* [PATCH 5.15 000/356] 5.15.162-rc1 review
@ 2024-07-03 10:35 Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 001/356] wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects Greg Kroah-Hartman
` (363 more replies)
0 siblings, 364 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
This is the start of the stable review cycle for the 5.15.162 release.
There are 356 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri, 05 Jul 2024 10:28:09 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.162-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 5.15.162-rc1
Alex Bee <knaerzche@gmail.com>
arm64: dts: rockchip: Add sound-dai-cells for RK3368
FUKAUMI Naoki <naoki@radxa.com>
arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E
Johan Jonker <jbx6244@gmail.com>
ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node
Marc Zyngier <maz@kernel.org>
KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption
Ard Biesheuvel <ardb@kernel.org>
efi/x86: Free EFI memory map only when installing a new one.
Ard Biesheuvel <ardb@kernel.org>
efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures
Ard Biesheuvel <ardb@kernel.org>
efi: memmap: Move manipulation routines into x86 arch tree
Liu Zixian <liuzixian4@huawei.com>
efi: Correct comment on efi_memmap_alloc
Zheng Zhi Yuan <kevinjone25@g.ncu.edu.tw>
drivers: fix typo in firmware/efi/memmap.c
Kuniyuki Iwashima <kuniyu@amazon.com>
tcp: Fix data races around icsk->icsk_af_ops.
Kuniyuki Iwashima <kuniyu@amazon.com>
ipv6: Fix data races around sk->sk_prot.
Eric Dumazet <edumazet@google.com>
ipv6: annotate some data-races around sk->sk_prot
Matthew Wilcox (Oracle) <willy@infradead.org>
nfs: Leave pages in the pagecache if readpage failed
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: stm32: Refuse too small period requests
Arnd Bergmann <arnd@arndb.de>
syscalls: fix sys_fanotify_mark prototype
Arnd Bergmann <arnd@arndb.de>
syscalls: fix compat_sys_io_pgetevents_time64 usage
Arnd Bergmann <arnd@arndb.de>
ftruncate: pass a signed offset
Niklas Cassel <cassel@kernel.org>
ata: libata-core: Fix double free on error
Niklas Cassel <cassel@kernel.org>
ata: ahci: Clean up sysfs file on error
Sven Eckelmann <sven@narfation.org>
batman-adv: Don't accept TT entries for out-of-spec VIDs
Ma Ke <make24@iscas.ac.cn>
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes
Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
drm/i915/gt: Fix potential UAF by revoke of fence registers
Julia Zhang <julia.zhang@amd.com>
drm/amdgpu: avoid using null object of framebuffer
Ma Ke <make24@iscas.ac.cn>
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes
Arnd Bergmann <arnd@arndb.de>
hexagon: fix fadvise64_64 calling conventions
Arnd Bergmann <arnd@arndb.de>
csky, hexagon: fix broken sys_sync_file_range
Arnd Bergmann <arnd@arndb.de>
sh: rework sync_file_range ABI
Dragan Simic <dsimic@manjaro.org>
kbuild: Install dtb files as 0644 in Makefile.dtbinst
Yuntao Wang <ytcoode@gmail.com>
cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()
Oleksij Rempel <linux@rempel-privat.de>
net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new
Oleksij Rempel <linux@rempel-privat.de>
net: can: j1939: recover socket queue on CAN bus error during BAM transmission
Shigeru Yoshida <syoshida@redhat.com>
net: can: j1939: Initialize unused data in j1939_send_one()
Jean-Michel Hautbois <jeanmichel.hautbois@yoseli.org>
tty: mcf: MCF54418 has 10 UARTS
Stefan Eichenberger <stefan.eichenberger@toradex.com>
serial: imx: set receiver level before starting uart
Udit Kumar <u-kumar1@ti.com>
serial: 8250_omap: Implementation of Errata i2310
Meng Li <Meng.Li@windriver.com>
usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
usb: atm: cxacru: fix endpoint checking in cxacru_bind()
Dan Carpenter <dan.carpenter@linaro.org>
usb: musb: da8xx: fix a resource leak in probe()
Oliver Neukum <oneukum@suse.com>
usb: gadget: printer: fix races against disable
Oliver Neukum <oneukum@suse.com>
usb: gadget: printer: SS+ support
Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
net: usb: ax88179_178a: improve link status logs
Vasileios Amoiridis <vassilisamir@gmail.com>
iio: chemical: bme680: Fix sensor data read operation
Vasileios Amoiridis <vassilisamir@gmail.com>
iio: chemical: bme680: Fix overflows in compensate() functions
Vasileios Amoiridis <vassilisamir@gmail.com>
iio: chemical: bme680: Fix calibration data variable
Vasileios Amoiridis <vassilisamir@gmail.com>
iio: chemical: bme680: Fix pressure value output
Alexander Sverdlin <alexander.sverdlin@siemens.com>
iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF
Fernando Yang <hagisf@usp.br>
iio: adc: ad7266: Fix variable checking bug
Wolfram Sang <wsa+renesas@sang-engineering.com>
i2c: testunit: discard write requests while old command is running
Wolfram Sang <wsa+renesas@sang-engineering.com>
i2c: testunit: don't erase registers after STOP
Adrian Hunter <adrian.hunter@intel.com>
mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()
Adrian Hunter <adrian.hunter@intel.com>
mmc: sdhci: Do not invert write-protect twice
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos
Jan Kara <jack@suse.cz>
ocfs2: fix DIO failure due to insufficient transaction credits
Arnd Bergmann <arnd@arndb.de>
parisc: use generic sys_fanotify_mark implementation
Linus Torvalds <torvalds@linux-foundation.org>
x86: stop playing stack games in profile_pc()
Kent Gibson <warthog618@gmail.com>
gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)
Aleksandr Mishin <amishin@t-argos.ru>
gpio: davinci: Validate the obtained number of IRQs
Liu Ying <victor.liu@nxp.com>
drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA
Hannes Reinecke <hare@suse.de>
nvme: fixup comment for nvme RDMA Provider Type
Erick Archer <erick.archer@outlook.com>
drm/radeon/radeon_display: Decrease the size of allocated memory
Andrew Davis <afd@ti.com>
soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message
Ricardo Ribalda <ribalda@chromium.org>
media: dvbdev: Initialize sbuf
Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
ALSA: emux: improve patch ioctl data validation
Joachim Vandersmissen <git@jvdsn.com>
crypto: ecdh - explicitly zeroize private_key
Dawei Li <dawei.li@shingroup.cn>
net/dpaa2: Avoid explicit cpumask var allocation on stack
Dawei Li <dawei.li@shingroup.cn>
net/iucv: Avoid explicit cpumask var allocation on stack
Wenchao Hao <haowenchao2@huawei.com>
RDMA/restrack: Fix potential invalid address access
Anton Protopopov <aspsk@isovalent.com>
bpf: Add a check for struct bpf_fib_lookup size
Denis Arefev <arefev@swemel.ru>
mtd: partitions: redboot: Added conversion of operands to a larger type
Uros Bizjak <ubizjak@gmail.com>
x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup
Maxime Coquelin <maxime.coquelin@redhat.com>
vduse: Temporarily fail if control queue feature requested
Maxime Coquelin <maxime.coquelin@redhat.com>
vduse: validate block features only with block devices
Laurent Pinchart <laurent.pinchart@ideasonboard.com>
drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep
Christophe Leroy <christophe.leroy@csgroup.eu>
bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()
Yunseong Kim <yskelg@gmail.com>
tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
Neal Cardwell <ncardwell@google.com>
tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO
Arnd Bergmann <arnd@arndb.de>
parisc: use correct compat recv/recvfrom syscalls
Arnd Bergmann <arnd@arndb.de>
sparc: fix compat recv/recvfrom syscalls
Arnd Bergmann <arnd@arndb.de>
sparc: fix old compat_sys_select()
luoxuanqiang <luoxuanqiang@kylinos.cn>
Fix race for duplicate reqsk on identical SYN
Akhmat Karakotov <hmukos@yandex-team.ru>
tcp: Use BPF timeout setting for SYN ACK RTO
Daniil Dulov <d.dulov@aladdin.ru>
xdp: Remove WARN() from __xdp_reg_mem_model()
Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
net: phy: micrel: add Microchip KSZ 9477 to the device table
Nick Child <nnac123@linux.ibm.com>
ibmvnic: Free any outstanding tx skbs during scrq reset
Tristram Ha <tristram.ha@microchip.com>
net: dsa: microchip: fix initial port flush problem
Elinor Montmasson <elinor.montmasson@savoirfairelinux.com>
ASoC: fsl-asoc-card: set priv->pdev before using it
Oleksij Rempel <linux@rempel-privat.de>
net: stmmac: Assign configured channel value to EXTTS event
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
net: mdio: add helpers to extract clause 45 regad and devad fields
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: fix UBSAN warning in kv_dpm.c
Steve French <stfrench@microsoft.com>
cifs: fix typo in module parameter enable_gcm_256
Huang-Huang Bao <i@eh5.me>
pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set
Huang-Huang Bao <i@eh5.me>
pinctrl: rockchip: use dedicated pinctrl type for RK3328
Huang-Huang Bao <i@eh5.me>
pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins
Huang-Huang Bao <i@eh5.me>
pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins
Hagar Hemdan <hagarhem@amazon.com>
pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER
John Keeping <jkeeping@inmusicbrands.com>
Input: ili210x - fix ili251x_read_touch_data() return value
Ziwei Xiao <ziweixiao@google.com>
gve: Clear napi->skb before dev_kfree_skb_any()
David Awogbemila <awogbemila@google.com>
gve: Add RX context.
Mario Limonciello <mario.limonciello@amd.com>
ACPI: x86: Force StorageD3Enable on more products
Mario Limonciello <mario.limonciello@amd.com>
ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable
Jan Beulich <jbeulich@suse.com>
x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node()
Enzo Matsumiya <ematsumiya@suse.de>
smb: client: fix deadlock in smb2_find_smb_tcon()
Yazen Ghannam <yazen.ghannam@amd.com>
x86/amd_nb: Check for invalid SMN reads
Naveen Naidu <naveennaidu479@gmail.com>
PCI: Add PCI_ERROR_RESPONSE and related definitions
Haifeng Xu <haifeng.xu@shopee.com>
perf/core: Fix missing wakeup when waiting for context reference
Nam Cao <namcao@linutronix.de>
riscv: fix overlap of allocated page and PTR_ERR
Jisheng Zhang <jszhang@kernel.org>
riscv: mm: init: try best to use IS_ENABLED(CONFIG_64BIT) instead of #ifdef
Matthias Maennich <maennich@google.com>
kheaders: explicitly define file modes for archived headers
Masahiro Yamada <masahiroy@kernel.org>
Revert "kheaders: substituting --sort in archive creation"
Chris Wilson <chris@chris-wilson.co.uk>
drm/i915/gt: Disarm breadcrumbs if engines are already idle
Chris Wilson <chris@chris-wilson.co.uk>
drm/i915/gt: Only kick the signal worker if there's been an update
Nandor Kracser <bonifaido@gmail.com>
ksmbd: ignore trailing slashes in share paths
Tony Luck <tony.luck@intel.com>
x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL
Tony Luck <tony.luck@intel.com>
x86/cpu/vfm: Add new macros to work with (vendor/family/model) values
Jeff Johnson <quic_jjohnson@quicinc.com>
tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test
Matthew Mirvish <matthew@mm12.xyz>
bcache: fix variable length array abuse in btree_iter
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
pmdomain: ti-sci: Fix duplicate PD referrals
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power
Kees Cook <keescook@chromium.org>
rtlwifi: rtl8192de: Style clean-ups
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ARM: dts: samsung: smdk4412: fix keypad no-autorepeat
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ARM: dts: samsung: smdkv310: fix keypad no-autorepeat
Adrian Hunter <adrian.hunter@intel.com>
perf script: Show also errors for --insn-trace option
Changbin Du <changbin.du@huawei.com>
perf: script: add raw|disasm arguments to --insn-trace option
Martin Leung <martin.leung@amd.com>
drm/amd/display: revert Exit idle optimizations before HDCP execution
Frank Li <Frank.Li@nxp.com>
arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema
Grygorii Tertychnyi <grembeter@gmail.com>
i2c: ocores: set IACK bit after core is enabled
Eric Dumazet <edumazet@google.com>
tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack()
Aleksandr Nogikh <nogikh@google.com>
kcov: don't lose track of remote references during softirqs
Peter Oberparleiter <oberpar@linux.ibm.com>
gcov: add support for GCC 14
Alex Deucher <alexander.deucher@amd.com>
drm/radeon: fix UBSAN warning in kv_dpm.c
Jani Nikula <jani.nikula@intel.com>
drm/i915/mso: using joiner is not possible with eDP MSO
Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
ALSA: hda/realtek: Limit mic boost on N14AP7
Sean Christopherson <seanjc@google.com>
KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes
Boris Burkov <boris@bur.io>
btrfs: retry block group reclaim without infinite loop
Ignat Korchagin <ignat@cloudflare.com>
net: do not leave a dangling sk pointer, when socket creation fails
Erwan Le Ray <erwan.leray@foss.st.com>
serial: stm32: rework RX over DMA
Patrisious Haddad <phaddad@nvidia.com>
RDMA/mlx5: Add check for srq max_sge attribute
Raju Rangoju <Raju.Rangoju@amd.com>
ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
Kalle Niemi <kaleposti@gmail.com>
regulator: bd71815: fix ramp values
Nikita Shubin <n.shubin@yadro.com>
dmaengine: ioatdma: Fix missing kmem_cache_destroy()
Nikita Shubin <n.shubin@yadro.com>
dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe()
Nikita Shubin <n.shubin@yadro.com>
dmaengine: ioatdma: Fix error path in ioat3_dma_probe()
Bjorn Helgaas <bhelgaas@google.com>
dmaengine: ioat: use PCI core macros for PCIe Capability
Nikita Shubin <n.shubin@yadro.com>
dmaengine: ioatdma: Fix leaking on version mismatch
Bjorn Helgaas <bhelgaas@google.com>
dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting()
Qing Wang <wangqing@vivo.com>
dmaengine: ioat: switch from 'pci_' to 'dma_' API
Li RongQing <lirongqing@baidu.com>
dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
Biju Das <biju.das.jz@bp.renesas.com>
regulator: core: Fix modpost error "regulator_get_regmap" undefined
Oliver Neukum <oneukum@suse.com>
net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings
Pavan Chebbi <pavan.chebbi@broadcom.com>
bnxt_en: Restore PTP tx_avail count in case of skb_pad() error
Jianguo Wu <wujianguo@chinatelecom.cn>
seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors
Jozsef Kadlecsik <kadlec@netfilter.org>
netfilter: ipset: Fix suspicious rcu_dereference_protected()
Simon Horman <horms@kernel.org>
octeontx2-pf: Add error handling to VLAN unoffload handling
Heng Qi <hengqi@linux.alibaba.com>
virtio_net: checksum offloading handling fix
Xiaolei Wang <xiaolei.wang@windriver.com>
net: stmmac: No need to calculate speed divider when offload is disabled
Dan Carpenter <dan.carpenter@linaro.org>
ptp: fix integer overflow in max_vclocks_store
Xin Long <lucien.xin@gmail.com>
sched: act_ct: add netns into the key of tcf_ct_flow_table
Vlad Buslov <vladbu@nvidia.com>
net/sched: act_ct: set 'net' pointer when creating new nf_flow_table
Xin Long <lucien.xin@gmail.com>
tipc: force a dst refcount before doing decryption
David Ruth <druth@chromium.org>
net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()
Pedro Tammela <pctammela@mojatatu.com>
net/sched: act_api: rely on rcu in tcf_idr_check_alloc
Stefan Wahren <wahrenst@gmx.net>
qca_spi: Make interrupt remembering atomic
Yue Haibing <yuehaibing@huawei.com>
netns: Make get_net_ns() handle zero refcount net
Eric Dumazet <edumazet@google.com>
xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
Eric Dumazet <edumazet@google.com>
ipv6: prevent possible NULL dereference in rt6_probe()
Eric Dumazet <edumazet@google.com>
ipv6: prevent possible NULL deref in fib6_nh_init()
Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
netrom: Fix a memory leak in nr_heartbeat_expiry()
Ondrej Mosnacek <omosnace@redhat.com>
cipso: fix total option length computation
Masami Hiramatsu (Google) <mhiramat@kernel.org>
tracing: Build event generation tests only as modules
Christian Marangi <ansuelsmth@gmail.com>
mips: bmips: BCM6358: make sure CBR is correctly set
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
MIPS: Routerboard 532: Fix vendor retry check code
Parker Newman <pnewman@connecttech.com>
serial: exar: adding missing CTI and Exar PCI ids
Esben Haabendal <esben@geanix.com>
serial: imx: Introduce timeout when waiting on transmitter empty
Songyang Li <leesongyang@outlook.com>
MIPS: Octeon: Add PCIe link status check
Mario Limonciello <mario.limonciello@amd.com>
PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports
Roman Smirnov <r.smirnov@omp.ru>
udf: udftime: prevent overflow in udf_disk_stamp_to_time()
Joao Pinto <Joao.Pinto@synopsys.com>
Avoid hw_desc array overrun in dw-axi-dmac
Alex Henrie <alexhenrie24@gmail.com>
usb: misc: uss720: check for incompatible versions of the Belkin F5U002
Yunlei He <heyunlei@oppo.com>
f2fs: remove clear SB_INLINECRYPT flag in default_options
Aleksandr Aprelkov <aaprelkov@usergate.com>
iommu/arm-smmu-v3: Free MSIs in case of ENOMEM
Tzung-Bi Shih <tzungbi@kernel.org>
power: supply: cros_usbpd: provide ID table for avoiding fallback match
Michael Ellerman <mpe@ellerman.id.au>
powerpc/io: Avoid clang null pointer arithmetic warnings
Nathan Lynch <nathanl@linux.ibm.com>
powerpc/pseries: Enforce hcall result buffer validity and size
Erico Nunes <nunes.erico@gmail.com>
drm/lima: mask irqs in timeout path before hard reset
Erico Nunes <nunes.erico@gmail.com>
drm/lima: add mask irq callback to gp and pp
Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
drm/amd/display: Exit idle optimizations before HDCP execution
Uri Arev <me@wantyapps.xyz>
Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl
Takashi Iwai <tiwai@suse.de>
ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7
Sean O'Brien <seobrien@chromium.org>
HID: Add quirk for Logitech Casa touchpad
Breno Leitao <leitao@debian.org>
netpoll: Fix race condition in netpoll_owner_active
Kunwu Chan <chentao@kylinos.cn>
kselftest: arm64: Add a null pointer check
Manish Rangankar <mrangankar@marvell.com>
scsi: qedi: Fix crash while reading debugfs attribute
Wander Lairson Costa <wander@redhat.com>
drop_monitor: replace spin_lock by raw_spin_lock
Eric Dumazet <edumazet@google.com>
af_packet: avoid a false positive warning in packet_setsockopt()
Arnd Bergmann <arnd@arndb.de>
wifi: ath9k: work around memset overflow warning
Eric Dumazet <edumazet@google.com>
batman-adv: bypass empty buckets in batadv_purge_orig_ref()
Yonghong Song <yonghong.song@linux.dev>
selftests/bpf: Fix flaky test btf_map_in_map/lookup_update
Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com>
selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh
Justin Stitt <justinstitt@google.com>
block/ioctl: prefer different overflow check
Zqiang <qiang.zhang1211@gmail.com>
rcutorture: Fix invalid context warning when enable srcu barrier testing
Zqiang <qiang.zhang1211@gmail.com>
rcutorture: Make stall-tasks directly exit when rcutorture tests end
Paul E. McKenney <paulmck@kernel.org>
rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment
Chenghai Huang <huangchenghai2@huawei.com>
crypto: hisilicon/sec - Fix memory leak for sec resource release
Herbert Xu <herbert@gondor.apana.org.au>
padata: Disable BH when taking works lock on MT path
Johan Hovold <johan+linaro@kernel.org>
Bluetooth: qca: fix info leak when fetching board id
Dan Carpenter <dan.carpenter@linaro.org>
Bluetooth: qca: Fix error code in qca_read_fw_build_info()
Oleg Nesterov <oleg@redhat.com>
zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING
Jean Delvare <jdelvare@suse.de>
i2c: designware: Fix the functionality flags of the slave-only interface
Jean Delvare <jdelvare@suse.de>
i2c: at91: Fix the functionality flags of the slave-only interface
Shichao Lai <shichaorai@gmail.com>
usb-storage: alauda: Check whether the media is initialized
Sicong Huang <congei42@163.com>
greybus: Fix use-after-free bug in gb_interface_release due to race condition.
Nathan Chancellor <nathan@kernel.org>
kbuild: Remove support for Clang's ThinLTO caching
YonglongLi <liyonglong@chinatelecom.cn>
mptcp: pm: update add_addr counters after connect
YonglongLi <liyonglong@chinatelecom.cn>
mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID
Matthias Goergens <matthias.goergens@gmail.com>
hugetlb_encode.h: fix undefined behaviour (34 << 26)
Doug Brown <doug@schmorgal.com>
serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level
Miaohe Lin <linmiaohe@huawei.com>
mm/huge_memory: don't unpoison huge_zero_folio
Damien Le Moal <dlemoal@kernel.org>
scsi: mpi3mr: Fix ATA NCQ priority support
Oleg Nesterov <oleg@redhat.com>
tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device()
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: fix potential kernel bug due to lack of writeback flag waiting
Alexander Shishkin <alexander.shishkin@linux.intel.com>
intel_th: pci: Add Lunar Lake support
Alexander Shishkin <alexander.shishkin@linux.intel.com>
intel_th: pci: Add Meteor Lake-S support
Alexander Shishkin <alexander.shishkin@linux.intel.com>
intel_th: pci: Add Sapphire Rapids SOC support
Alexander Shishkin <alexander.shishkin@linux.intel.com>
intel_th: pci: Add Granite Rapids SOC support
Alexander Shishkin <alexander.shishkin@linux.intel.com>
intel_th: pci: Add Granite Rapids support
Nuno Sa <nuno.sa@analog.com>
dmaengine: axi-dmac: fix possible race in remove()
Rick Wertenbroek <rick.wertenbroek@gmail.com>
PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id
Su Yue <glass.su@suse.com>
ocfs2: fix races between hole punching and AIO+DIO
Su Yue <glass.su@suse.com>
ocfs2: use coarse time for new created files
Rik van Riel <riel@surriel.com>
fs/proc: fix softlockup in __read_vmcore
Trond Myklebust <trond.myklebust@hammerspace.com>
knfsd: LOOKUP can return an illegal error value
Vamshi Gajjela <vamshigajjela@google.com>
spmi: hisi-spmi-controller: Do not override device identifier
Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
vmci: prevent speculation leaks by sanitizing event in event_deliver()
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
sock_map: avoid race between sock_map_close and sk_psock_put
Damien Le Moal <dlemoal@kernel.org>
null_blk: Print correct max open zones limit in null_init_zoned_dev()
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing/selftests: Fix kprobe event name test for .isra. functions
Paolo Abeni <pabeni@redhat.com>
mptcp: ensure snd_una is properly initialized on connect
Marek Szyprowski <m.szyprowski@samsung.com>
drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found
Jani Nikula <jani.nikula@intel.com>
drm/exynos/vidi: fix memory leak in .get_modes()
Dirk Behme <dirk.behme@de.bosch.com>
drivers: core: synchronize really_probe() and dev_uevent()
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm42600: delete unneeded update watermark call
Marc Ferland <marc.ferland@sonatest.com>
iio: dac: ad5592r: fix temperature channel scaling value
David Lechner <dlechner@baylibre.com>
iio: adc: ad9467: fix scan type sign
Rao Shoaib <Rao.Shoaib@oracle.com>
af_unix: Read with MSG_PEEK loops if the first unread byte is OOB
Taehee Yoo <ap420073@gmail.com>
ionic: fix use after netif_napi_del()
Petr Pavlu <petr.pavlu@suse.com>
net/ipv6: Fix the RT cache flush via sysctl using a previous delay
Xiaolei Wang <xiaolei.wang@windriver.com>
net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters
Jozsef Kadlecsik <kadlec@netfilter.org>
netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
Gal Pressman <gal@nvidia.com>
net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets
Eric Dumazet <edumazet@google.com>
tcp: fix race in tcp_v6_syn_recv_sock()
Adam Miotk <adam.miotk@arm.com>
drm/bridge/panel: Fix runtime warning on panel bridge release
Amjad Ouled-Ameur <amjad.ouled-ameur@arm.com>
drm/komeda: check for error-valued pointer
Aleksandr Mishin <amishin@t-argos.ru>
liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
Jie Wang <wangjie125@huawei.com>
net: hns3: add cond_resched() to hns3 ring buffer init process
Yonglong Liu <liuyonglong@huawei.com>
net: hns3: fix kernel crash problem in concurrent scenario
Csókás, Bence <csokas.bence@prolan.hu>
net: sfp: Always call `sfp_sm_mod_remove()` on remove
Ian Forbes <ian.forbes@broadcom.com>
drm/vmwgfx: 3D disabled should not effect STDU memory limits
José Expósito <jose.exposito89@gmail.com>
HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()
Lu Baolu <baolu.lu@linux.intel.com>
iommu: Return right value in iommu_sva_bind_device()
Kun(llfl) <llfl@linux.alibaba.com>
iommu/amd: Fix sysfs leak in iommu init
Vasant Hegde <vasant.hegde@amd.com>
iommu/amd: Introduce pci segment structure
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
HID: core: remove unnecessary WARN_ON() in implement()
Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
gpio: tqmx86: store IRQ trigger type and unmask status separately
Gregor Herburger <gregor.herburger@tq-group.com>
gpio: tqmx86: fix typo in Kconfig label
Armin Wolf <W_Armin@gmx.de>
platform/x86: dell-smbios: Fix wrong token data in sysfs
ye xingchen <ye.xingchen@zte.com.cn>
platform/x86: dell-smbios-base: Use sysfs_emit()
Chen Hanxiao <chenhx.fnst@fujitsu.com>
SUNRPC: return proper error from gss_wrap_req_priv
Samuel Holland <samuel.holland@sifive.com>
clk: sifive: Do not register clkdevs for PRCI clocks
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: try trimming too long modalias strings
Michael Ellerman <mpe@ellerman.id.au>
powerpc/uaccess: Fix build errors seen with GCC 13/14
Breno Leitao <leitao@debian.org>
scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
Kuangyi Chiang <ki.chiang65@gmail.com>
xhci: Apply broken streams quirk to Etron EJ188 xHCI host
Hector Martin <marcan@marcan.st>
xhci: Handle TD clearing for multiple streams case
Kuangyi Chiang <ki.chiang65@gmail.com>
xhci: Apply reset resume quirk to Etron EJ188 xHCI host
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: Set correct transferred length for cancelled bulk transfers
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
jfs: xattr: fix buffer overflow for invalid xattr
Tomas Winkler <tomas.winkler@intel.com>
mei: me: release irq in mei_me_pci_resume error path
Kyle Tso <kyletso@google.com>
usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state
Alan Stern <stern@rowland.harvard.edu>
USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
Matthew Wilcox (Oracle) <willy@infradead.org>
nilfs2: return the mapped address from nilfs_get_page()
Matthew Wilcox (Oracle) <willy@infradead.org>
nilfs2: Remove check for PageError
Filipe Manana <fdmanana@suse.com>
btrfs: fix leak of qgroup extent records after transaction abort
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
wifi: ath10k: fix QCOM_RPROC_COMMON dependency
Dev Jain <dev.jain@arm.com>
selftests/mm: compaction_test: fix bogus test success on Aarch64
Mark Brown <broonie@kernel.org>
selftests/mm: log a consistent test name for check_compaction
Muhammad Usama Anjum <usama.anjum@collabora.com>
selftests/mm: conform test to TAP format output
Dev Jain <dev.jain@arm.com>
selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages
Frank van der Linden <fvdl@google.com>
mm/cma: drop incorrect alignment check in cma_init_reserved_mem
David Hildenbrand <david@redhat.com>
cma: factor out minimum alignment requirement
Hamish Martin <hamish.martin@alliedtelesis.co.nz>
i2c: acpi: Unbind mux adapters before delete
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
i2c: add fwnode APIs
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
mmc: davinci: Don't strip remove function when driver is builtin
Yangtao Li <frank.li@vivo.com>
mmc: davinci_mmc: Convert to platform remove callback returning void
Zheng Yejian <zhengyejian1@huawei.com>
ftrace: Fix possible use-after-free issue in ftrace_location()
Peter Zijlstra <peterz@infradead.org>
x86/ibt,ftrace: Search for __fentry__ location
Hugo Villeneuve <hvilleneuve@dimonoff.com>
serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler
Hugo Villeneuve <hvilleneuve@dimonoff.com>
serial: sc16is7xx: replace hardcoded divisor value with BIT() macro
Johan Hovold <johan+linaro@kernel.org>
Bluetooth: qca: fix info leak when fetching fw build id
Tim Jiang <quic_tjiang@quicinc.com>
Bluetooth: qca: add support for QCA2066
Neil Armstrong <neil.armstrong@linaro.org>
Bluetooth: qca: use switch case for soc type behavior
Luca Weiss <luca.weiss@fairphone.com>
Bluetooth: btqca: Add WCN3988 support
Min-Hua Chen <minhuadotchen@gmail.com>
Bluetooth: btqca: use le32_to_cpu for ver.soc_id
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Bluetooth: hci_qca: mark OF related data as maybe unused
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
skbuff: introduce skb_pull_data
Thomas Weißschuh <linux@weissschuh.net>
misc/pvpanic-pci: register attributes via pci_driver
Thomas Weißschuh <linux@weissschuh.net>
misc/pvpanic: deduplicate common code
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pvpanic: Indentation fixes here and there
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pvpanic: Keep single style across modules
Hersen Wu <hersenxs.wu@amd.com>
drm/amd/display: Fix incorrect DSC instance for MST
Alexey Kodanev <aleksei.kodanev@bell-sw.com>
drm/amd/display: drop unnecessary NULL checks in debugfs
Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
drm/amd/display: Clean up some inconsistent indenting
George Shen <george.shen@amd.com>
drm/amd/display: Handle Y carry-over in VCP X.Y calculation
Hans de Goede <hdegoede@redhat.com>
iio: accel: mxc4005: Reset chip on probe() and resume()
Wesley Cheng <quic_wcheng@quicinc.com>
usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
John Keeping <john@metanate.com>
usb: gadget: f_fs: use io_data->status consistently
Eric Dumazet <edumazet@google.com>
ipv6: fix possible race in __fib6_drop_pcpu_from()
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Use skb_queue_empty_lockless() in unix_release_sock().
Eric Dumazet <edumazet@google.com>
af_unix: annotate lockless accesses to sk->sk_err
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb().
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().
Eric Dumazet <edumazet@google.com>
net: drop nopreempt requirement on sock_prot_inuse_add()
Eric Dumazet <edumazet@google.com>
net: inline sock_prot_inuse_add()
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll().
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Annotate data-race of sk->sk_state in unix_inq_len().
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Annodate data-races around sk->sk_state for writers.
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer.
Karol Kolacinski <karol.kolacinski@intel.com>
ptp: Fix error message on failed pin verification
Eric Dumazet <edumazet@google.com>
net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
Jason Xing <kernelxing@tencent.com>
tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
Daniel Borkmann <daniel@iogearbox.net>
vxlan: Fix regression when dropping packets due to invalid src addresses
Hangyu Hua <hbh25y@gmail.com>
net: sched: sch_multiq: fix possible OOB write in multiq_tune()
Subbaraya Sundeep <sbhatta@marvell.com>
octeontx2-af: Always allocate PF entries from low prioriy zone
Jiri Olsa <jolsa@kernel.org>
bpf: Set run context for rawtp test_run callback
Eric Dumazet <edumazet@google.com>
ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
DelphineCCChiu <delphine_cc_chiu@wiwynn.com>
net/ncsi: Fix the multi thread manner of NCSI driver
Peter Delevoryas <peter@pjd.dev>
net/ncsi: Simplify Kconfig/dts control flow
Lingbo Kong <quic_lingbok@quicinc.com>
wifi: mac80211: correctly parse Spatial Reuse Parameter Set element
Emmanuel Grumbach <emmanuel.grumbach@intel.com>
wifi: iwlwifi: mvm: don't read past the mfuart notifcation
Miri Korenblit <miriam.rachel.korenblit@intel.com>
wifi: iwlwifi: mvm: check n_ssids before accessing the ssids
Shahar S Matityahu <shahar.s.matityahu@intel.com>
wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef
Johannes Berg <johannes.berg@intel.com>
wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
Lin Ma <linma@zju.edu.cn>
wifi: cfg80211: pmsr: use correct nla_get_uX functions
Remi Pommarel <repk@triplefau.lt>
wifi: cfg80211: Lock wiphy in cfg80211_get_station
Remi Pommarel <repk@triplefau.lt>
wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
Nicolas Escande <nico.escande@gmail.com>
wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
-------------
Diffstat:
.../bindings/i2c/google,cros-ec-i2c-tunnel.yaml | 2 +-
Makefile | 9 +-
arch/arm/boot/dts/exynos4210-smdkv310.dts | 2 +-
arch/arm/boot/dts/exynos4412-origen.dts | 2 +-
arch/arm/boot/dts/exynos4412-smdk4412.dts | 2 +-
arch/arm/boot/dts/rk3066a.dtsi | 1 +
arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 2 +-
arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 4 +-
arch/arm64/boot/dts/rockchip/rk3368.dtsi | 3 +
arch/arm64/include/asm/kvm_host.h | 1 +
arch/arm64/include/asm/unistd32.h | 2 +-
arch/arm64/kvm/arm.c | 6 +-
arch/arm64/kvm/vgic/vgic-v3.c | 2 +-
arch/arm64/kvm/vgic/vgic-v4.c | 8 +-
arch/csky/include/uapi/asm/unistd.h | 1 +
arch/hexagon/include/asm/syscalls.h | 6 +
arch/hexagon/include/uapi/asm/unistd.h | 1 +
arch/hexagon/kernel/syscalltab.c | 7 +
arch/mips/bmips/setup.c | 3 +-
arch/mips/kernel/syscalls/syscall_n32.tbl | 2 +-
arch/mips/kernel/syscalls/syscall_o32.tbl | 2 +-
arch/mips/pci/ops-rc32434.c | 4 +-
arch/mips/pci/pcie-octeon.c | 6 +
arch/parisc/Kconfig | 1 +
arch/parisc/kernel/sys_parisc32.c | 9 -
arch/parisc/kernel/syscalls/syscall.tbl | 6 +-
arch/powerpc/include/asm/fadump-internal.h | 5 -
arch/powerpc/include/asm/hvcall.h | 8 +-
arch/powerpc/include/asm/io.h | 24 +-
arch/powerpc/include/asm/uaccess.h | 15 +-
arch/powerpc/kernel/fadump.c | 2 +-
arch/powerpc/kernel/syscalls/syscall.tbl | 2 +-
arch/riscv/mm/init.c | 58 ++---
arch/s390/kernel/syscalls/syscall.tbl | 2 +-
arch/sh/kernel/sys_sh32.c | 11 +
arch/sh/kernel/syscalls/syscall.tbl | 3 +-
arch/sparc/kernel/sys32.S | 221 -----------------
arch/sparc/kernel/syscalls/syscall.tbl | 8 +-
arch/x86/entry/syscalls/syscall_32.tbl | 2 +-
arch/x86/include/asm/cpu_device_id.h | 98 ++++++++
arch/x86/include/asm/efi.h | 11 +
arch/x86/kernel/amd_nb.c | 9 +-
arch/x86/kernel/cpu/match.c | 4 +-
arch/x86/kernel/fpu/core.c | 4 +-
arch/x86/kernel/kprobes/core.c | 11 +-
arch/x86/kernel/time.c | 20 +-
arch/x86/kvm/x86.c | 9 +-
arch/x86/mm/numa.c | 6 +-
arch/x86/platform/efi/Makefile | 3 +-
arch/x86/platform/efi/efi.c | 8 +-
arch/x86/platform/efi/memmap.c | 249 +++++++++++++++++++
block/ioctl.c | 2 +-
crypto/ecdh.c | 2 +
drivers/acpi/acpica/exregion.c | 23 +-
drivers/acpi/video_detect.c | 8 +
drivers/acpi/x86/utils.c | 23 +-
drivers/ata/ahci.c | 17 +-
drivers/ata/libata-core.c | 8 +-
drivers/base/core.c | 3 +
drivers/block/null_blk/zoned.c | 2 +-
drivers/bluetooth/ath3k.c | 25 +-
drivers/bluetooth/btqca.c | 186 +++++++++++---
drivers/bluetooth/btqca.h | 36 +--
drivers/bluetooth/hci_qca.c | 266 ++++++++++++++++-----
drivers/clk/sifive/sifive-prci.c | 8 -
drivers/crypto/hisilicon/sec2/sec_crypto.c | 4 +-
drivers/dma/dma-axi-dmac.c | 2 +-
drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 6 +-
drivers/dma/dw-axi-dmac/dw-axi-dmac.h | 1 +
drivers/dma/idxd/irq.c | 4 +-
drivers/dma/ioat/init.c | 73 +++---
drivers/dma/ioat/registers.h | 7 -
drivers/firmware/efi/fdtparams.c | 4 +
drivers/firmware/efi/memmap.c | 239 +-----------------
drivers/gpio/Kconfig | 2 +-
drivers/gpio/gpio-davinci.c | 5 +
drivers/gpio/gpio-tqmx86.c | 46 ++--
drivers/gpio/gpiolib-cdev.c | 16 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c | 18 +-
.../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 144 +++++------
.../amd/display/dc/dcn10/dcn10_stream_encoder.c | 6 +
drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c | 2 +
.../drm/arm/display/komeda/komeda_pipeline_state.c | 2 +-
drivers/gpu/drm/bridge/panel.c | 7 +-
drivers/gpu/drm/exynos/exynos_drm_vidi.c | 7 +-
drivers/gpu/drm/exynos/exynos_hdmi.c | 7 +-
drivers/gpu/drm/i915/display/intel_dp.c | 4 +
drivers/gpu/drm/i915/gt/intel_breadcrumbs.c | 16 +-
drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c | 1 +
drivers/gpu/drm/lima/lima_bcast.c | 12 +
drivers/gpu/drm/lima/lima_bcast.h | 3 +
drivers/gpu/drm/lima/lima_gp.c | 8 +
drivers/gpu/drm/lima/lima_pp.c | 18 ++
drivers/gpu/drm/lima/lima_sched.c | 7 +
drivers/gpu/drm/lima/lima_sched.h | 1 +
drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 6 +
drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 6 +-
drivers/gpu/drm/panel/panel-simple.c | 1 +
drivers/gpu/drm/radeon/radeon.h | 1 -
drivers/gpu/drm/radeon/radeon_display.c | 8 +-
drivers/gpu/drm/radeon/sumo_dpm.c | 2 +
drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 7 -
drivers/greybus/interface.c | 1 +
drivers/hid/hid-core.c | 1 -
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-logitech-dj.c | 4 +-
drivers/hid/hid-multitouch.c | 6 +
drivers/hwtracing/intel_th/pci.c | 25 ++
drivers/i2c/busses/i2c-at91-slave.c | 3 +-
drivers/i2c/busses/i2c-designware-slave.c | 2 +-
drivers/i2c/busses/i2c-ocores.c | 2 +-
drivers/i2c/i2c-core-acpi.c | 30 +--
drivers/i2c/i2c-core-base.c | 98 ++++++++
drivers/i2c/i2c-core-of.c | 66 -----
drivers/i2c/i2c-slave-testunit.c | 5 +-
drivers/iio/accel/Kconfig | 2 +
drivers/iio/accel/mxc4005.c | 68 ++++++
drivers/iio/adc/ad7266.c | 2 +
drivers/iio/adc/ad9467.c | 4 +-
drivers/iio/chemical/bme680.h | 2 +
drivers/iio/chemical/bme680_core.c | 62 ++++-
drivers/iio/dac/ad5592r-base.c | 2 +-
drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 4 -
drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 4 -
drivers/infiniband/core/restrack.c | 51 +---
drivers/infiniband/hw/mlx5/srq.c | 13 +-
drivers/input/input.c | 105 ++++++--
drivers/input/touchscreen/ili210x.c | 4 +-
drivers/iommu/amd/amd_iommu_types.h | 24 +-
drivers/iommu/amd/init.c | 55 ++++-
drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 +-
drivers/md/bcache/bset.c | 44 ++--
drivers/md/bcache/bset.h | 28 ++-
drivers/md/bcache/btree.c | 40 ++--
drivers/md/bcache/super.c | 5 +-
drivers/md/bcache/sysfs.c | 2 +-
drivers/md/bcache/writeback.c | 10 +-
drivers/media/dvb-core/dvbdev.c | 2 +-
drivers/misc/mei/pci-me.c | 4 +-
drivers/misc/pvpanic/pvpanic-mmio.c | 59 +----
drivers/misc/pvpanic/pvpanic-pci.c | 80 +------
drivers/misc/pvpanic/pvpanic.c | 90 ++++++-
drivers/misc/pvpanic/pvpanic.h | 10 +-
drivers/misc/vmw_vmci/vmci_event.c | 6 +-
drivers/mmc/host/davinci_mmc.c | 6 +-
drivers/mmc/host/sdhci-pci-core.c | 11 +-
drivers/mmc/host/sdhci.c | 25 +-
drivers/mtd/parsers/redboot.c | 2 +-
drivers/net/dsa/microchip/ksz9477.c | 7 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +-
drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c | 11 +-
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 14 +-
drivers/net/ethernet/google/gve/gve.h | 13 +-
drivers/net/ethernet/google/gve/gve_rx_dqo.c | 76 +++---
drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 4 +
drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 2 +
.../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 21 +-
drivers/net/ethernet/ibm/ibmvnic.c | 6 +
.../net/ethernet/marvell/octeontx2/af/rvu_npc.c | 33 ++-
.../net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 5 +-
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +-
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +-
drivers/net/ethernet/qualcomm/qca_debug.c | 6 +-
drivers/net/ethernet/qualcomm/qca_spi.c | 16 +-
drivers/net/ethernet/qualcomm/qca_spi.h | 3 +-
.../net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 6 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 55 ++---
drivers/net/phy/micrel.c | 1 +
drivers/net/phy/sfp.c | 3 +-
drivers/net/usb/ax88179_178a.c | 6 +-
drivers/net/usb/rtl8150.c | 3 +-
drivers/net/virtio_net.c | 12 +-
drivers/net/vxlan/vxlan_core.c | 4 +
drivers/net/wireless/ath/ath.h | 6 +-
drivers/net/wireless/ath/ath10k/Kconfig | 1 +
drivers/net/wireless/ath/ath9k/main.c | 3 +-
drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +-
drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 -
drivers/net/wireless/intel/iwlwifi/mvm/rs.h | 9 +-
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 4 +-
.../net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 19 +-
drivers/net/wireless/realtek/rtlwifi/wifi.h | 1 -
drivers/of/of_reserved_mem.c | 9 +-
drivers/pci/controller/pcie-rockchip-ep.c | 6 +-
drivers/pci/pci.c | 12 +
drivers/pinctrl/core.c | 2 +-
drivers/pinctrl/pinctrl-rockchip.c | 68 +++++-
drivers/pinctrl/pinctrl-rockchip.h | 1 +
drivers/platform/x86/dell/dell-smbios-base.c | 91 +++----
drivers/power/supply/cros_usbpd-charger.c | 11 +-
drivers/ptp/ptp_chardev.c | 3 +-
drivers/ptp/ptp_sysfs.c | 3 +-
drivers/pwm/pwm-stm32.c | 3 +
drivers/regulator/bd71815-regulator.c | 2 +-
drivers/regulator/core.c | 1 +
drivers/scsi/mpi3mr/mpi3mr.h | 1 +
drivers/scsi/mpi3mr/mpi3mr_os.c | 67 ++++++
drivers/scsi/mpt3sas/mpt3sas_base.c | 19 ++
drivers/scsi/mpt3sas/mpt3sas_base.h | 3 -
drivers/scsi/mpt3sas/mpt3sas_ctl.c | 4 +-
drivers/scsi/mpt3sas/mpt3sas_scsih.c | 25 --
drivers/scsi/qedi/qedi_debugfs.c | 12 +-
drivers/scsi/scsi_transport_sas.c | 29 +++
drivers/soc/ti/ti_sci_pm_domains.c | 20 +-
drivers/soc/ti/wkup_m3_ipc.c | 7 +-
drivers/spmi/hisi-spmi-controller.c | 1 -
drivers/tty/serial/8250/8250_exar.c | 42 ++++
drivers/tty/serial/8250/8250_omap.c | 25 +-
drivers/tty/serial/8250/8250_pxa.c | 1 +
drivers/tty/serial/imx.c | 11 +-
drivers/tty/serial/mcf.c | 2 +-
drivers/tty/serial/sc16is7xx.c | 25 +-
drivers/tty/serial/stm32-usart.c | 208 ++++++++++++----
drivers/tty/serial/stm32-usart.h | 12 +-
drivers/usb/atm/cxacru.c | 14 ++
drivers/usb/class/cdc-wdm.c | 4 +-
drivers/usb/dwc3/core.c | 6 -
drivers/usb/gadget/function/f_fs.c | 9 +-
drivers/usb/gadget/function/f_printer.c | 40 +++-
drivers/usb/host/xhci-pci.c | 7 +
drivers/usb/host/xhci-ring.c | 59 +++--
drivers/usb/host/xhci.h | 1 +
drivers/usb/misc/uss720.c | 22 +-
drivers/usb/musb/da8xx.c | 8 +-
drivers/usb/storage/alauda.c | 9 +-
drivers/usb/typec/tcpm/tcpm.c | 1 +
drivers/vdpa/vdpa_user/vduse_dev.c | 14 +-
fs/btrfs/block-group.c | 11 +-
fs/btrfs/disk-io.c | 10 +-
fs/cifs/cifsfs.c | 2 +-
fs/cifs/smb2transport.c | 2 +-
fs/f2fs/super.c | 2 -
fs/jfs/xattr.c | 4 +-
fs/ksmbd/mgmt/share_config.c | 6 +-
fs/nfs/read.c | 4 -
fs/nfsd/nfsfh.c | 4 +-
fs/nilfs2/dir.c | 59 +++--
fs/nilfs2/segment.c | 3 +
fs/ocfs2/aops.c | 5 +
fs/ocfs2/file.c | 2 +
fs/ocfs2/journal.c | 17 ++
fs/ocfs2/journal.h | 2 +
fs/ocfs2/namei.c | 2 +-
fs/ocfs2/ocfs2_trace.h | 2 +
fs/open.c | 4 +-
fs/proc/vmcore.c | 2 +
fs/udf/udftime.c | 11 +-
include/kvm/arm_vgic.h | 2 +-
include/linux/cma.h | 9 +
include/linux/compat.h | 2 +-
include/linux/efi.h | 10 +-
include/linux/filter.h | 5 +-
include/linux/i2c.h | 26 +-
include/linux/iommu.h | 2 +-
include/linux/kcov.h | 2 +
include/linux/mdio.h | 12 +
include/linux/mod_devicetable.h | 2 +
include/linux/nvme.h | 4 +-
include/linux/pci.h | 9 +
include/linux/skbuff.h | 2 +
include/linux/syscalls.h | 8 +-
include/net/bluetooth/hci_core.h | 36 ++-
include/net/inet_connection_sock.h | 10 +-
include/net/netfilter/nf_tables.h | 5 +
include/net/request_sock.h | 2 +
include/net/sock.h | 16 +-
include/net/tcp.h | 2 +-
include/scsi/scsi_transport_sas.h | 2 +
include/trace/events/qdisc.h | 2 +-
include/uapi/asm-generic/hugetlb_encode.h | 26 +-
include/uapi/asm-generic/unistd.h | 2 +-
kernel/bpf/core.c | 4 +-
kernel/bpf/trampoline.c | 20 +-
kernel/bpf/verifier.c | 8 +-
kernel/cpu.c | 8 +-
kernel/dma/contiguous.c | 4 +-
kernel/events/core.c | 13 +
kernel/gcov/gcc_4_7.c | 4 +-
kernel/gen_kheaders.sh | 9 +-
kernel/kcov.c | 1 +
kernel/kprobes.c | 8 +-
kernel/padata.c | 8 +-
kernel/pid_namespace.c | 1 +
kernel/rcu/rcutorture.c | 16 +-
kernel/sys_ni.c | 2 +-
kernel/time/tick-common.c | 42 ++--
kernel/trace/Kconfig | 4 +-
kernel/trace/ftrace.c | 71 ++++--
kernel/trace/preemptirq_delay_test.c | 1 +
mm/cma.c | 20 +-
mm/memory-failure.c | 7 +
net/batman-adv/originator.c | 29 +++
net/bluetooth/l2cap_core.c | 8 +-
net/bpf/test_run.c | 6 +
net/can/j1939/main.c | 6 +-
net/can/j1939/transport.c | 21 +-
net/core/drop_monitor.c | 20 +-
net/core/filter.c | 3 +
net/core/net_namespace.c | 9 +-
net/core/netpoll.c | 2 +-
net/core/skbuff.c | 24 ++
net/core/sock.c | 20 +-
net/core/sock_map.c | 16 +-
net/core/xdp.c | 4 +-
net/dccp/ipv4.c | 7 +-
net/dccp/ipv6.c | 7 +-
net/ieee802154/socket.c | 4 +-
net/ipv4/af_inet.c | 23 +-
net/ipv4/cipso_ipv4.c | 12 +-
net/ipv4/inet_connection_sock.c | 22 +-
net/ipv4/raw.c | 2 +-
net/ipv4/tcp.c | 16 +-
net/ipv4/tcp_input.c | 50 +++-
net/ipv4/tcp_minisocks.c | 5 +-
net/ipv6/af_inet6.c | 24 +-
net/ipv6/ip6_fib.c | 6 +-
net/ipv6/ipv6_sockglue.c | 17 +-
net/ipv6/route.c | 9 +-
net/ipv6/seg6_iptunnel.c | 14 +-
net/ipv6/seg6_local.c | 8 +-
net/ipv6/tcp_ipv6.c | 9 +-
net/ipv6/xfrm6_policy.c | 8 +-
net/iucv/iucv.c | 26 +-
net/mac80211/he.c | 10 +-
net/mac80211/mesh_pathtbl.c | 13 +
net/mac80211/sta_info.c | 4 +-
net/mptcp/pm_netlink.c | 21 +-
net/mptcp/protocol.c | 1 +
net/ncsi/internal.h | 2 +
net/ncsi/ncsi-manage.c | 95 ++++----
net/ncsi/ncsi-rsp.c | 4 +-
net/netfilter/ipset/ip_set_core.c | 104 ++++----
net/netfilter/ipset/ip_set_list_set.c | 30 ++-
net/netfilter/nf_tables_api.c | 8 +-
net/netfilter/nft_lookup.c | 3 +-
net/netlink/af_netlink.c | 4 -
net/netrom/nr_timer.c | 3 +-
net/packet/af_packet.c | 30 ++-
net/sched/act_api.c | 66 +++--
net/sched/act_ct.c | 21 +-
net/sched/sch_multiq.c | 2 +-
net/sched/sch_taprio.c | 15 +-
net/sctp/socket.c | 5 -
net/smc/af_smc.c | 2 +-
net/sunrpc/auth_gss/auth_gss.c | 4 +-
net/tipc/node.c | 1 +
net/unix/af_unix.c | 113 +++++----
net/unix/diag.c | 12 +-
net/wireless/pmsr.c | 8 +-
net/wireless/util.c | 7 +-
net/xdp/xsk.c | 4 -
scripts/Makefile.dtbinst | 2 +-
sound/pci/hda/patch_realtek.c | 1 +
sound/soc/fsl/fsl-asoc-card.c | 3 +-
sound/synth/emux/soundfont.c | 17 +-
tools/include/asm-generic/hugetlb_encode.h | 26 +-
tools/perf/Documentation/perf-script.txt | 7 +-
tools/perf/builtin-script.c | 24 +-
tools/testing/selftests/arm64/tags/tags_test.c | 4 +
.../selftests/bpf/prog_tests/btf_map_in_map.c | 26 +-
tools/testing/selftests/bpf/test_tc_tunnel.sh | 13 +-
.../ftrace/test.d/kprobe/kprobe_eventname.tc | 3 +-
tools/testing/selftests/net/mptcp/mptcp_join.sh | 5 +-
tools/testing/selftests/vm/compaction_test.c | 108 +++++----
364 files changed, 3886 insertions(+), 2550 deletions(-)
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 001/356] wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 002/356] wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() Greg Kroah-Hartman
` (362 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolas Escande, Johannes Berg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Escande <nico.escande@gmail.com>
[ Upstream commit b7d7f11a291830fdf69d3301075dd0fb347ced84 ]
The hwmp code use objects of type mesh_preq_queue, added to a list in
ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath
gets deleted, ex mesh interface is removed, the entries in that list will
never get cleaned. Fix this by flushing all corresponding items of the
preq_queue in mesh_path_flush_pending().
