5.12
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_parser.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -269,13 +269,13 @@ static int hfi_platform_parser(struct ve
u32 enc_codecs, dec_codecs, count = 0;
unsigned int entries;
- if (inst)
- return 0;
-
plat = hfi_platform_get(core->res->hfi_version);
if (!plat)
return -EINVAL;
+ if (inst)
+ return 0;
+
if (plat->codecs)
plat->codecs(&enc_codecs, &dec_codecs, &count);
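Review bot: moving the "if (inst) return 0;" test below hfi_platform_get() changes the result for a non-NULL inst when no platform is found: the function now returns -EINVAL where it used to return 0. The commit message says inst is non-NULL only for Venus v1, which has not been migrated to hfi_platform, so callers on that path must tolerate the error. A short comment above the "if (!plat)" check stating that this is intended would save the next reader from treating it as a regression.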
^ permalink raw reply [flat|nested] 292+ messages in thread
* Re: [PATCH 5.10 000/286] 5.10.237-rc1 review
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2025-04-29 16:43 ` [PATCH 5.10 286/286] media: venus: hfi_parser: Check for instance after hfi platform get Greg Kroah-Hartman
@ 2025-04-29 20:16 ` Pavel Machek
2025-04-30 3:52 ` Dominique Martinet
` (3 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Pavel Machek @ 2025-04-29 20:16 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
srw, rwarsow, conor, hargar, broonie
Hi!
> This is the start of the stable review cycle for the 5.10.237 release.
> There are 286 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-5.10.y
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
^ permalink raw reply [flat|nested] 292+ messages in thread
* Re: [PATCH 5.10 000/286] 5.10.237-rc1 review
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2025-04-29 20:16 ` [PATCH 5.10 000/286] 5.10.237-rc1 review Pavel Machek
@ 2025-04-30 3:52 ` Dominique Martinet
2025-04-30 15:03 ` Jon Hunter
` (2 subsequent siblings)
290 siblings, 0 replies; 292+ messages in thread
From: Dominique Martinet @ 2025-04-30 3:52 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie
Greg Kroah-Hartman wrote on Tue, Apr 29, 2025:
> This is the start of the stable review cycle for the 5.10.237 release.
> There are 286 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 01 May 2025 16:10:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.237-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
Tested ce0fd5a9f1a4 ("Linux 5.10.237-rc1") on:
- arm i.MX6ULL (Armadillo 640)
- arm64 i.MX8MP (Armadillo G4)
No obvious regression in dmesg or basic tests:
Tested-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
--
Dominique Martinet
^ permalink raw reply [flat|nested] 292+ messages in thread
* Re: [PATCH 5.10 000/286] 5.10.237-rc1 review
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2025-04-30 3:52 ` Dominique Martinet
@ 2025-04-30 15:03 ` Jon Hunter
2025-04-30 15:50 ` Naresh Kamboju
2025-05-02 12:18 ` Florian Fainelli
290 siblings, 0 replies; 292+ messages in thread
From: Jon Hunter @ 2025-04-30 15:03 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie,
linux-tegra, stable
On Tue, 29 Apr 2025 18:38:24 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.237 release.
> There are 286 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 01 May 2025 16:10:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.237-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v5.10:
10 builds: 10 pass, 0 fail
26 boots: 26 pass, 0 fail
67 tests: 67 pass, 0 fail
Linux version: 5.10.237-rc1-gce0fd5a9f1a4
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra194-p3509-0000+p3668-0000,
tegra20-ventana, tegra210-p2371-2180,
tegra210-p3450-0000, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 292+ messages in thread
* Re: [PATCH 5.10 000/286] 5.10.237-rc1 review
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2025-04-30 15:03 ` Jon Hunter
@ 2025-04-30 15:50 ` Naresh Kamboju
2025-05-02 12:18 ` Florian Fainelli
290 siblings, 0 replies; 292+ messages in thread
From: Naresh Kamboju @ 2025-04-30 15:50 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie
On Tue, 29 Apr 2025 at 22:41, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.10.237 release.
> There are 286 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 01 May 2025 16:10:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.237-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build
* kernel: 5.10.237-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: ce0fd5a9f1a4e7c9d2c59cffe033ca7d1d7e1688
* git describe: v5.10.236-287-gce0fd5a9f1a4
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.10.y/build/v5.10.236-287-gce0fd5a9f1a4
## Test Regressions (compared to v5.10.235-229-g5b68aafded4a)
## Metric Regressions (compared to v5.10.235-229-g5b68aafded4a)
## Test Fixes (compared to v5.10.235-229-g5b68aafded4a)
## Metric Fixes (compared to v5.10.235-229-g5b68aafded4a)
## Test result summary
total: 45273, pass: 32910, fail: 3086, skip: 9042, xfail: 235
## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 102 total, 102 passed, 0 failed
* arm64: 30 total, 30 passed, 0 failed
* i386: 22 total, 22 passed, 0 failed
* mips: 22 total, 22 passed, 0 failed
* parisc: 3 total, 0 passed, 3 failed
* powerpc: 21 total, 21 passed, 0 failed
* riscv: 9 total, 9 passed, 0 failed
* s390: 9 total, 9 passed, 0 failed
* sh: 10 total, 10 passed, 0 failed
* sparc: 6 total, 6 passed, 0 failed
* x86_64: 26 total, 26 passed, 0 failed
## Test suites summary
* boot
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-efivarfs
* kselftest-exec
* kselftest-fpu
* kselftest-ftrace
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-kcmp
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-mincore
* kselftest-mqueue
* kselftest-net
* kselftest-net-mptcp
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-sigaltstack
* kselftest-size
* kselftest-tc-testing
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-x86
* kunit
* lava
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-build-clang
* log-parser-build-gcc
* log-parser-test
* ltp-capability
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* perf
* rcutorture
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 292+ messages in thread
* Re: [PATCH 5.10 000/286] 5.10.237-rc1 review
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2025-04-30 15:50 ` Naresh Kamboju
@ 2025-05-02 12:18 ` Florian Fainelli
290 siblings, 0 replies; 292+ messages in thread
From: Florian Fainelli @ 2025-05-02 12:18 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, hargar, broonie
On 4/29/2025 6:38 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.237 release.
> There are 286 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 01 May 2025 16:10:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.237-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 292+ messages in thread
end of thread, other threads:[~2025-05-02 12:18 UTC | newest]
Thread overview: 292+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-29 16:38 [PATCH 5.10 000/286] 5.10.237-rc1 review Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 001/286] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 002/286] tipc: fix memory leak in tipc_link_xmit Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 003/286] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 004/286] net: tls: explicitly disallow disconnect Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 005/286] ata: sata_sx4: Drop pointless VPRINTK() calls and convert the remaining ones Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 006/286] ata: sata_sx4: Add error handling in pdc20621_i2c_read() Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 007/286] nvmet-fcloop: swap list_add_tail arguments Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 008/286] net: ppp: Add bound checking for skb data on ppp_sync_txmung Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 009/286] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 010/286] umount: Allow superblock owners to force umount Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 011/286] pm: cpupower: bench: Prevent NULL dereference on malloc failure Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 012/286] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 013/286] perf: arm_pmu: Dont disable counter in armpmu_add() Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 014/286] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 015/286] xen/mcelog: Add __nonstring annotations for unterminated strings Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 016/286] HID: pidff: Convert infinite length from Linux API to PID standard Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 017/286] HID: pidff: Do not send effect envelope if its empty Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 018/286] HID: pidff: Fix null pointer dereference in pidff_find_fields Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 019/286] ALSA: hda: intel: Fix Optimus when GPU has no sound Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 020/286] ALSA: usb-audio: Fix CME quirk for UF series keyboards Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 021/286] page_pool: avoid infinite loop to schedule delayed worker Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 022/286] fs/jfs: cast inactags to s64 to prevent potential overflow Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 023/286] fs/jfs: Prevent integer overflow in AG size calculation Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 024/286] jfs: Prevent copying of nlink with value 0 from disk inode Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 025/286] jfs: add sanity check for agwidth in dbMount Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 026/286] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 027/286] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 028/286] ahci: add PCI ID for Marvell 88SE9215 SATA Controller Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 029/286] ext4: protect ext4_release_dquot against freezing Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 030/286] ext4: ignore xattrs past end Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 031/286] scsi: st: Fix array overflow in st_setup() Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 032/286] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 033/286] net: vlan: don't propagate flags on open Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 034/286] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Greg Kroah-Hartman
2025-04-29 16:38 ` [PATCH 5.10 035/286] Bluetooth: hci_uart: fix race during initialization Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 036/286] drm: allow encoder mode_set even when connectors change for crtc Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 037/286] drm: panel-orientation-quirks: Add support for AYANEO 2S Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 038/286] drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 039/286] drm/bridge: panel: forbid initializing a panel with unknown connector type Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 040/286] drm/amdkfd: clamp queue size to minimum Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 041/286] drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 042/286] drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 043/286] fbdev: omapfb: Add plane value check Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 044/286] pwm: mediatek: Always use bus clock Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 045/286] pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 046/286] pwm: rcar: Simplify multiplication/shift logic Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 047/286] pwm: rcar: Improve register calculation Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 048/286] pwm: fsl-ftm: Handle clk_get_rate() returning 0 Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 049/286] bpf: Add endian modifiers to fix endian warnings Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 050/286] bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 051/286] ext4: reject casefold inode flag without casefold feature Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 052/286] ext4: don't treat fhandle lookup of ea_inode as FS corruption Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 053/286] media: i2c: adv748x: Fix test pattern selection mask Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 054/286] media: venus: hfi: add a check to handle OOB in sfr region Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 055/286] media: venus: hfi: add check to handle incorrect queue size Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 056/286] media: vim2m: print device name after registering device Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 057/286] media: siano: Fix error handling in smsdvb_module_init() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 058/286] xenfs/xensyms: respect hypervisor's "next" indication Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 059/286] arm64: cputype: Add MIDR_CORTEX_A76AE Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 060/286] arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 061/286] spi: cadence-qspi: Fix probe on AM62A LP SK Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 062/286] mtd: rawnand: brcmnand: fix PM resume warning Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 063/286] media: streamzap: prevent processing IR data on URB failure Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 064/286] media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 065/286] media: i2c: ov7251: Set enable GPIO low in probe Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 066/286] media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 067/286] media: venus: hfi_parser: add check to avoid out of bound access Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 068/286] net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 069/286] mtd: Replace kcalloc() with devm_kcalloc() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 070/286] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 071/286] wifi: mac80211: fix integer overflow in hwmp_route_info_get() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 072/286] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 073/286] ext4: fix off-by-one error in do_split Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 074/286] vdpa/mlx5: Fix oversized null mkey longer than 32bit Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 075/286] i3c: Add NULL pointer check in i3c_master_queue_ibi() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 076/286] jbd2: remove wrong sb->s_sequence check Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 077/286] mfd: ene-kb3930: Fix a potential NULL pointer dereference Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 078/286] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 079/286] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 080/286] mtd: inftlcore: Add error check for inftl_read_oob() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 081/286] mtd: rawnand: Add status chack in r852_ready() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 082/286] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 083/286] sparc/mm: disable preemption in lazy mmu mode Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 084/286] mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 085/286] sctp: detect and prevent references to a freed transport in sendmsg Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 086/286] thermal/drivers/rockchip: Add missing rk3328 mapping entry Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 087/286] crypto: ccp - Fix check for the primary ASP device Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 088/286] dm-integrity: set ti->error on memory allocation failure Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 089/286] ftrace: Add cond_resched() to ftrace_graph_set_hash() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 090/286] gpio: zynq: Fix wakeup source leaks on device unbind Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 091/286] ntb: use 64-bit arithmetic for the MSI doorbell mask Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 092/286] of/irq: Fix device node refcount leakages in of_irq_count() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 093/286] of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 094/286] of/irq: Fix device node refcount leakages in of_irq_init() Greg Kroah-Hartman
2025-04-29 16:39 ` [PATCH 5.10 095/286] PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 096/286] PCI: Fix reference leak in pci_alloc_child_bus() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 097/286] pinctrl: qcom: Clear latched interrupt status when changing IRQ type Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 098/286] x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 099/286] Bluetooth: hci_uart: Fix another race during initialization Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 100/286] pwm: mediatek: always use bus clock for PWM on MT7622 Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 101/286] HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 102/286] wifi: at76c50x: fix use after free access in at76_disconnect Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 103/286] wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 104/286] wifi: mac80211: Purge vif txq in ieee80211_do_stop() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 105/286] wifi: wl1251: fix memory leak in wl1251_tx_work Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 106/286] scsi: iscsi: Fix missing scsi_host_put() in error path Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 107/286] RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 108/286] RDMA/hns: Fix wrong maximum DMA segment size Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 109/286] RDMA/core: Silence oversized kvmalloc() warning Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 110/286] Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 111/286] Bluetooth: btrtl: Prevent potential NULL dereference Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 112/286] Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 113/286] igc: handle the IGC_PTP_ENABLED flag correctly Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 114/286] igc: cleanup PTP module if probe fails Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 115/286] net: openvswitch: fix nested key length validation in the set() action Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 116/286] cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 117/286] net: b53: enable BPDU reception for management port Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 118/286] riscv: KGDB: Do not inline arch_kgdb_breakpoint() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 119/286] riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 120/286] cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 121/286] writeback: fix false warning in inode_to_wb() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 122/286] asus-laptop: Fix an uninitialized variable Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 123/286] nfs: move nfs_fhandle_hash to common include file Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 124/286] nfs: add missing selections of CONFIG_CRC32 Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 125/286] nfsd: decrease sc_count directly if fail to queue dl_recall Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 126/286] btrfs: correctly escape subvol in btrfs_show_options() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 127/286] crypto: caam/qi - Fix drv_ctx refcount bug Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 128/286] hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 129/286] i2c: cros-ec-tunnel: defer probe if parent EC is not present Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 130/286] isofs: Prevent the use of too small fid Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 131/286] riscv: Avoid fortify warning in syscall_get_arguments() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 132/286] tracing: Fix filter string testing Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 133/286] virtiofs: add filesystem context source name check Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 134/286] perf/x86/intel: Allow to update user space GPRs from PEBS records Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 135/286] perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 136/286] perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 137/286] module: sign with sha512 instead of sha1 by default Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 138/286] drm/repaper: fix integer overflows in repeat functions Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 139/286] drm/amd/pm/powerplay: Prevent division by zero Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 140/286] drm/amd/pm/powerplay/hwmgr/smu7_thermal: " Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 141/286] drm/amd/pm/powerplay/hwmgr/vega20_thermal: " Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 142/286] drm/nouveau: prime: fix ttm_bo_delayed_delete oops Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 143/286] drm/sti: remove duplicate object names Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 144/286] cpufreq: Reference count policy in cpufreq_update_limits() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 145/286] kbuild: Add -fno-builtin-wcslen Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 146/286] tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink() Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 147/286] mptcp: fix NULL pointer in can_accept_new_subflow Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 148/286] mptcp: only inc MPJoinAckHMacFailure for HMAC failures Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 149/286] mptcp: sockopt: fix getting IPV6_V6ONLY Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 150/286] misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 151/286] misc: pci_endpoint_test: Fix displaying irq_type " Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 152/286] misc: pci_endpoint_test: Fix irq_type to convey the correct type Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 153/286] x86/pvh: Call C code via the kernel virtual mapping Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 154/286] nvme: avoid double free special payload Greg Kroah-Hartman
2025-04-29 16:40 ` [PATCH 5.10 155/286] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 156/286] phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 157/286] wifi: ath10k: avoid NULL pointer error during sdio remove Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 158/286] drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 159/286] drm/amd/display: Fix out-of-bounds access in dcn21_link_encoder_create Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 160/286] nvmet-fc: Remove unused functions Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 161/286] smb: client: fix potential UAF in cifs_debug_files_proc_show() Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 162/286] smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 163/286] cifs: Fix UAF in cifs_demultiplex_thread() Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 164/286] smb: client: fix potential deadlock when releasing mids Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 165/286] smb: client: fix potential UAF in cifs_stats_proc_show() Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 166/286] smb: client: fix UAF in async decryption Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 167/286] smb: client: fix NULL ptr deref in crypto_aead_setkey() Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 168/286] bpf: avoid holding freeze_mutex during mmap operation Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 169/286] bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 170/286] blk-cgroup: support to track if policy is online Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 171/286] blk-iocost: do not WARN if iocg was already offlined Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 172/286] ext4: fix timer use-after-free on failed mount Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 173/286] net/mlx5e: Fix use-after-free of encap entry in neigh update handler Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 174/286] ipvs: properly dereference pe in ip_vs_add_service Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 175/286] net: openvswitch: fix race on port output Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 176/286] openvswitch: fix lockup on tx to unregistering netdev with carrier Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 177/286] scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan() Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 178/286] scsi: ufs: bsg: Set bsg_queue to NULL after removal Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 179/286] net: defer final struct net free in netns dismantle Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 180/286] MIPS: dec: Declare which_prom() as static Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 181/286] MIPS: cevt-ds1287: Add missing ds1287.h include Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 182/286] MIPS: ds1287: Match ds1287_set_base_clock() function types Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 183/286] jfs: Fix shift-out-of-bounds in dbDiscardAG Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 184/286] dm cache: fix flushing uninitialized delayed_work on cache_ctr error Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 185/286] vfio/pci: fix memory leak during D3hot to D0 transition Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 186/286] kernel/resource: fix kfree() of bootmem memory again Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 187/286] drm/i915/gt: Cleanup partial engine discovery failures Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 188/286] fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 189/286] mm: fix apply_to_existing_page_range() Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 190/286] drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback() Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 191/286] s390/dasd: fix double module refcount decrement Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 192/286] pmdomain: ti: Add a null pointer check to the omap_prm_domain_init Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 193/286] drivers: staging: rtl8723bs: Fix locking in rtw_scan_timeout_handler() Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 194/286] platform/x86: ISST: Correct command storage data length Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 195/286] tracing: Allow synthetic events to pass around stacktraces Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 196/286] tracing: Fix synth event printk format for str fields Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 197/286] media: streamzap: remove unnecessary ir_raw_event_reset and handle Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 198/286] media: streamzap: no need for usb pid/vid in device name Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 199/286] media: streamzap: less chatter Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 200/286] media: streamzap: remove unused struct members Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 201/286] media: streamzap: fix race between device disconnection and urb callback Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 202/286] media: venus: venc: Init the session only once in queue_setup Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 203/286] media: venus: Limit HFI sessions to the maximum supported Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 204/286] media: venus: hfi: Correct session init return error Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 205/286] media: venus: pm_helpers: Check instance state when calculate instance frequency Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 206/286] media: venus: Create hfi platform and move vpp/vsp there Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 207/286] media: venus: Rename venus_caps to hfi_plat_caps Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 208/286] media: venus: hfi_plat: Add codecs and capabilities ops Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 209/286] media: venus: Get codecs and capabilities from hfi platform Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 210/286] media: venus: hfi_parser: refactor hfi packet parsing logic Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 211/286] net: dsa: mv88e6xxx: fix VTU methods for 6320 family Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 212/286] soc: samsung: exynos-chipid: initialize later - with arch_initcall Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 213/286] soc: samsung: exynos-chipid: convert to driver and merge exynos-asv Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 214/286] soc: samsung: exynos-chipid: avoid soc_device_to_device() Greg Kroah-Hartman
2025-04-29 16:41 ` [PATCH 5.10 215/286] soc: samsung: exynos-chipid: Pass revision reg offsets Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 216/286] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 217/286] iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 218/286] iio: adc: ad7768-1: Fix conversion result sign Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 219/286] backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 220/286] cifs: print TIDs as hex Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 221/286] cifs: avoid NULL pointer dereference in dbg call Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 222/286] PCI: Introduce domain_nr in pci_host_bridge Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 223/286] PCI: Coalesce host bridge contiguous apertures Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 224/286] PCI: Assign PCI domain IDs by ida_alloc() Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 225/286] PCI: Fix reference leak in pci_register_host_bridge() Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 226/286] selftests/mm: generate a temporary mountpoint for cgroup filesystem Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 227/286] drm/amd/amdgpu/amdgpu_vram_mgr: Add missing descriptions for dev and dir Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 228/286] drm/amdgpu: Remove amdgpu_device arg from free_sgt api (v2) Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 229/286] drm/amdgpu/dma_buf: fix page_link check Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 230/286] dma/contiguous: avoid warning about unused size_bytes Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 231/286] cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 232/286] net: phy: leds: fix memory leak Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 233/286] tipc: fix NULL pointer dereference in tipc_mon_reinit_self() Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 234/286] net_sched: hfsc: Fix a UAF vulnerability in class handling Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 235/286] net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 236/286] iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 237/286] virtio_console: fix missing byte order handling for cols and rows Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 238/286] KVM: SVM: Allocate IR data using atomic allocation Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 239/286] mcb: fix a double free bug in chameleon_parse_gdd() Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 240/286] USB: storage: quirk for ADATA Portable HDD CH94 Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 241/286] mei: me: add panther lake H DID Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 242/286] KVM: x86: Reset IRTE to host control if *new* route isn't postable Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 243/286] serial: sifive: lock port in startup()/shutdown() callbacks Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 244/286] USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 245/286] USB: serial: option: add Sierra Wireless EM9291 Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 246/286] USB: serial: simple: add OWON HDS200 series oscilloscope support Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 247/286] usb: cdns3: Fix deadlock when using NCM gadget Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 248/286] USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 249/286] usb: dwc3: gadget: check that event count does not exceed event buffer length Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 250/286] usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 251/286] usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 " Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 252/286] USB: VLI disk crashes if LPM is used Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 253/286] MIPS: cm: Detect CM quirks from device tree Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 254/286] crypto: null - Use spin lock instead of mutex Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 255/286] clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 256/286] parisc: PDT: Fix missing prototype warning Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 257/286] usb: host: max3421-hcd: Add missing spi_device_id table Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 258/286] dmaengine: dmatest: Fix dmatest waiting less when interrupted Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 259/286] usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 260/286] objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler() Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 261/286] qibfs: fix _another_ leak Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 262/286] ntb: reduce stack usage in idt_scan_mws Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 263/286] sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 264/286] KVM: s390: Don't use %pK through tracepoints Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 265/286] udmabuf: fix a buf size overflow issue during udmabuf creation Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 266/286] selftests: ublk: fix test_stripe_04 Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 267/286] nvme: requeue namespace scan on missed AENs Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 268/286] ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 269/286] nvme: re-read ANA log page after ns scan completes Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 270/286] objtool: Stop UNRET validation on UD2 Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 271/286] selftests/mincore: Allow read-ahead pages to reach the end of the file Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 272/286] x86/bugs: Use SBPB in write_ibpb() if applicable Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 273/286] x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 274/286] ext4: make block validity check resistent to sb bh corruption Greg Kroah-Hartman
2025-04-29 16:42 ` [PATCH 5.10 275/286] scsi: pm80xx: Set phy_attached to zero when device is gone Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 276/286] md/raid1: Add check for missing source disk in process_checks() Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 277/286] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 278/286] comedi: jr3_pci: Fix synchronous deletion of timer Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 279/286] crypto: atmel-sha204a - Set hwrng quality to lowest possible Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 280/286] xdp: Reset bpf_redirect_info before running a xdp's BPF prog Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 281/286] MIPS: cm: Fix warning if MIPS_CM is disabled Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 282/286] nvme: fixup scan failure for non-ANA multipath controllers Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 283/286] PCI: Fix use-after-free in pci_bus_release_domain_nr() Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 284/286] soc: samsung: exynos-chipid: correct helpers __init annotation Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 285/286] media: venus: Fix uninitialized variable count being checked for zero Greg Kroah-Hartman
2025-04-29 16:43 ` [PATCH 5.10 286/286] media: venus: hfi_parser: Check for instance after hfi platform get Greg Kroah-Hartman
2025-04-29 20:16 ` [PATCH 5.10 000/286] 5.10.237-rc1 review Pavel Machek
2025-04-30 3:52 ` Dominique Martinet
2025-04-30 15:03 ` Jon Hunter
2025-04-30 15:50 ` Naresh Kamboju
2025-05-02 12:18 ` Florian Fainelli