This should take care of KASAN reports like this:
unreferenced object 0xffff00000668d800 (size 128):
comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s)
hex dump (first 32 bytes):
00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....
8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........
backtrace:
[<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
[<00000000049bd418>] kmalloc_trace+0x34/0x80
[<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
[<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
[<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
[<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
[<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
[<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
[<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
[<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
[<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
[<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
[<00000000b36425d1>] worker_thread+0x9c/0x634
[<0000000005852dd5>] kthread+0x1bc/0x1c4
[<000000005fccd770>] ret_from_fork+0x10/0x20
unreferenced object 0xffff000009051f00 (size 128):
comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s)
hex dump (first 32 bytes):
90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....
36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....
backtrace:
[<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
[<00000000049bd418>] kmalloc_trace+0x34/0x80
[<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
[<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
[<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
[<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
[<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
[<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
[<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
[<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
[<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
[<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
[<00000000b36425d1>] worker_thread+0x9c/0x634
[<0000000005852dd5>] kthread+0x1bc/0x1c4
[<000000005fccd770>] ret_from_fork+0x10/0x20
Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol")
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Link: https://msgid.link/20240528142605.1060566-1-nico.escande@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/mesh_pathtbl.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index 69d5e1ec6edef..e7b9dcf30adc9 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -723,10 +723,23 @@ void mesh_path_discard_frame(struct ieee80211_sub_if_data *sdata,
*/
void mesh_path_flush_pending(struct mesh_path *mpath)
{
+ struct ieee80211_sub_if_data *sdata = mpath->sdata;
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+ struct mesh_preq_queue *preq, *tmp;
struct sk_buff *skb;
while ((skb = skb_dequeue(&mpath->frame_queue)) != NULL)
mesh_path_discard_frame(mpath->sdata, skb);
+
+ spin_lock_bh(&ifmsh->mesh_preq_queue_lock);
+ list_for_each_entry_safe(preq, tmp, &ifmsh->preq_queue.list, list) {
+ if (ether_addr_equal(mpath->dst, preq->dst)) {
+ list_del(&preq->list);
+ kfree(preq);
+ --ifmsh->preq_queue_len;
+ }
+ }
+ spin_unlock_bh(&ifmsh->mesh_preq_queue_lock);
}
/**
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 002/356] wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 001/356] wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 003/356] wifi: cfg80211: Lock wiphy in cfg80211_get_station Greg Kroah-Hartman
` (361 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Remi Pommarel, Johannes Berg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Remi Pommarel <repk@triplefau.lt>
[ Upstream commit 44c06bbde6443de206b30f513100b5670b23fc5e ]
The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from
softirq context. However using only spin_lock() to get sta->ps_lock in
ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
take this same lock ending in deadlock. Below is an example of rcu stall
that arises in such situation.
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)
CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742
Hardware name: RPT (r1) (DT)
pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : queued_spin_lock_slowpath+0x58/0x2d0
lr : invoke_tx_handlers_early+0x5b4/0x5c0
sp : ffff00001ef64660
x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
Call trace:
queued_spin_lock_slowpath+0x58/0x2d0
ieee80211_tx+0x80/0x12c
ieee80211_tx_pending+0x110/0x278
tasklet_action_common.constprop.0+0x10c/0x144
tasklet_action+0x20/0x28
_stext+0x11c/0x284
____do_softirq+0xc/0x14
call_on_irq_stack+0x24/0x34
do_softirq_own_stack+0x18/0x20
do_softirq+0x74/0x7c
__local_bh_enable_ip+0xa0/0xa4
_ieee80211_wake_txqs+0x3b0/0x4b8
__ieee80211_wake_queue+0x12c/0x168
ieee80211_add_pending_skbs+0xec/0x138
ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
ieee80211_mps_sta_status_update+0x18/0x24
sta_apply_parameters+0x3bc/0x4c0
ieee80211_change_station+0x1b8/0x2dc
nl80211_set_station+0x444/0x49c
genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
genl_rcv_msg+0x1b0/0x244
netlink_rcv_skb+0x38/0x10c
genl_rcv+0x34/0x48
netlink_unicast+0x254/0x2bc
netlink_sendmsg+0x190/0x3b4
____sys_sendmsg+0x1e8/0x218
___sys_sendmsg+0x68/0x8c
__sys_sendmsg+0x44/0x84
__arm64_sys_sendmsg+0x20/0x28
do_el0_svc+0x6c/0xe8
el0_svc+0x14/0x48
el0t_64_sync_handler+0xb0/0xb4
el0t_64_sync+0x14c/0x150
Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
on the same CPU that is holding the lock.
Fixes: 1d147bfa6429 ("mac80211: fix AP powersave TX vs. wakeup race")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Link: https://msgid.link/8e36fe07d0fbc146f89196cd47a53c8a0afe84aa.1716910344.git.repk@triplefau.lt
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/sta_info.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index f4deee1926e58..6d2b42cb3ad58 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1339,7 +1339,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
skb_queue_head_init(&pending);
/* sync with ieee80211_tx_h_unicast_ps_buf */
- spin_lock(&sta->ps_lock);
+ spin_lock_bh(&sta->ps_lock);
/* Send all buffered frames to the station */
for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
int count = skb_queue_len(&pending), tmp;
@@ -1368,7 +1368,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
*/
clear_sta_flag(sta, WLAN_STA_PSPOLL);
clear_sta_flag(sta, WLAN_STA_UAPSD);
- spin_unlock(&sta->ps_lock);
+ spin_unlock_bh(&sta->ps_lock);
atomic_dec(&ps->num_sta_ps);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 003/356] wifi: cfg80211: Lock wiphy in cfg80211_get_station
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 001/356] wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 002/356] wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 004/356] wifi: cfg80211: pmsr: use correct nla_get_uX functions Greg Kroah-Hartman
` (360 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Remi Pommarel, Nicolas Escande,
Antonio Quartulli, Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Remi Pommarel <repk@triplefau.lt>
[ Upstream commit 642f89daa34567d02f312d03e41523a894906dae ]
Wiphy should be locked before calling rdev_get_station() (see lockdep
assert in ieee80211_get_station()).
This fixes the following kernel NULL dereference:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000
[0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] SMP
Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath
CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705
Hardware name: RPT (r1) (DT)
Workqueue: bat_events batadv_v_elp_throughput_metric_update
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
lr : sta_set_sinfo+0xcc/0xbd4
sp : ffff000007b43ad0
x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98
x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000
x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc
x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000
x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d
x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e
x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000
x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000
x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90
x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000
Call trace:
ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
sta_set_sinfo+0xcc/0xbd4
ieee80211_get_station+0x2c/0x44
cfg80211_get_station+0x80/0x154
batadv_v_elp_get_throughput+0x138/0x1fc
batadv_v_elp_throughput_metric_update+0x1c/0xa4
process_one_work+0x1ec/0x414
worker_thread+0x70/0x46c
kthread+0xdc/0xe0
ret_from_fork+0x10/0x20
Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)
This happens because STA has time to disconnect and reconnect before
batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In
this situation, ath10k_sta_state() can be in the middle of resetting
arsta data when the work queue get chance to be scheduled and ends up
accessing it. Locking wiphy prevents that.
Fixes: 7406353d43c8 ("cfg80211: implement cfg80211_get_station cfg80211 API")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Reviewed-by: Nicolas Escande <nico.escande@gmail.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Link: https://msgid.link/983b24a6a176e0800c01aedcd74480d9b551cb13.1716046653.git.repk@triplefau.lt
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/util.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/wireless/util.c b/net/wireless/util.c
index cb15d7f4eb05a..d40c2cf777dc0 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -2033,6 +2033,7 @@ int cfg80211_get_station(struct net_device *dev, const u8 *mac_addr,
{
struct cfg80211_registered_device *rdev;
struct wireless_dev *wdev;
+ int ret;
wdev = dev->ieee80211_ptr;
if (!wdev)
@@ -2044,7 +2045,11 @@ int cfg80211_get_station(struct net_device *dev, const u8 *mac_addr,
memset(sinfo, 0, sizeof(*sinfo));
- return rdev_get_station(rdev, dev, mac_addr, sinfo);
+ wiphy_lock(&rdev->wiphy);
+ ret = rdev_get_station(rdev, dev, mac_addr, sinfo);
+ wiphy_unlock(&rdev->wiphy);
+
+ return ret;
}
EXPORT_SYMBOL(cfg80211_get_station);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 004/356] wifi: cfg80211: pmsr: use correct nla_get_uX functions
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 003/356] wifi: cfg80211: Lock wiphy in cfg80211_get_station Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 005/356] wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 Greg Kroah-Hartman
` (359 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lin Ma, Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit ab904521f4de52fef4f179d2dfc1877645ef5f5c ]
The commit 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM
initiator API") defines four attributes NL80211_PMSR_FTM_REQ_ATTR_
{NUM_BURSTS_EXP}/{BURST_PERIOD}/{BURST_DURATION}/{FTMS_PER_BURST} in
following ways.
static const struct nla_policy
nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
...
[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
NLA_POLICY_MAX(NLA_U8, 15),
[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
NLA_POLICY_MAX(NLA_U8, 15),
[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
NLA_POLICY_MAX(NLA_U8, 31),
...
};
That is, those attributes are expected to be NLA_U8 and NLA_U16 types.
However, the consumers of these attributes in `pmsr_parse_ftm` blindly
all use `nla_get_u32`, which is incorrect and causes functionality issues
on little-endian platforms. Hence, fix them with the correct `nla_get_u8`
and `nla_get_u16` functions.
Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Link: https://msgid.link/20240521075059.47999-1-linma@zju.edu.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/pmsr.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
index 328cf54bda826..65fa39275f73f 100644
--- a/net/wireless/pmsr.c
+++ b/net/wireless/pmsr.c
@@ -58,7 +58,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev,
out->ftm.burst_period = 0;
if (tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD])
out->ftm.burst_period =
- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD]);
+ nla_get_u16(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD]);
out->ftm.asap = !!tb[NL80211_PMSR_FTM_REQ_ATTR_ASAP];
if (out->ftm.asap && !capa->ftm.asap) {
@@ -77,7 +77,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev,
out->ftm.num_bursts_exp = 0;
if (tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP])
out->ftm.num_bursts_exp =
- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP]);
+ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP]);
if (capa->ftm.max_bursts_exponent >= 0 &&
out->ftm.num_bursts_exp > capa->ftm.max_bursts_exponent) {
@@ -90,7 +90,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev,
out->ftm.burst_duration = 15;
if (tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION])
out->ftm.burst_duration =
- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION]);
+ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION]);
out->ftm.ftms_per_burst = 0;
if (tb[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST])
@@ -109,7 +109,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev,
out->ftm.ftmr_retries = 3;
if (tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES])
out->ftm.ftmr_retries =
- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES]);
+ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES]);
out->ftm.request_lci = !!tb[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI];
if (out->ftm.request_lci && !capa->ftm.request_lci) {
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 005/356] wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 004/356] wifi: cfg80211: pmsr: use correct nla_get_uX functions Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 006/356] wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef Greg Kroah-Hartman
` (358 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Berg, Liad Kaufman,
Luciano Coelho, Miri Korenblit, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 4a7aace2899711592327463c1a29ffee44fcc66e ]
We don't actually support >64 even for HE devices, so revert
back to 64. This fixes an issue where the session is refused
because the queue is configured differently from the actual
session later.
Fixes: 514c30696fbc ("iwlwifi: add support for IEEE802.11ax")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-by: Liad Kaufman <liad.kaufman@intel.com>
Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240510170500.52f7b4cf83aa.If47e43adddf7fe250ed7f5571fbb35d8221c7c47@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/rs.h | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rs.h b/drivers/net/wireless/intel/iwlwifi/mvm/rs.h
index 32104c9f8f5ee..d59a47637d120 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.h
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.h
@@ -133,13 +133,8 @@ enum {
#define LINK_QUAL_AGG_FRAME_LIMIT_DEF (63)
#define LINK_QUAL_AGG_FRAME_LIMIT_MAX (63)
-/*
- * FIXME - various places in firmware API still use u8,
- * e.g. LQ command and SCD config command.
- * This should be 256 instead.
- */
-#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_DEF (255)
-#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_MAX (255)
+#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_DEF (64)
+#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_MAX (64)
#define LINK_QUAL_AGG_FRAME_LIMIT_MIN (0)
#define LQ_SIZE 2 /* 2 mode tables: "Active" and "Search" */
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 006/356] wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 005/356] wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 007/356] wifi: iwlwifi: mvm: check n_ssids before accessing the ssids Greg Kroah-Hartman
` (357 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shahar S Matityahu, Luciano Coelho,
Miri Korenblit, Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shahar S Matityahu <shahar.s.matityahu@intel.com>
[ Upstream commit 87821b67dea87addbc4ab093ba752753b002176a ]
The driver should call iwl_dbg_tlv_free even if debugfs is not defined
since ini mode does not depend on debugfs ifdef.
Fixes: 68f6f492c4fa ("iwlwifi: trans: support loading ini TLVs from external file")
Signed-off-by: Shahar S Matityahu <shahar.s.matityahu@intel.com>
Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240510170500.c8e3723f55b0.I5e805732b0be31ee6b83c642ec652a34e974ff10@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
index 524b0ad873578..afa89deb7bc3a 100644
--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
@@ -1667,8 +1667,8 @@ struct iwl_drv *iwl_drv_start(struct iwl_trans *trans)
err_fw:
#ifdef CONFIG_IWLWIFI_DEBUGFS
debugfs_remove_recursive(drv->dbgfs_drv);
- iwl_dbg_tlv_free(drv->trans);
#endif
+ iwl_dbg_tlv_free(drv->trans);
kfree(drv);
err:
return ERR_PTR(ret);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 007/356] wifi: iwlwifi: mvm: check n_ssids before accessing the ssids
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 006/356] wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 008/356] wifi: iwlwifi: mvm: dont read past the mfuart notifcation Greg Kroah-Hartman
` (356 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miri Korenblit, Ilan Peer,
Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
[ Upstream commit 60d62757df30b74bf397a2847a6db7385c6ee281 ]
In some versions of cfg80211, the ssids poinet might be a valid one even
though n_ssids is 0. Accessing the pointer in this case will cuase an
out-of-bound access. Fix this by checking n_ssids first.
Fixes: c1a7515393e4 ("iwlwifi: mvm: add adaptive dwell support")
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Link: https://msgid.link/20240513132416.6e4d1762bf0d.I5a0e6cc8f02050a766db704d15594c61fe583d45@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
index c0ffa26bc5aaa..0605363b62720 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
@@ -1312,7 +1312,7 @@ static void iwl_mvm_scan_umac_dwell(struct iwl_mvm *mvm,
if (IWL_MVM_ADWELL_MAX_BUDGET)
cmd->v7.adwell_max_budget =
cpu_to_le16(IWL_MVM_ADWELL_MAX_BUDGET);
- else if (params->ssids && params->ssids[0].ssid_len)
+ else if (params->n_ssids && params->ssids[0].ssid_len)
cmd->v7.adwell_max_budget =
cpu_to_le16(IWL_SCAN_ADWELL_MAX_BUDGET_DIRECTED_SCAN);
else
@@ -1414,7 +1414,7 @@ iwl_mvm_scan_umac_dwell_v10(struct iwl_mvm *mvm,
if (IWL_MVM_ADWELL_MAX_BUDGET)
general_params->adwell_max_budget =
cpu_to_le16(IWL_MVM_ADWELL_MAX_BUDGET);
- else if (params->ssids && params->ssids[0].ssid_len)
+ else if (params->n_ssids && params->ssids[0].ssid_len)
general_params->adwell_max_budget =
cpu_to_le16(IWL_SCAN_ADWELL_MAX_BUDGET_DIRECTED_SCAN);
else
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 008/356] wifi: iwlwifi: mvm: dont read past the mfuart notifcation
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 007/356] wifi: iwlwifi: mvm: check n_ssids before accessing the ssids Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 009/356] wifi: mac80211: correctly parse Spatial Reuse Parameter Set element Greg Kroah-Hartman
` (355 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emmanuel Grumbach, Johannes Berg,
Miri Korenblit, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
[ Upstream commit 4bb95f4535489ed830cf9b34b0a891e384d1aee4 ]
In case the firmware sends a notification that claims it has more data
than it has, we will read past that was allocated for the notification.
Remove the print of the buffer, we won't see it by default. If needed,
we can see the content with tracing.
This was reported by KFENCE.
Fixes: bdccdb854f2f ("iwlwifi: mvm: support MFUART dump in case of MFUART assert")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240513132416.ba82a01a559e.Ia91dd20f5e1ca1ad380b95e68aebf2794f553d9b@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
index d22a5628f9e0d..578956032e08b 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
@@ -95,20 +95,10 @@ void iwl_mvm_mfu_assert_dump_notif(struct iwl_mvm *mvm,
{
struct iwl_rx_packet *pkt = rxb_addr(rxb);
struct iwl_mfu_assert_dump_notif *mfu_dump_notif = (void *)pkt->data;
- __le32 *dump_data = mfu_dump_notif->data;
- int n_words = le32_to_cpu(mfu_dump_notif->data_size) / sizeof(__le32);
- int i;
if (mfu_dump_notif->index_num == 0)
IWL_INFO(mvm, "MFUART assert id 0x%x occurred\n",
le32_to_cpu(mfu_dump_notif->assert_id));
-
- for (i = 0; i < n_words; i++)
- IWL_DEBUG_INFO(mvm,
- "MFUART assert dump, dword %u: 0x%08x\n",
- le16_to_cpu(mfu_dump_notif->index_num) *
- n_words + i,
- le32_to_cpu(dump_data[i]));
}
static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait,
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 009/356] wifi: mac80211: correctly parse Spatial Reuse Parameter Set element
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 008/356] wifi: iwlwifi: mvm: dont read past the mfuart notifcation Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 010/356] net/ncsi: Simplify Kconfig/dts control flow Greg Kroah-Hartman
` (354 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lingbo Kong, Johannes Berg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lingbo Kong <quic_lingbok@quicinc.com>
[ Upstream commit a26d8dc5227f449a54518a8b40733a54c6600a8b ]
Currently, the way of parsing Spatial Reuse Parameter Set element is
incorrect and some members of struct ieee80211_he_obss_pd are not assigned.
To address this issue, it must be parsed in the order of the elements of
Spatial Reuse Parameter Set defined in the IEEE Std 802.11ax specification.
The diagram of the Spatial Reuse Parameter Set element (IEEE Std 802.11ax
-2021-9.4.2.252).
-------------------------------------------------------------------------
| | | | |Non-SRG| SRG | SRG | SRG | SRG |
|Element|Length| Element | SR |OBSS PD|OBSS PD|OBSS PD| BSS |Partial|
| ID | | ID |Control| Max | Min | Max |Color | BSSID |
| | |Extension| | Offset| Offset|Offset |Bitmap|Bitmap |
-------------------------------------------------------------------------
Fixes: 1ced169cc1c2 ("mac80211: allow setting spatial reuse parameters from bss_conf")
Signed-off-by: Lingbo Kong <quic_lingbok@quicinc.com>
Link: https://msgid.link/20240516021854.5682-3-quic_lingbok@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/he.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/he.c b/net/mac80211/he.c
index c05af7018f79f..c730ce5132cbc 100644
--- a/net/mac80211/he.c
+++ b/net/mac80211/he.c
@@ -223,15 +223,21 @@ ieee80211_he_spr_ie_to_bss_conf(struct ieee80211_vif *vif,
if (!he_spr_ie_elem)
return;
+
+ he_obss_pd->sr_ctrl = he_spr_ie_elem->he_sr_control;
data = he_spr_ie_elem->optional;
if (he_spr_ie_elem->he_sr_control &
IEEE80211_HE_SPR_NON_SRG_OFFSET_PRESENT)
- data++;
+ he_obss_pd->non_srg_max_offset = *data++;
+
if (he_spr_ie_elem->he_sr_control &
IEEE80211_HE_SPR_SRG_INFORMATION_PRESENT) {
- he_obss_pd->max_offset = *data++;
he_obss_pd->min_offset = *data++;
+ he_obss_pd->max_offset = *data++;
+ memcpy(he_obss_pd->bss_color_bitmap, data, 8);
+ data += 8;
+ memcpy(he_obss_pd->partial_bssid_bitmap, data, 8);
he_obss_pd->enable = true;
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 010/356] net/ncsi: Simplify Kconfig/dts control flow
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 009/356] wifi: mac80211: correctly parse Spatial Reuse Parameter Set element Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 011/356] net/ncsi: Fix the multi thread manner of NCSI driver Greg Kroah-Hartman
` (353 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Delevoryas, David S. Miller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Delevoryas <peter@pjd.dev>
[ Upstream commit c797ce168930ce3d62a9b7fc4d7040963ee6a01e ]
Background:
1. CONFIG_NCSI_OEM_CMD_KEEP_PHY
If this is enabled, we send an extra OEM Intel command in the probe
sequence immediately after discovering a channel (e.g. after "Clear
Initial State").
2. CONFIG_NCSI_OEM_CMD_GET_MAC
If this is enabled, we send one of 3 OEM "Get MAC Address" commands from
Broadcom, Mellanox (Nvidida), and Intel in the *configuration* sequence
for a channel.
3. mellanox,multi-host (or mlx,multi-host)
Introduced by this patch:
https://lore.kernel.org/all/20200108234341.2590674-1-vijaykhemka@fb.com/
Which was actually originally from cosmo.chou@quantatw.com:
https://github.com/facebook/openbmc-linux/commit/9f132a10ec48db84613519258cd8a317fb9c8f1b
Cosmo claimed that the Nvidia ConnectX-4 and ConnectX-6 NIC's don't
respond to Get Version ID, et. al in the probe sequence unless you send
the Set MC Affinity command first.
Problem Statement:
We've been using a combination of #ifdef code blocks and IS_ENABLED()
conditions to conditionally send these OEM commands.
It makes adding any new code around these commands hard to understand.
Solution:
In this patch, I just want to remove the conditionally compiled blocks
of code, and always use IS_ENABLED(...) to do dynamic control flow.
I don't think the small amount of code this adds to non-users of the OEM
Kconfigs is a big deal.
Signed-off-by: Peter Delevoryas <peter@pjd.dev>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: e85e271dec02 ("net/ncsi: Fix the multi thread manner of NCSI driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ncsi/ncsi-manage.c | 20 +++-----------------
1 file changed, 3 insertions(+), 17 deletions(-)
diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c
index 7121ce2a47c0b..734feb2352fbc 100644
--- a/net/ncsi/ncsi-manage.c
+++ b/net/ncsi/ncsi-manage.c
@@ -689,8 +689,6 @@ static int set_one_vid(struct ncsi_dev_priv *ndp, struct ncsi_channel *nc,
return 0;
}
-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY)
-
static int ncsi_oem_keep_phy_intel(struct ncsi_cmd_arg *nca)
{
unsigned char data[NCSI_OEM_INTEL_CMD_KEEP_PHY_LEN];
@@ -716,10 +714,6 @@ static int ncsi_oem_keep_phy_intel(struct ncsi_cmd_arg *nca)
return ret;
}
-#endif
-
-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC)
-
/* NCSI OEM Command APIs */
static int ncsi_oem_gma_handler_bcm(struct ncsi_cmd_arg *nca)
{
@@ -856,8 +850,6 @@ static int ncsi_gma_handler(struct ncsi_cmd_arg *nca, unsigned int mf_id)
return nch->handler(nca);
}
-#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */
-
/* Determine if a given channel from the channel_queue should be used for Tx */
static bool ncsi_channel_is_tx(struct ncsi_dev_priv *ndp,
struct ncsi_channel *nc)
@@ -1039,20 +1031,18 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp)
goto error;
}
- nd->state = ncsi_dev_state_config_oem_gma;
+ nd->state = IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC)
+ ? ncsi_dev_state_config_oem_gma
+ : ncsi_dev_state_config_clear_vids;
break;
case ncsi_dev_state_config_oem_gma:
nd->state = ncsi_dev_state_config_clear_vids;
- ret = -1;
-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC)
nca.type = NCSI_PKT_CMD_OEM;
nca.package = np->id;
nca.channel = nc->id;
ndp->pending_req_num = 1;
ret = ncsi_gma_handler(&nca, nc->version.mf_id);
-#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */
-
if (ret < 0)
schedule_work(&ndp->work);
@@ -1404,7 +1394,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
schedule_work(&ndp->work);
break;
-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC)
case ncsi_dev_state_probe_mlx_gma:
ndp->pending_req_num = 1;
@@ -1429,7 +1418,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
nd->state = ncsi_dev_state_probe_cis;
break;
-#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */
case ncsi_dev_state_probe_cis:
ndp->pending_req_num = NCSI_RESERVED_CHANNEL;
@@ -1447,7 +1435,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY))
nd->state = ncsi_dev_state_probe_keep_phy;
break;
-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY)
case ncsi_dev_state_probe_keep_phy:
ndp->pending_req_num = 1;
@@ -1460,7 +1447,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
nd->state = ncsi_dev_state_probe_gvi;
break;
-#endif /* CONFIG_NCSI_OEM_CMD_KEEP_PHY */
case ncsi_dev_state_probe_gvi:
case ncsi_dev_state_probe_gc:
case ncsi_dev_state_probe_gls:
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 011/356] net/ncsi: Fix the multi thread manner of NCSI driver
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 010/356] net/ncsi: Simplify Kconfig/dts control flow Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 012/356] ipv6: sr: block BH in seg6_output_core() and seg6_input_core() Greg Kroah-Hartman
` (352 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DelphineCCChiu, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: DelphineCCChiu <delphine_cc_chiu@wiwynn.com>
[ Upstream commit e85e271dec0270982afed84f70dc37703fcc1d52 ]
Currently NCSI driver will send several NCSI commands back to back without
waiting the response of previous NCSI command or timeout in some state
when NIC have multi channel. This operation against the single thread
manner defined by NCSI SPEC(section 6.3.2.3 in DSP0222_1.1.1)
According to NCSI SPEC(section 6.2.13.1 in DSP0222_1.1.1), we should probe
one channel at a time by sending NCSI commands (Clear initial state, Get
version ID, Get capabilities...), than repeat this steps until the max
number of channels which we got from NCSI command (Get capabilities) has
been probed.
Fixes: e6f44ed6d04d ("net/ncsi: Package and channel management")
Signed-off-by: DelphineCCChiu <delphine_cc_chiu@wiwynn.com>
Link: https://lore.kernel.org/r/20240529065856.825241-1-delphine_cc_chiu@wiwynn.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ncsi/internal.h | 2 ++
net/ncsi/ncsi-manage.c | 73 +++++++++++++++++++++---------------------
net/ncsi/ncsi-rsp.c | 4 ++-
3 files changed, 41 insertions(+), 38 deletions(-)
diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
index 374412ed780b6..ef0f8f73826f5 100644
--- a/net/ncsi/internal.h
+++ b/net/ncsi/internal.h
@@ -325,6 +325,7 @@ struct ncsi_dev_priv {
spinlock_t lock; /* Protect the NCSI device */
unsigned int package_probe_id;/* Current ID during probe */
unsigned int package_num; /* Number of packages */
+ unsigned int channel_probe_id;/* Current cahnnel ID during probe */
struct list_head packages; /* List of packages */
struct ncsi_channel *hot_channel; /* Channel was ever active */
struct ncsi_request requests[256]; /* Request table */
@@ -343,6 +344,7 @@ struct ncsi_dev_priv {
bool multi_package; /* Enable multiple packages */
bool mlx_multi_host; /* Enable multi host Mellanox */
u32 package_whitelist; /* Packages to configure */
+ unsigned char channel_count; /* Num of channels to probe */
};
struct ncsi_cmd_arg {
diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c
index 734feb2352fbc..30f5502530374 100644
--- a/net/ncsi/ncsi-manage.c
+++ b/net/ncsi/ncsi-manage.c
@@ -510,17 +510,19 @@ static void ncsi_suspend_channel(struct ncsi_dev_priv *ndp)
break;
case ncsi_dev_state_suspend_gls:
- ndp->pending_req_num = np->channel_num;
+ ndp->pending_req_num = 1;
nca.type = NCSI_PKT_CMD_GLS;
nca.package = np->id;
+ nca.channel = ndp->channel_probe_id;
+ ret = ncsi_xmit_cmd(&nca);
+ if (ret)
+ goto error;
+ ndp->channel_probe_id++;
- nd->state = ncsi_dev_state_suspend_dcnt;
- NCSI_FOR_EACH_CHANNEL(np, nc) {
- nca.channel = nc->id;
- ret = ncsi_xmit_cmd(&nca);
- if (ret)
- goto error;
+ if (ndp->channel_probe_id == ndp->channel_count) {
+ ndp->channel_probe_id = 0;
+ nd->state = ncsi_dev_state_suspend_dcnt;
}
break;
@@ -1340,7 +1342,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
{
struct ncsi_dev *nd = &ndp->ndev;
struct ncsi_package *np;
- struct ncsi_channel *nc;
struct ncsi_cmd_arg nca;
unsigned char index;
int ret;
@@ -1418,23 +1419,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
nd->state = ncsi_dev_state_probe_cis;
break;
- case ncsi_dev_state_probe_cis:
- ndp->pending_req_num = NCSI_RESERVED_CHANNEL;
-
- /* Clear initial state */
- nca.type = NCSI_PKT_CMD_CIS;
- nca.package = ndp->active_package->id;
- for (index = 0; index < NCSI_RESERVED_CHANNEL; index++) {
- nca.channel = index;
- ret = ncsi_xmit_cmd(&nca);
- if (ret)
- goto error;
- }
-
- nd->state = ncsi_dev_state_probe_gvi;
- if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY))
- nd->state = ncsi_dev_state_probe_keep_phy;
- break;
case ncsi_dev_state_probe_keep_phy:
ndp->pending_req_num = 1;
@@ -1447,14 +1431,17 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
nd->state = ncsi_dev_state_probe_gvi;
break;
+ case ncsi_dev_state_probe_cis:
case ncsi_dev_state_probe_gvi:
case ncsi_dev_state_probe_gc:
case ncsi_dev_state_probe_gls:
np = ndp->active_package;
- ndp->pending_req_num = np->channel_num;
+ ndp->pending_req_num = 1;
- /* Retrieve version, capability or link status */
- if (nd->state == ncsi_dev_state_probe_gvi)
+ /* Clear initial state Retrieve version, capability or link status */
+ if (nd->state == ncsi_dev_state_probe_cis)
+ nca.type = NCSI_PKT_CMD_CIS;
+ else if (nd->state == ncsi_dev_state_probe_gvi)
nca.type = NCSI_PKT_CMD_GVI;
else if (nd->state == ncsi_dev_state_probe_gc)
nca.type = NCSI_PKT_CMD_GC;
@@ -1462,19 +1449,29 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
nca.type = NCSI_PKT_CMD_GLS;
nca.package = np->id;
- NCSI_FOR_EACH_CHANNEL(np, nc) {
- nca.channel = nc->id;
- ret = ncsi_xmit_cmd(&nca);
- if (ret)
- goto error;
- }
+ nca.channel = ndp->channel_probe_id;
- if (nd->state == ncsi_dev_state_probe_gvi)
+ ret = ncsi_xmit_cmd(&nca);
+ if (ret)
+ goto error;
+
+ if (nd->state == ncsi_dev_state_probe_cis) {
+ nd->state = ncsi_dev_state_probe_gvi;
+ if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY) && ndp->channel_probe_id == 0)
+ nd->state = ncsi_dev_state_probe_keep_phy;
+ } else if (nd->state == ncsi_dev_state_probe_gvi) {
nd->state = ncsi_dev_state_probe_gc;
- else if (nd->state == ncsi_dev_state_probe_gc)
+ } else if (nd->state == ncsi_dev_state_probe_gc) {
nd->state = ncsi_dev_state_probe_gls;
- else
+ } else {
+ nd->state = ncsi_dev_state_probe_cis;
+ ndp->channel_probe_id++;
+ }
+
+ if (ndp->channel_probe_id == ndp->channel_count) {
+ ndp->channel_probe_id = 0;
nd->state = ncsi_dev_state_probe_dp;
+ }
break;
case ncsi_dev_state_probe_dp:
ndp->pending_req_num = 1;
@@ -1775,6 +1772,7 @@ struct ncsi_dev *ncsi_register_dev(struct net_device *dev,
ndp->requests[i].ndp = ndp;
timer_setup(&ndp->requests[i].timer, ncsi_request_timeout, 0);
}
+ ndp->channel_count = NCSI_RESERVED_CHANNEL;
spin_lock_irqsave(&ncsi_dev_lock, flags);
list_add_tail_rcu(&ndp->node, &ncsi_dev_list);
@@ -1807,6 +1805,7 @@ int ncsi_start_dev(struct ncsi_dev *nd)
if (!(ndp->flags & NCSI_DEV_PROBED)) {
ndp->package_probe_id = 0;
+ ndp->channel_probe_id = 0;
nd->state = ncsi_dev_state_probe;
schedule_work(&ndp->work);
return 0;
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 480e80e3c2836..f22d67cb04d37 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -795,12 +795,13 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr)
struct ncsi_rsp_gc_pkt *rsp;
struct ncsi_dev_priv *ndp = nr->ndp;
struct ncsi_channel *nc;
+ struct ncsi_package *np;
size_t size;
/* Find the channel */
rsp = (struct ncsi_rsp_gc_pkt *)skb_network_header(nr->rsp);
ncsi_find_package_and_channel(ndp, rsp->rsp.common.channel,
- NULL, &nc);
+ &np, &nc);
if (!nc)
return -ENODEV;
@@ -835,6 +836,7 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr)
*/
nc->vlan_filter.bitmap = U64_MAX;
nc->vlan_filter.n_vids = rsp->vlan_cnt;
+ np->ndp->channel_count = rsp->channel_cnt;
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 012/356] ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 011/356] net/ncsi: Fix the multi thread manner of NCSI driver Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 013/356] bpf: Set run context for rawtp test_run callback Greg Kroah-Hartman
` (351 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David Lebrun,
Paolo Abeni, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c0b98ac1cc104f48763cdb27b1e9ac25fd81fc90 ]
As explained in commit 1378817486d6 ("tipc: block BH
before using dst_cache"), net/core/dst_cache.c
helpers need to be called with BH disabled.
Disabling preemption in seg6_output_core() is not good enough,
because seg6_output_core() is called from process context,
lwtunnel_output() only uses rcu_read_lock().
We might be interrupted by a softirq, re-enter seg6_output_core()
and corrupt dst_cache data structures.
Fix the race by using local_bh_disable() instead of
preempt_disable().
Apply a similar change in seg6_input_core().
Fixes: fa79581ea66c ("ipv6: sr: fix several BUGs when preemption is enabled")
Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: David Lebrun <dlebrun@google.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Link: https://lore.kernel.org/r/20240531132636.2637995-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/seg6_iptunnel.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index f98bb719190be..135712649d25f 100644
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -332,9 +332,8 @@ static int seg6_input_core(struct net *net, struct sock *sk,
slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
- preempt_disable();
+ local_bh_disable();
dst = dst_cache_get(&slwt->cache);
- preempt_enable();
skb_dst_drop(skb);
@@ -342,14 +341,13 @@ static int seg6_input_core(struct net *net, struct sock *sk,
ip6_route_input(skb);
dst = skb_dst(skb);
if (!dst->error) {
- preempt_disable();
dst_cache_set_ip6(&slwt->cache, dst,
&ipv6_hdr(skb)->saddr);
- preempt_enable();
}
} else {
skb_dst_set(skb, dst);
}
+ local_bh_enable();
err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
if (unlikely(err))
@@ -405,9 +403,9 @@ static int seg6_output_core(struct net *net, struct sock *sk,
slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
- preempt_disable();
+ local_bh_disable();
dst = dst_cache_get(&slwt->cache);
- preempt_enable();
+ local_bh_enable();
if (unlikely(!dst)) {
struct ipv6hdr *hdr = ipv6_hdr(skb);
@@ -427,9 +425,9 @@ static int seg6_output_core(struct net *net, struct sock *sk,
goto drop;
}
- preempt_disable();
+ local_bh_disable();
dst_cache_set_ip6(&slwt->cache, dst, &fl6.saddr);
- preempt_enable();
+ local_bh_enable();
}
skb_dst_drop(skb);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 013/356] bpf: Set run context for rawtp test_run callback
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 012/356] ipv6: sr: block BH in seg6_output_core() and seg6_input_core() Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 014/356] octeontx2-af: Always allocate PF entries from low prioriy zone Greg Kroah-Hartman
` (350 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3ab78ff125b7979e45f9,
Jiri Olsa, Andrii Nakryiko, Daniel Borkmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Olsa <jolsa@kernel.org>
[ Upstream commit d0d1df8ba18abc57f28fb3bc053b2bf319367f2c ]
syzbot reported crash when rawtp program executed through the
test_run interface calls bpf_get_attach_cookie helper or any
other helper that touches task->bpf_ctx pointer.
Setting the run context (task->bpf_ctx pointer) for test_run
callback.
Fixes: 7adfc6c9b315 ("bpf: Add bpf_get_attach_cookie() BPF helper to access bpf_cookie value")
Reported-by: syzbot+3ab78ff125b7979e45f9@syzkaller.appspotmail.com
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Closes: https://syzkaller.appspot.com/bug?extid=3ab78ff125b7979e45f9
Link: https://lore.kernel.org/bpf/20240604150024.359247-1-jolsa@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bpf/test_run.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 11d254ce3581c..a0d75c33b5d6a 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -326,10 +326,16 @@ static void
__bpf_prog_test_run_raw_tp(void *data)
{
struct bpf_raw_tp_test_run_info *info = data;
+ struct bpf_trace_run_ctx run_ctx = {};
+ struct bpf_run_ctx *old_run_ctx;
+
+ old_run_ctx = bpf_set_run_ctx(&run_ctx.run_ctx);
rcu_read_lock();
info->retval = bpf_prog_run(info->prog, info->ctx);
rcu_read_unlock();
+
+ bpf_reset_run_ctx(old_run_ctx);
}
int bpf_prog_test_run_raw_tp(struct bpf_prog *prog,
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 014/356] octeontx2-af: Always allocate PF entries from low prioriy zone
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 013/356] bpf: Set run context for rawtp test_run callback Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 015/356] net: sched: sch_multiq: fix possible OOB write in multiq_tune() Greg Kroah-Hartman
` (349 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Subbaraya Sundeep, Jacob Keller,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Subbaraya Sundeep <sbhatta@marvell.com>
[ Upstream commit 8b0f7410942cdc420c4557eda02bfcdf60ccec17 ]
PF mcam entries has to be at low priority always so that VF
can install longest prefix match rules at higher priority.
This was taken care currently but when priority allocation
wrt reference entry is requested then entries are allocated
from mid-zone instead of low priority zone. Fix this and
always allocate entries from low priority zone for PFs.
Fixes: 7df5b4b260dd ("octeontx2-af: Allocate low priority entries for PF")
Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/marvell/octeontx2/af/rvu_npc.c | 33 ++++++++++++-------
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
index c6b6d709e5908..84003243e3b75 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
@@ -2459,7 +2459,17 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc,
* - when available free entries are less.
* Lower priority ones out of avaialble free entries are always
* chosen when 'high vs low' question arises.
+ *
+ * For a VF base MCAM match rule is set by its PF. And all the
+ * further MCAM rules installed by VF on its own are
+ * concatenated with the base rule set by its PF. Hence PF entries
+ * should be at lower priority compared to VF entries. Otherwise
+ * base rule is hit always and rules installed by VF will be of
+ * no use. Hence if the request is from PF then allocate low
+ * priority entries.
*/
+ if (!(pcifunc & RVU_PFVF_FUNC_MASK))
+ goto lprio_alloc;
/* Get the search range for priority allocation request */
if (req->priority) {
@@ -2468,17 +2478,6 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc,
goto alloc;
}
- /* For a VF base MCAM match rule is set by its PF. And all the
- * further MCAM rules installed by VF on its own are
- * concatenated with the base rule set by its PF. Hence PF entries
- * should be at lower priority compared to VF entries. Otherwise
- * base rule is hit always and rules installed by VF will be of
- * no use. Hence if the request is from PF and NOT a priority
- * allocation request then allocate low priority entries.
- */
- if (!(pcifunc & RVU_PFVF_FUNC_MASK))
- goto lprio_alloc;
-
/* Find out the search range for non-priority allocation request
*
* Get MCAM free entry count in middle zone.
@@ -2508,6 +2507,18 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc,
reverse = true;
start = 0;
end = mcam->bmap_entries;
+ /* Ensure PF requests are always at bottom and if PF requests
+ * for higher/lower priority entry wrt reference entry then
+ * honour that criteria and start search for entries from bottom
+ * and not in mid zone.
+ */
+ if (!(pcifunc & RVU_PFVF_FUNC_MASK) &&
+ req->priority == NPC_MCAM_HIGHER_PRIO)
+ end = req->ref_entry;
+
+ if (!(pcifunc & RVU_PFVF_FUNC_MASK) &&
+ req->priority == NPC_MCAM_LOWER_PRIO)
+ start = req->ref_entry;
}
alloc:
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 015/356] net: sched: sch_multiq: fix possible OOB write in multiq_tune()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 014/356] octeontx2-af: Always allocate PF entries from low prioriy zone Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 016/356] vxlan: Fix regression when dropping packets due to invalid src addresses Greg Kroah-Hartman
` (348 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hangyu Hua, Cong Wang,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangyu Hua <hbh25y@gmail.com>
[ Upstream commit affc18fdc694190ca7575b9a86632a73b9fe043d ]
q->bands will be assigned to qopt->bands to execute subsequent code logic
after kmalloc. So the old q->bands should not be used in kmalloc.
Otherwise, an out-of-bounds write will occur.
Fixes: c2999f7fb05b ("net: sched: multiq: don't call qdisc_put() while holding tree lock")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Acked-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_multiq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c
index 8b99f07aa3a76..caa76c96b02ba 100644
--- a/net/sched/sch_multiq.c
+++ b/net/sched/sch_multiq.c
@@ -185,7 +185,7 @@ static int multiq_tune(struct Qdisc *sch, struct nlattr *opt,
qopt->bands = qdisc_dev(sch)->real_num_tx_queues;
- removed = kmalloc(sizeof(*removed) * (q->max_bands - q->bands),
+ removed = kmalloc(sizeof(*removed) * (q->max_bands - qopt->bands),
GFP_KERNEL);
if (!removed)
return -ENOMEM;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 016/356] vxlan: Fix regression when dropping packets due to invalid src addresses
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 015/356] net: sched: sch_multiq: fix possible OOB write in multiq_tune() Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 017/356] tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB Greg Kroah-Hartman
` (347 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, David Bauer,
Ido Schimmel, Nikolay Aleksandrov, Martin KaFai Lau,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit 1cd4bc987abb2823836cbb8f887026011ccddc8a ]
Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address")
has recently been added to vxlan mainly in the context of source
address snooping/learning so that when it is enabled, an entry in the
FDB is not being created for an invalid address for the corresponding
tunnel endpoint.
Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in
that it passed through whichever macs were set in the L2 header. It
turns out that this change in behavior breaks setups, for example,
Cilium with netkit in L3 mode for Pods as well as tunnel mode has been
passing before the change in f58f45c1e5b9 for both vxlan and geneve.
After mentioned change it is only passing for geneve as in case of
vxlan packets are dropped due to vxlan_set_mac() returning false as
source and destination macs are zero which for E/W traffic via tunnel
is totally fine.
Fix it by only opting into the is_valid_ether_addr() check in
vxlan_set_mac() when in fact source address snooping/learning is
actually enabled in vxlan. This is done by moving the check into
vxlan_snoop(). With this change, the Cilium connectivity test suite
passes again for both tunnel flavors.
Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: David Bauer <mail@david-bauer.net>
Cc: Ido Schimmel <idosch@nvidia.com>
Cc: Nikolay Aleksandrov <razor@blackwall.org>
Cc: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: David Bauer <mail@david-bauer.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vxlan/vxlan_core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
index 41b1b23fdd3e9..65a2f4ab89970 100644
--- a/drivers/net/vxlan/vxlan_core.c
+++ b/drivers/net/vxlan/vxlan_core.c
@@ -1493,6 +1493,10 @@ static bool vxlan_snoop(struct net_device *dev,
struct vxlan_fdb *f;
u32 ifindex = 0;
+ /* Ignore packets from invalid src-address */
+ if (!is_valid_ether_addr(src_mac))
+ return true;
+
#if IS_ENABLED(CONFIG_IPV6)
if (src_ip->sa.sa_family == AF_INET6 &&
(ipv6_addr_type(&src_ip->sin6.sin6_addr) & IPV6_ADDR_LINKLOCAL))
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 017/356] tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 016/356] vxlan: Fix regression when dropping packets due to invalid src addresses Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 018/356] net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP Greg Kroah-Hartman
` (346 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Xing, Eric Dumazet,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Xing <kernelxing@tencent.com>
[ Upstream commit a46d0ea5c94205f40ecf912d1bb7806a8a64704f ]
According to RFC 1213, we should also take CLOSE-WAIT sockets into
consideration:
"tcpCurrEstab OBJECT-TYPE
...
The number of TCP connections for which the current state
is either ESTABLISHED or CLOSE- WAIT."
After this, CurrEstab counter will display the total number of
ESTABLISHED and CLOSE-WAIT sockets.
The logic of counting
When we increment the counter?
a) if we change the state to ESTABLISHED.
b) if we change the state from SYN-RECEIVED to CLOSE-WAIT.
When we decrement the counter?
a) if the socket leaves ESTABLISHED and will never go into CLOSE-WAIT,
say, on the client side, changing from ESTABLISHED to FIN-WAIT-1.
b) if the socket leaves CLOSE-WAIT, say, on the server side, changing
from CLOSE-WAIT to LAST-ACK.
Please note: there are two chances that old state of socket can be changed
to CLOSE-WAIT in tcp_fin(). One is SYN-RECV, the other is ESTABLISHED.
So we have to take care of the former case.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jason Xing <kernelxing@tencent.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 9c7998377d6bd..31c572882b41f 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2619,6 +2619,10 @@ void tcp_set_state(struct sock *sk, int state)
if (oldstate != TCP_ESTABLISHED)
TCP_INC_STATS(sock_net(sk), TCP_MIB_CURRESTAB);
break;
+ case TCP_CLOSE_WAIT:
+ if (oldstate == TCP_SYN_RECV)
+ TCP_INC_STATS(sock_net(sk), TCP_MIB_CURRESTAB);
+ break;
case TCP_CLOSE:
if (oldstate == TCP_CLOSE_WAIT || oldstate == TCP_ESTABLISHED)
@@ -2630,7 +2634,7 @@ void tcp_set_state(struct sock *sk, int state)
inet_put_port(sk);
fallthrough;
default:
- if (oldstate == TCP_ESTABLISHED)
+ if (oldstate == TCP_ESTABLISHED || oldstate == TCP_CLOSE_WAIT)
TCP_DEC_STATS(sock_net(sk), TCP_MIB_CURRESTAB);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 018/356] net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 017/356] tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 019/356] ptp: Fix error message on failed pin verification Greg Kroah-Hartman
` (345 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Noam Rathaus, Eric Dumazet,
Vinicius Costa Gomes, Vladimir Oltean, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit f921a58ae20852d188f70842431ce6519c4fdc36 ]
If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,
taprio_parse_mqprio_opt() must validate it, or userspace
can inject arbitrary data to the kernel, the second time
taprio_change() is called.
First call (with valid attributes) sets dev->num_tc
to a non zero value.
Second call (with arbitrary mqprio attributes)
returns early from taprio_parse_mqprio_opt()
and bad things can happen.
Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule")
Reported-by: Noam Rathaus <noamr@ssd-disclosure.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://lore.kernel.org/r/20240604181511.769870-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_taprio.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index e40b4425eb6b5..4a0986843fb5d 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -947,16 +947,13 @@ static int taprio_parse_mqprio_opt(struct net_device *dev,
{
int i, j;
- if (!qopt && !dev->num_tc) {
- NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary");
- return -EINVAL;
- }
-
- /* If num_tc is already set, it means that the user already
- * configured the mqprio part
- */
- if (dev->num_tc)
+ if (!qopt) {
+ if (!dev->num_tc) {
+ NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary");
+ return -EINVAL;
+ }
return 0;
+ }
/* Verify num_tc is not out of max range */
if (qopt->num_tc > TC_MAX_QUEUE) {
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 019/356] ptp: Fix error message on failed pin verification
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 018/356] net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 020/356] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer Greg Kroah-Hartman
` (344 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Karol Kolacinski, Richard Cochran,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karol Kolacinski <karol.kolacinski@intel.com>
[ Upstream commit 323a359f9b077f382f4483023d096a4d316fd135 ]
On failed verification of PTP clock pin, error message prints channel
number instead of pin index after "pin", which is incorrect.
Fix error message by adding channel number to the message and printing
pin number instead of channel number.
Fixes: 6092315dfdec ("ptp: introduce programmable pins.")
Signed-off-by: Karol Kolacinski <karol.kolacinski@intel.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Link: https://lore.kernel.org/r/20240604120555.16643-1-karol.kolacinski@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ptp/ptp_chardev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 9311f3d09c8fc..8eb902fe73a98 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -84,7 +84,8 @@ int ptp_set_pinfunc(struct ptp_clock *ptp, unsigned int pin,
}
if (info->verify(info, pin, func, chan)) {
- pr_err("driver cannot use function %u on pin %u\n", func, chan);
+ pr_err("driver cannot use function %u and channel %u on pin %u\n",
+ func, chan, pin);
return -EOPNOTSUPP;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 020/356] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer.
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 019/356] ptp: Fix error message on failed pin verification Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 021/356] af_unix: Annodate data-races around sk->sk_state for writers Greg Kroah-Hartman
` (343 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 26bfb8b57063f52b867f9b6c8d1742fcb5bd656c ]
When a SOCK_DGRAM socket connect()s to another socket, the both sockets'
sk->sk_state are changed to TCP_ESTABLISHED so that we can register them
to BPF SOCKMAP.
When the socket disconnects from the peer by connect(AF_UNSPEC), the state
is set back to TCP_CLOSE.
Then, the peer's state is also set to TCP_CLOSE, but the update is done
locklessly and unconditionally.
Let's say socket A connect()ed to B, B connect()ed to C, and A disconnects
from B.
After the first two connect()s, all three sockets' sk->sk_state are
TCP_ESTABLISHED:
$ ss -xa
Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
u_dgr ESTAB 0 0 @A 641 * 642
u_dgr ESTAB 0 0 @B 642 * 643
u_dgr ESTAB 0 0 @C 643 * 0
And after the disconnect, B's state is TCP_CLOSE even though it's still
connected to C and C's state is TCP_ESTABLISHED.
$ ss -xa
Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
u_dgr UNCONN 0 0 @A 641 * 0
u_dgr UNCONN 0 0 @B 642 * 643
u_dgr ESTAB 0 0 @C 643 * 0
In this case, we cannot register B to SOCKMAP.
So, when a socket disconnects from the peer, we should not set TCP_CLOSE to
the peer if the peer is connected to yet another socket, and this must be
done under unix_state_lock().
Note that we use WRITE_ONCE() for sk->sk_state as there are many lockless
readers. These data-races will be fixed in the following patches.
Fixes: 83301b5367a9 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 80f91b5ab4012..914e40697f00a 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -495,7 +495,6 @@ static void unix_dgram_disconnected(struct sock *sk, struct sock *other)
sk_error_report(other);
}
}
- other->sk_state = TCP_CLOSE;
}
static void unix_sock_destructor(struct sock *sk)
@@ -1277,8 +1276,15 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
unix_state_double_unlock(sk, other);
- if (other != old_peer)
+ if (other != old_peer) {
unix_dgram_disconnected(sk, old_peer);
+
+ unix_state_lock(old_peer);
+ if (!unix_peer(old_peer))
+ WRITE_ONCE(old_peer->sk_state, TCP_CLOSE);
+ unix_state_unlock(old_peer);
+ }
+
sock_put(old_peer);
} else {
unix_peer(sk) = other;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 021/356] af_unix: Annodate data-races around sk->sk_state for writers.
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 020/356] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 022/356] af_unix: Annotate data-race of sk->sk_state in unix_inq_len() Greg Kroah-Hartman
` (342 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 942238f9735a4a4ebf8274b218d9a910158941d1 ]
sk->sk_state is changed under unix_state_lock(), but it's read locklessly
in many places.
This patch adds WRITE_ONCE() on the writer side.
We will add READ_ONCE() to the lockless readers in the following patches.
Fixes: 83301b5367a9 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 914e40697f00a..616d6c34d6102 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -542,7 +542,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
u->path.dentry = NULL;
u->path.mnt = NULL;
state = sk->sk_state;
- sk->sk_state = TCP_CLOSE;
+ WRITE_ONCE(sk->sk_state, TCP_CLOSE);
skpair = unix_peer(sk);
unix_peer(sk) = NULL;
@@ -664,7 +664,8 @@ static int unix_listen(struct socket *sock, int backlog)
if (backlog > sk->sk_max_ack_backlog)
wake_up_interruptible_all(&u->peer_wait);
sk->sk_max_ack_backlog = backlog;
- sk->sk_state = TCP_LISTEN;
+ WRITE_ONCE(sk->sk_state, TCP_LISTEN);
+
/* set credentials so connect can copy them */
init_peercred(sk);
err = 0;
@@ -1254,7 +1255,8 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
if (err)
goto out_unlock;
- sk->sk_state = other->sk_state = TCP_ESTABLISHED;
+ WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED);
+ WRITE_ONCE(other->sk_state, TCP_ESTABLISHED);
} else {
/*
* 1003.1g breaking connected state with AF_UNSPEC
@@ -1271,7 +1273,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
unix_peer(sk) = other;
if (!other)
- sk->sk_state = TCP_CLOSE;
+ WRITE_ONCE(sk->sk_state, TCP_CLOSE);
unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
unix_state_double_unlock(sk, other);
@@ -1484,7 +1486,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
copy_peercred(sk, other);
sock->state = SS_CONNECTED;
- sk->sk_state = TCP_ESTABLISHED;
+ WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED);
sock_hold(newsk);
smp_mb__after_atomic(); /* sock_hold() does an atomic_inc() */
@@ -1880,7 +1882,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
unix_peer(sk) = NULL;
unix_dgram_peer_wake_disconnect_wakeup(sk, other);
- sk->sk_state = TCP_CLOSE;
+ WRITE_ONCE(sk->sk_state, TCP_CLOSE);
unix_state_unlock(sk);
unix_dgram_disconnected(sk, other);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 022/356] af_unix: Annotate data-race of sk->sk_state in unix_inq_len().
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 021/356] af_unix: Annodate data-races around sk->sk_state for writers Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 023/356] af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll() Greg Kroah-Hartman
` (341 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 3a0f38eb285c8c2eead4b3230c7ac2983707599d ]
ioctl(SIOCINQ) calls unix_inq_len() that checks sk->sk_state first
and returns -EINVAL if it's TCP_LISTEN.
Then, for SOCK_STREAM sockets, unix_inq_len() returns the number of
bytes in recvq.
However, unix_inq_len() does not hold unix_state_lock(), and the
concurrent listen() might change the state after checking sk->sk_state.
If the race occurs, 0 is returned for the listener, instead of -EINVAL,
because the length of skb with embryo is 0.
We could hold unix_state_lock() in unix_inq_len(), but it's overkill
given the result is true for pre-listen() TCP_CLOSE state.
So, let's use READ_ONCE() for sk->sk_state in unix_inq_len().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 616d6c34d6102..18e2dea699720 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2957,7 +2957,7 @@ long unix_inq_len(struct sock *sk)
struct sk_buff *skb;
long amount = 0;
- if (sk->sk_state == TCP_LISTEN)
+ if (READ_ONCE(sk->sk_state) == TCP_LISTEN)
return -EINVAL;
spin_lock(&sk->sk_receive_queue.lock);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 023/356] af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll().
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 022/356] af_unix: Annotate data-race of sk->sk_state in unix_inq_len() Greg Kroah-Hartman
@ 2024-07-03 10:35 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 024/356] net: inline sock_prot_inuse_add() Greg Kroah-Hartman
` (340 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit eb0718fb3e97ad0d6f4529b810103451c90adf94 ]
unix_poll() and unix_dgram_poll() read sk->sk_state locklessly and
calls unix_writable() which also reads sk->sk_state without holding
unix_state_lock().
Let's use READ_ONCE() in unix_poll() and unix_dgram_poll() and pass
it to unix_writable().
While at it, we remove TCP_SYN_SENT check in unix_dgram_poll() as
that state does not exist for AF_UNIX socket since the code was added.
Fixes: 1586a5877db9 ("af_unix: do not report POLLOUT on listeners")
Fixes: 3c73419c09a5 ("af_unix: fix 'poll for write'/ connected DGRAM sockets")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 18e2dea699720..73b287b7a1154 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -455,9 +455,9 @@ static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
return 0;
}
-static int unix_writable(const struct sock *sk)
+static int unix_writable(const struct sock *sk, unsigned char state)
{
- return sk->sk_state != TCP_LISTEN &&
+ return state != TCP_LISTEN &&
(refcount_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
}
@@ -466,7 +466,7 @@ static void unix_write_space(struct sock *sk)
struct socket_wq *wq;
rcu_read_lock();
- if (unix_writable(sk)) {
+ if (unix_writable(sk, READ_ONCE(sk->sk_state))) {
wq = rcu_dereference(sk->sk_wq);
if (skwq_has_sleeper(wq))
wake_up_interruptible_sync_poll(&wq->wait,
@@ -3069,12 +3069,14 @@ static int unix_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned lon
static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wait)
{
struct sock *sk = sock->sk;
+ unsigned char state;
__poll_t mask;
u8 shutdown;
sock_poll_wait(file, sock, wait);
mask = 0;
shutdown = READ_ONCE(sk->sk_shutdown);
+ state = READ_ONCE(sk->sk_state);
/* exceptional events? */
if (sk->sk_err)
@@ -3096,14 +3098,14 @@ static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wa
/* Connection-based need to check for termination and startup */
if ((sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) &&
- sk->sk_state == TCP_CLOSE)
+ state == TCP_CLOSE)
mask |= EPOLLHUP;
/*
* we set writable also when the other side has shut down the
* connection. This prevents stuck sockets.
*/
- if (unix_writable(sk))
+ if (unix_writable(sk, state))
mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
return mask;
@@ -3114,12 +3116,14 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock,
{
struct sock *sk = sock->sk, *other;
unsigned int writable;
+ unsigned char state;
__poll_t mask;
u8 shutdown;
sock_poll_wait(file, sock, wait);
mask = 0;
shutdown = READ_ONCE(sk->sk_shutdown);
+ state = READ_ONCE(sk->sk_state);
/* exceptional events? */
if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue))
@@ -3138,19 +3142,14 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock,
mask |= EPOLLIN | EPOLLRDNORM;
/* Connection-based need to check for termination and startup */
- if (sk->sk_type == SOCK_SEQPACKET) {
- if (sk->sk_state == TCP_CLOSE)
- mask |= EPOLLHUP;
- /* connection hasn't started yet? */
- if (sk->sk_state == TCP_SYN_SENT)
- return mask;
- }
+ if (sk->sk_type == SOCK_SEQPACKET && state == TCP_CLOSE)
+ mask |= EPOLLHUP;
/* No write status requested, avoid expensive OUT tests. */
if (!(poll_requested_events(wait) & (EPOLLWRBAND|EPOLLWRNORM|EPOLLOUT)))
return mask;
- writable = unix_writable(sk);
+ writable = unix_writable(sk, state);
if (writable) {
unix_state_lock(sk);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 024/356] net: inline sock_prot_inuse_add()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2024-07-03 10:35 ` [PATCH 5.15 023/356] af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 025/356] net: drop nopreempt requirement on sock_prot_inuse_add() Greg Kroah-Hartman
` (339 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 2a12ae5d433df3d3c3f1a930799ec09cb2b8058f ]
sock_prot_inuse_add() is very small, we can inline it.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/sock.h | 14 +++++++++++---
net/core/sock.c | 11 -----------
2 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index b8de579b916e8..c13c284222424 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1460,13 +1460,21 @@ proto_memory_pressure(struct proto *prot)
#ifdef CONFIG_PROC_FS
+#define PROTO_INUSE_NR 64 /* should be enough for the first time */
+struct prot_inuse {
+ int val[PROTO_INUSE_NR];
+};
/* Called with local bh disabled */
-void sock_prot_inuse_add(struct net *net, struct proto *prot, int inc);
+static inline void sock_prot_inuse_add(const struct net *net,
+ const struct proto *prot, int val)
+{
+ __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val);
+}
int sock_prot_inuse_get(struct net *net, struct proto *proto);
int sock_inuse_get(struct net *net);
#else
-static inline void sock_prot_inuse_add(struct net *net, struct proto *prot,
- int inc)
+static inline void sock_prot_inuse_add(const struct net *net,
+ const struct proto *prot, int val)
{
}
#endif
diff --git a/net/core/sock.c b/net/core/sock.c
index 62e376f09f957..e79e1c7933537 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3497,19 +3497,8 @@ void sk_get_meminfo(const struct sock *sk, u32 *mem)
}
#ifdef CONFIG_PROC_FS
-#define PROTO_INUSE_NR 64 /* should be enough for the first time */
-struct prot_inuse {
- int val[PROTO_INUSE_NR];
-};
-
static DECLARE_BITMAP(proto_inuse_idx, PROTO_INUSE_NR);
-void sock_prot_inuse_add(struct net *net, struct proto *prot, int val)
-{
- __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val);
-}
-EXPORT_SYMBOL_GPL(sock_prot_inuse_add);
-
int sock_prot_inuse_get(struct net *net, struct proto *prot)
{
int cpu, idx = prot->inuse_idx;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 025/356] net: drop nopreempt requirement on sock_prot_inuse_add()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 024/356] net: inline sock_prot_inuse_add() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 026/356] af_unix: Annotate data-race of sk->sk_state in unix_stream_connect() Greg Kroah-Hartman
` (338 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit b3cb764aa1d753cf6a58858f9e2097ba71e8100b ]
This is distracting really, let's make this simpler,
because many callers had to take care of this
by themselves, even if on x86 this adds more
code than really needed.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/sock.h | 4 ++--
net/ieee802154/socket.c | 4 ++--
net/ipv4/raw.c | 2 +-
net/ipv6/ipv6_sockglue.c | 8 ++++----
net/netlink/af_netlink.c | 4 ----
net/packet/af_packet.c | 4 ----
net/sctp/socket.c | 5 -----
net/smc/af_smc.c | 2 +-
net/unix/af_unix.c | 4 ----
net/xdp/xsk.c | 4 ----
10 files changed, 10 insertions(+), 31 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index c13c284222424..146f1b9c30636 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1464,11 +1464,11 @@ proto_memory_pressure(struct proto *prot)
struct prot_inuse {
int val[PROTO_INUSE_NR];
};
-/* Called with local bh disabled */
+
static inline void sock_prot_inuse_add(const struct net *net,
const struct proto *prot, int val)
{
- __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val);
+ this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val);
}
int sock_prot_inuse_get(struct net *net, struct proto *proto);
int sock_inuse_get(struct net *net);
diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index c33f46c9b6b34..586a6c4adf246 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -174,8 +174,8 @@ static int raw_hash(struct sock *sk)
{
write_lock_bh(&raw_lock);
sk_add_node(sk, &raw_head);
- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
write_unlock_bh(&raw_lock);
+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
return 0;
}
@@ -458,8 +458,8 @@ static int dgram_hash(struct sock *sk)
{
write_lock_bh(&dgram_lock);
sk_add_node(sk, &dgram_head);
- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
write_unlock_bh(&dgram_lock);
+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
return 0;
}
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index f532589d26926..cc8e946768e43 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -99,8 +99,8 @@ int raw_hash_sk(struct sock *sk)
write_lock_bh(&h->lock);
sk_add_node(sk, head);
- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
write_unlock_bh(&h->lock);
+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
return 0;
}
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 197e12d5607f1..2071a212a2679 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -471,10 +471,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
if (sk->sk_protocol == IPPROTO_TCP) {
struct inet_connection_sock *icsk = inet_csk(sk);
- local_bh_disable();
+
sock_prot_inuse_add(net, sk->sk_prot, -1);
sock_prot_inuse_add(net, &tcp_prot, 1);
- local_bh_enable();
+
sk->sk_prot = &tcp_prot;
icsk->icsk_af_ops = &ipv4_specific;
sk->sk_socket->ops = &inet_stream_ops;
@@ -485,10 +485,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
if (sk->sk_protocol == IPPROTO_UDPLITE)
prot = &udplite_prot;
- local_bh_disable();
+
sock_prot_inuse_add(net, sk->sk_prot, -1);
sock_prot_inuse_add(net, prot, 1);
- local_bh_enable();
+
sk->sk_prot = prot;
sk->sk_socket->ops = &inet_dgram_ops;
sk->sk_family = PF_INET;
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 216445dd44db9..18a38db2b27eb 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -711,9 +711,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol,
if (err < 0)
goto out_module;
- local_bh_disable();
sock_prot_inuse_add(net, &netlink_proto, 1);
- local_bh_enable();
nlk = nlk_sk(sock->sk);
nlk->module = module;
@@ -813,9 +811,7 @@ static int netlink_release(struct socket *sock)
netlink_table_ungrab();
}
- local_bh_disable();
sock_prot_inuse_add(sock_net(sk), &netlink_proto, -1);
- local_bh_enable();
call_rcu(&nlk->rcu, deferred_put_nlk_sk);
return 0;
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 0ab3b09f863ba..4f920502f92fe 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3092,9 +3092,7 @@ static int packet_release(struct socket *sock)
sk_del_node_init_rcu(sk);
mutex_unlock(&net->packet.sklist_lock);
- preempt_disable();
sock_prot_inuse_add(net, sk->sk_prot, -1);
- preempt_enable();
spin_lock(&po->bind_lock);
unregister_prot_hook(sk, false);
@@ -3361,9 +3359,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
sk_add_node_tail_rcu(sk, &net->packet.sklist);
mutex_unlock(&net->packet.sklist_lock);
- preempt_disable();
sock_prot_inuse_add(net, &packet_proto, 1);
- preempt_enable();
return 0;
out2:
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 57acf7ed80de3..d9271ffb29781 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -5073,12 +5073,9 @@ static int sctp_init_sock(struct sock *sk)
SCTP_DBG_OBJCNT_INC(sock);
- local_bh_disable();
sk_sockets_allocated_inc(sk);
sock_prot_inuse_add(net, sk->sk_prot, 1);
- local_bh_enable();
-
return 0;
}
@@ -5104,10 +5101,8 @@ static void sctp_destroy_sock(struct sock *sk)
list_del(&sp->auto_asconf_list);
}
sctp_endpoint_free(sp->ep);
- local_bh_disable();
sk_sockets_allocated_dec(sk);
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
- local_bh_enable();
}
/* Triggered when there are no references on the socket anymore */
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 8c11eb70c0f69..bd0b3a8b95d50 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -88,8 +88,8 @@ int smc_hash_sk(struct sock *sk)
write_lock_bh(&h->lock);
sk_add_node(sk, head);
- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
write_unlock_bh(&h->lock);
+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
return 0;
}
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 73b287b7a1154..262aeaea9861c 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -515,9 +515,7 @@ static void unix_sock_destructor(struct sock *sk)
unix_release_addr(u->addr);
atomic_long_dec(&unix_nr_socks);
- local_bh_disable();
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
- local_bh_enable();
#ifdef UNIX_REFCNT_DEBUG
pr_debug("UNIX %p is destroyed, %ld are still alive.\n", sk,
atomic_long_read(&unix_nr_socks));
@@ -890,9 +888,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern,
memset(&u->scm_stat, 0, sizeof(struct scm_stat));
unix_insert_socket(unix_sockets_unbound(sk), sk);
- local_bh_disable();
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
- local_bh_enable();
return sk;
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 1f61d15b3d1d4..da31a99ce6521 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -842,9 +842,7 @@ static int xsk_release(struct socket *sock)
sk_del_node_init_rcu(sk);
mutex_unlock(&net->xdp.lock);
- local_bh_disable();
sock_prot_inuse_add(net, sk->sk_prot, -1);
- local_bh_enable();
xsk_delete_from_maps(xs);
mutex_lock(&xs->mutex);
@@ -1465,9 +1463,7 @@ static int xsk_create(struct net *net, struct socket *sock, int protocol,
sk_add_node_rcu(sk, &net->xdp.list);
mutex_unlock(&net->xdp.lock);
- local_bh_disable();
sock_prot_inuse_add(net, &xsk_proto, 1);
- local_bh_enable();
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 026/356] af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 025/356] net: drop nopreempt requirement on sock_prot_inuse_add() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 027/356] af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg() Greg Kroah-Hartman
` (337 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit a9bf9c7dc6a5899c01cb8f6e773a66315a5cd4b7 ]
As small optimisation, unix_stream_connect() prefetches the client's
sk->sk_state without unix_state_lock() and checks if it's TCP_CLOSE.
Later, sk->sk_state is checked again under unix_state_lock().
Let's use READ_ONCE() for the first check and TCP_CLOSE directly for
the second check.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1331,7 +1331,6 @@ static int unix_stream_connect(struct so
struct sock *other = NULL;
struct sk_buff *skb = NULL;
unsigned int hash;
- int st;
int err;
long timeo;
@@ -1413,9 +1412,7 @@ restart:
Well, and we have to recheck the state after socket locked.
*/
- st = sk->sk_state;
-
- switch (st) {
+ switch (READ_ONCE(sk->sk_state)) {
case TCP_CLOSE:
/* This is ok... continue with connect */
break;
@@ -1430,7 +1427,7 @@ restart:
unix_state_lock_nested(sk, U_LOCK_SECOND);
- if (sk->sk_state != st) {
+ if (sk->sk_state != TCP_CLOSE) {
unix_state_unlock(sk);
unix_state_unlock(other);
sock_put(other);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 027/356] af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 026/356] af_unix: Annotate data-race of sk->sk_state in unix_stream_connect() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 028/356] af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb() Greg Kroah-Hartman
` (336 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 8a34d4e8d9742a24f74998f45a6a98edd923319b ]
The following functions read sk->sk_state locklessly and proceed only if
the state is TCP_ESTABLISHED.
* unix_stream_sendmsg
* unix_stream_read_generic
* unix_seqpacket_sendmsg
* unix_seqpacket_recvmsg
Let's use READ_ONCE() there.
Fixes: a05d2ad1c1f3 ("af_unix: Only allow recv on connected seqpacket sockets.")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2051,7 +2051,7 @@ static int unix_stream_sendmsg(struct so
}
if (msg->msg_namelen) {
- err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
+ err = READ_ONCE(sk->sk_state) == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
goto out_err;
} else {
err = -ENOTCONN;
@@ -2263,7 +2263,7 @@ static int unix_seqpacket_sendmsg(struct
if (err)
return err;
- if (sk->sk_state != TCP_ESTABLISHED)
+ if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)
return -ENOTCONN;
if (msg->msg_namelen)
@@ -2277,7 +2277,7 @@ static int unix_seqpacket_recvmsg(struct
{
struct sock *sk = sock->sk;
- if (sk->sk_state != TCP_ESTABLISHED)
+ if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)
return -ENOTCONN;
return unix_dgram_recvmsg(sock, msg, size, flags);
@@ -2624,7 +2624,7 @@ static int unix_stream_read_generic(stru
size_t size = state->size;
unsigned int last_len;
- if (unlikely(sk->sk_state != TCP_ESTABLISHED)) {
+ if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)) {
err = -EINVAL;
goto out;
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 028/356] af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb().
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 027/356] af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 029/356] af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG Greg Kroah-Hartman
` (335 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit af4c733b6b1aded4dc808fafece7dfe6e9d2ebb3 ]
unix_stream_read_skb() is called from sk->sk_data_ready() context
where unix_state_lock() is not held.
Let's use READ_ONCE() there.
Fixes: 77462de14a43 ("af_unix: Add read_sock for stream socket types")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2600,7 +2600,7 @@ static struct sk_buff *manage_oob(struct
static int unix_stream_read_sock(struct sock *sk, read_descriptor_t *desc,
sk_read_actor_t recv_actor)
{
- if (unlikely(sk->sk_state != TCP_ESTABLISHED))
+ if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED))
return -ENOTCONN;
return unix_read_sock(sk, desc, recv_actor);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 029/356] af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 028/356] af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 030/356] af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen Greg Kroah-Hartman
` (334 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 0aa3be7b3e1f8f997312cc4705f8165e02806f8f ]
While dumping AF_UNIX sockets via UNIX_DIAG, sk->sk_state is read
locklessly.
Let's use READ_ONCE() there.
Note that the result could be inconsistent if the socket is dumped
during the state change. This is common for other SOCK_DIAG and
similar interfaces.
Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report")
Fixes: 2aac7a2cb0d9 ("unix_diag: Pending connections IDs NLA")
Fixes: 45a96b9be6ec ("unix_diag: Dumping all sockets core")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/diag.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -64,7 +64,7 @@ static int sk_diag_dump_icons(struct soc
u32 *buf;
int i;
- if (sk->sk_state == TCP_LISTEN) {
+ if (READ_ONCE(sk->sk_state) == TCP_LISTEN) {
spin_lock(&sk->sk_receive_queue.lock);
attr = nla_reserve(nlskb, UNIX_DIAG_ICONS,
@@ -102,7 +102,7 @@ static int sk_diag_show_rqlen(struct soc
{
struct unix_diag_rqlen rql;
- if (sk->sk_state == TCP_LISTEN) {
+ if (READ_ONCE(sk->sk_state) == TCP_LISTEN) {
rql.udiag_rqueue = sk->sk_receive_queue.qlen;
rql.udiag_wqueue = sk->sk_max_ack_backlog;
} else {
@@ -135,7 +135,7 @@ static int sk_diag_fill(struct sock *sk,
rep = nlmsg_data(nlh);
rep->udiag_family = AF_UNIX;
rep->udiag_type = sk->sk_type;
- rep->udiag_state = sk->sk_state;
+ rep->udiag_state = READ_ONCE(sk->sk_state);
rep->pad = 0;
rep->udiag_ino = sk_ino;
sock_diag_save_cookie(sk, rep->udiag_cookie);
@@ -218,7 +218,7 @@ static int unix_diag_dump(struct sk_buff
continue;
if (num < s_num)
goto next;
- if (!(req->udiag_states & (1 << sk->sk_state)))
+ if (!(req->udiag_states & (1 << READ_ONCE(sk->sk_state))))
goto next;
if (sk_diag_dump(sk, skb, req, sk_user_ns(skb->sk),
NETLINK_CB(cb->skb).portid,
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 030/356] af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 029/356] af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 031/356] af_unix: Use unix_recvq_full_lockless() in unix_stream_connect() Greg Kroah-Hartman
` (333 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit bd9f2d05731f6a112d0c7391a0d537bfc588dbe6 ]
net->unx.sysctl_max_dgram_qlen is exposed as a sysctl knob and can be
changed concurrently.
Let's use READ_ONCE() in unix_create1().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -873,7 +873,7 @@ static struct sock *unix_create1(struct
sk->sk_allocation = GFP_KERNEL_ACCOUNT;
sk->sk_write_space = unix_write_space;
- sk->sk_max_ack_backlog = net->unx.sysctl_max_dgram_qlen;
+ sk->sk_max_ack_backlog = READ_ONCE(net->unx.sysctl_max_dgram_qlen);
sk->sk_destruct = unix_sock_destructor;
u = unix_sk(sk);
u->inflight = 0;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 031/356] af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 030/356] af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 032/356] af_unix: annotate lockless accesses to sk->sk_err Greg Kroah-Hartman
` (332 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 45d872f0e65593176d880ec148f41ad7c02e40a7 ]
Once sk->sk_state is changed to TCP_LISTEN, it never changes.
unix_accept() takes advantage of this characteristics; it does not
hold the listener's unix_state_lock() and only acquires recvq lock
to pop one skb.
It means unix_state_lock() does not prevent the queue length from
changing in unix_stream_connect().
Thus, we need to use unix_recvq_full_lockless() to avoid data-race.
Now we remove unix_recvq_full() as no one uses it.
Note that we can remove READ_ONCE() for sk->sk_max_ack_backlog in
unix_recvq_full_lockless() because of the following reasons:
(1) For SOCK_DGRAM, it is a written-once field in unix_create1()
(2) For SOCK_STREAM and SOCK_SEQPACKET, it is changed under the
listener's unix_state_lock() in unix_listen(), and we hold
the lock in unix_stream_connect()
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -190,15 +190,9 @@ static inline int unix_may_send(struct s
return unix_peer(osk) == NULL || unix_our_peer(sk, osk);
}
-static inline int unix_recvq_full(const struct sock *sk)
-{
- return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog;
-}
-
static inline int unix_recvq_full_lockless(const struct sock *sk)
{
- return skb_queue_len_lockless(&sk->sk_receive_queue) >
- READ_ONCE(sk->sk_max_ack_backlog);
+ return skb_queue_len_lockless(&sk->sk_receive_queue) > sk->sk_max_ack_backlog;
}
struct sock *unix_peer_get(struct sock *s)
@@ -1387,7 +1381,7 @@ restart:
if (other->sk_shutdown & RCV_SHUTDOWN)
goto out_unlock;
- if (unix_recvq_full(other)) {
+ if (unix_recvq_full_lockless(other)) {
err = -EAGAIN;
if (!timeo)
goto out_unlock;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 032/356] af_unix: annotate lockless accesses to sk->sk_err
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 031/356] af_unix: Use unix_recvq_full_lockless() in unix_stream_connect() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 033/356] af_unix: Use skb_queue_empty_lockless() in unix_release_sock() Greg Kroah-Hartman
` (331 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit cc04410af7de348234ac36a5f50c4ce416efdb4b ]
unix_poll() and unix_dgram_poll() read sk->sk_err
without any lock held.
Add relevant READ_ONCE()/WRITE_ONCE() annotations.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 83690b82d228 ("af_unix: Use skb_queue_empty_lockless() in unix_release_sock().")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -485,7 +485,7 @@ static void unix_dgram_disconnected(stru
* when peer was not connected to us.
*/
if (!sock_flag(other, SOCK_DEAD) && unix_peer(other) == sk) {
- other->sk_err = ECONNRESET;
+ WRITE_ONCE(other->sk_err, ECONNRESET);
sk_error_report(other);
}
}
@@ -556,7 +556,7 @@ static void unix_release_sock(struct soc
/* No more writes */
WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK);
if (!skb_queue_empty(&sk->sk_receive_queue) || embrion)
- skpair->sk_err = ECONNRESET;
+ WRITE_ONCE(skpair->sk_err, ECONNRESET);
unix_state_unlock(skpair);
skpair->sk_state_change(skpair);
sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
@@ -3066,7 +3066,7 @@ static __poll_t unix_poll(struct file *f
state = READ_ONCE(sk->sk_state);
/* exceptional events? */
- if (sk->sk_err)
+ if (READ_ONCE(sk->sk_err))
mask |= EPOLLERR;
if (shutdown == SHUTDOWN_MASK)
mask |= EPOLLHUP;
@@ -3113,7 +3113,8 @@ static __poll_t unix_dgram_poll(struct f
state = READ_ONCE(sk->sk_state);
/* exceptional events? */
- if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue))
+ if (READ_ONCE(sk->sk_err) ||
+ !skb_queue_empty_lockless(&sk->sk_error_queue))
mask |= EPOLLERR |
(sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 033/356] af_unix: Use skb_queue_empty_lockless() in unix_release_sock().
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 032/356] af_unix: annotate lockless accesses to sk->sk_err Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 034/356] af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen() Greg Kroah-Hartman
` (330 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 83690b82d228b3570565ebd0b41873933238b97f ]
If the socket type is SOCK_STREAM or SOCK_SEQPACKET, unix_release_sock()
checks the length of the peer socket's recvq under unix_state_lock().
However, unix_stream_read_generic() calls skb_unlink() after releasing
the lock. Also, for SOCK_SEQPACKET, __skb_try_recv_datagram() unlinks
skb without unix_state_lock().
Thues, unix_state_lock() does not protect qlen.
Let's use skb_queue_empty_lockless() in unix_release_sock().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -555,7 +555,7 @@ static void unix_release_sock(struct soc
unix_state_lock(skpair);
/* No more writes */
WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK);
- if (!skb_queue_empty(&sk->sk_receive_queue) || embrion)
+ if (!skb_queue_empty_lockless(&sk->sk_receive_queue) || embrion)
WRITE_ONCE(skpair->sk_err, ECONNRESET);
unix_state_unlock(skpair);
skpair->sk_state_change(skpair);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 034/356] af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 033/356] af_unix: Use skb_queue_empty_lockless() in unix_release_sock() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 035/356] af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill() Greg Kroah-Hartman
` (329 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 5d915e584d8408211d4567c22685aae8820bfc55 ]
We can dump the socket queue length via UNIX_DIAG by specifying
UDIAG_SHOW_RQLEN.
If sk->sk_state is TCP_LISTEN, we return the recv queue length,
but here we do not hold recvq lock.
Let's use skb_queue_len_lockless() in sk_diag_show_rqlen().
Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/diag.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -103,7 +103,7 @@ static int sk_diag_show_rqlen(struct soc
struct unix_diag_rqlen rql;
if (READ_ONCE(sk->sk_state) == TCP_LISTEN) {
- rql.udiag_rqueue = sk->sk_receive_queue.qlen;
+ rql.udiag_rqueue = skb_queue_len_lockless(&sk->sk_receive_queue);
rql.udiag_wqueue = sk->sk_max_ack_backlog;
} else {
rql.udiag_rqueue = (u32) unix_inq_len(sk);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 035/356] af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 034/356] af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 036/356] ipv6: fix possible race in __fib6_drop_pcpu_from() Greg Kroah-Hartman
` (328 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit efaf24e30ec39ebbea9112227485805a48b0ceb1 ]
While dumping sockets via UNIX_DIAG, we do not hold unix_state_lock().
Let's use READ_ONCE() to read sk->sk_shutdown.
Fixes: e4e541a84863 ("sock-diag: Report shutdown for inet and unix sockets (v2)")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/diag.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -164,7 +164,7 @@ static int sk_diag_fill(struct sock *sk,
sock_diag_put_meminfo(sk, skb, UNIX_DIAG_MEMINFO))
goto out_nlmsg_trim;
- if (nla_put_u8(skb, UNIX_DIAG_SHUTDOWN, sk->sk_shutdown))
+ if (nla_put_u8(skb, UNIX_DIAG_SHUTDOWN, READ_ONCE(sk->sk_shutdown)))
goto out_nlmsg_trim;
if ((req->udiag_show & UDIAG_SHOW_UID) &&
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 036/356] ipv6: fix possible race in __fib6_drop_pcpu_from()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 035/356] af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 037/356] usb: gadget: f_fs: use io_data->status consistently Greg Kroah-Hartman
` (327 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Martin KaFai Lau,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit b01e1c030770ff3b4fe37fc7cc6bca03f594133f ]
syzbot found a race in __fib6_drop_pcpu_from() [1]
If compiler reads more than once (*ppcpu_rt),
second read could read NULL, if another cpu clears
the value in rt6_get_pcpu_route().
Add a READ_ONCE() to prevent this race.
Also add rcu_read_lock()/rcu_read_unlock() because
we rely on RCU protection while dereferencing pcpu_rt.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: netns cleanup_net
RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984
Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48
RSP: 0018:ffffc900040df070 EFLAGS: 00010206
RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16
RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091
RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8
R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]
fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]
fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038
fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]
fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043
fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205
fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127
fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175
fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255
__fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271
rt6_sync_down_dev net/ipv6/route.c:4906 [inline]
rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911
addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855
addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778
notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992
call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
call_netdevice_notifiers net/core/dev.c:2044 [inline]
dev_close_many+0x333/0x6a0 net/core/dev.c:1585
unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193
unregister_netdevice_many net/core/dev.c:11276 [inline]
default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759
ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Fixes: d52d3997f843 ("ipv6: Create percpu rt6_info")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Martin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/r/20240604193549.981839-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_fib.c | 6 +++++-
net/ipv6/route.c | 1 +
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index c0ff5ee490e7b..7d09193c14445 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -961,6 +961,7 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh,
if (!fib6_nh->rt6i_pcpu)
return;
+ rcu_read_lock();
/* release the reference to this fib entry from
* all of its cached pcpu routes
*/
@@ -969,7 +970,9 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh,
struct rt6_info *pcpu_rt;
ppcpu_rt = per_cpu_ptr(fib6_nh->rt6i_pcpu, cpu);
- pcpu_rt = *ppcpu_rt;
+
+ /* Paired with xchg() in rt6_get_pcpu_route() */
+ pcpu_rt = READ_ONCE(*ppcpu_rt);
/* only dropping the 'from' reference if the cached route
* is using 'match'. The cached pcpu_rt->from only changes
@@ -983,6 +986,7 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh,
fib6_info_release(from);
}
}
+ rcu_read_unlock();
}
struct fib6_nh_pcpu_arg {
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 3bc3a30363e19..2c60270c5798b 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1398,6 +1398,7 @@ static struct rt6_info *rt6_get_pcpu_route(const struct fib6_result *res)
struct rt6_info *prev, **p;
p = this_cpu_ptr(res->nh->rt6i_pcpu);
+ /* Paired with READ_ONCE() in __fib6_drop_pcpu_from() */
prev = xchg(p, NULL);
if (prev) {
dst_dev_put(&prev->dst);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 037/356] usb: gadget: f_fs: use io_data->status consistently
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 036/356] ipv6: fix possible race in __fib6_drop_pcpu_from() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 038/356] usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete Greg Kroah-Hartman
` (326 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Linyu Yuan, John Keeping,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Keeping <john@metanate.com>
[ Upstream commit b566d38857fcb6777f25b674b90a831eec0817a2 ]
Commit fb1f16d74e26 ("usb: gadget: f_fs: change ep->status safe in
ffs_epfile_io()") added a new ffs_io_data::status field to fix lifetime
issues in synchronous requests.
While there are no similar lifetime issues for asynchronous requests
(the separate ep member in ffs_io_data avoids them) using the status
field means the USB request can be freed earlier and that there is more
consistency between the synchronous and asynchronous I/O paths.
Cc: Linyu Yuan <quic_linyyuan@quicinc.com>
Signed-off-by: John Keeping <john@metanate.com>
Reviewed-by: Linyu Yuan <quic_linyyuan@quicinc.com>
Link: https://lore.kernel.org/r/20221124170430.3998755-1-john@metanate.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 24729b307eef ("usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_fs.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index a4367a43cdd87..37d18e27ddc64 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -830,8 +830,7 @@ static void ffs_user_copy_worker(struct work_struct *work)
{
struct ffs_io_data *io_data = container_of(work, struct ffs_io_data,
work);
- int ret = io_data->req->status ? io_data->req->status :
- io_data->req->actual;
+ int ret = io_data->status;
bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
if (io_data->read && ret > 0) {
@@ -845,8 +844,6 @@ static void ffs_user_copy_worker(struct work_struct *work)
if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd)
eventfd_signal(io_data->ffs->ffs_eventfd, 1);
- usb_ep_free_request(io_data->ep, io_data->req);
-
if (io_data->read)
kfree(io_data->to_free);
ffs_free_buffer(io_data);
@@ -861,6 +858,9 @@ static void ffs_epfile_async_io_complete(struct usb_ep *_ep,
ENTER();
+ io_data->status = req->status ? req->status : req->actual;
+ usb_ep_free_request(_ep, req);
+
INIT_WORK(&io_data->work, ffs_user_copy_worker);
queue_work(ffs->io_completion_wq, &io_data->work);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 038/356] usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 037/356] usb: gadget: f_fs: use io_data->status consistently Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 039/356] iio: accel: mxc4005: Reset chip on probe() and resume() Greg Kroah-Hartman
` (325 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wesley Cheng, Sasha Levin, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wesley Cheng <quic_wcheng@quicinc.com>
[ Upstream commit 24729b307eefcd7c476065cd7351c1a018082c19 ]
FFS based applications can utilize the aio_cancel() callback to dequeue
pending USB requests submitted to the UDC. There is a scenario where the
FFS application issues an AIO cancel call, while the UDC is handling a
soft disconnect. For a DWC3 based implementation, the callstack looks
like the following:
DWC3 Gadget FFS Application
dwc3_gadget_soft_disconnect() ...
--> dwc3_stop_active_transfers()
--> dwc3_gadget_giveback(-ESHUTDOWN)
--> ffs_epfile_async_io_complete() ffs_aio_cancel()
--> usb_ep_free_request() --> usb_ep_dequeue()
There is currently no locking implemented between the AIO completion
handler and AIO cancel, so the issue occurs if the completion routine is
running in parallel to an AIO cancel call coming from the FFS application.
As the completion call frees the USB request (io_data->req) the FFS
application is also referencing it for the usb_ep_dequeue() call. This can
lead to accessing a stale/hanging pointer.
commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")
relocated the usb_ep_free_request() into ffs_epfile_async_io_complete().
However, in order to properly implement locking to mitigate this issue, the
spinlock can't be added to ffs_epfile_async_io_complete(), as
usb_ep_dequeue() (if successfully dequeuing a USB request) will call the
function driver's completion handler in the same context. Hence, leading
into a deadlock.
Fix this issue by moving the usb_ep_free_request() back to
ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req
to NULL after freeing it within the ffs->eps_lock. This resolves the race
condition above, as the ffs_aio_cancel() routine will not continue
attempting to dequeue a request that has already been freed, or the
ffs_user_copy_work() not freeing the USB request until the AIO cancel is
done referencing it.
This fix depends on
commit b566d38857fc ("usb: gadget: f_fs: use io_data->status
consistently")
Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
Cc: stable <stable@kernel.org> # b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20240409014059.6740-1-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_fs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 37d18e27ddc64..ad858044e0bfd 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -832,6 +832,7 @@ static void ffs_user_copy_worker(struct work_struct *work)
work);
int ret = io_data->status;
bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
+ unsigned long flags;
if (io_data->read && ret > 0) {
kthread_use_mm(io_data->mm);
@@ -844,6 +845,11 @@ static void ffs_user_copy_worker(struct work_struct *work)
if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd)
eventfd_signal(io_data->ffs->ffs_eventfd, 1);
+ spin_lock_irqsave(&io_data->ffs->eps_lock, flags);
+ usb_ep_free_request(io_data->ep, io_data->req);
+ io_data->req = NULL;
+ spin_unlock_irqrestore(&io_data->ffs->eps_lock, flags);
+
if (io_data->read)
kfree(io_data->to_free);
ffs_free_buffer(io_data);
@@ -859,7 +865,6 @@ static void ffs_epfile_async_io_complete(struct usb_ep *_ep,
ENTER();
io_data->status = req->status ? req->status : req->actual;
- usb_ep_free_request(_ep, req);
INIT_WORK(&io_data->work, ffs_user_copy_worker);
queue_work(ffs->io_completion_wq, &io_data->work);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 039/356] iio: accel: mxc4005: Reset chip on probe() and resume()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 038/356] usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 040/356] drm/amd/display: Handle Y carry-over in VCP X.Y calculation Greg Kroah-Hartman
` (324 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Stable,
Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 6b8cffdc4a31e4a72f75ecd1bc13fbf0dafee390 ]
On some designs the chip is not properly reset when powered up at boot or
after a suspend/resume cycle.
Use the sw-reset feature to ensure that the chip is in a clean state
after probe() / resume() and in the case of resume() restore the settings
(scale, trigger-enabled).
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218578
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20240326113700.56725-3-hdegoede@redhat.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/accel/mxc4005.c | 68 +++++++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
diff --git a/drivers/iio/accel/mxc4005.c b/drivers/iio/accel/mxc4005.c
index ffae30e5eb5be..8db5611134da4 100644
--- a/drivers/iio/accel/mxc4005.c
+++ b/drivers/iio/accel/mxc4005.c
@@ -5,6 +5,7 @@
* Copyright (c) 2014, Intel Corporation.
*/
+#include <linux/delay.h>
#include <linux/module.h>
#include <linux/i2c.h>
#include <linux/iio/iio.h>
@@ -36,6 +37,7 @@
#define MXC4005_REG_INT_CLR1 0x01
#define MXC4005_REG_INT_CLR1_BIT_DRDYC 0x01
+#define MXC4005_REG_INT_CLR1_SW_RST 0x10
#define MXC4005_REG_CONTROL 0x0D
#define MXC4005_REG_CONTROL_MASK_FSR GENMASK(6, 5)
@@ -43,6 +45,9 @@
#define MXC4005_REG_DEVICE_ID 0x0E
+/* Datasheet does not specify a reset time, this is a conservative guess */
+#define MXC4005_RESET_TIME_US 2000
+
enum mxc4005_axis {
AXIS_X,
AXIS_Y,
@@ -66,6 +71,8 @@ struct mxc4005_data {
s64 timestamp __aligned(8);
} scan;
bool trigger_enabled;
+ unsigned int control;
+ unsigned int int_mask1;
};
/*
@@ -349,6 +356,7 @@ static int mxc4005_set_trigger_state(struct iio_trigger *trig,
return ret;
}
+ data->int_mask1 = val;
data->trigger_enabled = state;
mutex_unlock(&data->mutex);
@@ -384,6 +392,13 @@ static int mxc4005_chip_init(struct mxc4005_data *data)
dev_dbg(data->dev, "MXC4005 chip id %02x\n", reg);
+ ret = regmap_write(data->regmap, MXC4005_REG_INT_CLR1,
+ MXC4005_REG_INT_CLR1_SW_RST);
+ if (ret < 0)
+ return dev_err_probe(data->dev, ret, "resetting chip\n");
+
+ fsleep(MXC4005_RESET_TIME_US);
+
ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK0, 0);
if (ret < 0)
return dev_err_probe(data->dev, ret, "writing INT_MASK0\n");
@@ -480,6 +495,58 @@ static int mxc4005_probe(struct i2c_client *client,
return devm_iio_device_register(&client->dev, indio_dev);
}
+static int mxc4005_suspend(struct device *dev)
+{
+ struct iio_dev *indio_dev = dev_get_drvdata(dev);
+ struct mxc4005_data *data = iio_priv(indio_dev);
+ int ret;
+
+ /* Save control to restore it on resume */
+ ret = regmap_read(data->regmap, MXC4005_REG_CONTROL, &data->control);
+ if (ret < 0)
+ dev_err(data->dev, "failed to read reg_control\n");
+
+ return ret;
+}
+
+static int mxc4005_resume(struct device *dev)
+{
+ struct iio_dev *indio_dev = dev_get_drvdata(dev);
+ struct mxc4005_data *data = iio_priv(indio_dev);
+ int ret;
+
+ ret = regmap_write(data->regmap, MXC4005_REG_INT_CLR1,
+ MXC4005_REG_INT_CLR1_SW_RST);
+ if (ret) {
+ dev_err(data->dev, "failed to reset chip: %d\n", ret);
+ return ret;
+ }
+
+ fsleep(MXC4005_RESET_TIME_US);
+
+ ret = regmap_write(data->regmap, MXC4005_REG_CONTROL, data->control);
+ if (ret) {
+ dev_err(data->dev, "failed to restore control register\n");
+ return ret;
+ }
+
+ ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK0, 0);
+ if (ret) {
+ dev_err(data->dev, "failed to restore interrupt 0 mask\n");
+ return ret;
+ }
+
+ ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK1, data->int_mask1);
+ if (ret) {
+ dev_err(data->dev, "failed to restore interrupt 1 mask\n");
+ return ret;
+ }
+
+ return 0;
+}
+
+static DEFINE_SIMPLE_DEV_PM_OPS(mxc4005_pm_ops, mxc4005_suspend, mxc4005_resume);
+
static const struct acpi_device_id mxc4005_acpi_match[] = {
{"MXC4005", 0},
{"MXC6655", 0},
@@ -498,6 +565,7 @@ static struct i2c_driver mxc4005_driver = {
.driver = {
.name = MXC4005_DRV_NAME,
.acpi_match_table = ACPI_PTR(mxc4005_acpi_match),
+ .pm = pm_sleep_ptr(&mxc4005_pm_ops),
},
.probe = mxc4005_probe,
.id_table = mxc4005_id,
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 040/356] drm/amd/display: Handle Y carry-over in VCP X.Y calculation
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 039/356] iio: accel: mxc4005: Reset chip on probe() and resume() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 041/356] drm/amd/display: Clean up some inconsistent indenting Greg Kroah-Hartman
` (323 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenjing Liu, Anson Jacob,
George Shen, Daniel Wheeler, Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: George Shen <george.shen@amd.com>
[ Upstream commit 3626a6aebe62ce7067cdc460c0c644e9445386bb ]
[Why/How]
Theoretically rare corner case where ceil(Y) results in rounding
up to an integer. If this happens, the 1 should be carried over to
the X value.
Reviewed-by: Wenjing Liu <wenjing.liu@amd.com>
Acked-by: Anson Jacob <Anson.Jacob@amd.com>
Signed-off-by: George Shen <george.shen@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c
index cf364ae931386..d0799c426a84d 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c
@@ -644,6 +644,12 @@ void enc1_stream_encoder_set_throttled_vcp_size(
x),
26));
+ // If y rounds up to integer, carry it over to x.
+ if (y >> 26) {
+ x += 1;
+ y = 0;
+ }
+
REG_SET_2(DP_MSE_RATE_CNTL, 0,
DP_MSE_RATE_X, x,
DP_MSE_RATE_Y, y);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 041/356] drm/amd/display: Clean up some inconsistent indenting
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 040/356] drm/amd/display: Handle Y carry-over in VCP X.Y calculation Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 042/356] drm/amd/display: drop unnecessary NULL checks in debugfs Greg Kroah-Hartman
` (322 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abaci Robot, Christian König,
Jiapeng Chong, Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
[ Upstream commit 1da2fcc435114ea5a65d7e15fc31b4d0ce11113c ]
Eliminate the follow smatch warning:
drivers/gpu/drm/amd/amdgpu/../display/dmub/src/dmub_srv.c:622
dmub_srv_cmd_execute() warn: inconsistent indenting.
Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Stable-dep-of: 892b41b16f61 ("drm/amd/display: Fix incorrect DSC instance for MST")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 72 +++++++++----------
1 file changed, 36 insertions(+), 36 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index ed2f6802b0e20..fc0f6b0089ba0 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -1315,9 +1315,9 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx) {
@@ -1421,9 +1421,9 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx || !pipe_ctx->stream)
@@ -1506,9 +1506,9 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx) {
@@ -1610,9 +1610,9 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx || !pipe_ctx->stream)
@@ -1695,9 +1695,9 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx) {
@@ -1799,9 +1799,9 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx || !pipe_ctx->stream)
@@ -1880,9 +1880,9 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx) {
@@ -1981,9 +1981,9 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx || !pipe_ctx->stream)
@@ -2060,9 +2060,9 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx) {
@@ -2121,9 +2121,9 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx) {
@@ -2197,9 +2197,9 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx) {
@@ -2273,9 +2273,9 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
- break;
+ if (pipe_ctx && pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
}
if (!pipe_ctx) {
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 042/356] drm/amd/display: drop unnecessary NULL checks in debugfs
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 041/356] drm/amd/display: Clean up some inconsistent indenting Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 043/356] drm/amd/display: Fix incorrect DSC instance for MST Greg Kroah-Hartman
` (321 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Kodanev, Hamza Mahfooz,
Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
[ Upstream commit f8e12e770e8049917f82387033b3cf44bc43b915 ]
pipe_ctx pointer cannot be NULL when getting the address of
an element of the pipe_ctx array. Moreover, the MAX_PIPES is
defined as 6, so pipe_ctx is not NULL after the loop either.
Detected using the static analysis tool - Svace.
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Signed-off-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Stable-dep-of: 892b41b16f61 ("drm/amd/display: Fix incorrect DSC instance for MST")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 72 +++++--------------
1 file changed, 16 insertions(+), 56 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index fc0f6b0089ba0..939734eecf709 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -1315,16 +1315,11 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx) {
- kfree(rd_buf);
- return -ENXIO;
- }
-
dsc = pipe_ctx->stream_res.dsc;
if (dsc)
dsc->funcs->dsc_read_state(dsc, &dsc_state);
@@ -1421,12 +1416,12 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx || !pipe_ctx->stream)
+ if (!pipe_ctx->stream)
goto done;
// Get CRTC state
@@ -1506,16 +1501,11 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx) {
- kfree(rd_buf);
- return -ENXIO;
- }
-
dsc = pipe_ctx->stream_res.dsc;
if (dsc)
dsc->funcs->dsc_read_state(dsc, &dsc_state);
@@ -1610,12 +1600,12 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx || !pipe_ctx->stream)
+ if (!pipe_ctx->stream)
goto done;
// Safely get CRTC state
@@ -1695,16 +1685,11 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx) {
- kfree(rd_buf);
- return -ENXIO;
- }
-
dsc = pipe_ctx->stream_res.dsc;
if (dsc)
dsc->funcs->dsc_read_state(dsc, &dsc_state);
@@ -1799,12 +1784,12 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx || !pipe_ctx->stream)
+ if (!pipe_ctx->stream)
goto done;
// Get CRTC state
@@ -1880,16 +1865,11 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx) {
- kfree(rd_buf);
- return -ENXIO;
- }
-
dsc = pipe_ctx->stream_res.dsc;
if (dsc)
dsc->funcs->dsc_read_state(dsc, &dsc_state);
@@ -1981,12 +1961,12 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx || !pipe_ctx->stream)
+ if (!pipe_ctx->stream)
goto done;
// Get CRTC state
@@ -2060,16 +2040,11 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx) {
- kfree(rd_buf);
- return -ENXIO;
- }
-
dsc = pipe_ctx->stream_res.dsc;
if (dsc)
dsc->funcs->dsc_read_state(dsc, &dsc_state);
@@ -2121,16 +2096,11 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx) {
- kfree(rd_buf);
- return -ENXIO;
- }
-
dsc = pipe_ctx->stream_res.dsc;
if (dsc)
dsc->funcs->dsc_read_state(dsc, &dsc_state);
@@ -2197,16 +2167,11 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx) {
- kfree(rd_buf);
- return -ENXIO;
- }
-
dsc = pipe_ctx->stream_res.dsc;
if (dsc)
dsc->funcs->dsc_read_state(dsc, &dsc_state);
@@ -2273,16 +2238,11 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
- if (pipe_ctx && pipe_ctx->stream &&
+ if (pipe_ctx->stream &&
pipe_ctx->stream->link == aconnector->dc_link)
break;
}
- if (!pipe_ctx) {
- kfree(rd_buf);
- return -ENXIO;
- }
-
dsc = pipe_ctx->stream_res.dsc;
if (dsc)
dsc->funcs->dsc_read_state(dsc, &dsc_state);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 043/356] drm/amd/display: Fix incorrect DSC instance for MST
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 042/356] drm/amd/display: drop unnecessary NULL checks in debugfs Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 044/356] pvpanic: Keep single style across modules Greg Kroah-Hartman
` (320 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aurabindo Pillai, Hersen Wu,
Daniel Wheeler, Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hersen Wu <hersenxs.wu@amd.com>
[ Upstream commit 892b41b16f6163e6556545835abba668fcab4eea ]
[Why] DSC debugfs, such as dp_dsc_clock_en_read,
use aconnector->dc_link to find pipe_ctx for display.
Displays connected to MST hub share the same dc_link.
DSC instance is from pipe_ctx. This causes incorrect
DSC instance for display connected to MST hub.
[How] Add aconnector->sink check to find pipe_ctx.
CC: stable@vger.kernel.org
Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 48 ++++++++++++++-----
1 file changed, 36 insertions(+), 12 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index 939734eecf709..8ccd43ec68829 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -1316,7 +1316,9 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
@@ -1417,7 +1419,9 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
@@ -1502,7 +1506,9 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
@@ -1601,7 +1607,9 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
@@ -1686,7 +1694,9 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
@@ -1785,7 +1795,9 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
@@ -1866,7 +1878,9 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
@@ -1962,7 +1976,9 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
@@ -2041,7 +2057,9 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
@@ -2097,7 +2115,9 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
@@ -2168,7 +2188,9 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
@@ -2239,7 +2261,9 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf,
for (i = 0; i < MAX_PIPES; i++) {
pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
if (pipe_ctx->stream &&
- pipe_ctx->stream->link == aconnector->dc_link)
+ pipe_ctx->stream->link == aconnector->dc_link &&
+ pipe_ctx->stream->sink &&
+ pipe_ctx->stream->sink == aconnector->dc_sink)
break;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 044/356] pvpanic: Keep single style across modules
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 043/356] drm/amd/display: Fix incorrect DSC instance for MST Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 045/356] pvpanic: Indentation fixes here and there Greg Kroah-Hartman
` (319 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 33a430419456991480cde9d8889e5a27f6049df4 ]
We have different style on where we place module_*() and MODULE_*() macros.
Inherit the style from the original module (now pvpanic-mmio.c).
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20210829124354.81653-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/pvpanic/pvpanic-pci.c | 14 ++++++--------
drivers/misc/pvpanic/pvpanic.c | 3 +--
2 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c
index 741116b3d9958..7d1220f4c95bc 100644
--- a/drivers/misc/pvpanic/pvpanic-pci.c
+++ b/drivers/misc/pvpanic/pvpanic-pci.c
@@ -22,11 +22,6 @@ MODULE_AUTHOR("Mihai Carabas <mihai.carabas@oracle.com>");
MODULE_DESCRIPTION("pvpanic device driver ");
MODULE_LICENSE("GPL");
-static const struct pci_device_id pvpanic_pci_id_tbl[] = {
- { PCI_DEVICE(PCI_VENDOR_ID_REDHAT, PCI_DEVICE_ID_REDHAT_PVPANIC)},
- {}
-};
-
static ssize_t capability_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
@@ -99,6 +94,12 @@ static int pvpanic_pci_probe(struct pci_dev *pdev,
return devm_pvpanic_probe(&pdev->dev, pi);
}
+static const struct pci_device_id pvpanic_pci_id_tbl[] = {
+ { PCI_DEVICE(PCI_VENDOR_ID_REDHAT, PCI_DEVICE_ID_REDHAT_PVPANIC)},
+ {}
+};
+MODULE_DEVICE_TABLE(pci, pvpanic_pci_id_tbl);
+
static struct pci_driver pvpanic_pci_driver = {
.name = "pvpanic-pci",
.id_table = pvpanic_pci_id_tbl,
@@ -107,7 +108,4 @@ static struct pci_driver pvpanic_pci_driver = {
.dev_groups = pvpanic_pci_dev_groups,
},
};
-
-MODULE_DEVICE_TABLE(pci, pvpanic_pci_id_tbl);
-
module_pci_driver(pvpanic_pci_driver);
diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c
index b9e6400a574b0..477bf9c6b6bc5 100644
--- a/drivers/misc/pvpanic/pvpanic.c
+++ b/drivers/misc/pvpanic/pvpanic.c
@@ -107,6 +107,7 @@ static int pvpanic_init(void)
return 0;
}
+module_init(pvpanic_init);
static void pvpanic_exit(void)
{
@@ -114,6 +115,4 @@ static void pvpanic_exit(void)
&pvpanic_panic_nb);
}
-
-module_init(pvpanic_init);
module_exit(pvpanic_exit);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 045/356] pvpanic: Indentation fixes here and there
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 044/356] pvpanic: Keep single style across modules Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 046/356] misc/pvpanic: deduplicate common code Greg Kroah-Hartman
` (318 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mihai Carabas, Andy Shevchenko,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 84b0f12a953c4feff9994b1c4583ed18b441f482 ]
1) replace double spaces with single;
2) relax line width limitation a bit.
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20210829124354.81653-3-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/pvpanic/pvpanic-mmio.c | 7 +++----
drivers/misc/pvpanic/pvpanic-pci.c | 12 +++++-------
drivers/misc/pvpanic/pvpanic.c | 11 ++++-------
3 files changed, 12 insertions(+), 18 deletions(-)
diff --git a/drivers/misc/pvpanic/pvpanic-mmio.c b/drivers/misc/pvpanic/pvpanic-mmio.c
index 61dbff5f0065c..eb97167c03fb4 100644
--- a/drivers/misc/pvpanic/pvpanic-mmio.c
+++ b/drivers/misc/pvpanic/pvpanic-mmio.c
@@ -24,8 +24,7 @@ MODULE_AUTHOR("Hu Tao <hutao@cn.fujitsu.com>");
MODULE_DESCRIPTION("pvpanic-mmio device driver");
MODULE_LICENSE("GPL");
-static ssize_t capability_show(struct device *dev,
- struct device_attribute *attr, char *buf)
+static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct pvpanic_instance *pi = dev_get_drvdata(dev);
@@ -33,14 +32,14 @@ static ssize_t capability_show(struct device *dev,
}
static DEVICE_ATTR_RO(capability);
-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
+static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct pvpanic_instance *pi = dev_get_drvdata(dev);
return sysfs_emit(buf, "%x\n", pi->events);
}
-static ssize_t events_store(struct device *dev, struct device_attribute *attr,
+static ssize_t events_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
struct pvpanic_instance *pi = dev_get_drvdata(dev);
diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c
index 7d1220f4c95bc..07eddb5ea30fa 100644
--- a/drivers/misc/pvpanic/pvpanic-pci.c
+++ b/drivers/misc/pvpanic/pvpanic-pci.c
@@ -19,11 +19,10 @@
#define PCI_DEVICE_ID_REDHAT_PVPANIC 0x0011
MODULE_AUTHOR("Mihai Carabas <mihai.carabas@oracle.com>");
-MODULE_DESCRIPTION("pvpanic device driver ");
+MODULE_DESCRIPTION("pvpanic device driver");
MODULE_LICENSE("GPL");
-static ssize_t capability_show(struct device *dev,
- struct device_attribute *attr, char *buf)
+static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct pvpanic_instance *pi = dev_get_drvdata(dev);
@@ -31,14 +30,14 @@ static ssize_t capability_show(struct device *dev,
}
static DEVICE_ATTR_RO(capability);
-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
+static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct pvpanic_instance *pi = dev_get_drvdata(dev);
return sysfs_emit(buf, "%x\n", pi->events);
}
-static ssize_t events_store(struct device *dev, struct device_attribute *attr,
+static ssize_t events_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
struct pvpanic_instance *pi = dev_get_drvdata(dev);
@@ -65,8 +64,7 @@ static struct attribute *pvpanic_pci_dev_attrs[] = {
};
ATTRIBUTE_GROUPS(pvpanic_pci_dev);
-static int pvpanic_pci_probe(struct pci_dev *pdev,
- const struct pci_device_id *ent)
+static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
{
struct pvpanic_instance *pi;
void __iomem *base;
diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c
index 477bf9c6b6bc5..049a120063489 100644
--- a/drivers/misc/pvpanic/pvpanic.c
+++ b/drivers/misc/pvpanic/pvpanic.c
@@ -23,7 +23,7 @@
#include "pvpanic.h"
MODULE_AUTHOR("Mihai Carabas <mihai.carabas@oracle.com>");
-MODULE_DESCRIPTION("pvpanic device driver ");
+MODULE_DESCRIPTION("pvpanic device driver");
MODULE_LICENSE("GPL");
static struct list_head pvpanic_list;
@@ -45,8 +45,7 @@ pvpanic_send_event(unsigned int event)
}
static int
-pvpanic_panic_notify(struct notifier_block *nb, unsigned long code,
- void *unused)
+pvpanic_panic_notify(struct notifier_block *nb, unsigned long code, void *unused)
{
unsigned int event = PVPANIC_PANICKED;
@@ -102,8 +101,7 @@ static int pvpanic_init(void)
INIT_LIST_HEAD(&pvpanic_list);
spin_lock_init(&pvpanic_lock);
- atomic_notifier_chain_register(&panic_notifier_list,
- &pvpanic_panic_nb);
+ atomic_notifier_chain_register(&panic_notifier_list, &pvpanic_panic_nb);
return 0;
}
@@ -111,8 +109,7 @@ module_init(pvpanic_init);
static void pvpanic_exit(void)
{
- atomic_notifier_chain_unregister(&panic_notifier_list,
- &pvpanic_panic_nb);
+ atomic_notifier_chain_unregister(&panic_notifier_list, &pvpanic_panic_nb);
}
module_exit(pvpanic_exit);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 046/356] misc/pvpanic: deduplicate common code
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 045/356] pvpanic: Indentation fixes here and there Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 047/356] misc/pvpanic-pci: register attributes via pci_driver Greg Kroah-Hartman
` (317 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit c1426d392aebc51da4944d950d89e483e43f6f14 ]
pvpanic-mmio.c and pvpanic-pci.c share a lot of code.
Refactor it into pvpanic.c where it doesn't have to be kept in sync
manually and where the core logic can be understood more easily.
No functional change.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://lore.kernel.org/r/20231011-pvpanic-cleanup-v2-1-4b21d56f779f@weissschuh.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/pvpanic/pvpanic-mmio.c | 58 +---------------------
drivers/misc/pvpanic/pvpanic-pci.c | 58 +---------------------
drivers/misc/pvpanic/pvpanic.c | 76 ++++++++++++++++++++++++++++-
drivers/misc/pvpanic/pvpanic.h | 10 +---
4 files changed, 80 insertions(+), 122 deletions(-)
diff --git a/drivers/misc/pvpanic/pvpanic-mmio.c b/drivers/misc/pvpanic/pvpanic-mmio.c
index eb97167c03fb4..9715798acce3d 100644
--- a/drivers/misc/pvpanic/pvpanic-mmio.c
+++ b/drivers/misc/pvpanic/pvpanic-mmio.c
@@ -24,52 +24,9 @@ MODULE_AUTHOR("Hu Tao <hutao@cn.fujitsu.com>");
MODULE_DESCRIPTION("pvpanic-mmio device driver");
MODULE_LICENSE("GPL");
-static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf)
-{
- struct pvpanic_instance *pi = dev_get_drvdata(dev);
-
- return sysfs_emit(buf, "%x\n", pi->capability);
-}
-static DEVICE_ATTR_RO(capability);
-
-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
-{
- struct pvpanic_instance *pi = dev_get_drvdata(dev);
-
- return sysfs_emit(buf, "%x\n", pi->events);
-}
-
-static ssize_t events_store(struct device *dev, struct device_attribute *attr,
- const char *buf, size_t count)
-{
- struct pvpanic_instance *pi = dev_get_drvdata(dev);
- unsigned int tmp;
- int err;
-
- err = kstrtouint(buf, 16, &tmp);
- if (err)
- return err;
-
- if ((tmp & pi->capability) != tmp)
- return -EINVAL;
-
- pi->events = tmp;
-
- return count;
-}
-static DEVICE_ATTR_RW(events);
-
-static struct attribute *pvpanic_mmio_dev_attrs[] = {
- &dev_attr_capability.attr,
- &dev_attr_events.attr,
- NULL
-};
-ATTRIBUTE_GROUPS(pvpanic_mmio_dev);
-
static int pvpanic_mmio_probe(struct platform_device *pdev)
{
struct device *dev = &pdev->dev;
- struct pvpanic_instance *pi;
struct resource *res;
void __iomem *base;
@@ -92,18 +49,7 @@ static int pvpanic_mmio_probe(struct platform_device *pdev)
return -EINVAL;
}
- pi = devm_kmalloc(dev, sizeof(*pi), GFP_KERNEL);
- if (!pi)
- return -ENOMEM;
-
- pi->base = base;
- pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED;
-
- /* initialize capability by RDPT */
- pi->capability &= ioread8(base);
- pi->events = pi->capability;
-
- return devm_pvpanic_probe(dev, pi);
+ return devm_pvpanic_probe(dev, base);
}
static const struct of_device_id pvpanic_mmio_match[] = {
@@ -123,7 +69,7 @@ static struct platform_driver pvpanic_mmio_driver = {
.name = "pvpanic-mmio",
.of_match_table = pvpanic_mmio_match,
.acpi_match_table = pvpanic_device_ids,
- .dev_groups = pvpanic_mmio_dev_groups,
+ .dev_groups = pvpanic_dev_groups,
},
.probe = pvpanic_mmio_probe,
};
diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c
index 07eddb5ea30fa..689af4c28c2a9 100644
--- a/drivers/misc/pvpanic/pvpanic-pci.c
+++ b/drivers/misc/pvpanic/pvpanic-pci.c
@@ -22,51 +22,8 @@ MODULE_AUTHOR("Mihai Carabas <mihai.carabas@oracle.com>");
MODULE_DESCRIPTION("pvpanic device driver");
MODULE_LICENSE("GPL");
-static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf)
-{
- struct pvpanic_instance *pi = dev_get_drvdata(dev);
-
- return sysfs_emit(buf, "%x\n", pi->capability);
-}
-static DEVICE_ATTR_RO(capability);
-
-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
-{
- struct pvpanic_instance *pi = dev_get_drvdata(dev);
-
- return sysfs_emit(buf, "%x\n", pi->events);
-}
-
-static ssize_t events_store(struct device *dev, struct device_attribute *attr,
- const char *buf, size_t count)
-{
- struct pvpanic_instance *pi = dev_get_drvdata(dev);
- unsigned int tmp;
- int err;
-
- err = kstrtouint(buf, 16, &tmp);
- if (err)
- return err;
-
- if ((tmp & pi->capability) != tmp)
- return -EINVAL;
-
- pi->events = tmp;
-
- return count;
-}
-static DEVICE_ATTR_RW(events);
-
-static struct attribute *pvpanic_pci_dev_attrs[] = {
- &dev_attr_capability.attr,
- &dev_attr_events.attr,
- NULL
-};
-ATTRIBUTE_GROUPS(pvpanic_pci_dev);
-
static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
{
- struct pvpanic_instance *pi;
void __iomem *base;
int ret;
@@ -78,18 +35,7 @@ static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *e
if (!base)
return -ENOMEM;
- pi = devm_kmalloc(&pdev->dev, sizeof(*pi), GFP_KERNEL);
- if (!pi)
- return -ENOMEM;
-
- pi->base = base;
- pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED;
-
- /* initlize capability by RDPT */
- pi->capability &= ioread8(base);
- pi->events = pi->capability;
-
- return devm_pvpanic_probe(&pdev->dev, pi);
+ return devm_pvpanic_probe(&pdev->dev, base);
}
static const struct pci_device_id pvpanic_pci_id_tbl[] = {
@@ -103,7 +49,7 @@ static struct pci_driver pvpanic_pci_driver = {
.id_table = pvpanic_pci_id_tbl,
.probe = pvpanic_pci_probe,
.driver = {
- .dev_groups = pvpanic_pci_dev_groups,
+ .dev_groups = pvpanic_dev_groups,
},
};
module_pci_driver(pvpanic_pci_driver);
diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c
index 049a120063489..305b367e0ce34 100644
--- a/drivers/misc/pvpanic/pvpanic.c
+++ b/drivers/misc/pvpanic/pvpanic.c
@@ -7,6 +7,7 @@
* Copyright (C) 2021 Oracle.
*/
+#include <linux/device.h>
#include <linux/io.h>
#include <linux/kernel.h>
#include <linux/kexec.h>
@@ -26,6 +27,13 @@ MODULE_AUTHOR("Mihai Carabas <mihai.carabas@oracle.com>");
MODULE_DESCRIPTION("pvpanic device driver");
MODULE_LICENSE("GPL");
+struct pvpanic_instance {
+ void __iomem *base;
+ unsigned int capability;
+ unsigned int events;
+ struct list_head list;
+};
+
static struct list_head pvpanic_list;
static spinlock_t pvpanic_lock;
@@ -81,11 +89,75 @@ static void pvpanic_remove(void *param)
spin_unlock(&pvpanic_lock);
}
-int devm_pvpanic_probe(struct device *dev, struct pvpanic_instance *pi)
+static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf)
+{
+ struct pvpanic_instance *pi = dev_get_drvdata(dev);
+
+ return sysfs_emit(buf, "%x\n", pi->capability);
+}
+static DEVICE_ATTR_RO(capability);
+
+static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
+{
+ struct pvpanic_instance *pi = dev_get_drvdata(dev);
+
+ return sysfs_emit(buf, "%x\n", pi->events);
+}
+
+static ssize_t events_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+{
+ struct pvpanic_instance *pi = dev_get_drvdata(dev);
+ unsigned int tmp;
+ int err;
+
+ err = kstrtouint(buf, 16, &tmp);
+ if (err)
+ return err;
+
+ if ((tmp & pi->capability) != tmp)
+ return -EINVAL;
+
+ pi->events = tmp;
+
+ return count;
+}
+static DEVICE_ATTR_RW(events);
+
+static struct attribute *pvpanic_dev_attrs[] = {
+ &dev_attr_capability.attr,
+ &dev_attr_events.attr,
+ NULL
+};
+
+static const struct attribute_group pvpanic_dev_group = {
+ .attrs = pvpanic_dev_attrs,
+};
+
+const struct attribute_group *pvpanic_dev_groups[] = {
+ &pvpanic_dev_group,
+ NULL
+};
+EXPORT_SYMBOL_GPL(pvpanic_dev_groups);
+
+int devm_pvpanic_probe(struct device *dev, void __iomem *base)
{
- if (!pi || !pi->base)
+ struct pvpanic_instance *pi;
+
+ if (!base)
return -EINVAL;
+ pi = devm_kmalloc(dev, sizeof(*pi), GFP_KERNEL);
+ if (!pi)
+ return -ENOMEM;
+
+ pi->base = base;
+ pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED;
+
+ /* initlize capability by RDPT */
+ pi->capability &= ioread8(base);
+ pi->events = pi->capability;
+
spin_lock(&pvpanic_lock);
list_add(&pi->list, &pvpanic_list);
spin_unlock(&pvpanic_lock);
diff --git a/drivers/misc/pvpanic/pvpanic.h b/drivers/misc/pvpanic/pvpanic.h
index 4935459517548..46ffb10438adf 100644
--- a/drivers/misc/pvpanic/pvpanic.h
+++ b/drivers/misc/pvpanic/pvpanic.h
@@ -8,13 +8,7 @@
#ifndef PVPANIC_H_
#define PVPANIC_H_
-struct pvpanic_instance {
- void __iomem *base;
- unsigned int capability;
- unsigned int events;
- struct list_head list;
-};
-
-int devm_pvpanic_probe(struct device *dev, struct pvpanic_instance *pi);
+int devm_pvpanic_probe(struct device *dev, void __iomem *base);
+extern const struct attribute_group *pvpanic_dev_groups[];
#endif /* PVPANIC_H_ */
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 047/356] misc/pvpanic-pci: register attributes via pci_driver
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 046/356] misc/pvpanic: deduplicate common code Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 048/356] skbuff: introduce skb_pull_data Greg Kroah-Hartman
` (316 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit ee59be35d7a8be7fcaa2d61fb89734ab5c25e4ee ]
In __pci_register_driver(), the pci core overwrites the dev_groups field of
the embedded struct device_driver with the dev_groups from the outer
struct pci_driver unconditionally.
Set dev_groups in the pci_driver to make sure it is used.
This was broken since the introduction of pvpanic-pci.
Fixes: db3a4f0abefd ("misc/pvpanic: add PCI driver")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Fixes: ded13b9cfd59 ("PCI: Add support for dev_groups to struct pci_driver")
Link: https://lore.kernel.org/r/20240411-pvpanic-pci-dev-groups-v1-1-db8cb69f1b09@weissschuh.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/pvpanic/pvpanic-pci.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c
index 689af4c28c2a9..2494725dfacfa 100644
--- a/drivers/misc/pvpanic/pvpanic-pci.c
+++ b/drivers/misc/pvpanic/pvpanic-pci.c
@@ -48,8 +48,6 @@ static struct pci_driver pvpanic_pci_driver = {
.name = "pvpanic-pci",
.id_table = pvpanic_pci_id_tbl,
.probe = pvpanic_pci_probe,
- .driver = {
- .dev_groups = pvpanic_dev_groups,
- },
+ .dev_groups = pvpanic_dev_groups,
};
module_pci_driver(pvpanic_pci_driver);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 048/356] skbuff: introduce skb_pull_data
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 047/356] misc/pvpanic-pci: register attributes via pci_driver Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 049/356] Bluetooth: hci_qca: mark OF related data as maybe unused Greg Kroah-Hartman
` (315 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski,
Luiz Augusto von Dentz, Dan Carpenter, Marcel Holtmann,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 13244cccc2b61ec715f0ac583d3037497004d4a5 ]
Like skb_pull but returns the original data pointer before pulling the
data after performing a check against sbk->len.
This allows to change code that does "struct foo *p = (void *)skb->data;"
which is hard to audit and error prone, to:
p = skb_pull_data(skb, sizeof(*p));
if (!p)
return;
Which is both safer and cleaner.
Acked-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/skbuff.h | 2 ++
net/core/skbuff.c | 24 ++++++++++++++++++++++++
2 files changed, 26 insertions(+)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 15de91c65a09a..b230c422dc3b9 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2447,6 +2447,8 @@ static inline void *skb_pull_inline(struct sk_buff *skb, unsigned int len)
return unlikely(len > skb->len) ? NULL : __skb_pull(skb, len);
}
+void *skb_pull_data(struct sk_buff *skb, size_t len);
+
void *__pskb_pull_tail(struct sk_buff *skb, int delta);
static inline void *__pskb_pull(struct sk_buff *skb, unsigned int len)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 4ec8cfd357eba..17073429cc365 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2071,6 +2071,30 @@ void *skb_pull(struct sk_buff *skb, unsigned int len)
}
EXPORT_SYMBOL(skb_pull);
+/**
+ * skb_pull_data - remove data from the start of a buffer returning its
+ * original position.
+ * @skb: buffer to use
+ * @len: amount of data to remove
+ *
+ * This function removes data from the start of a buffer, returning
+ * the memory to the headroom. A pointer to the original data in the buffer
+ * is returned after checking if there is enough data to pull. Once the
+ * data has been pulled future pushes will overwrite the old data.
+ */
+void *skb_pull_data(struct sk_buff *skb, size_t len)
+{
+ void *data = skb->data;
+
+ if (skb->len < len)
+ return NULL;
+
+ skb_pull(skb, len);
+
+ return data;
+}
+EXPORT_SYMBOL(skb_pull_data);
+
/**
* skb_trim - remove end from a buffer
* @skb: buffer to alter
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 049/356] Bluetooth: hci_qca: mark OF related data as maybe unused
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 048/356] skbuff: introduce skb_pull_data Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 050/356] Bluetooth: btqca: use le32_to_cpu for ver.soc_id Greg Kroah-Hartman
` (314 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 44fac8a2fd2f72ee98ee41e6bc9ecc7765b5d3cc ]
The driver can be compile tested with !CONFIG_OF making certain data
unused:
drivers/bluetooth/hci_qca.c:1869:37: error: ‘qca_soc_data_wcn6750’
defined but not used [-Werror=unused-const-variable=]
drivers/bluetooth/hci_qca.c:1853:37: error: ‘qca_soc_data_wcn3998’
defined but not used [-Werror=unused-const-variable=]
drivers/bluetooth/hci_qca.c:1841:37: error: ‘qca_soc_data_wcn3991’
defined but not used [-Werror=unused-const-variable=]
drivers/bluetooth/hci_qca.c:1830:37: error: ‘qca_soc_data_wcn3990’
defined but not used [-Werror=unused-const-variable=]
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_qca.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index fb71caa31daa7..1c2bd292ecb7c 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1834,7 +1834,7 @@ static const struct hci_uart_proto qca_proto = {
.dequeue = qca_dequeue,
};
-static const struct qca_device_data qca_soc_data_wcn3990 = {
+static const struct qca_device_data qca_soc_data_wcn3990 __maybe_unused = {
.soc_type = QCA_WCN3990,
.vregs = (struct qca_vreg []) {
{ "vddio", 15000 },
@@ -1845,7 +1845,7 @@ static const struct qca_device_data qca_soc_data_wcn3990 = {
.num_vregs = 4,
};
-static const struct qca_device_data qca_soc_data_wcn3991 = {
+static const struct qca_device_data qca_soc_data_wcn3991 __maybe_unused = {
.soc_type = QCA_WCN3991,
.vregs = (struct qca_vreg []) {
{ "vddio", 15000 },
@@ -1857,7 +1857,7 @@ static const struct qca_device_data qca_soc_data_wcn3991 = {
.capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES,
};
-static const struct qca_device_data qca_soc_data_wcn3998 = {
+static const struct qca_device_data qca_soc_data_wcn3998 __maybe_unused = {
.soc_type = QCA_WCN3998,
.vregs = (struct qca_vreg []) {
{ "vddio", 10000 },
@@ -1868,13 +1868,13 @@ static const struct qca_device_data qca_soc_data_wcn3998 = {
.num_vregs = 4,
};
-static const struct qca_device_data qca_soc_data_qca6390 = {
+static const struct qca_device_data qca_soc_data_qca6390 __maybe_unused = {
.soc_type = QCA_QCA6390,
.num_vregs = 0,
.capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES,
};
-static const struct qca_device_data qca_soc_data_wcn6750 = {
+static const struct qca_device_data qca_soc_data_wcn6750 __maybe_unused = {
.soc_type = QCA_WCN6750,
.vregs = (struct qca_vreg []) {
{ "vddio", 5000 },
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 050/356] Bluetooth: btqca: use le32_to_cpu for ver.soc_id
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 049/356] Bluetooth: hci_qca: mark OF related data as maybe unused Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 051/356] Bluetooth: btqca: Add WCN3988 support Greg Kroah-Hartman
` (313 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Min-Hua Chen, Luiz Augusto von Dentz,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Min-Hua Chen <minhuadotchen@gmail.com>
[ Upstream commit 8153b738bc547878a017889d2b1cf8dd2de0e0c6 ]
Use le32_to_cpu for ver.soc_id to fix the following
sparse warning.
drivers/bluetooth/btqca.c:640:24: sparse: warning: restricted
__le32 degrades to integer
Signed-off-by: Min-Hua Chen <minhuadotchen@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btqca.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index d4ae33a5f805e..b850b5de9f862 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -635,7 +635,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
snprintf(config.fwname, sizeof(config.fwname),
"qca/%s", firmware_name);
else if (qca_is_wcn399x(soc_type)) {
- if (ver.soc_id == QCA_WCN3991_SOC_ID) {
+ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
snprintf(config.fwname, sizeof(config.fwname),
"qca/crnv%02xu.bin", rom_ver);
} else {
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 051/356] Bluetooth: btqca: Add WCN3988 support
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 050/356] Bluetooth: btqca: use le32_to_cpu for ver.soc_id Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 052/356] Bluetooth: qca: use switch case for soc type behavior Greg Kroah-Hartman
` (312 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit f904feefe60c28b6852d5625adc4a2c39426a2d9 ]
Add support for the Bluetooth chip codenamed APACHE which is part of
WCN3988.
The firmware for this chip has a slightly different naming scheme
compared to most others. For ROM Version 0x0200 we need to use
apbtfw10.tlv + apnv10.bin and for ROM version 0x201 apbtfw11.tlv +
apnv11.bin
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btqca.c | 13 +++++++++++--
drivers/bluetooth/btqca.h | 12 ++++++++++--
drivers/bluetooth/hci_qca.c | 12 ++++++++++++
3 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index b850b5de9f862..6ae806b9e77f2 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -595,11 +595,17 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
/* Firmware files to download are based on ROM version.
* ROM version is derived from last two bytes of soc_ver.
*/
- rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
+ if (soc_type == QCA_WCN3988)
+ rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f);
+ else
+ rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
/* Download rampatch file */
config.type = TLV_TYPE_PATCH;
- if (qca_is_wcn399x(soc_type)) {
+ if (soc_type == QCA_WCN3988) {
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/apbtfw%02x.tlv", rom_ver);
+ } else if (qca_is_wcn399x(soc_type)) {
snprintf(config.fwname, sizeof(config.fwname),
"qca/crbtfw%02x.tlv", rom_ver);
} else if (soc_type == QCA_QCA6390) {
@@ -634,6 +640,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
if (firmware_name)
snprintf(config.fwname, sizeof(config.fwname),
"qca/%s", firmware_name);
+ else if (soc_type == QCA_WCN3988)
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/apnv%02x.bin", rom_ver);
else if (qca_is_wcn399x(soc_type)) {
if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
snprintf(config.fwname, sizeof(config.fwname),
diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h
index b83bf202ea604..104bb12c88adf 100644
--- a/drivers/bluetooth/btqca.h
+++ b/drivers/bluetooth/btqca.h
@@ -140,6 +140,7 @@ enum qca_btsoc_type {
QCA_INVALID = -1,
QCA_AR3002,
QCA_ROME,
+ QCA_WCN3988,
QCA_WCN3990,
QCA_WCN3998,
QCA_WCN3991,
@@ -160,8 +161,15 @@ int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr);
int qca_send_pre_shutdown_cmd(struct hci_dev *hdev);
static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type)
{
- return soc_type == QCA_WCN3990 || soc_type == QCA_WCN3991 ||
- soc_type == QCA_WCN3998;
+ switch (soc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ return true;
+ default:
+ return false;
+ }
}
static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type)
{
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 1c2bd292ecb7c..3e67e07161969 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1834,6 +1834,17 @@ static const struct hci_uart_proto qca_proto = {
.dequeue = qca_dequeue,
};
+static const struct qca_device_data qca_soc_data_wcn3988 __maybe_unused = {
+ .soc_type = QCA_WCN3988,
+ .vregs = (struct qca_vreg []) {
+ { "vddio", 15000 },
+ { "vddxo", 80000 },
+ { "vddrf", 300000 },
+ { "vddch0", 450000 },
+ },
+ .num_vregs = 4,
+};
+
static const struct qca_device_data qca_soc_data_wcn3990 __maybe_unused = {
.soc_type = QCA_WCN3990,
.vregs = (struct qca_vreg []) {
@@ -2359,6 +2370,7 @@ static const struct of_device_id qca_bluetooth_of_match[] = {
{ .compatible = "qcom,qca6174-bt" },
{ .compatible = "qcom,qca6390-bt", .data = &qca_soc_data_qca6390},
{ .compatible = "qcom,qca9377-bt" },
+ { .compatible = "qcom,wcn3988-bt", .data = &qca_soc_data_wcn3988},
{ .compatible = "qcom,wcn3990-bt", .data = &qca_soc_data_wcn3990},
{ .compatible = "qcom,wcn3991-bt", .data = &qca_soc_data_wcn3991},
{ .compatible = "qcom,wcn3998-bt", .data = &qca_soc_data_wcn3998},
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 052/356] Bluetooth: qca: use switch case for soc type behavior
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 051/356] Bluetooth: btqca: Add WCN3988 support Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 053/356] Bluetooth: qca: add support for QCA2066 Greg Kroah-Hartman
` (311 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio,
Luiz Augusto von Dentz, Neil Armstrong, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neil Armstrong <neil.armstrong@linaro.org>
[ Upstream commit 691d54d0f7cb14baac1ff4af210d13c0e4897e27 ]
Use switch/case to handle soc type specific behaviour,
the permit dropping the qca_is_xxx() inline functions
and make the code clearer and easier to update for new
SoCs.
Suggested-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btqca.c | 87 +++++++++-----
drivers/bluetooth/btqca.h | 36 ------
drivers/bluetooth/hci_qca.c | 233 +++++++++++++++++++++++++++---------
3 files changed, 236 insertions(+), 120 deletions(-)
diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index 6ae806b9e77f2..b14201b7bcd04 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -602,26 +602,34 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
/* Download rampatch file */
config.type = TLV_TYPE_PATCH;
- if (soc_type == QCA_WCN3988) {
- snprintf(config.fwname, sizeof(config.fwname),
- "qca/apbtfw%02x.tlv", rom_ver);
- } else if (qca_is_wcn399x(soc_type)) {
+ switch (soc_type) {
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
snprintf(config.fwname, sizeof(config.fwname),
"qca/crbtfw%02x.tlv", rom_ver);
- } else if (soc_type == QCA_QCA6390) {
+ break;
+ case QCA_WCN3988:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/apbtfw%02x.tlv", rom_ver);
+ break;
+ case QCA_QCA6390:
snprintf(config.fwname, sizeof(config.fwname),
"qca/htbtfw%02x.tlv", rom_ver);
- } else if (soc_type == QCA_WCN6750) {
+ break;
+ case QCA_WCN6750:
/* Choose mbn file by default.If mbn file is not found
* then choose tlv file
*/
config.type = ELF_TYPE_PATCH;
snprintf(config.fwname, sizeof(config.fwname),
"qca/msbtfw%02x.mbn", rom_ver);
- } else if (soc_type == QCA_WCN6855) {
+ break;
+ case QCA_WCN6855:
snprintf(config.fwname, sizeof(config.fwname),
"qca/hpbtfw%02x.tlv", rom_ver);
- } else {
+ break;
+ default:
snprintf(config.fwname, sizeof(config.fwname),
"qca/rampatch_%08x.bin", soc_ver);
}
@@ -637,33 +645,44 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
/* Download NVM configuration */
config.type = TLV_TYPE_NVM;
- if (firmware_name)
+ if (firmware_name) {
snprintf(config.fwname, sizeof(config.fwname),
"qca/%s", firmware_name);
- else if (soc_type == QCA_WCN3988)
- snprintf(config.fwname, sizeof(config.fwname),
- "qca/apnv%02x.bin", rom_ver);
- else if (qca_is_wcn399x(soc_type)) {
- if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
+ } else {
+ switch (soc_type) {
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/crnv%02xu.bin", rom_ver);
+ } else {
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/crnv%02x.bin", rom_ver);
+ }
+ break;
+ case QCA_WCN3988:
snprintf(config.fwname, sizeof(config.fwname),
- "qca/crnv%02xu.bin", rom_ver);
- } else {
+ "qca/apnv%02x.bin", rom_ver);
+ break;
+ case QCA_QCA6390:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/htnv%02x.bin", rom_ver);
+ break;
+ case QCA_WCN6750:
snprintf(config.fwname, sizeof(config.fwname),
- "qca/crnv%02x.bin", rom_ver);
+ "qca/msnv%02x.bin", rom_ver);
+ break;
+ case QCA_WCN6855:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/hpnv%02x.bin", rom_ver);
+ break;
+
+ default:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/nvm_%08x.bin", soc_ver);
}
}
- else if (soc_type == QCA_QCA6390)
- snprintf(config.fwname, sizeof(config.fwname),
- "qca/htnv%02x.bin", rom_ver);
- else if (soc_type == QCA_WCN6750)
- snprintf(config.fwname, sizeof(config.fwname),
- "qca/msnv%02x.bin", rom_ver);
- else if (soc_type == QCA_WCN6855)
- snprintf(config.fwname, sizeof(config.fwname),
- "qca/hpnv%02x.bin", rom_ver);
- else
- snprintf(config.fwname, sizeof(config.fwname),
- "qca/nvm_%08x.bin", soc_ver);
err = qca_download_firmware(hdev, &config, soc_type, rom_ver);
if (err < 0) {
@@ -671,16 +690,24 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
return err;
}
- if (soc_type >= QCA_WCN3991) {
+ switch (soc_type) {
+ case QCA_WCN3991:
+ case QCA_QCA6390:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
err = qca_disable_soc_logging(hdev);
if (err < 0)
return err;
+ break;
+ default:
+ break;
}
/* WCN399x and WCN6750 supports the Microsoft vendor extension with 0xFD70 as the
* VsMsftOpCode.
*/
switch (soc_type) {
+ case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
case QCA_WCN3998:
diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h
index 104bb12c88adf..fa77c07daecf5 100644
--- a/drivers/bluetooth/btqca.h
+++ b/drivers/bluetooth/btqca.h
@@ -159,27 +159,6 @@ int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver,
enum qca_btsoc_type);
int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr);
int qca_send_pre_shutdown_cmd(struct hci_dev *hdev);
-static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type)
-{
- switch (soc_type) {
- case QCA_WCN3988:
- case QCA_WCN3990:
- case QCA_WCN3991:
- case QCA_WCN3998:
- return true;
- default:
- return false;
- }
-}
-static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type)
-{
- return soc_type == QCA_WCN6750;
-}
-static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type)
-{
- return soc_type == QCA_WCN6855;
-}
-
#else
static inline int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr)
@@ -207,21 +186,6 @@ static inline int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
return -EOPNOTSUPP;
}
-static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type)
-{
- return false;
-}
-
-static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type)
-{
- return false;
-}
-
-static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type)
-{
- return false;
-}
-
static inline int qca_send_pre_shutdown_cmd(struct hci_dev *hdev)
{
return -EOPNOTSUPP;
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 3e67e07161969..62491e7610384 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -606,9 +606,18 @@ static int qca_open(struct hci_uart *hu)
if (hu->serdev) {
qcadev = serdev_device_get_drvdata(hu->serdev);
- if (qca_is_wcn399x(qcadev->btsoc_type) ||
- qca_is_wcn6750(qcadev->btsoc_type))
+ switch (qcadev->btsoc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ case QCA_WCN6750:
hu->init_speed = qcadev->init_speed;
+ break;
+
+ default:
+ break;
+ }
if (qcadev->oper_speed)
hu->oper_speed = qcadev->oper_speed;
@@ -1314,12 +1323,19 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate)
msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
/* Give the controller time to process the request */
- if (qca_is_wcn399x(qca_soc_type(hu)) ||
- qca_is_wcn6750(qca_soc_type(hu)) ||
- qca_is_wcn6855(qca_soc_type(hu)))
+ switch (qca_soc_type(hu)) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
usleep_range(1000, 10000);
- else
+ break;
+
+ default:
msleep(300);
+ }
return 0;
}
@@ -1392,13 +1408,19 @@ static unsigned int qca_get_speed(struct hci_uart *hu,
static int qca_check_speeds(struct hci_uart *hu)
{
- if (qca_is_wcn399x(qca_soc_type(hu)) ||
- qca_is_wcn6750(qca_soc_type(hu)) ||
- qca_is_wcn6855(qca_soc_type(hu))) {
+ switch (qca_soc_type(hu)) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
if (!qca_get_speed(hu, QCA_INIT_SPEED) &&
!qca_get_speed(hu, QCA_OPER_SPEED))
return -EINVAL;
- } else {
+ break;
+
+ default:
if (!qca_get_speed(hu, QCA_INIT_SPEED) ||
!qca_get_speed(hu, QCA_OPER_SPEED))
return -EINVAL;
@@ -1427,14 +1449,28 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type)
/* Disable flow control for wcn3990 to deassert RTS while
* changing the baudrate of chip and host.
*/
- if (qca_is_wcn399x(soc_type) ||
- qca_is_wcn6750(soc_type) ||
- qca_is_wcn6855(soc_type))
+ switch (soc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
hci_uart_set_flow_control(hu, true);
+ break;
- if (soc_type == QCA_WCN3990) {
+ default:
+ break;
+ }
+
+ switch (soc_type) {
+ case QCA_WCN3990:
reinit_completion(&qca->drop_ev_comp);
set_bit(QCA_DROP_VENDOR_EVENT, &qca->flags);
+ break;
+
+ default:
+ break;
}
qca_baudrate = qca_get_baudrate_value(speed);
@@ -1446,12 +1482,22 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type)
host_set_baudrate(hu, speed);
error:
- if (qca_is_wcn399x(soc_type) ||
- qca_is_wcn6750(soc_type) ||
- qca_is_wcn6855(soc_type))
+ switch (soc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
hci_uart_set_flow_control(hu, false);
+ break;
- if (soc_type == QCA_WCN3990) {
+ default:
+ break;
+ }
+
+ switch (soc_type) {
+ case QCA_WCN3990:
/* Wait for the controller to send the vendor event
* for the baudrate change command.
*/
@@ -1463,6 +1509,10 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type)
}
clear_bit(QCA_DROP_VENDOR_EVENT, &qca->flags);
+ break;
+
+ default:
+ break;
}
}
@@ -1627,12 +1677,20 @@ static int qca_regulator_init(struct hci_uart *hu)
}
}
- if (qca_is_wcn399x(soc_type)) {
+ switch (soc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
/* Forcefully enable wcn399x to enter in to boot mode. */
host_set_baudrate(hu, 2400);
ret = qca_send_power_pulse(hu, false);
if (ret)
return ret;
+ break;
+
+ default:
+ break;
}
/* For wcn6750 need to enable gpio bt_en */
@@ -1649,10 +1707,18 @@ static int qca_regulator_init(struct hci_uart *hu)
qca_set_speed(hu, QCA_INIT_SPEED);
- if (qca_is_wcn399x(soc_type)) {
+ switch (soc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
ret = qca_send_power_pulse(hu, true);
if (ret)
return ret;
+ break;
+
+ default:
+ break;
}
/* Now the device is in ready state to communicate with host.
@@ -1686,11 +1752,17 @@ static int qca_power_on(struct hci_dev *hdev)
if (!hu->serdev)
return 0;
- if (qca_is_wcn399x(soc_type) ||
- qca_is_wcn6750(soc_type) ||
- qca_is_wcn6855(soc_type)) {
+ switch (soc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
ret = qca_regulator_init(hu);
- } else {
+ break;
+
+ default:
qcadev = serdev_device_get_drvdata(hu->serdev);
if (qcadev->bt_en) {
gpiod_set_value_cansleep(qcadev->bt_en, 1);
@@ -1713,6 +1785,7 @@ static int qca_setup(struct hci_uart *hu)
const char *firmware_name = qca_get_firmware_name(hu);
int ret;
struct qca_btsoc_version ver;
+ const char *soc_name;
ret = qca_check_speeds(hu);
if (ret)
@@ -1727,10 +1800,26 @@ static int qca_setup(struct hci_uart *hu)
*/
set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
- bt_dev_info(hdev, "setting up %s",
- qca_is_wcn399x(soc_type) ? "wcn399x" :
- (soc_type == QCA_WCN6750) ? "wcn6750" :
- (soc_type == QCA_WCN6855) ? "wcn6855" : "ROME/QCA6390");
+ switch (soc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ soc_name = "wcn399x";
+ break;
+
+ case QCA_WCN6750:
+ soc_name = "wcn6750";
+ break;
+
+ case QCA_WCN6855:
+ soc_name = "wcn6855";
+ break;
+
+ default:
+ soc_name = "ROME/QCA6390";
+ }
+ bt_dev_info(hdev, "setting up %s", soc_name);
qca->memdump_state = QCA_MEMDUMP_IDLE;
@@ -1741,15 +1830,21 @@ static int qca_setup(struct hci_uart *hu)
clear_bit(QCA_SSR_TRIGGERED, &qca->flags);
- if (qca_is_wcn399x(soc_type) ||
- qca_is_wcn6750(soc_type) ||
- qca_is_wcn6855(soc_type)) {
+ switch (soc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
ret = qca_read_soc_version(hdev, &ver, soc_type);
if (ret)
goto out;
- } else {
+ break;
+
+ default:
qca_set_speed(hu, QCA_INIT_SPEED);
}
@@ -1763,9 +1858,16 @@ static int qca_setup(struct hci_uart *hu)
qca_baudrate = qca_get_baudrate_value(speed);
}
- if (!(qca_is_wcn399x(soc_type) ||
- qca_is_wcn6750(soc_type) ||
- qca_is_wcn6855(soc_type))) {
+ switch (soc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
+ break;
+
+ default:
/* Get QCA version information */
ret = qca_read_soc_version(hdev, &ver, soc_type);
if (ret)
@@ -1941,11 +2043,18 @@ static void qca_power_shutdown(struct hci_uart *hu)
qcadev = serdev_device_get_drvdata(hu->serdev);
- if (qca_is_wcn399x(soc_type)) {
+ switch (soc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
host_set_baudrate(hu, 2400);
qca_send_power_pulse(hu, false);
qca_regulator_disable(qcadev);
- } else if (soc_type == QCA_WCN6750 || soc_type == QCA_WCN6855) {
+ break;
+
+ case QCA_WCN6750:
+ case QCA_WCN6855:
gpiod_set_value_cansleep(qcadev->bt_en, 0);
msleep(100);
qca_regulator_disable(qcadev);
@@ -1953,7 +2062,9 @@ static void qca_power_shutdown(struct hci_uart *hu)
sw_ctrl_state = gpiod_get_value_cansleep(qcadev->sw_ctrl);
bt_dev_dbg(hu->hdev, "SW_CTRL is %d", sw_ctrl_state);
}
- } else if (qcadev->bt_en) {
+ break;
+
+ default:
gpiod_set_value_cansleep(qcadev->bt_en, 0);
}
@@ -2078,11 +2189,18 @@ static int qca_serdev_probe(struct serdev_device *serdev)
if (!qcadev->oper_speed)
BT_DBG("UART will pick default operating speed");
- if (data &&
- (qca_is_wcn399x(data->soc_type) ||
- qca_is_wcn6750(data->soc_type) ||
- qca_is_wcn6855(data->soc_type))) {
+ if (data)
qcadev->btsoc_type = data->soc_type;
+ else
+ qcadev->btsoc_type = QCA_ROME;
+
+ switch (qcadev->btsoc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
qcadev->bt_power = devm_kzalloc(&serdev->dev,
sizeof(struct qca_power),
GFP_KERNEL);
@@ -2126,12 +2244,9 @@ static int qca_serdev_probe(struct serdev_device *serdev)
BT_ERR("wcn3990 serdev registration failed");
return err;
}
- } else {
- if (data)
- qcadev->btsoc_type = data->soc_type;
- else
- qcadev->btsoc_type = QCA_ROME;
+ break;
+ default:
qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable",
GPIOD_OUT_LOW);
if (IS_ERR(qcadev->bt_en)) {
@@ -2187,13 +2302,23 @@ static void qca_serdev_remove(struct serdev_device *serdev)
struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
struct qca_power *power = qcadev->bt_power;
- if ((qca_is_wcn399x(qcadev->btsoc_type) ||
- qca_is_wcn6750(qcadev->btsoc_type) ||
- qca_is_wcn6855(qcadev->btsoc_type)) &&
- power->vregs_on)
- qca_power_shutdown(&qcadev->serdev_hu);
- else if (qcadev->susclk)
- clk_disable_unprepare(qcadev->susclk);
+ switch (qcadev->btsoc_type) {
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
+ if (power->vregs_on) {
+ qca_power_shutdown(&qcadev->serdev_hu);
+ break;
+ }
+ fallthrough;
+
+ default:
+ if (qcadev->susclk)
+ clk_disable_unprepare(qcadev->susclk);
+ }
hci_uart_unregister_device(&qcadev->serdev_hu);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 053/356] Bluetooth: qca: add support for QCA2066
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 052/356] Bluetooth: qca: use switch case for soc type behavior Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 054/356] Bluetooth: qca: fix info leak when fetching fw build id Greg Kroah-Hartman
` (310 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Jiang, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Jiang <quic_tjiang@quicinc.com>
[ Upstream commit a7f8dedb4be2cc930a29af24427b885405ecd15d ]
This patch adds support for QCA2066 firmware patch and NVM downloading.
as the RF performance of QCA2066 SOC chip from different foundries may
vary. Therefore we use different NVM to configure them based on board ID.
Changes in v2
- optimize the function qca_generate_hsp_nvm_name
- remove redundant debug code for function qca_read_fw_board_id
Signed-off-by: Tim Jiang <quic_tjiang@quicinc.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btqca.c | 68 +++++++++++++++++++++++++++++++++++++
drivers/bluetooth/btqca.h | 5 ++-
drivers/bluetooth/hci_qca.c | 11 ++++++
3 files changed, 83 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index b14201b7bcd04..abd621d224667 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -160,6 +160,44 @@ static int qca_send_reset(struct hci_dev *hdev)
return 0;
}
+static int qca_read_fw_board_id(struct hci_dev *hdev, u16 *bid)
+{
+ u8 cmd;
+ struct sk_buff *skb;
+ struct edl_event_hdr *edl;
+ int err = 0;
+
+ cmd = EDL_GET_BID_REQ_CMD;
+ skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, EDL_PATCH_CMD_LEN,
+ &cmd, 0, HCI_INIT_TIMEOUT);
+ if (IS_ERR(skb)) {
+ err = PTR_ERR(skb);
+ bt_dev_err(hdev, "Reading QCA board ID failed (%d)", err);
+ return err;
+ }
+
+ edl = skb_pull_data(skb, sizeof(*edl));
+ if (!edl) {
+ bt_dev_err(hdev, "QCA read board ID with no header");
+ err = -EILSEQ;
+ goto out;
+ }
+
+ if (edl->cresp != EDL_CMD_REQ_RES_EVT ||
+ edl->rtype != EDL_GET_BID_REQ_CMD) {
+ bt_dev_err(hdev, "QCA Wrong packet: %d %d", edl->cresp, edl->rtype);
+ err = -EIO;
+ goto out;
+ }
+
+ *bid = (edl->data[1] << 8) + edl->data[2];
+ bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid);
+
+out:
+ kfree_skb(skb);
+ return err;
+}
+
int qca_send_pre_shutdown_cmd(struct hci_dev *hdev)
{
struct sk_buff *skb;
@@ -575,6 +613,23 @@ int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr)
}
EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome);
+static void qca_generate_hsp_nvm_name(char *fwname, size_t max_size,
+ struct qca_btsoc_version ver, u8 rom_ver, u16 bid)
+{
+ const char *variant;
+
+ /* hsp gf chip */
+ if ((le32_to_cpu(ver.soc_id) & QCA_HSP_GF_SOC_MASK) == QCA_HSP_GF_SOC_ID)
+ variant = "g";
+ else
+ variant = "";
+
+ if (bid == 0x0)
+ snprintf(fwname, max_size, "qca/hpnv%02x%s.bin", rom_ver, variant);
+ else
+ snprintf(fwname, max_size, "qca/hpnv%02x%s.%x", rom_ver, variant, bid);
+}
+
int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
enum qca_btsoc_type soc_type, struct qca_btsoc_version ver,
const char *firmware_name)
@@ -583,6 +638,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
int err;
u8 rom_ver = 0;
u32 soc_ver;
+ u16 boardid = 0;
bt_dev_dbg(hdev, "QCA setup on UART");
@@ -613,6 +669,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
snprintf(config.fwname, sizeof(config.fwname),
"qca/apbtfw%02x.tlv", rom_ver);
break;
+ case QCA_QCA2066:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/hpbtfw%02x.tlv", rom_ver);
+ break;
case QCA_QCA6390:
snprintf(config.fwname, sizeof(config.fwname),
"qca/htbtfw%02x.tlv", rom_ver);
@@ -643,6 +703,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
/* Give the controller some time to get ready to receive the NVM */
msleep(10);
+ if (soc_type == QCA_QCA2066)
+ qca_read_fw_board_id(hdev, &boardid);
+
/* Download NVM configuration */
config.type = TLV_TYPE_NVM;
if (firmware_name) {
@@ -665,6 +728,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
snprintf(config.fwname, sizeof(config.fwname),
"qca/apnv%02x.bin", rom_ver);
break;
+ case QCA_QCA2066:
+ qca_generate_hsp_nvm_name(config.fwname,
+ sizeof(config.fwname), ver, rom_ver, boardid);
+ break;
case QCA_QCA6390:
snprintf(config.fwname, sizeof(config.fwname),
"qca/htnv%02x.bin", rom_ver);
@@ -692,6 +759,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
switch (soc_type) {
case QCA_WCN3991:
+ case QCA_QCA2066:
case QCA_QCA6390:
case QCA_WCN6750:
case QCA_WCN6855:
diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h
index fa77c07daecf5..d69ecfdef2a20 100644
--- a/drivers/bluetooth/btqca.h
+++ b/drivers/bluetooth/btqca.h
@@ -12,6 +12,7 @@
#define EDL_PATCH_VER_REQ_CMD (0x19)
#define EDL_PATCH_TLV_REQ_CMD (0x1E)
#define EDL_GET_BUILD_INFO_CMD (0x20)
+#define EDL_GET_BID_REQ_CMD (0x23)
#define EDL_NVM_ACCESS_SET_REQ_CMD (0x01)
#define MAX_SIZE_PER_TLV_SEGMENT (243)
#define QCA_PRE_SHUTDOWN_CMD (0xFC08)
@@ -45,7 +46,8 @@
((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver)))
#define QCA_FW_BUILD_VER_LEN 255
-
+#define QCA_HSP_GF_SOC_ID 0x1200
+#define QCA_HSP_GF_SOC_MASK 0x0000ff00
enum qca_baudrate {
QCA_BAUDRATE_115200 = 0,
@@ -144,6 +146,7 @@ enum qca_btsoc_type {
QCA_WCN3990,
QCA_WCN3998,
QCA_WCN3991,
+ QCA_QCA2066,
QCA_QCA6390,
QCA_WCN6750,
QCA_WCN6855,
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 62491e7610384..0800f6e62b7f0 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1801,6 +1801,10 @@ static int qca_setup(struct hci_uart *hu)
set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
switch (soc_type) {
+ case QCA_QCA2066:
+ soc_name = "qca2066";
+ break;
+
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -1981,6 +1985,11 @@ static const struct qca_device_data qca_soc_data_wcn3998 __maybe_unused = {
.num_vregs = 4,
};
+static const struct qca_device_data qca_soc_data_qca2066 __maybe_unused = {
+ .soc_type = QCA_QCA2066,
+ .num_vregs = 0,
+};
+
static const struct qca_device_data qca_soc_data_qca6390 __maybe_unused = {
.soc_type = QCA_QCA6390,
.num_vregs = 0,
@@ -2492,6 +2501,7 @@ static SIMPLE_DEV_PM_OPS(qca_pm_ops, qca_suspend, qca_resume);
#ifdef CONFIG_OF
static const struct of_device_id qca_bluetooth_of_match[] = {
+ { .compatible = "qcom,qca2066-bt", .data = &qca_soc_data_qca2066},
{ .compatible = "qcom,qca6174-bt" },
{ .compatible = "qcom,qca6390-bt", .data = &qca_soc_data_qca6390},
{ .compatible = "qcom,qca9377-bt" },
@@ -2508,6 +2518,7 @@ MODULE_DEVICE_TABLE(of, qca_bluetooth_of_match);
#ifdef CONFIG_ACPI
static const struct acpi_device_id qca_bluetooth_acpi_match[] = {
+ { "QCOM2066", (kernel_ulong_t)&qca_soc_data_qca2066 },
{ "QCOM6390", (kernel_ulong_t)&qca_soc_data_qca6390 },
{ "DLA16390", (kernel_ulong_t)&qca_soc_data_qca6390 },
{ "DLB16390", (kernel_ulong_t)&qca_soc_data_qca6390 },
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 054/356] Bluetooth: qca: fix info leak when fetching fw build id
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 053/356] Bluetooth: qca: add support for QCA2066 Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 055/356] serial: sc16is7xx: replace hardcoded divisor value with BIT() macro Greg Kroah-Hartman
` (309 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
[ Upstream commit cda0d6a198e2a7ec6f176c36173a57bdd8af7af2 ]
Add the missing sanity checks and move the 255-byte build-id buffer off
the stack to avoid leaking stack data through debugfs in case the
build-info reply is malformed.
Fixes: c0187b0bd3e9 ("Bluetooth: btqca: Add support to read FW build version for WCN3991 BTSoC")
Cc: stable@vger.kernel.org # 5.12
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btqca.c | 25 +++++++++++++++++++++----
drivers/bluetooth/btqca.h | 1 -
2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index abd621d224667..7011151420e48 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -98,7 +98,8 @@ static int qca_read_fw_build_info(struct hci_dev *hdev)
{
struct sk_buff *skb;
struct edl_event_hdr *edl;
- char cmd, build_label[QCA_FW_BUILD_VER_LEN];
+ char *build_label;
+ char cmd;
int build_lbl_len, err = 0;
bt_dev_dbg(hdev, "QCA read fw build info");
@@ -113,6 +114,11 @@ static int qca_read_fw_build_info(struct hci_dev *hdev)
return err;
}
+ if (skb->len < sizeof(*edl)) {
+ err = -EILSEQ;
+ goto out;
+ }
+
edl = (struct edl_event_hdr *)(skb->data);
if (!edl) {
bt_dev_err(hdev, "QCA read fw build info with no header");
@@ -128,14 +134,25 @@ static int qca_read_fw_build_info(struct hci_dev *hdev)
goto out;
}
+ if (skb->len < sizeof(*edl) + 1) {
+ err = -EILSEQ;
+ goto out;
+ }
+
build_lbl_len = edl->data[0];
- if (build_lbl_len <= QCA_FW_BUILD_VER_LEN - 1) {
- memcpy(build_label, edl->data + 1, build_lbl_len);
- *(build_label + build_lbl_len) = '\0';
+
+ if (skb->len < sizeof(*edl) + 1 + build_lbl_len) {
+ err = -EILSEQ;
+ goto out;
}
+ build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL);
+ if (!build_label)
+ goto out;
+
hci_set_fw_info(hdev, "%s", build_label);
+ kfree(build_label);
out:
kfree_skb(skb);
return err;
diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h
index d69ecfdef2a20..6a6a286bc8547 100644
--- a/drivers/bluetooth/btqca.h
+++ b/drivers/bluetooth/btqca.h
@@ -45,7 +45,6 @@
#define get_soc_ver(soc_id, rom_ver) \
((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver)))
-#define QCA_FW_BUILD_VER_LEN 255
#define QCA_HSP_GF_SOC_ID 0x1200
#define QCA_HSP_GF_SOC_MASK 0x0000ff00
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 055/356] serial: sc16is7xx: replace hardcoded divisor value with BIT() macro
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 054/356] Bluetooth: qca: fix info leak when fetching fw build id Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 056/356] serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler Greg Kroah-Hartman
` (308 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Hugo Villeneuve,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
[ Upstream commit 2e57cefc4477659527f7adab1f87cdbf60ef1ae6 ]
To better show why the limit is what it is, since we have only 16 bits for
the divisor.
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Link: https://lore.kernel.org/r/20231221231823.2327894-13-hugo@hugovil.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 8492bd91aa05 ("serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sc16is7xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
index 35f8675db1d89..25e625c2ee74b 100644
--- a/drivers/tty/serial/sc16is7xx.c
+++ b/drivers/tty/serial/sc16is7xx.c
@@ -497,7 +497,7 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud)
u8 prescaler = 0;
unsigned long clk = port->uartclk, div = clk / 16 / baud;
- if (div > 0xffff) {
+ if (div >= BIT(16)) {
prescaler = SC16IS7XX_MCR_CLKSEL_BIT;
div /= 4;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 056/356] serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 055/356] serial: sc16is7xx: replace hardcoded divisor value with BIT() macro Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 057/356] x86/ibt,ftrace: Search for __fentry__ location Greg Kroah-Hartman
` (307 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hugo Villeneuve, Jiri Slaby,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
[ Upstream commit 8492bd91aa055907c67ef04f2b56f6dadd1f44bf ]
When using a high speed clock with a low baud rate, the 4x prescaler is
automatically selected if required. In that case, sc16is7xx_set_baud()
properly configures the chip registers, but returns an incorrect baud
rate by not taking into account the prescaler value. This incorrect baud
rate is then fed to uart_update_timeout().
For example, with an input clock of 80MHz, and a selected baud rate of 50,
sc16is7xx_set_baud() will return 200 instead of 50.
Fix this by first changing the prescaler variable to hold the selected
prescaler value instead of the MCR bitfield. Then properly take into
account the selected prescaler value in the return value computation.
Also add better documentation about the divisor value computation.
Fixes: dfeae619d781 ("serial: sc16is7xx")
Cc: stable@vger.kernel.org
Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/20240430200431.4102923-1-hugo@hugovil.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sc16is7xx.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
index 25e625c2ee74b..d274a847c6ab3 100644
--- a/drivers/tty/serial/sc16is7xx.c
+++ b/drivers/tty/serial/sc16is7xx.c
@@ -490,16 +490,28 @@ static bool sc16is7xx_regmap_noinc(struct device *dev, unsigned int reg)
return reg == SC16IS7XX_RHR_REG;
}
+/*
+ * Configure programmable baud rate generator (divisor) according to the
+ * desired baud rate.
+ *
+ * From the datasheet, the divisor is computed according to:
+ *
+ * XTAL1 input frequency
+ * -----------------------
+ * prescaler
+ * divisor = ---------------------------
+ * baud-rate x sampling-rate
+ */
static int sc16is7xx_set_baud(struct uart_port *port, int baud)
{
struct sc16is7xx_port *s = dev_get_drvdata(port->dev);
u8 lcr;
- u8 prescaler = 0;
+ unsigned int prescaler = 1;
unsigned long clk = port->uartclk, div = clk / 16 / baud;
if (div >= BIT(16)) {
- prescaler = SC16IS7XX_MCR_CLKSEL_BIT;
- div /= 4;
+ prescaler = 4;
+ div /= prescaler;
}
/* In an amazing feat of design, the Enhanced Features Register shares
@@ -534,9 +546,10 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud)
mutex_unlock(&s->efr_lock);
+ /* If bit MCR_CLKSEL is set, the divide by 4 prescaler is activated. */
sc16is7xx_port_update(port, SC16IS7XX_MCR_REG,
SC16IS7XX_MCR_CLKSEL_BIT,
- prescaler);
+ prescaler == 1 ? 0 : SC16IS7XX_MCR_CLKSEL_BIT);
/* Open the LCR divisors for configuration */
sc16is7xx_port_write(port, SC16IS7XX_LCR_REG,
@@ -551,7 +564,7 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud)
/* Put LCR back to the normal mode */
sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr);
- return DIV_ROUND_CLOSEST(clk / 16, div);
+ return DIV_ROUND_CLOSEST((clk / prescaler) / 16, div);
}
static void sc16is7xx_handle_rx(struct uart_port *port, unsigned int rxlen,
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 057/356] x86/ibt,ftrace: Search for __fentry__ location
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 056/356] serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 058/356] ftrace: Fix possible use-after-free issue in ftrace_location() Greg Kroah-Hartman
` (306 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt,
Peter Zijlstra (Intel), Masami Hiramatsu, Josh Poimboeuf,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit aebfd12521d9c7d0b502cf6d06314cfbcdccfe3b ]
Currently a lot of ftrace code assumes __fentry__ is at sym+0. However
with Intel IBT enabled the first instruction of a function will most
likely be ENDBR.
Change ftrace_location() to not only return the __fentry__ location
when called for the __fentry__ location, but also when called for the
sym+0 location.
Then audit/update all callsites of this function to consistently use
these new semantics.
Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
Link: https://lore.kernel.org/r/20220308154318.227581603@infradead.org
Stable-dep-of: e60b613df8b6 ("ftrace: Fix possible use-after-free issue in ftrace_location()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/kprobes/core.c | 11 ++------
kernel/bpf/trampoline.c | 20 +++-----------
kernel/kprobes.c | 8 ++----
kernel/trace/ftrace.c | 48 ++++++++++++++++++++++++++++------
4 files changed, 48 insertions(+), 39 deletions(-)
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 893f040b97b7d..99dd504307fdc 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -194,17 +194,10 @@ static unsigned long
__recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr)
{
struct kprobe *kp;
- unsigned long faddr;
+ bool faddr;
kp = get_kprobe((void *)addr);
- faddr = ftrace_location(addr);
- /*
- * Addresses inside the ftrace location are refused by
- * arch_check_ftrace_location(). Something went terribly wrong
- * if such an address is checked here.
- */
- if (WARN_ON(faddr && faddr != addr))
- return 0UL;
+ faddr = ftrace_location(addr) == addr;
/*
* Use the current code if it is not modified by Kprobe
* and it cannot be modified by ftrace.
diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
index 4fa75791b45e2..1bffee0458863 100644
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -108,18 +108,6 @@ static void bpf_trampoline_module_put(struct bpf_trampoline *tr)
tr->mod = NULL;
}
-static int is_ftrace_location(void *ip)
-{
- long addr;
-
- addr = ftrace_location((long)ip);
- if (!addr)
- return 0;
- if (WARN_ON_ONCE(addr != (long)ip))
- return -EFAULT;
- return 1;
-}
-
static int unregister_fentry(struct bpf_trampoline *tr, void *old_addr)
{
void *ip = tr->func.addr;
@@ -151,12 +139,12 @@ static int modify_fentry(struct bpf_trampoline *tr, void *old_addr, void *new_ad
static int register_fentry(struct bpf_trampoline *tr, void *new_addr)
{
void *ip = tr->func.addr;
+ unsigned long faddr;
int ret;
- ret = is_ftrace_location(ip);
- if (ret < 0)
- return ret;
- tr->func.ftrace_managed = ret;
+ faddr = ftrace_location((unsigned long)ip);
+ if (faddr)
+ tr->func.ftrace_managed = true;
if (bpf_trampoline_module_get(tr))
return -ENOENT;
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index af57705e1fef3..258d425b2c4a5 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1526,14 +1526,10 @@ static inline int warn_kprobe_rereg(struct kprobe *p)
int __weak arch_check_ftrace_location(struct kprobe *p)
{
- unsigned long ftrace_addr;
+ unsigned long addr = (unsigned long)p->addr;
- ftrace_addr = ftrace_location((unsigned long)p->addr);
- if (ftrace_addr) {
+ if (ftrace_location(addr) == addr) {
#ifdef CONFIG_KPROBES_ON_FTRACE
- /* Given address is not on the instruction boundary */
- if ((unsigned long)p->addr != ftrace_addr)
- return -EILSEQ;
p->flags |= KPROBE_FLAG_FTRACE;
#else /* !CONFIG_KPROBES_ON_FTRACE */
return -EINVAL;
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 157a1d2d9802f..3dce1a107a7c7 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1575,17 +1575,34 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end)
}
/**
- * ftrace_location - return true if the ip giving is a traced location
+ * ftrace_location - return the ftrace location
* @ip: the instruction pointer to check
*
- * Returns rec->ip if @ip given is a pointer to a ftrace location.
- * That is, the instruction that is either a NOP or call to
- * the function tracer. It checks the ftrace internal tables to
- * determine if the address belongs or not.
+ * If @ip matches the ftrace location, return @ip.
+ * If @ip matches sym+0, return sym's ftrace location.
+ * Otherwise, return 0.
*/
unsigned long ftrace_location(unsigned long ip)
{
- return ftrace_location_range(ip, ip);
+ struct dyn_ftrace *rec;
+ unsigned long offset;
+ unsigned long size;
+
+ rec = lookup_rec(ip, ip);
+ if (!rec) {
+ if (!kallsyms_lookup_size_offset(ip, &size, &offset))
+ goto out;
+
+ /* map sym+0 to __fentry__ */
+ if (!offset)
+ rec = lookup_rec(ip, ip + size - 1);
+ }
+
+ if (rec)
+ return rec->ip;
+
+out:
+ return 0;
}
/**
@@ -4942,7 +4959,8 @@ ftrace_match_addr(struct ftrace_hash *hash, unsigned long ip, int remove)
{
struct ftrace_func_entry *entry;
- if (!ftrace_location(ip))
+ ip = ftrace_location(ip);
+ if (!ip)
return -EINVAL;
if (remove) {
@@ -5090,11 +5108,16 @@ int register_ftrace_direct(unsigned long ip, unsigned long addr)
struct ftrace_func_entry *entry;
struct ftrace_hash *free_hash = NULL;
struct dyn_ftrace *rec;
- int ret = -EBUSY;
+ int ret = -ENODEV;
mutex_lock(&direct_mutex);
+ ip = ftrace_location(ip);
+ if (!ip)
+ goto out_unlock;
+
/* See if there's a direct function at @ip already */
+ ret = -EBUSY;
if (ftrace_find_rec_direct(ip))
goto out_unlock;
@@ -5223,6 +5246,10 @@ int unregister_ftrace_direct(unsigned long ip, unsigned long addr)
mutex_lock(&direct_mutex);
+ ip = ftrace_location(ip);
+ if (!ip)
+ goto out_unlock;
+
entry = find_direct_entry(&ip, NULL);
if (!entry)
goto out_unlock;
@@ -5354,6 +5381,11 @@ int modify_ftrace_direct(unsigned long ip,
mutex_lock(&direct_mutex);
mutex_lock(&ftrace_lock);
+
+ ip = ftrace_location(ip);
+ if (!ip)
+ goto out_unlock;
+
entry = find_direct_entry(&ip, &rec);
if (!entry)
goto out_unlock;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 058/356] ftrace: Fix possible use-after-free issue in ftrace_location()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 057/356] x86/ibt,ftrace: Search for __fentry__ location Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 059/356] mmc: davinci_mmc: Convert to platform remove callback returning void Greg Kroah-Hartman
` (305 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, mhiramat, mark.rutland,
mathieu.desnoyers, Steven Rostedt, Zheng Yejian, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Yejian <zhengyejian1@huawei.com>
[ Upstream commit e60b613df8b6253def41215402f72986fee3fc8d ]
KASAN reports a bug:
BUG: KASAN: use-after-free in ftrace_location+0x90/0x120
Read of size 8 at addr ffff888141d40010 by task insmod/424
CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+
[...]
Call Trace:
<TASK>
dump_stack_lvl+0x68/0xa0
print_report+0xcf/0x610
kasan_report+0xb5/0xe0
ftrace_location+0x90/0x120
register_kprobe+0x14b/0xa40
kprobe_init+0x2d/0xff0 [kprobe_example]
do_one_initcall+0x8f/0x2d0
do_init_module+0x13a/0x3c0
load_module+0x3082/0x33d0
init_module_from_file+0xd2/0x130
__x64_sys_finit_module+0x306/0x440
do_syscall_64+0x68/0x140
entry_SYSCALL_64_after_hwframe+0x71/0x79
The root cause is that, in lookup_rec(), ftrace record of some address
is being searched in ftrace pages of some module, but those ftrace pages
at the same time is being freed in ftrace_release_mod() as the
corresponding module is being deleted:
CPU1 | CPU2
register_kprobes() { | delete_module() {
check_kprobe_address_safe() { |
arch_check_ftrace_location() { |
ftrace_location() { |
lookup_rec() // USE! | ftrace_release_mod() // Free!
To fix this issue:
1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();
2. Use ftrace_location_range() instead of lookup_rec() in
ftrace_location();
3. Call synchronize_rcu() before freeing any ftrace pages both in
ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().
Link: https://lore.kernel.org/linux-trace-kernel/20240509192859.1273558-1-zhengyejian1@huawei.com
Cc: stable@vger.kernel.org
Cc: <mhiramat@kernel.org>
Cc: <mark.rutland@arm.com>
Cc: <mathieu.desnoyers@efficios.com>
Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization")
Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/ftrace.c | 39 +++++++++++++++++++++++----------------
1 file changed, 23 insertions(+), 16 deletions(-)
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 3dce1a107a7c7..780f1c0563f58 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1566,12 +1566,15 @@ static struct dyn_ftrace *lookup_rec(unsigned long start, unsigned long end)
unsigned long ftrace_location_range(unsigned long start, unsigned long end)
{
struct dyn_ftrace *rec;
+ unsigned long ip = 0;
+ rcu_read_lock();
rec = lookup_rec(start, end);
if (rec)
- return rec->ip;
+ ip = rec->ip;
+ rcu_read_unlock();
- return 0;
+ return ip;
}
/**
@@ -1584,25 +1587,22 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end)
*/
unsigned long ftrace_location(unsigned long ip)
{
- struct dyn_ftrace *rec;
+ unsigned long loc;
unsigned long offset;
unsigned long size;
- rec = lookup_rec(ip, ip);
- if (!rec) {
+ loc = ftrace_location_range(ip, ip);
+ if (!loc) {
if (!kallsyms_lookup_size_offset(ip, &size, &offset))
goto out;
/* map sym+0 to __fentry__ */
if (!offset)
- rec = lookup_rec(ip, ip + size - 1);
+ loc = ftrace_location_range(ip, ip + size - 1);
}
- if (rec)
- return rec->ip;
-
out:
- return 0;
+ return loc;
}
/**
@@ -6325,6 +6325,8 @@ static int ftrace_process_locs(struct module *mod,
/* We should have used all pages unless we skipped some */
if (pg_unuse) {
WARN_ON(!skipped);
+ /* Need to synchronize with ftrace_location_range() */
+ synchronize_rcu();
ftrace_free_pages(pg_unuse);
}
return ret;
@@ -6507,6 +6509,9 @@ void ftrace_release_mod(struct module *mod)
out_unlock:
mutex_unlock(&ftrace_lock);
+ /* Need to synchronize with ftrace_location_range() */
+ if (tmp_page)
+ synchronize_rcu();
for (pg = tmp_page; pg; pg = tmp_page) {
/* Needs to be called outside of ftrace_lock */
@@ -6829,6 +6834,7 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr)
unsigned long start = (unsigned long)(start_ptr);
unsigned long end = (unsigned long)(end_ptr);
struct ftrace_page **last_pg = &ftrace_pages_start;
+ struct ftrace_page *tmp_page = NULL;
struct ftrace_page *pg;
struct dyn_ftrace *rec;
struct dyn_ftrace key;
@@ -6872,12 +6878,8 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr)
ftrace_update_tot_cnt--;
if (!pg->index) {
*last_pg = pg->next;
- if (pg->records) {
- free_pages((unsigned long)pg->records, pg->order);
- ftrace_number_of_pages -= 1 << pg->order;
- }
- ftrace_number_of_groups--;
- kfree(pg);
+ pg->next = tmp_page;
+ tmp_page = pg;
pg = container_of(last_pg, struct ftrace_page, next);
if (!(*last_pg))
ftrace_pages = pg;
@@ -6894,6 +6896,11 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr)
clear_func_from_hashes(func);
kfree(func);
}
+ /* Need to synchronize with ftrace_location_range() */
+ if (tmp_page) {
+ synchronize_rcu();
+ ftrace_free_pages(tmp_page);
+ }
}
void __init ftrace_free_init_mem(void)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 059/356] mmc: davinci_mmc: Convert to platform remove callback returning void
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 058/356] ftrace: Fix possible use-after-free issue in ftrace_location() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 060/356] mmc: davinci: Dont strip remove function when driver is builtin Greg Kroah-Hartman
` (304 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Yangtao Li,
Ulf Hansson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yangtao Li <frank.li@vivo.com>
[ Upstream commit bc1711e8332da03648d8fe1950189237e66313af ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Yangtao Li <frank.li@vivo.com>
Link: https://lore.kernel.org/r/20230727070051.17778-7-frank.li@vivo.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Stable-dep-of: 55c421b36448 ("mmc: davinci: Don't strip remove function when driver is builtin")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/davinci_mmc.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
index 80de660027d89..36c45867eb643 100644
--- a/drivers/mmc/host/davinci_mmc.c
+++ b/drivers/mmc/host/davinci_mmc.c
@@ -1347,7 +1347,7 @@ static int davinci_mmcsd_probe(struct platform_device *pdev)
return ret;
}
-static int __exit davinci_mmcsd_remove(struct platform_device *pdev)
+static void __exit davinci_mmcsd_remove(struct platform_device *pdev)
{
struct mmc_davinci_host *host = platform_get_drvdata(pdev);
@@ -1356,8 +1356,6 @@ static int __exit davinci_mmcsd_remove(struct platform_device *pdev)
davinci_release_dma_channels(host);
clk_disable_unprepare(host->clk);
mmc_free_host(host->mmc);
-
- return 0;
}
#ifdef CONFIG_PM
@@ -1404,7 +1402,7 @@ static struct platform_driver davinci_mmcsd_driver = {
.of_match_table = davinci_mmc_dt_ids,
},
.probe = davinci_mmcsd_probe,
- .remove = __exit_p(davinci_mmcsd_remove),
+ .remove_new = __exit_p(davinci_mmcsd_remove),
.id_table = davinci_mmc_devtype,
};
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 060/356] mmc: davinci: Dont strip remove function when driver is builtin
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 059/356] mmc: davinci_mmc: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 061/356] i2c: add fwnode APIs Greg Kroah-Hartman
` (303 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Ulf Hansson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 55c421b364482b61c4c45313a535e61ed5ae4ea3 ]
Using __exit for the remove function results in the remove callback being
discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.
using sysfs or hotplug), the driver is just removed without the cleanup
being performed. This results in resource leaks. Fix it by compiling in the
remove callback unconditionally.
This also fixes a W=1 modpost warning:
WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in
reference: davinci_mmcsd_driver+0x10 (section: .data) ->
davinci_mmcsd_remove (section: .exit.text)
Fixes: b4cff4549b7a ("DaVinci: MMC: MMC/SD controller driver for DaVinci family")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240324114017.231936-2-u.kleine-koenig@pengutronix.de
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/davinci_mmc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
index 36c45867eb643..e0175808c3b0d 100644
--- a/drivers/mmc/host/davinci_mmc.c
+++ b/drivers/mmc/host/davinci_mmc.c
@@ -1347,7 +1347,7 @@ static int davinci_mmcsd_probe(struct platform_device *pdev)
return ret;
}
-static void __exit davinci_mmcsd_remove(struct platform_device *pdev)
+static void davinci_mmcsd_remove(struct platform_device *pdev)
{
struct mmc_davinci_host *host = platform_get_drvdata(pdev);
@@ -1402,7 +1402,7 @@ static struct platform_driver davinci_mmcsd_driver = {
.of_match_table = davinci_mmc_dt_ids,
},
.probe = davinci_mmcsd_probe,
- .remove_new = __exit_p(davinci_mmcsd_remove),
+ .remove_new = davinci_mmcsd_remove,
.id_table = davinci_mmc_devtype,
};
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 061/356] i2c: add fwnode APIs
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 060/356] mmc: davinci: Dont strip remove function when driver is builtin Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 062/356] i2c: acpi: Unbind mux adapters before delete Greg Kroah-Hartman
` (302 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mika Westerberg,
Russell King (Oracle), Wolfram Sang, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
[ Upstream commit 373c612d72461ddaea223592df31e62c934aae61 ]
Add fwnode APIs for finding and getting I2C adapters, which will be
used by the SFP code. These are passed the fwnode corresponding to
the adapter, and return the I2C adapter. It is the responsibility of
the caller to find the appropriate fwnode.
We keep the DT and ACPI interfaces, but where appropriate, recode them
to use the fwnode interfaces internally.
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Stable-dep-of: 3f858bbf04db ("i2c: acpi: Unbind mux adapters before delete")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-core-acpi.c | 13 +----
drivers/i2c/i2c-core-base.c | 98 +++++++++++++++++++++++++++++++++++++
drivers/i2c/i2c-core-of.c | 66 -------------------------
include/linux/i2c.h | 24 +++++++--
4 files changed, 120 insertions(+), 81 deletions(-)
diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
index 546cc935e035a..29a482abf1eed 100644
--- a/drivers/i2c/i2c-core-acpi.c
+++ b/drivers/i2c/i2c-core-acpi.c
@@ -421,18 +421,7 @@ EXPORT_SYMBOL_GPL(i2c_acpi_find_adapter_by_handle);
static struct i2c_client *i2c_acpi_find_client_by_adev(struct acpi_device *adev)
{
- struct device *dev;
- struct i2c_client *client;
-
- dev = bus_find_device_by_acpi_dev(&i2c_bus_type, adev);
- if (!dev)
- return NULL;
-
- client = i2c_verify_client(dev);
- if (!client)
- put_device(dev);
-
- return client;
+ return i2c_find_device_by_fwnode(acpi_fwnode_handle(adev));
}
static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value,
diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
index 1810a994c07ca..505eebbc98a09 100644
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -1009,6 +1009,35 @@ void i2c_unregister_device(struct i2c_client *client)
}
EXPORT_SYMBOL_GPL(i2c_unregister_device);
+/**
+ * i2c_find_device_by_fwnode() - find an i2c_client for the fwnode
+ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_client
+ *
+ * Look up and return the &struct i2c_client corresponding to the @fwnode.
+ * If no client can be found, or @fwnode is NULL, this returns NULL.
+ *
+ * The user must call put_device(&client->dev) once done with the i2c client.
+ */
+struct i2c_client *i2c_find_device_by_fwnode(struct fwnode_handle *fwnode)
+{
+ struct i2c_client *client;
+ struct device *dev;
+
+ if (!fwnode)
+ return NULL;
+
+ dev = bus_find_device_by_fwnode(&i2c_bus_type, fwnode);
+ if (!dev)
+ return NULL;
+
+ client = i2c_verify_client(dev);
+ if (!client)
+ put_device(dev);
+
+ return client;
+}
+EXPORT_SYMBOL(i2c_find_device_by_fwnode);
+
static const struct i2c_device_id dummy_id[] = {
{ "dummy", 0 },
@@ -1764,6 +1793,75 @@ int devm_i2c_add_adapter(struct device *dev, struct i2c_adapter *adapter)
}
EXPORT_SYMBOL_GPL(devm_i2c_add_adapter);
+static int i2c_dev_or_parent_fwnode_match(struct device *dev, const void *data)
+{
+ if (dev_fwnode(dev) == data)
+ return 1;
+
+ if (dev->parent && dev_fwnode(dev->parent) == data)
+ return 1;
+
+ return 0;
+}
+
+/**
+ * i2c_find_adapter_by_fwnode() - find an i2c_adapter for the fwnode
+ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_adapter
+ *
+ * Look up and return the &struct i2c_adapter corresponding to the @fwnode.
+ * If no adapter can be found, or @fwnode is NULL, this returns NULL.
+ *
+ * The user must call put_device(&adapter->dev) once done with the i2c adapter.
+ */
+struct i2c_adapter *i2c_find_adapter_by_fwnode(struct fwnode_handle *fwnode)
+{
+ struct i2c_adapter *adapter;
+ struct device *dev;
+
+ if (!fwnode)
+ return NULL;
+
+ dev = bus_find_device(&i2c_bus_type, NULL, fwnode,
+ i2c_dev_or_parent_fwnode_match);
+ if (!dev)
+ return NULL;
+
+ adapter = i2c_verify_adapter(dev);
+ if (!adapter)
+ put_device(dev);
+
+ return adapter;
+}
+EXPORT_SYMBOL(i2c_find_adapter_by_fwnode);
+
+/**
+ * i2c_get_adapter_by_fwnode() - find an i2c_adapter for the fwnode
+ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_adapter
+ *
+ * Look up and return the &struct i2c_adapter corresponding to the @fwnode,
+ * and increment the adapter module's use count. If no adapter can be found,
+ * or @fwnode is NULL, this returns NULL.
+ *
+ * The user must call i2c_put_adapter(adapter) once done with the i2c adapter.
+ * Note that this is different from i2c_find_adapter_by_node().
+ */
+struct i2c_adapter *i2c_get_adapter_by_fwnode(struct fwnode_handle *fwnode)
+{
+ struct i2c_adapter *adapter;
+
+ adapter = i2c_find_adapter_by_fwnode(fwnode);
+ if (!adapter)
+ return NULL;
+
+ if (!try_module_get(adapter->owner)) {
+ put_device(&adapter->dev);
+ adapter = NULL;
+ }
+
+ return adapter;
+}
+EXPORT_SYMBOL(i2c_get_adapter_by_fwnode);
+
static void i2c_parse_timing(struct device *dev, char *prop_name, u32 *cur_val_p,
u32 def_val, bool use_def)
{
diff --git a/drivers/i2c/i2c-core-of.c b/drivers/i2c/i2c-core-of.c
index 3ed74aa4b44bb..bce6b796e04c2 100644
--- a/drivers/i2c/i2c-core-of.c
+++ b/drivers/i2c/i2c-core-of.c
@@ -113,72 +113,6 @@ void of_i2c_register_devices(struct i2c_adapter *adap)
of_node_put(bus);
}
-static int of_dev_or_parent_node_match(struct device *dev, const void *data)
-{
- if (dev->of_node == data)
- return 1;
-
- if (dev->parent)
- return dev->parent->of_node == data;
-
- return 0;
-}
-
-/* must call put_device() when done with returned i2c_client device */
-struct i2c_client *of_find_i2c_device_by_node(struct device_node *node)
-{
- struct device *dev;
- struct i2c_client *client;
-
- dev = bus_find_device_by_of_node(&i2c_bus_type, node);
- if (!dev)
- return NULL;
-
- client = i2c_verify_client(dev);
- if (!client)
- put_device(dev);
-
- return client;
-}
-EXPORT_SYMBOL(of_find_i2c_device_by_node);
-
-/* must call put_device() when done with returned i2c_adapter device */
-struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node)
-{
- struct device *dev;
- struct i2c_adapter *adapter;
-
- dev = bus_find_device(&i2c_bus_type, NULL, node,
- of_dev_or_parent_node_match);
- if (!dev)
- return NULL;
-
- adapter = i2c_verify_adapter(dev);
- if (!adapter)
- put_device(dev);
-
- return adapter;
-}
-EXPORT_SYMBOL(of_find_i2c_adapter_by_node);
-
-/* must call i2c_put_adapter() when done with returned i2c_adapter device */
-struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node)
-{
- struct i2c_adapter *adapter;
-
- adapter = of_find_i2c_adapter_by_node(node);
- if (!adapter)
- return NULL;
-
- if (!try_module_get(adapter->owner)) {
- put_device(&adapter->dev);
- adapter = NULL;
- }
-
- return adapter;
-}
-EXPORT_SYMBOL(of_get_i2c_adapter_by_node);
-
static const struct of_device_id*
i2c_of_match_device_sysfs(const struct of_device_id *matches,
struct i2c_client *client)
diff --git a/include/linux/i2c.h b/include/linux/i2c.h
index 2ce3efbe9198a..f071a121ed914 100644
--- a/include/linux/i2c.h
+++ b/include/linux/i2c.h
@@ -954,15 +954,33 @@ int i2c_handle_smbus_host_notify(struct i2c_adapter *adap, unsigned short addr);
#endif /* I2C */
+/* must call put_device() when done with returned i2c_client device */
+struct i2c_client *i2c_find_device_by_fwnode(struct fwnode_handle *fwnode);
+
+/* must call put_device() when done with returned i2c_adapter device */
+struct i2c_adapter *i2c_find_adapter_by_fwnode(struct fwnode_handle *fwnode);
+
+/* must call i2c_put_adapter() when done with returned i2c_adapter device */
+struct i2c_adapter *i2c_get_adapter_by_fwnode(struct fwnode_handle *fwnode);
+
#if IS_ENABLED(CONFIG_OF)
/* must call put_device() when done with returned i2c_client device */
-struct i2c_client *of_find_i2c_device_by_node(struct device_node *node);
+static inline struct i2c_client *of_find_i2c_device_by_node(struct device_node *node)
+{
+ return i2c_find_device_by_fwnode(of_fwnode_handle(node));
+}
/* must call put_device() when done with returned i2c_adapter device */
-struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node);
+static inline struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node)
+{
+ return i2c_find_adapter_by_fwnode(of_fwnode_handle(node));
+}
/* must call i2c_put_adapter() when done with returned i2c_adapter device */
-struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node);
+static inline struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node)
+{
+ return i2c_get_adapter_by_fwnode(of_fwnode_handle(node));
+}
const struct of_device_id
*i2c_of_match_device(const struct of_device_id *matches,
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 062/356] i2c: acpi: Unbind mux adapters before delete
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 061/356] i2c: add fwnode APIs Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 063/356] cma: factor out minimum alignment requirement Greg Kroah-Hartman
` (301 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hamish Martin, Mika Westerberg,
Andi Shyti, Wolfram Sang, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
[ Upstream commit 3f858bbf04dbac934ac279aaee05d49eb9910051 ]
There is an issue with ACPI overlay table removal specifically related
to I2C multiplexers.
Consider an ACPI SSDT Overlay that defines a PCA9548 I2C mux on an
existing I2C bus. When this table is loaded we see the creation of a
device for the overall PCA9548 chip and 8 further devices - one
i2c_adapter each for the mux channels. These are all bound to their
ACPI equivalents via an eventual invocation of acpi_bind_one().
When we unload the SSDT overlay we run into the problem. The ACPI
devices are deleted as normal via acpi_device_del_work_fn() and the
acpi_device_del_list.
However, the following warning and stack trace is output as the
deletion does not go smoothly:
------------[ cut here ]------------
kernfs: can not remove 'physical_node', no directory
WARNING: CPU: 1 PID: 11 at fs/kernfs/dir.c:1674 kernfs_remove_by_name_ns+0xb9/0xc0
Modules linked in:
CPU: 1 PID: 11 Comm: kworker/u128:0 Not tainted 6.8.0-rc6+ #1
Hardware name: congatec AG conga-B7E3/conga-B7E3, BIOS 5.13 05/16/2023
Workqueue: kacpi_hotplug acpi_device_del_work_fn
RIP: 0010:kernfs_remove_by_name_ns+0xb9/0xc0
Code: e4 00 48 89 ef e8 07 71 db ff 5b b8 fe ff ff ff 5d 41 5c 41 5d e9 a7 55 e4 00 0f 0b eb a6 48 c7 c7 f0 38 0d 9d e8 97 0a d5 ff <0f> 0b eb dc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffff9f864008fb28 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8ef90a8d4940 RCX: 0000000000000000
RDX: ffff8f000e267d10 RSI: ffff8f000e25c780 RDI: ffff8f000e25c780
RBP: ffff8ef9186f9870 R08: 0000000000013ffb R09: 00000000ffffbfff
R10: 00000000ffffbfff R11: ffff8f000e0a0000 R12: ffff9f864008fb50
R13: ffff8ef90c93dd60 R14: ffff8ef9010d0958 R15: ffff8ef9186f98c8
FS: 0000000000000000(0000) GS:ffff8f000e240000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f48f5253a08 CR3: 00000003cb82e000 CR4: 00000000003506f0
Call Trace:
<TASK>
? kernfs_remove_by_name_ns+0xb9/0xc0
? __warn+0x7c/0x130
? kernfs_remove_by_name_ns+0xb9/0xc0
? report_bug+0x171/0x1a0
? handle_bug+0x3c/0x70
? exc_invalid_op+0x17/0x70
? asm_exc_invalid_op+0x1a/0x20
? kernfs_remove_by_name_ns+0xb9/0xc0
? kernfs_remove_by_name_ns+0xb9/0xc0
acpi_unbind_one+0x108/0x180
device_del+0x18b/0x490
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
device_unregister+0xd/0x30
i2c_del_adapter.part.0+0x1bf/0x250
i2c_mux_del_adapters+0xa1/0xe0
i2c_device_remove+0x1e/0x80
device_release_driver_internal+0x19a/0x200
bus_remove_device+0xbf/0x100
device_del+0x157/0x490
? __pfx_device_match_fwnode+0x10/0x10
? srso_return_thunk+0x5/0x5f
device_unregister+0xd/0x30
i2c_acpi_notify+0x10f/0x140
notifier_call_chain+0x58/0xd0
blocking_notifier_call_chain+0x3a/0x60
acpi_device_del_work_fn+0x85/0x1d0
process_one_work+0x134/0x2f0
worker_thread+0x2f0/0x410
? __pfx_worker_thread+0x10/0x10
kthread+0xe3/0x110
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2f/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
---[ end trace 0000000000000000 ]---
...
repeated 7 more times, 1 for each channel of the mux
...
The issue is that the binding of the ACPI devices to their peer I2C
adapters is not correctly cleaned up. Digging deeper into the issue we
see that the deletion order is such that the ACPI devices matching the
mux channel i2c adapters are deleted first during the SSDT overlay
removal. For each of the channels we see a call to i2c_acpi_notify()
with ACPI_RECONFIG_DEVICE_REMOVE but, because these devices are not
actually i2c_clients, nothing is done for them.
Later on, after each of the mux channels has been dealt with, we come
to delete the i2c_client representing the PCA9548 device. This is the
call stack we see above, whereby the kernel cleans up the i2c_client
including destruction of the mux and its channel adapters. At this
point we do attempt to unbind from the ACPI peers but those peers no
longer exist and so we hit the kernfs errors.
The fix is to augment i2c_acpi_notify() to handle i2c_adapters. But,
given that the life cycle of the adapters is linked to the i2c_client,
instead of deleting the i2c_adapters during the i2c_acpi_notify(), we
just trigger unbinding of the ACPI device from the adapter device, and
allow the clean up of the adapter to continue in the way it always has.
Signed-off-by: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Fixes: 525e6fabeae2 ("i2c / ACPI: add support for ACPI reconfigure notifications")
Cc: <stable@vger.kernel.org> # v4.8+
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-core-acpi.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
index 29a482abf1eed..6ce05441178a3 100644
--- a/drivers/i2c/i2c-core-acpi.c
+++ b/drivers/i2c/i2c-core-acpi.c
@@ -424,6 +424,11 @@ static struct i2c_client *i2c_acpi_find_client_by_adev(struct acpi_device *adev)
return i2c_find_device_by_fwnode(acpi_fwnode_handle(adev));
}
+static struct i2c_adapter *i2c_acpi_find_adapter_by_adev(struct acpi_device *adev)
+{
+ return i2c_find_adapter_by_fwnode(acpi_fwnode_handle(adev));
+}
+
static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value,
void *arg)
{
@@ -450,11 +455,17 @@ static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value,
break;
client = i2c_acpi_find_client_by_adev(adev);
- if (!client)
- break;
+ if (client) {
+ i2c_unregister_device(client);
+ put_device(&client->dev);
+ }
+
+ adapter = i2c_acpi_find_adapter_by_adev(adev);
+ if (adapter) {
+ acpi_unbind_one(&adapter->dev);
+ put_device(&adapter->dev);
+ }
- i2c_unregister_device(client);
- put_device(&client->dev);
break;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 063/356] cma: factor out minimum alignment requirement
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 062/356] i2c: acpi: Unbind mux adapters before delete Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 064/356] mm/cma: drop incorrect alignment check in cma_init_reserved_mem Greg Kroah-Hartman
` (300 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Zi Yan,
Rob Herring, Aneesh Kumar K.V, Michael Ellerman,
Benjamin Herrenschmidt, Paul Mackerras, Frank Rowand,
Michael S. Tsirkin, Christoph Hellwig, Marek Szyprowski,
Robin Murphy, Minchan Kim, Vlastimil Babka, John Garry via iommu,
Andrew Morton, Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit e16faf26780fc0c8dd693ea9ee8420a7706cb2f5 ]
Patch series "mm: enforce pageblock_order < MAX_ORDER".
Having pageblock_order >= MAX_ORDER seems to be able to happen in corner
cases and some parts of the kernel are not prepared for it.
For example, Aneesh has shown [1] that such kernels can be compiled on
ppc64 with 64k base pages by setting FORCE_MAX_ZONEORDER=8, which will
run into a WARN_ON_ONCE(order >= MAX_ORDER) in comapction code right
during boot.
We can get pageblock_order >= MAX_ORDER when the default hugetlb size is
bigger than the maximum allocation granularity of the buddy, in which
case we are no longer talking about huge pages but instead gigantic
pages.
Having pageblock_order >= MAX_ORDER can only make alloc_contig_range()
of such gigantic pages more likely to succeed.
Reliable use of gigantic pages either requires boot time allcoation or
CMA, no need to overcomplicate some places in the kernel to optimize for
corner cases that are broken in other areas of the kernel.
This patch (of 2):
Let's enforce pageblock_order < MAX_ORDER and simplify.
Especially patch #1 can be regarded a cleanup before:
[PATCH v5 0/6] Use pageblock_order for cma and alloc_contig_range
alignment. [2]
[1] https://lkml.kernel.org/r/87r189a2ks.fsf@linux.ibm.com
[2] https://lkml.kernel.org/r/20220211164135.1803616-1-zi.yan@sent.com
Link: https://lkml.kernel.org/r/20220214174132.219303-2-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Acked-by: Rob Herring <robh@kernel.org>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Frank Rowand <frowand.list@gmail.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: John Garry via iommu <iommu@lists.linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: b174f139bdc8 ("mm/cma: drop incorrect alignment check in cma_init_reserved_mem")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/fadump-internal.h | 5 -----
arch/powerpc/kernel/fadump.c | 2 +-
drivers/of/of_reserved_mem.c | 9 +++------
include/linux/cma.h | 9 +++++++++
kernel/dma/contiguous.c | 4 +---
mm/cma.c | 20 +++++---------------
6 files changed, 19 insertions(+), 30 deletions(-)
diff --git a/arch/powerpc/include/asm/fadump-internal.h b/arch/powerpc/include/asm/fadump-internal.h
index 8d61c8f3fec47..d06b2be645326 100644
--- a/arch/powerpc/include/asm/fadump-internal.h
+++ b/arch/powerpc/include/asm/fadump-internal.h
@@ -19,11 +19,6 @@
#define memblock_num_regions(memblock_type) (memblock.memblock_type.cnt)
-/* Alignment per CMA requirement. */
-#define FADUMP_CMA_ALIGNMENT (PAGE_SIZE << \
- max_t(unsigned long, MAX_ORDER - 1, \
- pageblock_order))
-
/* FAD commands */
#define FADUMP_REGISTER 1
#define FADUMP_UNREGISTER 2
diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
index d496dc5151aa1..35b142ad0e40e 100644
--- a/arch/powerpc/kernel/fadump.c
+++ b/arch/powerpc/kernel/fadump.c
@@ -544,7 +544,7 @@ int __init fadump_reserve_mem(void)
if (!fw_dump.nocma) {
fw_dump.boot_memory_size =
ALIGN(fw_dump.boot_memory_size,
- FADUMP_CMA_ALIGNMENT);
+ CMA_MIN_ALIGNMENT_BYTES);
}
#endif
diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
index 9e949ddcb1464..6ec668ae2d6fa 100644
--- a/drivers/of/of_reserved_mem.c
+++ b/drivers/of/of_reserved_mem.c
@@ -22,6 +22,7 @@
#include <linux/slab.h>
#include <linux/memblock.h>
#include <linux/kmemleak.h>
+#include <linux/cma.h>
#include "of_private.h"
@@ -117,12 +118,8 @@ static int __init __reserved_mem_alloc_size(unsigned long node,
if (IS_ENABLED(CONFIG_CMA)
&& of_flat_dt_is_compatible(node, "shared-dma-pool")
&& of_get_flat_dt_prop(node, "reusable", NULL)
- && !nomap) {
- unsigned long order =
- max_t(unsigned long, MAX_ORDER - 1, pageblock_order);
-
- align = max(align, (phys_addr_t)PAGE_SIZE << order);
- }
+ && !nomap)
+ align = max_t(phys_addr_t, align, CMA_MIN_ALIGNMENT_BYTES);
prop = of_get_flat_dt_prop(node, "alloc-ranges", &len);
if (prop) {
diff --git a/include/linux/cma.h b/include/linux/cma.h
index 53fd8c3cdbd04..1b302e204c09b 100644
--- a/include/linux/cma.h
+++ b/include/linux/cma.h
@@ -20,6 +20,15 @@
#define CMA_MAX_NAME 64
+/*
+ * TODO: once the buddy -- especially pageblock merging and alloc_contig_range()
+ * -- can deal with only some pageblocks of a higher-order page being
+ * MIGRATE_CMA, we can use pageblock_nr_pages.
+ */
+#define CMA_MIN_ALIGNMENT_PAGES max_t(phys_addr_t, MAX_ORDER_NR_PAGES, \
+ pageblock_nr_pages)
+#define CMA_MIN_ALIGNMENT_BYTES (PAGE_SIZE * CMA_MIN_ALIGNMENT_PAGES)
+
struct cma;
extern unsigned long totalcma_pages;
diff --git a/kernel/dma/contiguous.c b/kernel/dma/contiguous.c
index 3d63d91cba5cf..6ea80ae426228 100644
--- a/kernel/dma/contiguous.c
+++ b/kernel/dma/contiguous.c
@@ -399,8 +399,6 @@ static const struct reserved_mem_ops rmem_cma_ops = {
static int __init rmem_cma_setup(struct reserved_mem *rmem)
{
- phys_addr_t align = PAGE_SIZE << max(MAX_ORDER - 1, pageblock_order);
- phys_addr_t mask = align - 1;
unsigned long node = rmem->fdt_node;
bool default_cma = of_get_flat_dt_prop(node, "linux,cma-default", NULL);
struct cma *cma;
@@ -416,7 +414,7 @@ static int __init rmem_cma_setup(struct reserved_mem *rmem)
of_get_flat_dt_prop(node, "no-map", NULL))
return -EINVAL;
- if ((rmem->base & mask) || (rmem->size & mask)) {
+ if (!IS_ALIGNED(rmem->base | rmem->size, CMA_MIN_ALIGNMENT_BYTES)) {
pr_err("Reserved memory: incorrect alignment of CMA region\n");
return -EINVAL;
}
diff --git a/mm/cma.c b/mm/cma.c
index 26967c70e9c73..5208aee4f45ad 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -169,7 +169,6 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size,
struct cma **res_cma)
{
struct cma *cma;
- phys_addr_t alignment;
/* Sanity checks */
if (cma_area_count == ARRAY_SIZE(cma_areas)) {
@@ -180,15 +179,12 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size,
if (!size || !memblock_is_region_reserved(base, size))
return -EINVAL;
- /* ensure minimal alignment required by mm core */
- alignment = PAGE_SIZE <<
- max_t(unsigned long, MAX_ORDER - 1, pageblock_order);
-
/* alignment should be aligned with order_per_bit */
- if (!IS_ALIGNED(alignment >> PAGE_SHIFT, 1 << order_per_bit))
+ if (!IS_ALIGNED(CMA_MIN_ALIGNMENT_PAGES, 1 << order_per_bit))
return -EINVAL;
- if (ALIGN(base, alignment) != base || ALIGN(size, alignment) != size)
+ /* ensure minimal alignment required by mm core */
+ if (!IS_ALIGNED(base | size, CMA_MIN_ALIGNMENT_BYTES))
return -EINVAL;
/*
@@ -263,14 +259,8 @@ int __init cma_declare_contiguous_nid(phys_addr_t base,
if (alignment && !is_power_of_2(alignment))
return -EINVAL;
- /*
- * Sanitise input arguments.
- * Pages both ends in CMA area could be merged into adjacent unmovable
- * migratetype page by page allocator's buddy algorithm. In the case,
- * you couldn't get a contiguous memory, which is not what we want.
- */
- alignment = max(alignment, (phys_addr_t)PAGE_SIZE <<
- max_t(unsigned long, MAX_ORDER - 1, pageblock_order));
+ /* Sanitise input arguments. */
+ alignment = max_t(phys_addr_t, alignment, CMA_MIN_ALIGNMENT_BYTES);
if (fixed && base & (alignment - 1)) {
ret = -EINVAL;
pr_err("Region at %pa must be aligned to %pa bytes\n",
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 064/356] mm/cma: drop incorrect alignment check in cma_init_reserved_mem
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 063/356] cma: factor out minimum alignment requirement Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 065/356] selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages Greg Kroah-Hartman
` (299 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank van der Linden,
David Hildenbrand, Marek Szyprowski, Muchun Song, Roman Gushchin,
Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank van der Linden <fvdl@google.com>
[ Upstream commit b174f139bdc8aaaf72f5b67ad1bd512c4868a87e ]
cma_init_reserved_mem uses IS_ALIGNED to check if the size represented by
one bit in the cma allocation bitmask is aligned with
CMA_MIN_ALIGNMENT_BYTES (pageblock size).
However, this is too strict, as this will fail if order_per_bit >
pageblock_order, which is a valid configuration.
We could check IS_ALIGNED both ways, but since both numbers are powers of
two, no check is needed at all.
Link: https://lkml.kernel.org/r/20240404162515.527802-1-fvdl@google.com
Fixes: de9e14eebf33 ("drivers: dma-contiguous: add initialization from device tree")
Signed-off-by: Frank van der Linden <fvdl@google.com>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/cma.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/mm/cma.c b/mm/cma.c
index 5208aee4f45ad..88fbd4f8124d3 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -179,10 +179,6 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size,
if (!size || !memblock_is_region_reserved(base, size))
return -EINVAL;
- /* alignment should be aligned with order_per_bit */
- if (!IS_ALIGNED(CMA_MIN_ALIGNMENT_PAGES, 1 << order_per_bit))
- return -EINVAL;
-
/* ensure minimal alignment required by mm core */
if (!IS_ALIGNED(base | size, CMA_MIN_ALIGNMENT_BYTES))
return -EINVAL;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 065/356] selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 064/356] mm/cma: drop incorrect alignment check in cma_init_reserved_mem Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 066/356] selftests/mm: conform test to TAP format output Greg Kroah-Hartman
` (298 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dev Jain, Anshuman Khandual,
Shuah Khan, Sri Jayaramappa, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dev Jain <dev.jain@arm.com>
[ Upstream commit 9ad665ef55eaad1ead1406a58a34f615a7c18b5e ]
Currently, the test tries to set nr_hugepages to zero, but that is not
actually done because the file offset is not reset after read(). Fix that
using lseek().
Link: https://lkml.kernel.org/r/20240521074358.675031-3-dev.jain@arm.com
Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory")
Signed-off-by: Dev Jain <dev.jain@arm.com>
Cc: <stable@vger.kernel.org>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Sri Jayaramappa <sjayaram@akamai.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/vm/compaction_test.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c
index 9b420140ba2ba..55dec92e1e58c 100644
--- a/tools/testing/selftests/vm/compaction_test.c
+++ b/tools/testing/selftests/vm/compaction_test.c
@@ -103,6 +103,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
goto close_fd;
}
+ lseek(fd, 0, SEEK_SET);
+
/* Start with the initial condition of 0 huge pages*/
if (write(fd, "0", sizeof(char)) != sizeof(char)) {
perror("Failed to write 0 to /proc/sys/vm/nr_hugepages\n");
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 066/356] selftests/mm: conform test to TAP format output
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 065/356] selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 067/356] selftests/mm: log a consistent test name for check_compaction Greg Kroah-Hartman
` (297 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muhammad Usama Anjum, Shuah Khan,
Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Muhammad Usama Anjum <usama.anjum@collabora.com>
[ Upstream commit 9a21701edc41465de56f97914741bfb7bfc2517d ]
Conform the layout, informational and status messages to TAP. No
functional change is intended other than the layout of output messages.
Link: https://lkml.kernel.org/r/20240101083614.1076768-1-usama.anjum@collabora.com
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Cc: Shuah Khan <shuah@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: d4202e66a4b1 ("selftests/mm: compaction_test: fix bogus test success on Aarch64")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/vm/compaction_test.c | 91 ++++++++++----------
1 file changed, 44 insertions(+), 47 deletions(-)
diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c
index 55dec92e1e58c..f81931c1f8386 100644
--- a/tools/testing/selftests/vm/compaction_test.c
+++ b/tools/testing/selftests/vm/compaction_test.c
@@ -33,7 +33,7 @@ int read_memory_info(unsigned long *memfree, unsigned long *hugepagesize)
FILE *cmdfile = popen(cmd, "r");
if (!(fgets(buffer, sizeof(buffer), cmdfile))) {
- perror("Failed to read meminfo\n");
+ ksft_print_msg("Failed to read meminfo: %s\n", strerror(errno));
return -1;
}
@@ -44,7 +44,7 @@ int read_memory_info(unsigned long *memfree, unsigned long *hugepagesize)
cmdfile = popen(cmd, "r");
if (!(fgets(buffer, sizeof(buffer), cmdfile))) {
- perror("Failed to read meminfo\n");
+ ksft_print_msg("Failed to read meminfo: %s\n", strerror(errno));
return -1;
}
@@ -62,14 +62,14 @@ int prereq(void)
fd = open("/proc/sys/vm/compact_unevictable_allowed",
O_RDONLY | O_NONBLOCK);
if (fd < 0) {
- perror("Failed to open\n"
- "/proc/sys/vm/compact_unevictable_allowed\n");
+ ksft_print_msg("Failed to open /proc/sys/vm/compact_unevictable_allowed: %s\n",
+ strerror(errno));
return -1;
}
if (read(fd, &allowed, sizeof(char)) != sizeof(char)) {
- perror("Failed to read from\n"
- "/proc/sys/vm/compact_unevictable_allowed\n");
+ ksft_print_msg("Failed to read from /proc/sys/vm/compact_unevictable_allowed: %s\n",
+ strerror(errno));
close(fd);
return -1;
}
@@ -78,12 +78,13 @@ int prereq(void)
if (allowed == '1')
return 0;
+ ksft_print_msg("Compaction isn't allowed\n");
return -1;
}
int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
{
- int fd;
+ int fd, ret = -1;
int compaction_index = 0;
char initial_nr_hugepages[10] = {0};
char nr_hugepages[10] = {0};
@@ -94,12 +95,14 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
fd = open("/proc/sys/vm/nr_hugepages", O_RDWR | O_NONBLOCK);
if (fd < 0) {
- perror("Failed to open /proc/sys/vm/nr_hugepages");
+ ksft_test_result_fail("Failed to open /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
return -1;
}
if (read(fd, initial_nr_hugepages, sizeof(initial_nr_hugepages)) <= 0) {
- perror("Failed to read from /proc/sys/vm/nr_hugepages");
+ ksft_test_result_fail("Failed to read from /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
goto close_fd;
}
@@ -107,7 +110,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
/* Start with the initial condition of 0 huge pages*/
if (write(fd, "0", sizeof(char)) != sizeof(char)) {
- perror("Failed to write 0 to /proc/sys/vm/nr_hugepages\n");
+ ksft_test_result_fail("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
goto close_fd;
}
@@ -116,14 +120,16 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
/* Request a large number of huge pages. The Kernel will allocate
as much as it can */
if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) {
- perror("Failed to write 100000 to /proc/sys/vm/nr_hugepages\n");
+ ksft_test_result_fail("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
goto close_fd;
}
lseek(fd, 0, SEEK_SET);
if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) {
- perror("Failed to re-read from /proc/sys/vm/nr_hugepages\n");
+ ksft_test_result_fail("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
goto close_fd;
}
@@ -131,67 +137,58 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
huge pages */
compaction_index = mem_free/(atoi(nr_hugepages) * hugepage_size);
- if (compaction_index > 3) {
- printf("No of huge pages allocated = %d\n",
- (atoi(nr_hugepages)));
- fprintf(stderr, "ERROR: Less that 1/%d of memory is available\n"
- "as huge pages\n", compaction_index);
- goto close_fd;
- }
-
- printf("No of huge pages allocated = %d\n",
- (atoi(nr_hugepages)));
-
lseek(fd, 0, SEEK_SET);
if (write(fd, initial_nr_hugepages, strlen(initial_nr_hugepages))
!= strlen(initial_nr_hugepages)) {
- perror("Failed to write value to /proc/sys/vm/nr_hugepages\n");
+ ksft_test_result_fail("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
goto close_fd;
}
- close(fd);
- return 0;
+ if (compaction_index > 3) {
+ ksft_print_msg("ERROR: Less that 1/%d of memory is available\n"
+ "as huge pages\n", compaction_index);
+ ksft_test_result_fail("No of huge pages allocated = %d\n", (atoi(nr_hugepages)));
+ goto close_fd;
+ }
+
+ ksft_test_result_pass("Memory compaction succeeded. No of huge pages allocated = %d\n",
+ (atoi(nr_hugepages)));
+ ret = 0;
close_fd:
close(fd);
- printf("Not OK. Compaction test failed.");
- return -1;
+ return ret;
}
int main(int argc, char **argv)
{
struct rlimit lim;
- struct map_list *list, *entry;
+ struct map_list *list = NULL, *entry;
size_t page_size, i;
void *map = NULL;
unsigned long mem_free = 0;
unsigned long hugepage_size = 0;
long mem_fragmentable_MB = 0;
- if (prereq() != 0) {
- printf("Either the sysctl compact_unevictable_allowed is not\n"
- "set to 1 or couldn't read the proc file.\n"
- "Skipping the test\n");
- return KSFT_SKIP;
- }
+ ksft_print_header();
+
+ if (prereq() != 0)
+ return ksft_exit_pass();
+
+ ksft_set_plan(1);
lim.rlim_cur = RLIM_INFINITY;
lim.rlim_max = RLIM_INFINITY;
- if (setrlimit(RLIMIT_MEMLOCK, &lim)) {
- perror("Failed to set rlimit:\n");
- return -1;
- }
+ if (setrlimit(RLIMIT_MEMLOCK, &lim))
+ ksft_exit_fail_msg("Failed to set rlimit: %s\n", strerror(errno));
page_size = getpagesize();
- list = NULL;
-
- if (read_memory_info(&mem_free, &hugepage_size) != 0) {
- printf("ERROR: Cannot read meminfo\n");
- return -1;
- }
+ if (read_memory_info(&mem_free, &hugepage_size) != 0)
+ ksft_exit_fail_msg("Failed to get meminfo\n");
mem_fragmentable_MB = mem_free * 0.8 / 1024;
@@ -227,7 +224,7 @@ int main(int argc, char **argv)
}
if (check_compaction(mem_free, hugepage_size) == 0)
- return 0;
+ return ksft_exit_pass();
- return -1;
+ return ksft_exit_fail();
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 067/356] selftests/mm: log a consistent test name for check_compaction
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 066/356] selftests/mm: conform test to TAP format output Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 12:02 ` Mark Brown
2024-07-03 10:36 ` [PATCH 5.15 068/356] selftests/mm: compaction_test: fix bogus test success on Aarch64 Greg Kroah-Hartman
` (296 subsequent siblings)
363 siblings, 1 reply; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Brown, Muhammad Usama Anjum,
Ryan Roberts, Shuah Khan, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit f3b7568c49420d2dcd251032c9ca1e069ec8a6c9 ]
Every test result report in the compaction test prints a distinct log
messae, and some of the reports print a name that varies at runtime. This
causes problems for automation since a lot of automation software uses the
printed string as the name of the test, if the name varies from run to run
and from pass to fail then the automation software can't identify that a
test changed result or that the same tests are being run.
Refactor the logging to use a consistent name when printing the result of
the test, printing the existing messages as diagnostic information instead
so they are still available for people trying to interpret the results.
Link: https://lkml.kernel.org/r/20240209-kselftest-mm-cleanup-v1-2-a3c0386496b5@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: Muhammad Usama Anjum <usama.anjum@collabora.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Shuah Khan <shuah@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: d4202e66a4b1 ("selftests/mm: compaction_test: fix bogus test success on Aarch64")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/vm/compaction_test.c | 35 +++++++++++---------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c
index f81931c1f8386..6aa6460b854ea 100644
--- a/tools/testing/selftests/vm/compaction_test.c
+++ b/tools/testing/selftests/vm/compaction_test.c
@@ -95,14 +95,15 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
fd = open("/proc/sys/vm/nr_hugepages", O_RDWR | O_NONBLOCK);
if (fd < 0) {
- ksft_test_result_fail("Failed to open /proc/sys/vm/nr_hugepages: %s\n",
- strerror(errno));
- return -1;
+ ksft_print_msg("Failed to open /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto out;
}
if (read(fd, initial_nr_hugepages, sizeof(initial_nr_hugepages)) <= 0) {
- ksft_test_result_fail("Failed to read from /proc/sys/vm/nr_hugepages: %s\n",
- strerror(errno));
+ ksft_print_msg("Failed to read from /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
goto close_fd;
}
@@ -110,8 +111,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
/* Start with the initial condition of 0 huge pages*/
if (write(fd, "0", sizeof(char)) != sizeof(char)) {
- ksft_test_result_fail("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n",
- strerror(errno));
+ ksft_print_msg("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
goto close_fd;
}
@@ -120,16 +121,16 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
/* Request a large number of huge pages. The Kernel will allocate
as much as it can */
if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) {
- ksft_test_result_fail("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n",
- strerror(errno));
+ ksft_print_msg("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
goto close_fd;
}
lseek(fd, 0, SEEK_SET);
if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) {
- ksft_test_result_fail("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n",
- strerror(errno));
+ ksft_print_msg("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
goto close_fd;
}
@@ -141,24 +142,26 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
if (write(fd, initial_nr_hugepages, strlen(initial_nr_hugepages))
!= strlen(initial_nr_hugepages)) {
- ksft_test_result_fail("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n",
- strerror(errno));
+ ksft_print_msg("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n",
+ strerror(errno));
goto close_fd;
}
+ ksft_print_msg("Number of huge pages allocated = %d\n",
+ atoi(nr_hugepages));
+
if (compaction_index > 3) {
ksft_print_msg("ERROR: Less that 1/%d of memory is available\n"
"as huge pages\n", compaction_index);
- ksft_test_result_fail("No of huge pages allocated = %d\n", (atoi(nr_hugepages)));
goto close_fd;
}
- ksft_test_result_pass("Memory compaction succeeded. No of huge pages allocated = %d\n",
- (atoi(nr_hugepages)));
ret = 0;
close_fd:
close(fd);
+ out:
+ ksft_test_result(ret == 0, "check_compaction\n");
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 068/356] selftests/mm: compaction_test: fix bogus test success on Aarch64
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 067/356] selftests/mm: log a consistent test name for check_compaction Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 069/356] wifi: ath10k: fix QCOM_RPROC_COMMON dependency Greg Kroah-Hartman
` (295 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dev Jain, Anshuman Khandual,
Shuah Khan, Sri Jayaramappa, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dev Jain <dev.jain@arm.com>
[ Upstream commit d4202e66a4b1fe6968f17f9f09bbc30d08f028a1 ]
Patch series "Fixes for compaction_test", v2.
The compaction_test memory selftest introduces fragmentation in memory
and then tries to allocate as many hugepages as possible. This series
addresses some problems.
On Aarch64, if nr_hugepages == 0, then the test trivially succeeds since
compaction_index becomes 0, which is less than 3, due to no division by
zero exception being raised. We fix that by checking for division by
zero.
Secondly, correctly set the number of hugepages to zero before trying
to set a large number of them.
Now, consider a situation in which, at the start of the test, a non-zero
number of hugepages have been already set (while running the entire
selftests/mm suite, or manually by the admin). The test operates on 80%
of memory to avoid OOM-killer invocation, and because some memory is
already blocked by hugepages, it would increase the chance of OOM-killing.
Also, since mem_free used in check_compaction() is the value before we
set nr_hugepages to zero, the chance that the compaction_index will
be small is very high if the preset nr_hugepages was high, leading to a
bogus test success.
This patch (of 3):
Currently, if at runtime we are not able to allocate a huge page, the test
will trivially pass on Aarch64 due to no exception being raised on
division by zero while computing compaction_index. Fix that by checking
for nr_hugepages == 0. Anyways, in general, avoid a division by zero by
exiting the program beforehand. While at it, fix a typo, and handle the
case where the number of hugepages may overflow an integer.
Link: https://lkml.kernel.org/r/20240521074358.675031-1-dev.jain@arm.com
Link: https://lkml.kernel.org/r/20240521074358.675031-2-dev.jain@arm.com
Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory")
Signed-off-by: Dev Jain <dev.jain@arm.com>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Sri Jayaramappa <sjayaram@akamai.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/vm/compaction_test.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c
index 6aa6460b854ea..309b3750e57e1 100644
--- a/tools/testing/selftests/vm/compaction_test.c
+++ b/tools/testing/selftests/vm/compaction_test.c
@@ -82,12 +82,13 @@ int prereq(void)
return -1;
}
-int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+int check_compaction(unsigned long mem_free, unsigned long hugepage_size)
{
+ unsigned long nr_hugepages_ul;
int fd, ret = -1;
int compaction_index = 0;
- char initial_nr_hugepages[10] = {0};
- char nr_hugepages[10] = {0};
+ char initial_nr_hugepages[20] = {0};
+ char nr_hugepages[20] = {0};
/* We want to test with 80% of available memory. Else, OOM killer comes
in to play */
@@ -136,7 +137,12 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
/* We should have been able to request at least 1/3 rd of the memory in
huge pages */
- compaction_index = mem_free/(atoi(nr_hugepages) * hugepage_size);
+ nr_hugepages_ul = strtoul(nr_hugepages, NULL, 10);
+ if (!nr_hugepages_ul) {
+ ksft_print_msg("ERROR: No memory is available as huge pages\n");
+ goto close_fd;
+ }
+ compaction_index = mem_free/(nr_hugepages_ul * hugepage_size);
lseek(fd, 0, SEEK_SET);
@@ -147,11 +153,11 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
goto close_fd;
}
- ksft_print_msg("Number of huge pages allocated = %d\n",
- atoi(nr_hugepages));
+ ksft_print_msg("Number of huge pages allocated = %lu\n",
+ nr_hugepages_ul);
if (compaction_index > 3) {
- ksft_print_msg("ERROR: Less that 1/%d of memory is available\n"
+ ksft_print_msg("ERROR: Less than 1/%d of memory is available\n"
"as huge pages\n", compaction_index);
goto close_fd;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 069/356] wifi: ath10k: fix QCOM_RPROC_COMMON dependency
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 068/356] selftests/mm: compaction_test: fix bogus test success on Aarch64 Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 070/356] btrfs: fix leak of qgroup extent records after transaction abort Greg Kroah-Hartman
` (294 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Kalle Valo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit 21ae74e1bf18331ae5e279bd96304b3630828009 ]
If ath10k_snoc is built-in, while Qualcomm remoteprocs are built as
modules, compilation fails with:
/usr/bin/aarch64-linux-gnu-ld: drivers/net/wireless/ath/ath10k/snoc.o: in function `ath10k_modem_init':
drivers/net/wireless/ath/ath10k/snoc.c:1534: undefined reference to `qcom_register_ssr_notifier'
/usr/bin/aarch64-linux-gnu-ld: drivers/net/wireless/ath/ath10k/snoc.o: in function `ath10k_modem_deinit':
drivers/net/wireless/ath/ath10k/snoc.c:1551: undefined reference to `qcom_unregister_ssr_notifier'
Add corresponding dependency to ATH10K_SNOC Kconfig entry so that it's
built as module if QCOM_RPROC_COMMON is built as module too.
Fixes: 747ff7d3d742 ("ath10k: Don't always treat modem stop events as crashes")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://msgid.link/20240511-ath10k-snoc-dep-v1-1-9666e3af5c27@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath10k/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/ath/ath10k/Kconfig
+++ b/drivers/net/wireless/ath/ath10k/Kconfig
@@ -44,6 +44,7 @@ config ATH10K_SNOC
tristate "Qualcomm ath10k SNOC support"
depends on ATH10K
depends on ARCH_QCOM || COMPILE_TEST
+ depends on QCOM_RPROC_COMMON || QCOM_RPROC_COMMON=n
select QCOM_SCM
select QCOM_QMI_HELPERS
help
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 070/356] btrfs: fix leak of qgroup extent records after transaction abort
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 069/356] wifi: ath10k: fix QCOM_RPROC_COMMON dependency Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 071/356] nilfs2: Remove check for PageError Greg Kroah-Hartman
` (293 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0fecc032fa134afd49df,
Josef Bacik, Qu Wenruo, Filipe Manana, David Sterba, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit fb33eb2ef0d88e75564983ef057b44c5b7e4fded ]
Qgroup extent records are created when delayed ref heads are created and
then released after accounting extents at btrfs_qgroup_account_extents(),
called during the transaction commit path.
If a transaction is aborted we free the qgroup records by calling
btrfs_qgroup_destroy_extent_records() at btrfs_destroy_delayed_refs(),
unless we don't have delayed references. We are incorrectly assuming
that no delayed references means we don't have qgroup extents records.
We can currently have no delayed references because we ran them all
during a transaction commit and the transaction was aborted after that
due to some error in the commit path.
So fix this by ensuring we btrfs_qgroup_destroy_extent_records() at
btrfs_destroy_delayed_refs() even if we don't have any delayed references.
Reported-by: syzbot+0fecc032fa134afd49df@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/0000000000004e7f980619f91835@google.com/
Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/disk-io.c | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index c1dfde886b1e3..092ebed754b0c 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -4707,19 +4707,11 @@ static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
struct btrfs_fs_info *fs_info)
{
struct rb_node *node;
- struct btrfs_delayed_ref_root *delayed_refs;
+ struct btrfs_delayed_ref_root *delayed_refs = &trans->delayed_refs;
struct btrfs_delayed_ref_node *ref;
int ret = 0;
- delayed_refs = &trans->delayed_refs;
-
spin_lock(&delayed_refs->lock);
- if (atomic_read(&delayed_refs->num_entries) == 0) {
- spin_unlock(&delayed_refs->lock);
- btrfs_debug(fs_info, "delayed_refs has NO entry");
- return ret;
- }
-
while ((node = rb_first_cached(&delayed_refs->href_root)) != NULL) {
struct btrfs_delayed_ref_head *head;
struct rb_node *n;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 071/356] nilfs2: Remove check for PageError
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 070/356] btrfs: fix leak of qgroup extent records after transaction abort Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 072/356] nilfs2: return the mapped address from nilfs_get_page() Greg Kroah-Hartman
` (292 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit 79ea65563ad8aaab309d61eeb4d5019dd6cf5fa0 ]
If read_mapping_page() encounters an error, it returns an errno, not a
page with PageError set, so this test is not needed.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
index eb7de9e2a384e..24cfe9db66e02 100644
--- a/fs/nilfs2/dir.c
+++ b/fs/nilfs2/dir.c
@@ -194,7 +194,7 @@ static struct page *nilfs_get_page(struct inode *dir, unsigned long n)
if (!IS_ERR(page)) {
kmap(page);
if (unlikely(!PageChecked(page))) {
- if (PageError(page) || !nilfs_check_page(page))
+ if (!nilfs_check_page(page))
goto fail;
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 072/356] nilfs2: return the mapped address from nilfs_get_page()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 071/356] nilfs2: Remove check for PageError Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 073/356] nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors Greg Kroah-Hartman
` (291 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Ryusuke Konishi, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit 09a46acb3697e50548bb265afa1d79163659dd85 ]
In prepartion for switching from kmap() to kmap_local(), return the kmap
address from nilfs_get_page() instead of having the caller look up
page_address().
[konishi.ryusuke: fixed a missing blank line after declaration]
Link: https://lkml.kernel.org/r/20231127143036.2425-7-konishi.ryusuke@gmail.com
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/dir.c | 57 +++++++++++++++++++++++--------------------------
1 file changed, 27 insertions(+), 30 deletions(-)
diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
index 24cfe9db66e02..22f1f75a90c1a 100644
--- a/fs/nilfs2/dir.c
+++ b/fs/nilfs2/dir.c
@@ -186,19 +186,24 @@ static bool nilfs_check_page(struct page *page)
return false;
}
-static struct page *nilfs_get_page(struct inode *dir, unsigned long n)
+static void *nilfs_get_page(struct inode *dir, unsigned long n,
+ struct page **pagep)
{
struct address_space *mapping = dir->i_mapping;
struct page *page = read_mapping_page(mapping, n, NULL);
+ void *kaddr;
- if (!IS_ERR(page)) {
- kmap(page);
- if (unlikely(!PageChecked(page))) {
- if (!nilfs_check_page(page))
- goto fail;
- }
+ if (IS_ERR(page))
+ return page;
+
+ kaddr = kmap(page);
+ if (unlikely(!PageChecked(page))) {
+ if (!nilfs_check_page(page))
+ goto fail;
}
- return page;
+
+ *pagep = page;
+ return kaddr;
fail:
nilfs_put_page(page);
@@ -275,14 +280,14 @@ static int nilfs_readdir(struct file *file, struct dir_context *ctx)
for ( ; n < npages; n++, offset = 0) {
char *kaddr, *limit;
struct nilfs_dir_entry *de;
- struct page *page = nilfs_get_page(inode, n);
+ struct page *page;
- if (IS_ERR(page)) {
+ kaddr = nilfs_get_page(inode, n, &page);
+ if (IS_ERR(kaddr)) {
nilfs_error(sb, "bad page in #%lu", inode->i_ino);
ctx->pos += PAGE_SIZE - offset;
return -EIO;
}
- kaddr = page_address(page);
de = (struct nilfs_dir_entry *)(kaddr + offset);
limit = kaddr + nilfs_last_byte(inode, n) -
NILFS_DIR_REC_LEN(1);
@@ -345,11 +350,9 @@ nilfs_find_entry(struct inode *dir, const struct qstr *qstr,
start = 0;
n = start;
do {
- char *kaddr;
+ char *kaddr = nilfs_get_page(dir, n, &page);
- page = nilfs_get_page(dir, n);
- if (!IS_ERR(page)) {
- kaddr = page_address(page);
+ if (!IS_ERR(kaddr)) {
de = (struct nilfs_dir_entry *)kaddr;
kaddr += nilfs_last_byte(dir, n) - reclen;
while ((char *) de <= kaddr) {
@@ -387,15 +390,11 @@ nilfs_find_entry(struct inode *dir, const struct qstr *qstr,
struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct page **p)
{
- struct page *page = nilfs_get_page(dir, 0);
- struct nilfs_dir_entry *de = NULL;
+ struct nilfs_dir_entry *de = nilfs_get_page(dir, 0, p);
- if (!IS_ERR(page)) {
- de = nilfs_next_entry(
- (struct nilfs_dir_entry *)page_address(page));
- *p = page;
- }
- return de;
+ if (IS_ERR(de))
+ return NULL;
+ return nilfs_next_entry(de);
}
ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr)
@@ -459,12 +458,11 @@ int nilfs_add_link(struct dentry *dentry, struct inode *inode)
for (n = 0; n <= npages; n++) {
char *dir_end;
- page = nilfs_get_page(dir, n);
- err = PTR_ERR(page);
- if (IS_ERR(page))
+ kaddr = nilfs_get_page(dir, n, &page);
+ err = PTR_ERR(kaddr);
+ if (IS_ERR(kaddr))
goto out;
lock_page(page);
- kaddr = page_address(page);
dir_end = kaddr + nilfs_last_byte(dir, n);
de = (struct nilfs_dir_entry *)kaddr;
kaddr += PAGE_SIZE - reclen;
@@ -627,11 +625,10 @@ int nilfs_empty_dir(struct inode *inode)
char *kaddr;
struct nilfs_dir_entry *de;
- page = nilfs_get_page(inode, i);
- if (IS_ERR(page))
+ kaddr = nilfs_get_page(inode, i, &page);
+ if (IS_ERR(kaddr))
continue;
- kaddr = page_address(page);
de = (struct nilfs_dir_entry *)kaddr;
kaddr += nilfs_last_byte(inode, i) - NILFS_DIR_REC_LEN(1);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 073/356] nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 072/356] nilfs2: return the mapped address from nilfs_get_page() Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 074/356] USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages Greg Kroah-Hartman
` (290 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi,
syzbot+c8166c541d3971bf6c87, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
[ Upstream commit 7373a51e7998b508af7136530f3a997b286ce81c ]
The error handling in nilfs_empty_dir() when a directory folio/page read
fails is incorrect, as in the old ext2 implementation, and if the
folio/page cannot be read or nilfs_check_folio() fails, it will falsely
determine the directory as empty and corrupt the file system.
In addition, since nilfs_empty_dir() does not immediately return on a
failed folio/page read, but continues to loop, this can cause a long loop
with I/O if i_size of the directory's inode is also corrupted, causing the
log writer thread to wait and hang, as reported by syzbot.
Fix these issues by making nilfs_empty_dir() immediately return a false
value (0) if it fails to get a directory folio/page.
Link: https://lkml.kernel.org/r/20240604134255.7165-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+c8166c541d3971bf6c87@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c8166c541d3971bf6c87
Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
index 22f1f75a90c1a..552234ef22fe7 100644
--- a/fs/nilfs2/dir.c
+++ b/fs/nilfs2/dir.c
@@ -627,7 +627,7 @@ int nilfs_empty_dir(struct inode *inode)
kaddr = nilfs_get_page(inode, i, &page);
if (IS_ERR(kaddr))
- continue;
+ return 0;
de = (struct nilfs_dir_entry *)kaddr;
kaddr += nilfs_last_byte(inode, i) - NILFS_DIR_REC_LEN(1);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 074/356] USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 073/356] nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 075/356] usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state Greg Kroah-Hartman
` (289 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alan Stern,
syzbot+5f996b83575ef4058638, syzbot+1b2abad17596ad03dcff
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 22f00812862564b314784167a89f27b444f82a46 upstream.
The syzbot fuzzer found that the interrupt-URB completion callback in
the cdc-wdm driver was taking too long, and the driver's immediate
resubmission of interrupt URBs with -EPROTO status combined with the
dummy-hcd emulation to cause a CPU lockup:
cdc_wdm 1-1:1.0: nonzero urb status received: -71
cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes
watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]
CPU#0 Utilization every 4s during lockup:
#1: 98% system, 0% softirq, 3% hardirq, 0% idle
#2: 98% system, 0% softirq, 3% hardirq, 0% idle
#3: 98% system, 0% softirq, 3% hardirq, 0% idle
#4: 98% system, 0% softirq, 3% hardirq, 0% idle
#5: 98% system, 1% softirq, 3% hardirq, 0% idle
Modules linked in:
irq event stamp: 73096
hardirqs last enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline]
hardirqs last enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994
hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
softirqs last enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline]
softirqs last enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582
softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588
CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Testing showed that the problem did not occur if the two error
messages -- the first two lines above -- were removed; apparently adding
material to the kernel log takes a surprisingly large amount of time.
In any case, the best approach for preventing these lockups and to
avoid spamming the log with thousands of error messages per second is
to ratelimit the two dev_err() calls. Therefore we replace them with
dev_err_ratelimited().
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Suggested-by: Greg KH <gregkh@linuxfoundation.org>
Reported-and-tested-by: syzbot+5f996b83575ef4058638@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/00000000000073d54b061a6a1c65@google.com/
Reported-and-tested-by: syzbot+1b2abad17596ad03dcff@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/000000000000f45085061aa9b37e@google.com/
Fixes: 9908a32e94de ("USB: remove err() macro from usb class drivers")
Link: https://lore.kernel.org/linux-usb/40dfa45b-5f21-4eef-a8c1-51a2f320e267@rowland.harvard.edu/
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/29855215-52f5-4385-b058-91f42c2bee18@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-wdm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -266,14 +266,14 @@ static void wdm_int_callback(struct urb
dev_err(&desc->intf->dev, "Stall on int endpoint\n");
goto sw; /* halt is cleared in work */
default:
- dev_err(&desc->intf->dev,
+ dev_err_ratelimited(&desc->intf->dev,
"nonzero urb status received: %d\n", status);
break;
}
}
if (urb->actual_length < sizeof(struct usb_cdc_notification)) {
- dev_err(&desc->intf->dev, "wdm_int_callback - %d bytes\n",
+ dev_err_ratelimited(&desc->intf->dev, "wdm_int_callback - %d bytes\n",
urb->actual_length);
goto exit;
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 075/356] usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 074/356] USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 076/356] mei: me: release irq in mei_me_pci_resume error path Greg Kroah-Hartman
` (288 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kyle Tso, Heikki Krogerus
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kyle Tso <kyletso@google.com>
commit fc8fb9eea94d8f476e15f3a4a7addeb16b3b99d6 upstream.
Similar to what fixed in Commit a6fe37f428c1 ("usb: typec: tcpm: Skip
hard reset when in error recovery"), the handling of the received Hard
Reset has to be skipped during TOGGLING state.
[ 4086.021288] VBUS off
[ 4086.021295] pending state change SNK_READY -> SNK_UNATTACHED @ 650 ms [rev2 NONE_AMS]
[ 4086.022113] VBUS VSAFE0V
[ 4086.022117] state change SNK_READY -> SNK_UNATTACHED [rev2 NONE_AMS]
[ 4086.022447] VBUS off
[ 4086.022450] state change SNK_UNATTACHED -> SNK_UNATTACHED [rev2 NONE_AMS]
[ 4086.023060] VBUS VSAFE0V
[ 4086.023064] state change SNK_UNATTACHED -> SNK_UNATTACHED [rev2 NONE_AMS]
[ 4086.023070] disable BIST MODE TESTDATA
[ 4086.023766] disable vbus discharge ret:0
[ 4086.023911] Setting usb_comm capable false
[ 4086.028874] Setting voltage/current limit 0 mV 0 mA
[ 4086.028888] polarity 0
[ 4086.030305] Requesting mux state 0, usb-role 0, orientation 0
[ 4086.033539] Start toggling
[ 4086.038496] state change SNK_UNATTACHED -> TOGGLING [rev2 NONE_AMS]
// This Hard Reset is unexpected
[ 4086.038499] Received hard reset
[ 4086.038501] state change TOGGLING -> HARD_RESET_START [rev2 HARD_RESET]
Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
Cc: stable@vger.kernel.org
Signed-off-by: Kyle Tso <kyletso@google.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20240520154858.1072347-1-kyletso@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -5351,6 +5351,7 @@ static void _tcpm_pd_hard_reset(struct t
port->tcpc->set_bist_data(port->tcpc, false);
switch (port->state) {
+ case TOGGLING:
case ERROR_RECOVERY:
case PORT_RESET:
case PORT_RESET_WAIT_OFF:
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 076/356] mei: me: release irq in mei_me_pci_resume error path
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 075/356] usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 077/356] jfs: xattr: fix buffer overflow for invalid xattr Greg Kroah-Hartman
` (287 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Tomas Winkler
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomas Winkler <tomas.winkler@intel.com>
commit 283cb234ef95d94c61f59e1cd070cd9499b51292 upstream.
The mei_me_pci_resume doesn't release irq on the error path,
in case mei_start() fails.
Cc: <stable@kernel.org>
Fixes: 33ec08263147 ("mei: revamp mei reset state machine")
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20240604090728.1027307-1-tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/mei/pci-me.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/misc/mei/pci-me.c
+++ b/drivers/misc/mei/pci-me.c
@@ -400,8 +400,10 @@ static int mei_me_pci_resume(struct devi
}
err = mei_restart(dev);
- if (err)
+ if (err) {
+ free_irq(pdev->irq, dev);
return err;
+ }
/* Start timer if stopped in suspend */
schedule_delayed_work(&dev->timer_work, HZ);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 077/356] jfs: xattr: fix buffer overflow for invalid xattr
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 076/356] mei: me: release irq in mei_me_pci_resume error path Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 078/356] xhci: Set correct transferred length for cancelled bulk transfers Greg Kroah-Hartman
` (286 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9dfe490c8176301c1d06,
Dave Kleikamp
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7c55b78818cfb732680c4a72ab270cc2d2ee3d0f upstream.
When an xattr size is not what is expected, it is printed out to the
kernel log in hex format as a form of debugging. But when that xattr
size is bigger than the expected size, printing it out can cause an
access off the end of the buffer.
Fix this all up by properly restricting the size of the debug hex dump
in the kernel log.
Reported-by: syzbot+9dfe490c8176301c1d06@syzkaller.appspotmail.com
Cc: Dave Kleikamp <shaggy@kernel.org>
Link: https://lore.kernel.org/r/2024051433-slider-cloning-98f9@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jfs/xattr.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -557,9 +557,11 @@ static int ea_get(struct inode *inode, s
size_check:
if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
+ int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size);
+
printk(KERN_ERR "ea_get: invalid extended attribute\n");
print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
- ea_buf->xattr, ea_size, 1);
+ ea_buf->xattr, size, 1);
ea_release(inode, ea_buf);
rc = -EIO;
goto clean_up;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 078/356] xhci: Set correct transferred length for cancelled bulk transfers
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 077/356] jfs: xattr: fix buffer overflow for invalid xattr Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 079/356] xhci: Apply reset resume quirk to Etron EJ188 xHCI host Greg Kroah-Hartman
` (285 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pierre Tomon, Alan Stern,
Mathias Nyman
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit f0260589b439e2637ad54a2b25f00a516ef28a57 upstream.
The transferred length is set incorrectly for cancelled bulk
transfer TDs in case the bulk transfer ring stops on the last transfer
block with a 'Stop - Length Invalid' completion code.
length essentially ends up being set to the requested length:
urb->actual_length = urb->transfer_buffer_length
Length for 'Stop - Length Invalid' cases should be the sum of all
TRB transfer block lengths up to the one the ring stopped on,
_excluding_ the one stopped on.
Fix this by always summing up TRB lengths for 'Stop - Length Invalid'
bulk cases.
This issue was discovered by Alan Stern while debugging
https://bugzilla.kernel.org/show_bug.cgi?id=218890, but does not
solve that bug. Issue is older than 4.10 kernel but fix won't apply
to those due to major reworks in that area.
Tested-by: Pierre Tomon <pierretom+12@ik.me>
Cc: stable@vger.kernel.org # v4.10+
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240611120610.3264502-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-ring.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -2570,9 +2570,8 @@ static int process_bulk_intr_td(struct x
goto finish_td;
case COMP_STOPPED_LENGTH_INVALID:
/* stopped on ep trb with invalid length, exclude it */
- ep_trb_len = 0;
- remaining = 0;
- break;
+ td->urb->actual_length = sum_trb_lengths(xhci, ep_ring, ep_trb);
+ goto finish_td;
case COMP_USB_TRANSACTION_ERROR:
if (xhci->quirks & XHCI_NO_SOFT_RETRY ||
(ep->err_count++ > MAX_SOFT_RETRY) ||
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 079/356] xhci: Apply reset resume quirk to Etron EJ188 xHCI host
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 078/356] xhci: Set correct transferred length for cancelled bulk transfers Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 080/356] xhci: Handle TD clearing for multiple streams case Greg Kroah-Hartman
` (284 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kuangyi Chiang, Mathias Nyman
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuangyi Chiang <ki.chiang65@gmail.com>
commit 17bd54555c2aaecfdb38e2734149f684a73fa584 upstream.
As described in commit c877b3b2ad5c ("xhci: Add reset on resume quirk for
asrock p67 host"), EJ188 have the same issue as EJ168, where completely
dies on resume. So apply XHCI_RESET_ON_RESUME quirk to EJ188 as well.
Cc: stable@vger.kernel.org
Signed-off-by: Kuangyi Chiang <ki.chiang65@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240611120610.3264502-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-pci.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -36,6 +36,7 @@
#define PCI_VENDOR_ID_ETRON 0x1b6f
#define PCI_DEVICE_ID_EJ168 0x7023
+#define PCI_DEVICE_ID_EJ188 0x7052
#define PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI 0x8c31
#define PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI 0x9c31
@@ -276,6 +277,10 @@ static void xhci_pci_quirks(struct devic
xhci->quirks |= XHCI_TRUST_TX_LENGTH;
xhci->quirks |= XHCI_BROKEN_STREAMS;
}
+ if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
+ pdev->device == PCI_DEVICE_ID_EJ188)
+ xhci->quirks |= XHCI_RESET_ON_RESUME;
+
if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
pdev->device == 0x0014) {
xhci->quirks |= XHCI_TRUST_TX_LENGTH;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 080/356] xhci: Handle TD clearing for multiple streams case
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 079/356] xhci: Apply reset resume quirk to Etron EJ188 xHCI host Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 081/356] xhci: Apply broken streams quirk to Etron EJ188 xHCI host Greg Kroah-Hartman
` (283 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, security, Neal Gompa, Hector Martin,
Mathias Nyman
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hector Martin <marcan@marcan.st>
commit 5ceac4402f5d975e5a01c806438eb4e554771577 upstream.
When multiple streams are in use, multiple TDs might be in flight when
an endpoint is stopped. We need to issue a Set TR Dequeue Pointer for
each, to ensure everything is reset properly and the caches cleared.
Change the logic so that any N>1 TDs found active for different streams
are deferred until after the first one is processed, calling
xhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to
queue another command until we are done with all of them. Also change
the error/"should never happen" paths to ensure we at least clear any
affected TDs, even if we can't issue a command to clear the hardware
cache, and complain loudly with an xhci_warn() if this ever happens.
This problem case dates back to commit e9df17eb1408 ("USB: xhci: Correct
assumptions about number of rings per endpoint.") early on in the XHCI
driver's life, when stream support was first added.
It was then identified but not fixed nor made into a warning in commit
674f8438c121 ("xhci: split handling halted endpoints into two steps"),
which added a FIXME comment for the problem case (without materially
changing the behavior as far as I can tell, though the new logic made
the problem more obvious).
Then later, in commit 94f339147fc3 ("xhci: Fix failure to give back some
cached cancelled URBs."), it was acknowledged again.
[Mathias: commit 94f339147fc3 ("xhci: Fix failure to give back some cached
cancelled URBs.") was a targeted regression fix to the previously mentioned
patch. Users reported issues with usb stuck after unmounting/disconnecting
UAS devices. This rolled back the TD clearing of multiple streams to its
original state.]
Apparently the commit author was aware of the problem (yet still chose
to submit it): It was still mentioned as a FIXME, an xhci_dbg() was
added to log the problem condition, and the remaining issue was mentioned
in the commit description. The choice of making the log type xhci_dbg()
for what is, at this point, a completely unhandled and known broken
condition is puzzling and unfortunate, as it guarantees that no actual
users would see the log in production, thereby making it nigh
undebuggable (indeed, even if you turn on DEBUG, the message doesn't
really hint at there being a problem at all).
It took me *months* of random xHC crashes to finally find a reliable
repro and be able to do a deep dive debug session, which could all have
been avoided had this unhandled, broken condition been actually reported
with a warning, as it should have been as a bug intentionally left in
unfixed (never mind that it shouldn't have been left in at all).
> Another fix to solve clearing the caches of all stream rings with
> cancelled TDs is needed, but not as urgent.
3 years after that statement and 14 years after the original bug was
introduced, I think it's finally time to fix it. And maybe next time
let's not leave bugs unfixed (that are actually worse than the original
bug), and let's actually get people to review kernel commits please.
Fixes xHC crashes and IOMMU faults with UAS devices when handling
errors/faults. Easiest repro is to use `hdparm` to mark an early sector
(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.
At least in the case of JMicron controllers, the read errors end up
having to cancel two TDs (for two queued requests to different streams)
and the one that didn't get cleared properly ends up faulting the xHC
entirely when it tries to access DMA pages that have since been unmapped,
referred to by the stale TDs. This normally happens quickly (after two
or three loops). After this fix, I left the `cat` in a loop running
overnight and experienced no xHC failures, with all read errors
recovered properly. Repro'd and tested on an Apple M1 Mac Mini
(dwc3 host).
On systems without an IOMMU, this bug would instead silently corrupt
freed memory, making this a security bug (even on systems with IOMMUs
this could silently corrupt memory belonging to other USB devices on the
same controller, so it's still a security bug). Given that the kernel
autoprobes partition tables, I'm pretty sure a malicious USB device
pretending to be a UAS device and reporting an error with the right
timing could deliberately trigger a UAF and write to freed memory, with
no user action.
[Mathias: Commit message and code comment edit, original at:]
https://lore.kernel.org/linux-usb/20240524-xhci-streams-v1-1-6b1f13819bea@marcan.st/
Fixes: e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.")
Fixes: 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs.")
Fixes: 674f8438c121 ("xhci: split handling halted endpoints into two steps")
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240611120610.3264502-5-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-ring.c | 54 ++++++++++++++++++++++++++++++++++---------
drivers/usb/host/xhci.h | 1
2 files changed, 44 insertions(+), 11 deletions(-)
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -994,13 +994,27 @@ static int xhci_invalidate_cancelled_tds
break;
case TD_DIRTY: /* TD is cached, clear it */
case TD_HALTED:
+ case TD_CLEARING_CACHE_DEFERRED:
+ if (cached_td) {
+ if (cached_td->urb->stream_id != td->urb->stream_id) {
+ /* Multiple streams case, defer move dq */
+ xhci_dbg(xhci,
+ "Move dq deferred: stream %u URB %p\n",
+ td->urb->stream_id, td->urb);
+ td->cancel_status = TD_CLEARING_CACHE_DEFERRED;
+ break;
+ }
+
+ /* Should never happen, but clear the TD if it does */
+ xhci_warn(xhci,
+ "Found multiple active URBs %p and %p in stream %u?\n",
+ td->urb, cached_td->urb,
+ td->urb->stream_id);
+ td_to_noop(xhci, ring, cached_td, false);
+ cached_td->cancel_status = TD_CLEARED;
+ }
+
td->cancel_status = TD_CLEARING_CACHE;
- if (cached_td)
- /* FIXME stream case, several stopped rings */
- xhci_dbg(xhci,
- "Move dq past stream %u URB %p instead of stream %u URB %p\n",
- td->urb->stream_id, td->urb,
- cached_td->urb->stream_id, cached_td->urb);
cached_td = td;
break;
}
@@ -1020,10 +1034,16 @@ static int xhci_invalidate_cancelled_tds
if (err) {
/* Failed to move past cached td, just set cached TDs to no-op */
list_for_each_entry_safe(td, tmp_td, &ep->cancelled_td_list, cancelled_td_list) {
- if (td->cancel_status != TD_CLEARING_CACHE)
+ /*
+ * Deferred TDs need to have the deq pointer set after the above command
+ * completes, so if that failed we just give up on all of them (and
+ * complain loudly since this could cause issues due to caching).
+ */
+ if (td->cancel_status != TD_CLEARING_CACHE &&
+ td->cancel_status != TD_CLEARING_CACHE_DEFERRED)
continue;
- xhci_dbg(xhci, "Failed to clear cancelled cached URB %p, mark clear anyway\n",
- td->urb);
+ xhci_warn(xhci, "Failed to clear cancelled cached URB %p, mark clear anyway\n",
+ td->urb);
td_to_noop(xhci, ring, td, false);
td->cancel_status = TD_CLEARED;
}
@@ -1366,6 +1386,7 @@ static void xhci_handle_cmd_set_deq(stru
struct xhci_ep_ctx *ep_ctx;
struct xhci_slot_ctx *slot_ctx;
struct xhci_td *td, *tmp_td;
+ bool deferred = false;
ep_index = TRB_TO_EP_INDEX(le32_to_cpu(trb->generic.field[3]));
stream_id = TRB_TO_STREAM_ID(le32_to_cpu(trb->generic.field[2]));
@@ -1452,6 +1473,8 @@ static void xhci_handle_cmd_set_deq(stru
xhci_dbg(ep->xhci, "%s: Giveback cancelled URB %p TD\n",
__func__, td->urb);
xhci_td_cleanup(ep->xhci, td, ep_ring, td->status);
+ } else if (td->cancel_status == TD_CLEARING_CACHE_DEFERRED) {
+ deferred = true;
} else {
xhci_dbg(ep->xhci, "%s: Keep cancelled URB %p TD as cancel_status is %d\n",
__func__, td->urb, td->cancel_status);
@@ -1461,8 +1484,17 @@ cleanup:
ep->ep_state &= ~SET_DEQ_PENDING;
ep->queued_deq_seg = NULL;
ep->queued_deq_ptr = NULL;
- /* Restart any rings with pending URBs */
- ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
+
+ if (deferred) {
+ /* We have more streams to clear */
+ xhci_dbg(ep->xhci, "%s: Pending TDs to clear, continuing with invalidation\n",
+ __func__);
+ xhci_invalidate_cancelled_tds(ep);
+ } else {
+ /* Restart any rings with pending URBs */
+ xhci_dbg(ep->xhci, "%s: All TDs cleared, ring doorbell\n", __func__);
+ ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
+ }
}
static void xhci_handle_cmd_reset_ep(struct xhci_hcd *xhci, int slot_id,
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1556,6 +1556,7 @@ enum xhci_cancelled_td_status {
TD_DIRTY = 0,
TD_HALTED,
TD_CLEARING_CACHE,
+ TD_CLEARING_CACHE_DEFERRED,
TD_CLEARED,
};
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 081/356] xhci: Apply broken streams quirk to Etron EJ188 xHCI host
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 080/356] xhci: Handle TD clearing for multiple streams case Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 082/356] scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory Greg Kroah-Hartman
` (282 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kuangyi Chiang, Mathias Nyman
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuangyi Chiang <ki.chiang65@gmail.com>
commit 91f7a1524a92c70ffe264db8bdfa075f15bbbeb9 upstream.
As described in commit 8f873c1ff4ca ("xhci: Blacklist using streams on the
Etron EJ168 controller"), EJ188 have the same issue as EJ168, where Streams
do not work reliable on EJ188. So apply XHCI_BROKEN_STREAMS quirk to EJ188
as well.
Cc: stable@vger.kernel.org
Signed-off-by: Kuangyi Chiang <ki.chiang65@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240611120610.3264502-4-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-pci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -278,8 +278,10 @@ static void xhci_pci_quirks(struct devic
xhci->quirks |= XHCI_BROKEN_STREAMS;
}
if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
- pdev->device == PCI_DEVICE_ID_EJ188)
+ pdev->device == PCI_DEVICE_ID_EJ188) {
xhci->quirks |= XHCI_RESET_ON_RESUME;
+ xhci->quirks |= XHCI_BROKEN_STREAMS;
+ }
if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
pdev->device == 0x0014) {
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 082/356] scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 081/356] xhci: Apply broken streams quirk to Etron EJ188 xHCI host Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 083/356] powerpc/uaccess: Fix build errors seen with GCC 13/14 Greg Kroah-Hartman
` (281 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Keith Busch, Breno Leitao,
Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
commit 4254dfeda82f20844299dca6c38cbffcfd499f41 upstream.
There is a potential out-of-bounds access when using test_bit() on a single
word. The test_bit() and set_bit() functions operate on long values, and
when testing or setting a single word, they can exceed the word
boundary. KASAN detects this issue and produces a dump:
BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas
Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965
For full log, please look at [1].
Make the allocation at least the size of sizeof(unsigned long) so that
set_bit() and test_bit() have sufficient room for read/write operations
without overwriting unallocated memory.
[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/
Fixes: c696f7b83ede ("scsi: mpt3sas: Implement device_remove_in_progress check in IOCTL path")
Cc: stable@vger.kernel.org
Suggested-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://lore.kernel.org/r/20240605085530.499432-1-leitao@debian.org
Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpt3sas/mpt3sas_base.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -8337,6 +8337,12 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPT
ioc->pd_handles_sz = (ioc->facts.MaxDevHandle / 8);
if (ioc->facts.MaxDevHandle % 8)
ioc->pd_handles_sz++;
+ /*
+ * pd_handles_sz should have, at least, the minimal room for
+ * set_bit()/test_bit(), otherwise out-of-memory touch may occur.
+ */
+ ioc->pd_handles_sz = ALIGN(ioc->pd_handles_sz, sizeof(unsigned long));
+
ioc->pd_handles = kzalloc(ioc->pd_handles_sz,
GFP_KERNEL);
if (!ioc->pd_handles) {
@@ -8354,6 +8360,13 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPT
ioc->pend_os_device_add_sz = (ioc->facts.MaxDevHandle / 8);
if (ioc->facts.MaxDevHandle % 8)
ioc->pend_os_device_add_sz++;
+
+ /*
+ * pend_os_device_add_sz should have, at least, the minimal room for
+ * set_bit()/test_bit(), otherwise out-of-memory may occur.
+ */
+ ioc->pend_os_device_add_sz = ALIGN(ioc->pend_os_device_add_sz,
+ sizeof(unsigned long));
ioc->pend_os_device_add = kzalloc(ioc->pend_os_device_add_sz,
GFP_KERNEL);
if (!ioc->pend_os_device_add) {
@@ -8645,6 +8658,12 @@ _base_check_ioc_facts_changes(struct MPT
if (ioc->facts.MaxDevHandle % 8)
pd_handles_sz++;
+ /*
+ * pd_handles should have, at least, the minimal room for
+ * set_bit()/test_bit(), otherwise out-of-memory touch may
+ * occur.
+ */
+ pd_handles_sz = ALIGN(pd_handles_sz, sizeof(unsigned long));
pd_handles = krealloc(ioc->pd_handles, pd_handles_sz,
GFP_KERNEL);
if (!pd_handles) {
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 083/356] powerpc/uaccess: Fix build errors seen with GCC 13/14
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 082/356] scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory Greg Kroah-Hartman
@ 2024-07-03 10:36 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 084/356] Input: try trimming too long modalias strings Greg Kroah-Hartman
` (280 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kewen Lin, Michael Ellerman
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman <mpe@ellerman.id.au>
commit 2d43cc701b96f910f50915ac4c2a0cae5deb734c upstream.
Building ppc64le_defconfig with GCC 14 fails with assembler errors:
CC fs/readdir.o
/tmp/ccdQn0mD.s: Assembler messages:
/tmp/ccdQn0mD.s:212: Error: operand out of domain (18 is not a multiple of 4)
/tmp/ccdQn0mD.s:226: Error: operand out of domain (18 is not a multiple of 4)
... [6 lines]
/tmp/ccdQn0mD.s:1699: Error: operand out of domain (18 is not a multiple of 4)
A snippet of the asm shows:
# ../fs/readdir.c:210: unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
ld 9,0(29) # MEM[(u64 *)name_38(D) + _88 * 1], MEM[(u64 *)name_38(D) + _88 * 1]
# 210 "../fs/readdir.c" 1
1: std 9,18(8) # put_user # *__pus_addr_52, MEM[(u64 *)name_38(D) + _88 * 1]
The 'std' instruction requires a 4-byte aligned displacement because
it is a DS-form instruction, and as the assembler says, 18 is not a
multiple of 4.
A similar error is seen with GCC 13 and CONFIG_UBSAN_SIGNED_WRAP=y.
The fix is to change the constraint on the memory operand to put_user(),
from "m" which is a general memory reference to "YZ".
The "Z" constraint is documented in the GCC manual PowerPC machine
constraints, and specifies a "memory operand accessed with indexed or
indirect addressing". "Y" is not documented in the manual but specifies
a "memory operand for a DS-form instruction". Using both allows the
compiler to generate a DS-form "std" or X-form "stdx" as appropriate.
The change has to be conditional on CONFIG_PPC_KERNEL_PREFIXED because
the "Y" constraint does not guarantee 4-byte alignment when prefixed
instructions are enabled.
Unfortunately clang doesn't support the "Y" constraint so that has to be
behind an ifdef.
Although the build error is only seen with GCC 13/14, that appears
to just be luck. The constraint has been incorrect since it was first
added.
Fixes: c20beffeec3c ("powerpc/uaccess: Use flexible addressing with __put_user()/__get_user()")
Cc: stable@vger.kernel.org # v5.10+
Suggested-by: Kewen Lin <linkw@gcc.gnu.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240529123029.146953-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/uaccess.h | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -90,9 +90,20 @@ __pu_failed: \
: \
: label)
+#ifdef CONFIG_CC_IS_CLANG
+#define DS_FORM_CONSTRAINT "Z<>"
+#else
+#define DS_FORM_CONSTRAINT "YZ<>"
+#endif
+
#ifdef __powerpc64__
-#define __put_user_asm2_goto(x, ptr, label) \
- __put_user_asm_goto(x, ptr, label, "std")
+#define __put_user_asm2_goto(x, addr, label) \
+ asm goto ("1: std%U1%X1 %0,%1 # put_user\n" \
+ EX_TABLE(1b, %l2) \
+ : \
+ : "r" (x), DS_FORM_CONSTRAINT (*addr) \
+ : \
+ : label)
#else /* __powerpc64__ */
#define __put_user_asm2_goto(x, addr, label) \
asm_volatile_goto( \
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 084/356] Input: try trimming too long modalias strings
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2024-07-03 10:36 ` [PATCH 5.15 083/356] powerpc/uaccess: Fix build errors seen with GCC 13/14 Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 085/356] clk: sifive: Do not register clkdevs for PRCI clocks Greg Kroah-Hartman
` (279 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Andryuk, Peter Hutterer,
Dmitry Torokhov, Jason Andryuk
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit 0774d19038c496f0c3602fb505c43e1b2d8eed85 upstream.
If an input device declares too many capability bits then modalias
string for such device may become too long and not fit into uevent
buffer, resulting in failure of sending said uevent. This, in turn,
may prevent userspace from recognizing existence of such devices.
This is typically not a concern for real hardware devices as they have
limited number of keys, but happen with synthetic devices such as
ones created by xen-kbdfront driver, which creates devices as being
capable of delivering all possible keys, since it doesn't know what
keys the backend may produce.
To deal with such devices input core will attempt to trim key data,
in the hope that the rest of modalias string will fit in the given
buffer. When trimming key data it will indicate that it is not
complete by placing "+," sign, resulting in conversions like this:
old: k71,72,73,74,78,7A,7B,7C,7D,8E,9E,A4,AD,E0,E1,E4,F8,174,
new: k71,72,73,74,78,7A,7B,7C,+,
This should allow existing udev rules continue to work with existing
devices, and will also allow writing more complex rules that would
recognize trimmed modalias and check input device characteristics by
other means (for example by parsing KEY= data in uevent or parsing
input device sysfs attributes).
Note that the driver core may try adding more uevent environment
variables once input core is done adding its own, so when forming
modalias we can not use the entire available buffer, so we reduce
it by somewhat an arbitrary amount (96 bytes).
Reported-by: Jason Andryuk <jandryuk@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Tested-by: Jason Andryuk <jandryuk@gmail.com>
Link: https://lore.kernel.org/r/ZjAWMQCJdrxZkvkB@google.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
---
---
drivers/input/input.c | 105 ++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 90 insertions(+), 15 deletions(-)
--- a/drivers/input/input.c
+++ b/drivers/input/input.c
@@ -1360,19 +1360,19 @@ static int input_print_modalias_bits(cha
char name, unsigned long *bm,
unsigned int min_bit, unsigned int max_bit)
{
- int len = 0, i;
+ int bit = min_bit;
+ int len = 0;
len += snprintf(buf, max(size, 0), "%c", name);
- for (i = min_bit; i < max_bit; i++)
- if (bm[BIT_WORD(i)] & BIT_MASK(i))
- len += snprintf(buf + len, max(size - len, 0), "%X,", i);
+ for_each_set_bit_from(bit, bm, max_bit)
+ len += snprintf(buf + len, max(size - len, 0), "%X,", bit);
return len;
}
-static int input_print_modalias(char *buf, int size, struct input_dev *id,
- int add_cr)
+static int input_print_modalias_parts(char *buf, int size, int full_len,
+ struct input_dev *id)
{
- int len;
+ int len, klen, remainder, space;
len = snprintf(buf, max(size, 0),
"input:b%04Xv%04Xp%04Xe%04X-",
@@ -1381,8 +1381,49 @@ static int input_print_modalias(char *bu
len += input_print_modalias_bits(buf + len, size - len,
'e', id->evbit, 0, EV_MAX);
- len += input_print_modalias_bits(buf + len, size - len,
+
+ /*
+ * Calculate the remaining space in the buffer making sure we
+ * have place for the terminating 0.
+ */
+ space = max(size - (len + 1), 0);
+
+ klen = input_print_modalias_bits(buf + len, size - len,
'k', id->keybit, KEY_MIN_INTERESTING, KEY_MAX);
+ len += klen;
+
+ /*
+ * If we have more data than we can fit in the buffer, check
+ * if we can trim key data to fit in the rest. We will indicate
+ * that key data is incomplete by adding "+" sign at the end, like
+ * this: * "k1,2,3,45,+,".
+ *
+ * Note that we shortest key info (if present) is "k+," so we
+ * can only try to trim if key data is longer than that.
+ */
+ if (full_len && size < full_len + 1 && klen > 3) {
+ remainder = full_len - len;
+ /*
+ * We can only trim if we have space for the remainder
+ * and also for at least "k+," which is 3 more characters.
+ */
+ if (remainder <= space - 3) {
+ int i;
+ /*
+ * We are guaranteed to have 'k' in the buffer, so
+ * we need at least 3 additional bytes for storing
+ * "+," in addition to the remainder.
+ */
+ for (i = size - 1 - remainder - 3; i >= 0; i--) {
+ if (buf[i] == 'k' || buf[i] == ',') {
+ strcpy(buf + i + 1, "+,");
+ len = i + 3; /* Not counting '\0' */
+ break;
+ }
+ }
+ }
+ }
+
len += input_print_modalias_bits(buf + len, size - len,
'r', id->relbit, 0, REL_MAX);
len += input_print_modalias_bits(buf + len, size - len,
@@ -1398,12 +1439,25 @@ static int input_print_modalias(char *bu
len += input_print_modalias_bits(buf + len, size - len,
'w', id->swbit, 0, SW_MAX);
- if (add_cr)
- len += snprintf(buf + len, max(size - len, 0), "\n");
-
return len;
}
+static int input_print_modalias(char *buf, int size, struct input_dev *id)
+{
+ int full_len;
+
+ /*
+ * Printing is done in 2 passes: first one figures out total length
+ * needed for the modalias string, second one will try to trim key
+ * data in case when buffer is too small for the entire modalias.
+ * If the buffer is too small regardless, it will fill as much as it
+ * can (without trimming key data) into the buffer and leave it to
+ * the caller to figure out what to do with the result.
+ */
+ full_len = input_print_modalias_parts(NULL, 0, 0, id);
+ return input_print_modalias_parts(buf, size, full_len, id);
+}
+
static ssize_t input_dev_show_modalias(struct device *dev,
struct device_attribute *attr,
char *buf)
@@ -1411,7 +1465,9 @@ static ssize_t input_dev_show_modalias(s
struct input_dev *id = to_input_dev(dev);
ssize_t len;
- len = input_print_modalias(buf, PAGE_SIZE, id, 1);
+ len = input_print_modalias(buf, PAGE_SIZE, id);
+ if (len < PAGE_SIZE - 2)
+ len += snprintf(buf + len, PAGE_SIZE - len, "\n");
return min_t(int, len, PAGE_SIZE);
}
@@ -1623,6 +1679,23 @@ static int input_add_uevent_bm_var(struc
return 0;
}
+/*
+ * This is a pretty gross hack. When building uevent data the driver core
+ * may try adding more environment variables to kobj_uevent_env without
+ * telling us, so we have no idea how much of the buffer we can use to
+ * avoid overflows/-ENOMEM elsewhere. To work around this let's artificially
+ * reduce amount of memory we will use for the modalias environment variable.
+ *
+ * The potential additions are:
+ *
+ * SEQNUM=18446744073709551615 - (%llu - 28 bytes)
+ * HOME=/ (6 bytes)
+ * PATH=/sbin:/bin:/usr/sbin:/usr/bin (34 bytes)
+ *
+ * 68 bytes total. Allow extra buffer - 96 bytes
+ */
+#define UEVENT_ENV_EXTRA_LEN 96
+
static int input_add_uevent_modalias_var(struct kobj_uevent_env *env,
struct input_dev *dev)
{
@@ -1632,9 +1705,11 @@ static int input_add_uevent_modalias_var
return -ENOMEM;
len = input_print_modalias(&env->buf[env->buflen - 1],
- sizeof(env->buf) - env->buflen,
- dev, 0);
- if (len >= (sizeof(env->buf) - env->buflen))
+ (int)sizeof(env->buf) - env->buflen -
+ UEVENT_ENV_EXTRA_LEN,
+ dev);
+ if (len >= ((int)sizeof(env->buf) - env->buflen -
+ UEVENT_ENV_EXTRA_LEN))
return -ENOMEM;
env->buflen += len;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 085/356] clk: sifive: Do not register clkdevs for PRCI clocks
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 084/356] Input: try trimming too long modalias strings Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 086/356] SUNRPC: return proper error from gss_wrap_req_priv Greg Kroah-Hartman
` (278 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Russell King,
Samuel Holland, Stephen Boyd, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuel Holland <samuel.holland@sifive.com>
[ Upstream commit 2607133196c35f31892ee199ce7ffa717bea4ad1 ]
These clkdevs were unnecessary, because systems using this driver always
look up clocks using the devicetree. And as Russell King points out[1],
since the provided device name was truncated, lookups via clkdev would
never match.
Recently, commit 8d532528ff6a ("clkdev: report over-sized strings when
creating clkdev entries") caused clkdev registration to fail due to the
truncation, and this now prevents the driver from probing. Fix the
driver by removing the clkdev registration.
Link: https://lore.kernel.org/linux-clk/ZkfYqj+OcAxd9O2t@shell.armlinux.org.uk/ [1]
Fixes: 30b8e27e3b58 ("clk: sifive: add a driver for the SiFive FU540 PRCI IP block")
Fixes: 8d532528ff6a ("clkdev: report over-sized strings when creating clkdev entries")
Reported-by: Guenter Roeck <linux@roeck-us.net>
Closes: https://lore.kernel.org/linux-clk/7eda7621-0dde-4153-89e4-172e4c095d01@roeck-us.net/
Suggested-by: Russell King <linux@armlinux.org.uk>
Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
Link: https://lore.kernel.org/r/20240528001432.1200403-1-samuel.holland@sifive.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/sifive/sifive-prci.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/drivers/clk/sifive/sifive-prci.c b/drivers/clk/sifive/sifive-prci.c
index 80a288c59e56d..8b573ff646f65 100644
--- a/drivers/clk/sifive/sifive-prci.c
+++ b/drivers/clk/sifive/sifive-prci.c
@@ -4,7 +4,6 @@
* Copyright (C) 2020 Zong Li
*/
-#include <linux/clkdev.h>
#include <linux/delay.h>
#include <linux/io.h>
#include <linux/of_device.h>
@@ -541,13 +540,6 @@ static int __prci_register_clocks(struct device *dev, struct __prci_data *pd,
return r;
}
- r = clk_hw_register_clkdev(&pic->hw, pic->name, dev_name(dev));
- if (r) {
- dev_warn(dev, "Failed to register clkdev for %s: %d\n",
- init.name, r);
- return r;
- }
-
pd->hw_clks.hws[i] = &pic->hw;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 086/356] SUNRPC: return proper error from gss_wrap_req_priv
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 085/356] clk: sifive: Do not register clkdevs for PRCI clocks Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 087/356] platform/x86: dell-smbios-base: Use sysfs_emit() Greg Kroah-Hartman
` (277 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Hanxiao, Benjamin Coddington,
Chuck Lever, Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Hanxiao <chenhx.fnst@fujitsu.com>
[ Upstream commit 33c94d7e3cb84f6d130678d6d59ba475a6c489cf ]
don't return 0 if snd_buf->len really greater than snd_buf->buflen
Signed-off-by: Chen Hanxiao <chenhx.fnst@fujitsu.com>
Fixes: 0c77668ddb4e ("SUNRPC: Introduce trace points in rpc_auth_gss.ko")
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/auth_gss/auth_gss.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 2ff66a6a7e54c..7ce4a6b7cfae6 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -1855,8 +1855,10 @@ gss_wrap_req_priv(struct rpc_cred *cred, struct gss_cl_ctx *ctx,
offset = (u8 *)p - (u8 *)snd_buf->head[0].iov_base;
maj_stat = gss_wrap(ctx->gc_gss_ctx, offset, snd_buf, inpages);
/* slack space should prevent this ever happening: */
- if (unlikely(snd_buf->len > snd_buf->buflen))
+ if (unlikely(snd_buf->len > snd_buf->buflen)) {
+ status = -EIO;
goto wrap_failed;
+ }
/* We're assuming that when GSS_S_CONTEXT_EXPIRED, the encryption was
* done anyway, so it's safe to put the request on the wire: */
if (maj_stat == GSS_S_CONTEXT_EXPIRED)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 087/356] platform/x86: dell-smbios-base: Use sysfs_emit()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 086/356] SUNRPC: return proper error from gss_wrap_req_priv Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 088/356] platform/x86: dell-smbios: Fix wrong token data in sysfs Greg Kroah-Hartman
` (276 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ye xingchen, Hans de Goede,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: ye xingchen <ye.xingchen@zte.com.cn>
[ Upstream commit bbfa903b4f9a0a76719f386367fed5e64187f577 ]
Replace the open-code with sysfs_emit() to simplify the code.
Signed-off-by: ye xingchen <ye.xingchen@zte.com.cn>
Link: https://lore.kernel.org/r/20220923063233.239091-1-ye.xingchen@zte.com.cn
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Stable-dep-of: 1981b296f858 ("platform/x86: dell-smbios: Fix wrong token data in sysfs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/dell/dell-smbios-base.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/dell/dell-smbios-base.c b/drivers/platform/x86/dell/dell-smbios-base.c
index fc086b66f70b3..e61bfaf8b5c48 100644
--- a/drivers/platform/x86/dell/dell-smbios-base.c
+++ b/drivers/platform/x86/dell/dell-smbios-base.c
@@ -441,7 +441,7 @@ static ssize_t location_show(struct device *dev,
i = match_attribute(dev, attr);
if (i > 0)
- return scnprintf(buf, PAGE_SIZE, "%08x", da_tokens[i].location);
+ return sysfs_emit(buf, "%08x", da_tokens[i].location);
return 0;
}
@@ -455,7 +455,7 @@ static ssize_t value_show(struct device *dev,
i = match_attribute(dev, attr);
if (i > 0)
- return scnprintf(buf, PAGE_SIZE, "%08x", da_tokens[i].value);
+ return sysfs_emit(buf, "%08x", da_tokens[i].value);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 088/356] platform/x86: dell-smbios: Fix wrong token data in sysfs
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 087/356] platform/x86: dell-smbios-base: Use sysfs_emit() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 089/356] gpio: tqmx86: fix typo in Kconfig label Greg Kroah-Hartman
` (275 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armin Wolf, Ilpo Järvinen,
Hans de Goede, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 1981b296f858010eae409548fd297659b2cc570e ]
When reading token data from sysfs on my Inspiron 3505, the token
locations and values are wrong. This happens because match_attribute()
blindly assumes that all entries in da_tokens have an associated
entry in token_attrs.
This however is not true as soon as da_tokens[] contains zeroed
token entries. Those entries are being skipped when initialising
token_attrs, breaking the core assumption of match_attribute().
Fix this by defining an extra struct for each pair of token attributes
and use container_of() to retrieve token information.
Tested on a Dell Inspiron 3050.
Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20240528204903.445546-1-W_Armin@gmx.de
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/dell/dell-smbios-base.c | 91 ++++++++++-----------------
1 file changed, 35 insertions(+), 56 deletions(-)
--- a/drivers/platform/x86/dell/dell-smbios-base.c
+++ b/drivers/platform/x86/dell/dell-smbios-base.c
@@ -25,11 +25,16 @@ static u32 da_supported_commands;
static int da_num_tokens;
static struct platform_device *platform_device;
static struct calling_interface_token *da_tokens;
-static struct device_attribute *token_location_attrs;
-static struct device_attribute *token_value_attrs;
+static struct token_sysfs_data *token_entries;
static struct attribute **token_attrs;
static DEFINE_MUTEX(smbios_mutex);
+struct token_sysfs_data {
+ struct device_attribute location_attr;
+ struct device_attribute value_attr;
+ struct calling_interface_token *token;
+};
+
struct smbios_device {
struct list_head list;
struct device *device;
@@ -416,47 +421,26 @@ static void __init find_tokens(const str
}
}
-static int match_attribute(struct device *dev,
- struct device_attribute *attr)
-{
- int i;
-
- for (i = 0; i < da_num_tokens * 2; i++) {
- if (!token_attrs[i])
- continue;
- if (strcmp(token_attrs[i]->name, attr->attr.name) == 0)
- return i/2;
- }
- dev_dbg(dev, "couldn't match: %s\n", attr->attr.name);
- return -EINVAL;
-}
-
static ssize_t location_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
- int i;
+ struct token_sysfs_data *data = container_of(attr, struct token_sysfs_data, location_attr);
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
- i = match_attribute(dev, attr);
- if (i > 0)
- return sysfs_emit(buf, "%08x", da_tokens[i].location);
- return 0;
+ return sysfs_emit(buf, "%08x", data->token->location);
}
static ssize_t value_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
- int i;
+ struct token_sysfs_data *data = container_of(attr, struct token_sysfs_data, value_attr);
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
- i = match_attribute(dev, attr);
- if (i > 0)
- return sysfs_emit(buf, "%08x", da_tokens[i].value);
- return 0;
+ return sysfs_emit(buf, "%08x", data->token->value);
}
static struct attribute_group smbios_attribute_group = {
@@ -473,22 +457,15 @@ static int build_tokens_sysfs(struct pla
{
char *location_name;
char *value_name;
- size_t size;
int ret;
int i, j;
- /* (number of tokens + 1 for null terminated */
- size = sizeof(struct device_attribute) * (da_num_tokens + 1);
- token_location_attrs = kzalloc(size, GFP_KERNEL);
- if (!token_location_attrs)
+ token_entries = kcalloc(da_num_tokens, sizeof(*token_entries), GFP_KERNEL);
+ if (!token_entries)
return -ENOMEM;
- token_value_attrs = kzalloc(size, GFP_KERNEL);
- if (!token_value_attrs)
- goto out_allocate_value;
/* need to store both location and value + terminator*/
- size = sizeof(struct attribute *) * ((2 * da_num_tokens) + 1);
- token_attrs = kzalloc(size, GFP_KERNEL);
+ token_attrs = kcalloc((2 * da_num_tokens) + 1, sizeof(*token_attrs), GFP_KERNEL);
if (!token_attrs)
goto out_allocate_attrs;
@@ -496,27 +473,32 @@ static int build_tokens_sysfs(struct pla
/* skip empty */
if (da_tokens[i].tokenID == 0)
continue;
+
+ token_entries[i].token = &da_tokens[i];
+
/* add location */
location_name = kasprintf(GFP_KERNEL, "%04x_location",
da_tokens[i].tokenID);
if (location_name == NULL)
goto out_unwind_strings;
- sysfs_attr_init(&token_location_attrs[i].attr);
- token_location_attrs[i].attr.name = location_name;
- token_location_attrs[i].attr.mode = 0444;
- token_location_attrs[i].show = location_show;
- token_attrs[j++] = &token_location_attrs[i].attr;
+
+ sysfs_attr_init(&token_entries[i].location_attr.attr);
+ token_entries[i].location_attr.attr.name = location_name;
+ token_entries[i].location_attr.attr.mode = 0444;
+ token_entries[i].location_attr.show = location_show;
+ token_attrs[j++] = &token_entries[i].location_attr.attr;
/* add value */
value_name = kasprintf(GFP_KERNEL, "%04x_value",
da_tokens[i].tokenID);
if (value_name == NULL)
goto loop_fail_create_value;
- sysfs_attr_init(&token_value_attrs[i].attr);
- token_value_attrs[i].attr.name = value_name;
- token_value_attrs[i].attr.mode = 0444;
- token_value_attrs[i].show = value_show;
- token_attrs[j++] = &token_value_attrs[i].attr;
+
+ sysfs_attr_init(&token_entries[i].value_attr.attr);
+ token_entries[i].value_attr.attr.name = value_name;
+ token_entries[i].value_attr.attr.mode = 0444;
+ token_entries[i].value_attr.show = value_show;
+ token_attrs[j++] = &token_entries[i].value_attr.attr;
continue;
loop_fail_create_value:
@@ -532,14 +514,12 @@ loop_fail_create_value:
out_unwind_strings:
while (i--) {
- kfree(token_location_attrs[i].attr.name);
- kfree(token_value_attrs[i].attr.name);
+ kfree(token_entries[i].location_attr.attr.name);
+ kfree(token_entries[i].value_attr.attr.name);
}
kfree(token_attrs);
out_allocate_attrs:
- kfree(token_value_attrs);
-out_allocate_value:
- kfree(token_location_attrs);
+ kfree(token_entries);
return -ENOMEM;
}
@@ -551,12 +531,11 @@ static void free_group(struct platform_d
sysfs_remove_group(&pdev->dev.kobj,
&smbios_attribute_group);
for (i = 0; i < da_num_tokens; i++) {
- kfree(token_location_attrs[i].attr.name);
- kfree(token_value_attrs[i].attr.name);
+ kfree(token_entries[i].location_attr.attr.name);
+ kfree(token_entries[i].value_attr.attr.name);
}
kfree(token_attrs);
- kfree(token_value_attrs);
- kfree(token_location_attrs);
+ kfree(token_entries);
}
static int __init dell_smbios_init(void)
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 089/356] gpio: tqmx86: fix typo in Kconfig label
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 088/356] platform/x86: dell-smbios: Fix wrong token data in sysfs Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 090/356] gpio: tqmx86: store IRQ trigger type and unmask status separately Greg Kroah-Hartman
` (274 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gregor Herburger, Matthias Schiffer,
Andrew Lunn, Bartosz Golaszewski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gregor Herburger <gregor.herburger@tq-group.com>
[ Upstream commit 8c219e52ca4d9a67cd6a7074e91bf29b55edc075 ]
Fix description for GPIO_TQMX86 from QTMX86 to TQMx86.
Fixes: b868db94a6a7 ("gpio: tqmx86: Add GPIO from for this IO controller")
Signed-off-by: Gregor Herburger <gregor.herburger@tq-group.com>
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/e0e38c9944ad6d281d9a662a45d289b88edc808e.1717063994.git.matthias.schiffer@ew.tq-group.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpio/Kconfig b/drivers/gpio/Kconfig
index 7b9def6b10047..a36afb47a6334 100644
--- a/drivers/gpio/Kconfig
+++ b/drivers/gpio/Kconfig
@@ -1396,7 +1396,7 @@ config GPIO_TPS68470
drivers are loaded.
config GPIO_TQMX86
- tristate "TQ-Systems QTMX86 GPIO"
+ tristate "TQ-Systems TQMx86 GPIO"
depends on MFD_TQMX86 || COMPILE_TEST
depends on HAS_IOPORT_MAP
select GPIOLIB_IRQCHIP
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 090/356] gpio: tqmx86: store IRQ trigger type and unmask status separately
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 089/356] gpio: tqmx86: fix typo in Kconfig label Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 091/356] HID: core: remove unnecessary WARN_ON() in implement() Greg Kroah-Hartman
` (273 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matthias Schiffer,
Bartosz Golaszewski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
commit 08af509efdf8dad08e972b48de0e2c2a7919ea8b upstream.
irq_set_type() should not implicitly unmask the IRQ.
All accesses to the interrupt configuration register are moved to a new
helper tqmx86_gpio_irq_config(). We also introduce the new rule that
accessing irq_type must happen while locked, which will become
significant for fixing EDGE_BOTH handling.
Fixes: b868db94a6a7 ("gpio: tqmx86: Add GPIO from for this IO controller")
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Link: https://lore.kernel.org/r/6aa4f207f77cb58ef64ffb947e91949b0f753ccd.1717063994.git.matthias.schiffer@ew.tq-group.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-tqmx86.c | 46 +++++++++++++++++++++++++--------------------
1 file changed, 26 insertions(+), 20 deletions(-)
--- a/drivers/gpio/gpio-tqmx86.c
+++ b/drivers/gpio/gpio-tqmx86.c
@@ -27,16 +27,20 @@
#define TQMX86_GPIIC 3 /* GPI Interrupt Configuration Register */
#define TQMX86_GPIIS 4 /* GPI Interrupt Status Register */
+#define TQMX86_GPII_NONE 0
#define TQMX86_GPII_FALLING BIT(0)
#define TQMX86_GPII_RISING BIT(1)
#define TQMX86_GPII_MASK (BIT(0) | BIT(1))
#define TQMX86_GPII_BITS 2
+/* Stored in irq_type with GPII bits */
+#define TQMX86_INT_UNMASKED BIT(2)
struct tqmx86_gpio_data {
struct gpio_chip chip;
struct irq_chip irq_chip;
void __iomem *io_base;
int irq;
+ /* Lock must be held for accessing output and irq_type fields */
raw_spinlock_t spinlock;
u8 irq_type[TQMX86_NGPI];
};
@@ -107,20 +111,30 @@ static int tqmx86_gpio_get_direction(str
return GPIO_LINE_DIRECTION_OUT;
}
+static void tqmx86_gpio_irq_config(struct tqmx86_gpio_data *gpio, int offset)
+ __must_hold(&gpio->spinlock)
+{
+ u8 type = TQMX86_GPII_NONE, gpiic;
+
+ if (gpio->irq_type[offset] & TQMX86_INT_UNMASKED)
+ type = gpio->irq_type[offset] & TQMX86_GPII_MASK;
+
+ gpiic = tqmx86_gpio_read(gpio, TQMX86_GPIIC);
+ gpiic &= ~(TQMX86_GPII_MASK << (offset * TQMX86_GPII_BITS));
+ gpiic |= type << (offset * TQMX86_GPII_BITS);
+ tqmx86_gpio_write(gpio, gpiic, TQMX86_GPIIC);
+}
+
static void tqmx86_gpio_irq_mask(struct irq_data *data)
{
unsigned int offset = (data->hwirq - TQMX86_NGPO);
struct tqmx86_gpio_data *gpio = gpiochip_get_data(
irq_data_get_irq_chip_data(data));
unsigned long flags;
- u8 gpiic, mask;
-
- mask = TQMX86_GPII_MASK << (offset * TQMX86_GPII_BITS);
raw_spin_lock_irqsave(&gpio->spinlock, flags);
- gpiic = tqmx86_gpio_read(gpio, TQMX86_GPIIC);
- gpiic &= ~mask;
- tqmx86_gpio_write(gpio, gpiic, TQMX86_GPIIC);
+ gpio->irq_type[offset] &= ~TQMX86_INT_UNMASKED;
+ tqmx86_gpio_irq_config(gpio, offset);
raw_spin_unlock_irqrestore(&gpio->spinlock, flags);
}
@@ -130,15 +144,10 @@ static void tqmx86_gpio_irq_unmask(struc
struct tqmx86_gpio_data *gpio = gpiochip_get_data(
irq_data_get_irq_chip_data(data));
unsigned long flags;
- u8 gpiic, mask;
-
- mask = TQMX86_GPII_MASK << (offset * TQMX86_GPII_BITS);
raw_spin_lock_irqsave(&gpio->spinlock, flags);
- gpiic = tqmx86_gpio_read(gpio, TQMX86_GPIIC);
- gpiic &= ~mask;
- gpiic |= gpio->irq_type[offset] << (offset * TQMX86_GPII_BITS);
- tqmx86_gpio_write(gpio, gpiic, TQMX86_GPIIC);
+ gpio->irq_type[offset] |= TQMX86_INT_UNMASKED;
+ tqmx86_gpio_irq_config(gpio, offset);
raw_spin_unlock_irqrestore(&gpio->spinlock, flags);
}
@@ -149,7 +158,7 @@ static int tqmx86_gpio_irq_set_type(stru
unsigned int offset = (data->hwirq - TQMX86_NGPO);
unsigned int edge_type = type & IRQF_TRIGGER_MASK;
unsigned long flags;
- u8 new_type, gpiic;
+ u8 new_type;
switch (edge_type) {
case IRQ_TYPE_EDGE_RISING:
@@ -165,13 +174,10 @@ static int tqmx86_gpio_irq_set_type(stru
return -EINVAL; /* not supported */
}
- gpio->irq_type[offset] = new_type;
-
raw_spin_lock_irqsave(&gpio->spinlock, flags);
- gpiic = tqmx86_gpio_read(gpio, TQMX86_GPIIC);
- gpiic &= ~((TQMX86_GPII_MASK) << (offset * TQMX86_GPII_BITS));
- gpiic |= new_type << (offset * TQMX86_GPII_BITS);
- tqmx86_gpio_write(gpio, gpiic, TQMX86_GPIIC);
+ gpio->irq_type[offset] &= ~TQMX86_GPII_MASK;
+ gpio->irq_type[offset] |= new_type;
+ tqmx86_gpio_irq_config(gpio, offset);
raw_spin_unlock_irqrestore(&gpio->spinlock, flags);
return 0;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 091/356] HID: core: remove unnecessary WARN_ON() in implement()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 090/356] gpio: tqmx86: store IRQ trigger type and unmask status separately Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 092/356] iommu/amd: Introduce pci segment structure Greg Kroah-Hartman
` (272 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5186630949e3c55f0799,
Alan Stern, Nikita Zhandarovich, Jiri Kosina, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
[ Upstream commit 4aa2dcfbad538adf7becd0034a3754e1bd01b2b5 ]
Syzkaller hit a warning [1] in a call to implement() when trying
to write a value into a field of smaller size in an output report.
Since implement() already has a warn message printed out with the
help of hid_warn() and value in question gets trimmed with:
...
value &= m;
...
WARN_ON may be considered superfluous. Remove it to suppress future
syzkaller triggers.
[1]
WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]
WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863
Modules linked in:
CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]
RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863
...
Call Trace:
<TASK>
__usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]
usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636
hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
Fixes: 95d1c8951e5b ("HID: simplify implement() a bit")
Reported-by: <syzbot+5186630949e3c55f0799@syzkaller.appspotmail.com>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-core.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 7b76405df8c47..15f4a80477974 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1446,7 +1446,6 @@ static void implement(const struct hid_device *hid, u8 *report,
hid_warn(hid,
"%s() called with too large value %d (n: %d)! (%s)\n",
__func__, value, n, current->comm);
- WARN_ON(1);
value &= m;
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 092/356] iommu/amd: Introduce pci segment structure
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 091/356] HID: core: remove unnecessary WARN_ON() in implement() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 093/356] iommu/amd: Fix sysfs leak in iommu init Greg Kroah-Hartman
` (271 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suravee Suthikulpanit, Vasant Hegde,
Joerg Roedel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasant Hegde <vasant.hegde@amd.com>
[ Upstream commit 404ec4e4c169fb64da6b2a38b471c13ac0897c76 ]
Newer AMD systems can support multiple PCI segments, where each segment
contains one or more IOMMU instances. However, an IOMMU instance can only
support a single PCI segment.
Current code assumes that system contains only one pci segment (segment 0)
and creates global data structures such as device table, rlookup table,
etc.
Introducing per PCI segment data structure, which contains segment
specific data structures. This will eventually replace the global
data structures.
Also update `amd_iommu->pci_seg` variable to point to PCI segment
structure instead of PCI segment ID.
Co-developed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Signed-off-by: Vasant Hegde <vasant.hegde@amd.com>
Link: https://lore.kernel.org/r/20220706113825.25582-3-vasant.hegde@amd.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Stable-dep-of: a295ec52c862 ("iommu/amd: Fix sysfs leak in iommu init")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/amd/amd_iommu_types.h | 24 ++++++++++++++-
drivers/iommu/amd/init.c | 46 ++++++++++++++++++++++++++++-
2 files changed, 68 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h
index 390f10060c82b..2dc025acad4ce 100644
--- a/drivers/iommu/amd/amd_iommu_types.h
+++ b/drivers/iommu/amd/amd_iommu_types.h
@@ -450,6 +450,11 @@ extern bool amd_iommu_irq_remap;
/* kmem_cache to get tables with 128 byte alignement */
extern struct kmem_cache *amd_iommu_irq_cache;
+/* Make iterating over all pci segment easier */
+#define for_each_pci_segment(pci_seg) \
+ list_for_each_entry((pci_seg), &amd_iommu_pci_seg_list, list)
+#define for_each_pci_segment_safe(pci_seg, next) \
+ list_for_each_entry_safe((pci_seg), (next), &amd_iommu_pci_seg_list, list)
/*
* Make iterating over all IOMMUs easier
*/
@@ -524,6 +529,17 @@ struct protection_domain {
unsigned dev_iommu[MAX_IOMMUS]; /* per-IOMMU reference count */
};
+/*
+ * This structure contains information about one PCI segment in the system.
+ */
+struct amd_iommu_pci_seg {
+ /* List with all PCI segments in the system */
+ struct list_head list;
+
+ /* PCI segment number */
+ u16 id;
+};
+
/*
* Structure where we save information about one hardware AMD IOMMU in the
* system.
@@ -575,7 +591,7 @@ struct amd_iommu {
u16 cap_ptr;
/* pci domain of this IOMMU */
- u16 pci_seg;
+ struct amd_iommu_pci_seg *pci_seg;
/* start of exclusion range of that IOMMU */
u64 exclusion_start;
@@ -703,6 +719,12 @@ extern struct list_head ioapic_map;
extern struct list_head hpet_map;
extern struct list_head acpihid_map;
+/*
+ * List with all PCI segments in the system. This list is not locked because
+ * it is only written at driver initialization time
+ */
+extern struct list_head amd_iommu_pci_seg_list;
+
/*
* List with all IOMMUs in the system. This list is not locked because it is
* only written and read at driver initialization or suspend time
diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index ef855495c210e..724874ad0b2a8 100644
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -167,6 +167,7 @@ u16 amd_iommu_last_bdf; /* largest PCI device id we have
LIST_HEAD(amd_iommu_unity_map); /* a list of required unity mappings
we find in ACPI */
+LIST_HEAD(amd_iommu_pci_seg_list); /* list of all PCI segments */
LIST_HEAD(amd_iommu_list); /* list of all AMD IOMMUs in the
system */
@@ -1455,6 +1456,43 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu,
return 0;
}
+/* Allocate PCI segment data structure */
+static struct amd_iommu_pci_seg *__init alloc_pci_segment(u16 id)
+{
+ struct amd_iommu_pci_seg *pci_seg;
+
+ pci_seg = kzalloc(sizeof(struct amd_iommu_pci_seg), GFP_KERNEL);
+ if (pci_seg == NULL)
+ return NULL;
+
+ pci_seg->id = id;
+ list_add_tail(&pci_seg->list, &amd_iommu_pci_seg_list);
+
+ return pci_seg;
+}
+
+static struct amd_iommu_pci_seg *__init get_pci_segment(u16 id)
+{
+ struct amd_iommu_pci_seg *pci_seg;
+
+ for_each_pci_segment(pci_seg) {
+ if (pci_seg->id == id)
+ return pci_seg;
+ }
+
+ return alloc_pci_segment(id);
+}
+
+static void __init free_pci_segments(void)
+{
+ struct amd_iommu_pci_seg *pci_seg, *next;
+
+ for_each_pci_segment_safe(pci_seg, next) {
+ list_del(&pci_seg->list);
+ kfree(pci_seg);
+ }
+}
+
static void __init free_iommu_one(struct amd_iommu *iommu)
{
free_cwwb_sem(iommu);
@@ -1541,8 +1579,14 @@ static void amd_iommu_ats_write_check_workaround(struct amd_iommu *iommu)
*/
static int __init init_iommu_one(struct amd_iommu *iommu, struct ivhd_header *h)
{
+ struct amd_iommu_pci_seg *pci_seg;
int ret;
+ pci_seg = get_pci_segment(h->pci_seg);
+ if (pci_seg == NULL)
+ return -ENOMEM;
+ iommu->pci_seg = pci_seg;
+
raw_spin_lock_init(&iommu->lock);
iommu->cmd_sem_val = 0;
@@ -1563,7 +1607,6 @@ static int __init init_iommu_one(struct amd_iommu *iommu, struct ivhd_header *h)
*/
iommu->devid = h->devid;
iommu->cap_ptr = h->cap_ptr;
- iommu->pci_seg = h->pci_seg;
iommu->mmio_phys = h->mmio_phys;
switch (h->type) {
@@ -2604,6 +2647,7 @@ static void __init free_iommu_resources(void)
amd_iommu_dev_table = NULL;
free_iommu_all();
+ free_pci_segments();
}
/* SB IOAPIC is always on this device in AMD systems */
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 093/356] iommu/amd: Fix sysfs leak in iommu init
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 092/356] iommu/amd: Introduce pci segment structure Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 094/356] iommu: Return right value in iommu_sva_bind_device() Greg Kroah-Hartman
` (270 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kun(llfl), Suravee Suthikulpanit,
Joerg Roedel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kun(llfl) <llfl@linux.alibaba.com>
[ Upstream commit a295ec52c8624883885396fde7b4df1a179627c3 ]
During the iommu initialization, iommu_init_pci() adds sysfs nodes.
However, these nodes aren't remove in free_iommu_resources() subsequently.
Fixes: 39ab9555c241 ("iommu: Add sysfs bindings for struct iommu_device")
Signed-off-by: Kun(llfl) <llfl@linux.alibaba.com>
Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Link: https://lore.kernel.org/r/c8e0d11c6ab1ee48299c288009cf9c5dae07b42d.1715215003.git.llfl@linux.alibaba.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/amd/init.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index 724874ad0b2a8..70f3720d96c7e 100644
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -1493,8 +1493,17 @@ static void __init free_pci_segments(void)
}
}
+static void __init free_sysfs(struct amd_iommu *iommu)
+{
+ if (iommu->iommu.dev) {
+ iommu_device_unregister(&iommu->iommu);
+ iommu_device_sysfs_remove(&iommu->iommu);
+ }
+}
+
static void __init free_iommu_one(struct amd_iommu *iommu)
{
+ free_sysfs(iommu);
free_cwwb_sem(iommu);
free_command_buffer(iommu);
free_event_buffer(iommu);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 094/356] iommu: Return right value in iommu_sva_bind_device()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 093/356] iommu/amd: Fix sysfs leak in iommu init Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 095/356] HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Greg Kroah-Hartman
` (269 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lu Baolu, Jean-Philippe Brucker,
Kevin Tian, Vasant Hegde, Joerg Roedel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
[ Upstream commit 89e8a2366e3bce584b6c01549d5019c5cda1205e ]
iommu_sva_bind_device() should return either a sva bond handle or an
ERR_PTR value in error cases. Existing drivers (idxd and uacce) only
check the return value with IS_ERR(). This could potentially lead to
a kernel NULL pointer dereference issue if the function returns NULL
instead of an error pointer.
In reality, this doesn't cause any problems because iommu_sva_bind_device()
only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.
In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will
return an error, and the device drivers won't call iommu_sva_bind_device()
at all.
Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Link: https://lore.kernel.org/r/20240528042528.71396-1-baolu.lu@linux.intel.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/iommu.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/iommu.h b/include/linux/iommu.h
index d2f3435e7d176..2202a665b0927 100644
--- a/include/linux/iommu.h
+++ b/include/linux/iommu.h
@@ -1038,7 +1038,7 @@ iommu_aux_get_pasid(struct iommu_domain *domain, struct device *dev)
static inline struct iommu_sva *
iommu_sva_bind_device(struct device *dev, struct mm_struct *mm, void *drvdata)
{
- return NULL;
+ return ERR_PTR(-ENODEV);
}
static inline void iommu_sva_unbind_device(struct iommu_sva *handle)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 095/356] HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 094/356] iommu: Return right value in iommu_sva_bind_device() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 096/356] drm/vmwgfx: 3D disabled should not effect STDU memory limits Greg Kroah-Hartman
` (268 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, José Expósito, Jiri Kosina,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: José Expósito <jose.exposito89@gmail.com>
[ Upstream commit ce3af2ee95170b7d9e15fff6e500d67deab1e7b3 ]
Fix a memory leak on logi_dj_recv_send_report() error path.
Fixes: 6f20d3261265 ("HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode()")
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-logitech-dj.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
index 57697605b2e24..dc7b0fe83478e 100644
--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
@@ -1284,8 +1284,10 @@ static int logi_dj_recv_switch_to_dj_mode(struct dj_receiver_dev *djrcv_dev,
*/
msleep(50);
- if (retval)
+ if (retval) {
+ kfree(dj_report);
return retval;
+ }
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 096/356] drm/vmwgfx: 3D disabled should not effect STDU memory limits
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 095/356] HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 097/356] net: sfp: Always call `sfp_sm_mod_remove()` on remove Greg Kroah-Hartman
` (267 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Forbes, Zack Rusin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Forbes <ian.forbes@broadcom.com>
[ Upstream commit fb5e19d2dd03eb995ccd468d599b2337f7f66555 ]
This limit became a hard cap starting with the change referenced below.
Surface creation on the device will fail if the requested size is larger
than this limit so altering the value arbitrarily will expose modes that
are too large for the device's hard limits.
Fixes: 7ebb47c9f9ab ("drm/vmwgfx: Read new register for GB memory when available")
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240521184720.767-3-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
index 8449d09c06f7a..0f09a9116b054 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
@@ -904,13 +904,6 @@ static int vmw_driver_load(struct vmw_private *dev_priv, u32 pci_id)
vmw_read(dev_priv,
SVGA_REG_SUGGESTED_GBOBJECT_MEM_SIZE_KB);
- /*
- * Workaround for low memory 2D VMs to compensate for the
- * allocation taken by fbdev
- */
- if (!(dev_priv->capabilities & SVGA_CAP_3D))
- mem_size *= 3;
-
dev_priv->max_mob_pages = mem_size * 1024 / PAGE_SIZE;
dev_priv->max_primary_mem =
vmw_read(dev_priv, SVGA_REG_MAX_PRIMARY_MEM);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 097/356] net: sfp: Always call `sfp_sm_mod_remove()` on remove
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 096/356] drm/vmwgfx: 3D disabled should not effect STDU memory limits Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 098/356] net: hns3: fix kernel crash problem in concurrent scenario Greg Kroah-Hartman
` (266 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, =20Bence?=, Andrew Lunn,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Csókás, Bence <csokas.bence@prolan.hu>
[ Upstream commit e96b2933152fd87b6a41765b2f58b158fde855b6 ]
If the module is in SFP_MOD_ERROR, `sfp_sm_mod_remove()` will
not be run. As a consequence, `sfp_hwmon_remove()` is not getting
run either, leaving a stale `hwmon` device behind. `sfp_sm_mod_remove()`
itself checks `sfp->sm_mod_state` anyways, so this check was not
really needed in the first place.
Fixes: d2e816c0293f ("net: sfp: handle module remove outside state machine")
Signed-off-by: "Csókás, Bence" <csokas.bence@prolan.hu>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/20240605084251.63502-1-csokas.bence@prolan.hu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/sfp.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
index d5918605eae6f..2bb30d635bbca 100644
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -2004,8 +2004,7 @@ static void sfp_sm_module(struct sfp *sfp, unsigned int event)
/* Handle remove event globally, it resets this state machine */
if (event == SFP_E_REMOVE) {
- if (sfp->sm_mod_state > SFP_MOD_PROBE)
- sfp_sm_mod_remove(sfp);
+ sfp_sm_mod_remove(sfp);
sfp_sm_mod_next(sfp, SFP_MOD_EMPTY, 0);
return;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 098/356] net: hns3: fix kernel crash problem in concurrent scenario
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 097/356] net: sfp: Always call `sfp_sm_mod_remove()` on remove Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 099/356] net: hns3: add cond_resched() to hns3 ring buffer init process Greg Kroah-Hartman
` (265 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yonglong Liu, Jijie Shao,
Simon Horman, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonglong Liu <liuyonglong@huawei.com>
[ Upstream commit 12cda920212a49fa22d9e8b9492ac4ea013310a4 ]
When link status change, the nic driver need to notify the roce
driver to handle this event, but at this time, the roce driver
may uninit, then cause kernel crash.
To fix the problem, when link status change, need to check
whether the roce registered, and when uninit, need to wait link
update finish.
Fixes: 45e92b7e4e27 ("net: hns3: add calling roce callback function when link status change")
Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../hisilicon/hns3/hns3pf/hclge_main.c | 21 ++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index d58048b056781..c3690e49c3d95 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -2948,9 +2948,7 @@ static void hclge_push_link_status(struct hclge_dev *hdev)
static void hclge_update_link_status(struct hclge_dev *hdev)
{
- struct hnae3_handle *rhandle = &hdev->vport[0].roce;
struct hnae3_handle *handle = &hdev->vport[0].nic;
- struct hnae3_client *rclient = hdev->roce_client;
struct hnae3_client *client = hdev->nic_client;
int state;
int ret;
@@ -2974,8 +2972,15 @@ static void hclge_update_link_status(struct hclge_dev *hdev)
client->ops->link_status_change(handle, state);
hclge_config_mac_tnl_int(hdev, state);
- if (rclient && rclient->ops->link_status_change)
- rclient->ops->link_status_change(rhandle, state);
+
+ if (test_bit(HCLGE_STATE_ROCE_REGISTERED, &hdev->state)) {
+ struct hnae3_handle *rhandle = &hdev->vport[0].roce;
+ struct hnae3_client *rclient = hdev->roce_client;
+
+ if (rclient && rclient->ops->link_status_change)
+ rclient->ops->link_status_change(rhandle,
+ state);
+ }
hclge_push_link_status(hdev);
}
@@ -11431,6 +11436,12 @@ static int hclge_init_client_instance(struct hnae3_client *client,
return ret;
}
+static bool hclge_uninit_need_wait(struct hclge_dev *hdev)
+{
+ return test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) ||
+ test_bit(HCLGE_STATE_LINK_UPDATING, &hdev->state);
+}
+
static void hclge_uninit_client_instance(struct hnae3_client *client,
struct hnae3_ae_dev *ae_dev)
{
@@ -11439,7 +11450,7 @@ static void hclge_uninit_client_instance(struct hnae3_client *client,
if (hdev->roce_client) {
clear_bit(HCLGE_STATE_ROCE_REGISTERED, &hdev->state);
- while (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state))
+ while (hclge_uninit_need_wait(hdev))
msleep(HCLGE_WAIT_RESET_DONE);
hdev->roce_client->ops->uninit_instance(&vport->roce, 0);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 099/356] net: hns3: add cond_resched() to hns3 ring buffer init process
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 098/356] net: hns3: fix kernel crash problem in concurrent scenario Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 100/356] liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet Greg Kroah-Hartman
` (264 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jie Wang, Jijie Shao, Simon Horman,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jie Wang <wangjie125@huawei.com>
[ Upstream commit 968fde83841a8c23558dfbd0a0c69d636db52b55 ]
Currently hns3 ring buffer init process would hold cpu too long with big
Tx/Rx ring depth. This could cause soft lockup.
So this patch adds cond_resched() to the process. Then cpu can break to
run other tasks instead of busy looping.
Fixes: a723fb8efe29 ("net: hns3: refine for set ring parameters")
Signed-off-by: Jie Wang <wangjie125@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 4 ++++
drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 2 ++
2 files changed, 6 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
index bbbafd8aa1b09..e48d33927c176 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -3342,6 +3342,9 @@ static int hns3_alloc_ring_buffers(struct hns3_enet_ring *ring)
ret = hns3_alloc_and_attach_buffer(ring, i);
if (ret)
goto out_buffer_fail;
+
+ if (!(i % HNS3_RESCHED_BD_NUM))
+ cond_resched();
}
return 0;
@@ -4887,6 +4890,7 @@ int hns3_init_all_ring(struct hns3_nic_priv *priv)
}
u64_stats_init(&priv->ring[i].syncp);
+ cond_resched();
}
return 0;
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h
index 91b656adaacb0..f60ba2ee8b8b1 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h
@@ -206,6 +206,8 @@ enum hns3_nic_state {
#define HNS3_CQ_MODE_EQE 1U
#define HNS3_CQ_MODE_CQE 0U
+#define HNS3_RESCHED_BD_NUM 1024
+
enum hns3_pkt_l2t_type {
HNS3_L2_TYPE_UNICAST,
HNS3_L2_TYPE_MULTICAST,
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 100/356] liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 099/356] net: hns3: add cond_resched() to hns3 ring buffer init process Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 101/356] drm/komeda: check for error-valued pointer Greg Kroah-Hartman
` (263 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Mishin, Simon Horman,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandr Mishin <amishin@t-argos.ru>
[ Upstream commit c44711b78608c98a3e6b49ce91678cd0917d5349 ]
In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,
but then it is unconditionally passed to skb_add_rx_frag() which looks
strange and could lead to null pointer dereference.
lio_vf_rep_copy_packet() call trace looks like:
octeon_droq_process_packets
octeon_droq_fast_process_packets
octeon_droq_dispatch_pkt
octeon_create_recv_info
...search in the dispatch_list...
->disp_fn(rdisp->rinfo, ...)
lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)
In this path there is no code which sets pg_info->page to NULL.
So this check looks unneeded and doesn't solve potential problem.
But I guess the author had reason to add a check and I have no such card
and can't do real test.
In addition, the code in the function liquidio_push_packet() in
liquidio/lio_core.c does exactly the same.
Based on this, I consider the most acceptable compromise solution to
adjust this issue by moving skb_add_rx_frag() into conditional scope.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 1f233f327913 ("liquidio: switchdev support for LiquidIO NIC")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
index 600de587d7a98..e70b9ccca380e 100644
--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
+++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
@@ -272,13 +272,12 @@ lio_vf_rep_copy_packet(struct octeon_device *oct,
pg_info->page_offset;
memcpy(skb->data, va, MIN_SKB_SIZE);
skb_put(skb, MIN_SKB_SIZE);
+ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
+ pg_info->page,
+ pg_info->page_offset + MIN_SKB_SIZE,
+ len - MIN_SKB_SIZE,
+ LIO_RXBUFFER_SZ);
}
-
- skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
- pg_info->page,
- pg_info->page_offset + MIN_SKB_SIZE,
- len - MIN_SKB_SIZE,
- LIO_RXBUFFER_SZ);
} else {
struct octeon_skb_page_info *pg_info =
((struct octeon_skb_page_info *)(skb->cb));
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 101/356] drm/komeda: check for error-valued pointer
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 100/356] liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 102/356] drm/bridge/panel: Fix runtime warning on panel bridge release Greg Kroah-Hartman
` (262 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amjad Ouled-Ameur, Maxime Ripard,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amjad Ouled-Ameur <amjad.ouled-ameur@arm.com>
[ Upstream commit b880018edd3a577e50366338194dee9b899947e0 ]
komeda_pipeline_get_state() may return an error-valued pointer, thus
check the pointer for negative or null value before dereferencing.
Fixes: 502932a03fce ("drm/komeda: Add the initial scaler support for CORE")
Signed-off-by: Amjad Ouled-Ameur <amjad.ouled-ameur@arm.com>
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240610102056.40406-1-amjad.ouled-ameur@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c b/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c
index 88b58153f9d66..c956fda918beb 100644
--- a/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c
+++ b/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c
@@ -259,7 +259,7 @@ komeda_component_get_avail_scaler(struct komeda_component *c,
u32 avail_scalers;
pipe_st = komeda_pipeline_get_state(c->pipeline, state);
- if (!pipe_st)
+ if (IS_ERR_OR_NULL(pipe_st))
return NULL;
avail_scalers = (pipe_st->active_comps & KOMEDA_PIPELINE_SCALERS) ^
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 102/356] drm/bridge/panel: Fix runtime warning on panel bridge release
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 101/356] drm/komeda: check for error-valued pointer Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 103/356] tcp: fix race in tcp_v6_syn_recv_sock() Greg Kroah-Hartman
` (261 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adam Miotk, Maxime Ripard,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Miotk <adam.miotk@arm.com>
[ Upstream commit ce62600c4dbee8d43b02277669dd91785a9b81d9 ]
Device managed panel bridge wrappers are created by calling to
drm_panel_bridge_add_typed() and registering a release handler for
clean-up when the device gets unbound.
Since the memory for this bridge is also managed and linked to the panel
device, the release function should not try to free that memory.
Moreover, the call to devm_kfree() inside drm_panel_bridge_remove() will
fail in this case and emit a warning because the panel bridge resource
is no longer on the device resources list (it has been removed from
there before the call to release handlers).
Fixes: 67022227ffb1 ("drm/bridge: Add a devm_ allocator for panel bridge.")
Signed-off-by: Adam Miotk <adam.miotk@arm.com>
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240610102739.139852-1-adam.miotk@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/bridge/panel.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/bridge/panel.c b/drivers/gpu/drm/bridge/panel.c
index b32295abd9e75..e67bcbef0e8ed 100644
--- a/drivers/gpu/drm/bridge/panel.c
+++ b/drivers/gpu/drm/bridge/panel.c
@@ -253,9 +253,12 @@ EXPORT_SYMBOL(drm_panel_bridge_remove);
static void devm_drm_panel_bridge_release(struct device *dev, void *res)
{
- struct drm_bridge **bridge = res;
+ struct drm_bridge *bridge = *(struct drm_bridge **)res;
- drm_panel_bridge_remove(*bridge);
+ if (!bridge)
+ return;
+
+ drm_bridge_remove(bridge);
}
/**
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 103/356] tcp: fix race in tcp_v6_syn_recv_sock()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 102/356] drm/bridge/panel: Fix runtime warning on panel bridge release Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 104/356] net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets Greg Kroah-Hartman
` (260 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Simon Horman,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d37fe4255abe8e7b419b90c5847e8ec2b8debb08 ]
tcp_v6_syn_recv_sock() calls ip6_dst_store() before
inet_sk(newsk)->pinet6 has been set up.
This means ip6_dst_store() writes over the parent (listener)
np->dst_cookie.
This is racy because multiple threads could share the same
parent and their final np->dst_cookie could be wrong.
Move ip6_dst_store() call after inet_sk(newsk)->pinet6
has been changed and after the copy of parent ipv6_pinfo.
Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/tcp_ipv6.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index c18fdddbfa09d..c1f1fa6e33161 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1331,7 +1331,6 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
*/
newsk->sk_gso_type = SKB_GSO_TCPV6;
- ip6_dst_store(newsk, dst, NULL, NULL);
inet6_sk_rx_dst_set(newsk, skb);
inet_sk(newsk)->pinet6 = tcp_inet6_sk(newsk);
@@ -1342,6 +1341,8 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+ ip6_dst_store(newsk, dst, NULL, NULL);
+
newsk->sk_v6_daddr = ireq->ir_v6_rmt_addr;
newnp->saddr = ireq->ir_v6_loc_addr;
newsk->sk_v6_rcv_saddr = ireq->ir_v6_loc_addr;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 104/356] net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 103/356] tcp: fix race in tcp_v6_syn_recv_sock() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 105/356] Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ Greg Kroah-Hartman
` (259 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Dragos Tatulea,
Tariq Toukan, Wojciech Drewek, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 791b4089e326271424b78f2fae778b20e53d071b ]
Move the vxlan_features_check() call to after we verified the packet is
a tunneled VXLAN packet.
Without this, tunneled UDP non-VXLAN packets (for ex. GENENVE) might
wrongly not get offloaded.
In some cases, it worked by chance as GENEVE header is the same size as
VXLAN, but it is obviously incorrect.
Fixes: e3cfc7e6b7bd ("net/mlx5e: TX, Add geneve tunnel stateless offload support")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index 79d687c663d54..a0870da414538 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -3989,7 +3989,7 @@ static netdev_features_t mlx5e_tunnel_features_check(struct mlx5e_priv *priv,
/* Verify if UDP port is being offloaded by HW */
if (mlx5_vxlan_lookup_port(priv->mdev->vxlan, port))
- return features;
+ return vxlan_features_check(skb, features);
#if IS_ENABLED(CONFIG_GENEVE)
/* Support Geneve offload for default UDP port */
@@ -4015,7 +4015,6 @@ netdev_features_t mlx5e_features_check(struct sk_buff *skb,
struct mlx5e_priv *priv = netdev_priv(netdev);
features = vlan_features_check(skb, features);
- features = vxlan_features_check(skb, features);
/* Validate if the tunneled packet is being offloaded by HW */
if (skb->encapsulation &&
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 105/356] Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 104/356] net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 106/356] netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type Greg Kroah-Hartman
` (258 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 806a5198c05987b748b50f3d0c0cfb3d417381a4 ]
This removes the bogus check for max > hcon->le_conn_max_interval since
the later is just the initial maximum conn interval not the maximum the
stack could support which is really 3200=4000ms.
In order to pass GAP/CONN/CPUP/BV-05-C one shall probably enter values
of the following fields in IXIT that would cause hci_check_conn_params
to fail:
TSPX_conn_update_int_min
TSPX_conn_update_int_max
TSPX_conn_update_peripheral_latency
TSPX_conn_update_supervision_timeout
Link: https://github.com/bluez/bluez/issues/847
Fixes: e4b019515f95 ("Bluetooth: Enforce validation on max value of connection interval")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/bluetooth/hci_core.h | 36 ++++++++++++++++++++++++++++----
net/bluetooth/l2cap_core.c | 8 +------
2 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index b6114bc0dd0f2..d5935610c6602 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -1690,18 +1690,46 @@ static inline int hci_check_conn_params(u16 min, u16 max, u16 latency,
{
u16 max_latency;
- if (min > max || min < 6 || max > 3200)
+ if (min > max) {
+ BT_WARN("min %d > max %d", min, max);
return -EINVAL;
+ }
+
+ if (min < 6) {
+ BT_WARN("min %d < 6", min);
+ return -EINVAL;
+ }
+
+ if (max > 3200) {
+ BT_WARN("max %d > 3200", max);
+ return -EINVAL;
+ }
+
+ if (to_multiplier < 10) {
+ BT_WARN("to_multiplier %d < 10", to_multiplier);
+ return -EINVAL;
+ }
- if (to_multiplier < 10 || to_multiplier > 3200)
+ if (to_multiplier > 3200) {
+ BT_WARN("to_multiplier %d > 3200", to_multiplier);
return -EINVAL;
+ }
- if (max >= to_multiplier * 8)
+ if (max >= to_multiplier * 8) {
+ BT_WARN("max %d >= to_multiplier %d * 8", max, to_multiplier);
return -EINVAL;
+ }
max_latency = (to_multiplier * 4 / max) - 1;
- if (latency > 499 || latency > max_latency)
+ if (latency > 499) {
+ BT_WARN("latency %d > 499", latency);
return -EINVAL;
+ }
+
+ if (latency > max_latency) {
+ BT_WARN("latency %d > max_latency %d", latency, max_latency);
+ return -EINVAL;
+ }
return 0;
}
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 900b352975856..43a21a90619d9 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5617,13 +5617,7 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
memset(&rsp, 0, sizeof(rsp));
- if (max > hcon->le_conn_max_interval) {
- BT_DBG("requested connection interval exceeds current bounds.");
- err = -EINVAL;
- } else {
- err = hci_check_conn_params(min, max, latency, to_multiplier);
- }
-
+ err = hci_check_conn_params(min, max, latency, to_multiplier);
if (err)
rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
else
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 106/356] netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 105/356] Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 107/356] net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters Greg Kroah-Hartman
` (257 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lion Ackermann, Jozsef Kadlecsik,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jozsef Kadlecsik <kadlec@netfilter.org>
[ Upstream commit 4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10 ]
Lion Ackermann reported that there is a race condition between namespace cleanup
in ipset and the garbage collection of the list:set type. The namespace
cleanup can destroy the list:set type of sets while the gc of the set type is
waiting to run in rcu cleanup. The latter uses data from the destroyed set which
thus leads use after free. The patch contains the following parts:
- When destroying all sets, first remove the garbage collectors, then wait
if needed and then destroy the sets.
- Fix the badly ordered "wait then remove gc" for the destroy a single set
case.
- Fix the missing rcu locking in the list:set type in the userspace test
case.
- Use proper RCU list handlings in the list:set type.
The patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).
Fixes: 97f7cf1cd80e (netfilter: ipset: fix performance regression in swap operation)
Reported-by: Lion Ackermann <nnamrec@gmail.com>
Tested-by: Lion Ackermann <nnamrec@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/ipset/ip_set_core.c | 81 +++++++++++++++------------
net/netfilter/ipset/ip_set_list_set.c | 30 +++++-----
2 files changed, 60 insertions(+), 51 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 01cedf416b10a..8819c28a0e491 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1174,23 +1174,50 @@ ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
.len = IPSET_MAXNAMELEN - 1 },
};
+/* In order to return quickly when destroying a single set, it is split
+ * into two stages:
+ * - Cancel garbage collector
+ * - Destroy the set itself via call_rcu()
+ */
+
static void
-ip_set_destroy_set(struct ip_set *set)
+ip_set_destroy_set_rcu(struct rcu_head *head)
{
- pr_debug("set: %s\n", set->name);
+ struct ip_set *set = container_of(head, struct ip_set, rcu);
- /* Must call it without holding any lock */
set->variant->destroy(set);
module_put(set->type->me);
kfree(set);
}
static void
-ip_set_destroy_set_rcu(struct rcu_head *head)
+_destroy_all_sets(struct ip_set_net *inst)
{
- struct ip_set *set = container_of(head, struct ip_set, rcu);
+ struct ip_set *set;
+ ip_set_id_t i;
+ bool need_wait = false;
- ip_set_destroy_set(set);
+ /* First cancel gc's: set:list sets are flushed as well */
+ for (i = 0; i < inst->ip_set_max; i++) {
+ set = ip_set(inst, i);
+ if (set) {
+ set->variant->cancel_gc(set);
+ if (set->type->features & IPSET_TYPE_NAME)
+ need_wait = true;
+ }
+ }
+ /* Must wait for flush to be really finished */
+ if (need_wait)
+ rcu_barrier();
+ for (i = 0; i < inst->ip_set_max; i++) {
+ set = ip_set(inst, i);
+ if (set) {
+ ip_set(inst, i) = NULL;
+ set->variant->destroy(set);
+ module_put(set->type->me);
+ kfree(set);
+ }
+ }
}
static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info,
@@ -1204,11 +1231,10 @@ static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info,
if (unlikely(protocol_min_failed(attr)))
return -IPSET_ERR_PROTOCOL;
-
/* Commands are serialized and references are
* protected by the ip_set_ref_lock.
* External systems (i.e. xt_set) must call
- * ip_set_put|get_nfnl_* functions, that way we
+ * ip_set_nfnl_get_* functions, that way we
* can safely check references here.
*
* list:set timer can only decrement the reference
@@ -1216,8 +1242,6 @@ static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info,
* without holding the lock.
*/
if (!attr[IPSET_ATTR_SETNAME]) {
- /* Must wait for flush to be really finished in list:set */
- rcu_barrier();
read_lock_bh(&ip_set_ref_lock);
for (i = 0; i < inst->ip_set_max; i++) {
s = ip_set(inst, i);
@@ -1228,15 +1252,7 @@ static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info,
}
inst->is_destroyed = true;
read_unlock_bh(&ip_set_ref_lock);
- for (i = 0; i < inst->ip_set_max; i++) {
- s = ip_set(inst, i);
- if (s) {
- ip_set(inst, i) = NULL;
- /* Must cancel garbage collectors */
- s->variant->cancel_gc(s);
- ip_set_destroy_set(s);
- }
- }
+ _destroy_all_sets(inst);
/* Modified by ip_set_destroy() only, which is serialized */
inst->is_destroyed = false;
} else {
@@ -1257,12 +1273,12 @@ static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info,
features = s->type->features;
ip_set(inst, i) = NULL;
read_unlock_bh(&ip_set_ref_lock);
+ /* Must cancel garbage collectors */
+ s->variant->cancel_gc(s);
if (features & IPSET_TYPE_NAME) {
/* Must wait for flush to be really finished */
rcu_barrier();
}
- /* Must cancel garbage collectors */
- s->variant->cancel_gc(s);
call_rcu(&s->rcu, ip_set_destroy_set_rcu);
}
return 0;
@@ -2365,30 +2381,25 @@ ip_set_net_init(struct net *net)
}
static void __net_exit
-ip_set_net_exit(struct net *net)
+ip_set_net_pre_exit(struct net *net)
{
struct ip_set_net *inst = ip_set_pernet(net);
- struct ip_set *set = NULL;
- ip_set_id_t i;
-
inst->is_deleted = true; /* flag for ip_set_nfnl_put */
+}
- nfnl_lock(NFNL_SUBSYS_IPSET);
- for (i = 0; i < inst->ip_set_max; i++) {
- set = ip_set(inst, i);
- if (set) {
- ip_set(inst, i) = NULL;
- set->variant->cancel_gc(set);
- ip_set_destroy_set(set);
- }
- }
- nfnl_unlock(NFNL_SUBSYS_IPSET);
+static void __net_exit
+ip_set_net_exit(struct net *net)
+{
+ struct ip_set_net *inst = ip_set_pernet(net);
+
+ _destroy_all_sets(inst);
kvfree(rcu_dereference_protected(inst->ip_set_list, 1));
}
static struct pernet_operations ip_set_net_ops = {
.init = ip_set_net_init,
+ .pre_exit = ip_set_net_pre_exit,
.exit = ip_set_net_exit,
.id = &ip_set_net_id,
.size = sizeof(struct ip_set_net),
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 6bc7019982b05..e839c356bcb56 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -79,7 +79,7 @@ list_set_kadd(struct ip_set *set, const struct sk_buff *skb,
struct set_elem *e;
int ret;
- list_for_each_entry(e, &map->members, list) {
+ list_for_each_entry_rcu(e, &map->members, list) {
if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set)))
continue;
@@ -99,7 +99,7 @@ list_set_kdel(struct ip_set *set, const struct sk_buff *skb,
struct set_elem *e;
int ret;
- list_for_each_entry(e, &map->members, list) {
+ list_for_each_entry_rcu(e, &map->members, list) {
if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set)))
continue;
@@ -188,9 +188,10 @@ list_set_utest(struct ip_set *set, void *value, const struct ip_set_ext *ext,
struct list_set *map = set->data;
struct set_adt_elem *d = value;
struct set_elem *e, *next, *prev = NULL;
- int ret;
+ int ret = 0;
- list_for_each_entry(e, &map->members, list) {
+ rcu_read_lock();
+ list_for_each_entry_rcu(e, &map->members, list) {
if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set)))
continue;
@@ -201,6 +202,7 @@ list_set_utest(struct ip_set *set, void *value, const struct ip_set_ext *ext,
if (d->before == 0) {
ret = 1;
+ goto out;
} else if (d->before > 0) {
next = list_next_entry(e, list);
ret = !list_is_last(&e->list, &map->members) &&
@@ -208,9 +210,11 @@ list_set_utest(struct ip_set *set, void *value, const struct ip_set_ext *ext,
} else {
ret = prev && prev->id == d->refid;
}
- return ret;
+ goto out;
}
- return 0;
+out:
+ rcu_read_unlock();
+ return ret;
}
static void
@@ -239,7 +243,7 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext,
/* Find where to add the new entry */
n = prev = next = NULL;
- list_for_each_entry(e, &map->members, list) {
+ list_for_each_entry_rcu(e, &map->members, list) {
if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set)))
continue;
@@ -316,9 +320,9 @@ list_set_udel(struct ip_set *set, void *value, const struct ip_set_ext *ext,
{
struct list_set *map = set->data;
struct set_adt_elem *d = value;
- struct set_elem *e, *next, *prev = NULL;
+ struct set_elem *e, *n, *next, *prev = NULL;
- list_for_each_entry(e, &map->members, list) {
+ list_for_each_entry_safe(e, n, &map->members, list) {
if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set)))
continue;
@@ -424,14 +428,8 @@ static void
list_set_destroy(struct ip_set *set)
{
struct list_set *map = set->data;
- struct set_elem *e, *n;
- list_for_each_entry_safe(e, n, &map->members, list) {
- list_del(&e->list);
- ip_set_put_byindex(map->net, e->id);
- ip_set_ext_destroy(set, e);
- kfree(e);
- }
+ WARN_ON_ONCE(!list_empty(&map->members));
kfree(map);
set->data = NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 107/356] net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 106/356] netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 108/356] net/ipv6: Fix the RT cache flush via sysctl using a previous delay Greg Kroah-Hartman
` (256 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaolei Wang, Wojciech Drewek,
Vladimir Oltean, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaolei Wang <xiaolei.wang@windriver.com>
[ Upstream commit be27b896529787e23a35ae4befb6337ce73fcca0 ]
The current cbs parameter depends on speed after uplinking,
which is not needed and will report a configuration error
if the port is not initially connected. The UAPI exposed by
tc-cbs requires userspace to recalculate the send slope anyway,
because the formula depends on port_transmit_rate (see man tc-cbs),
which is not an invariant from tc's perspective. Therefore, we
use offload->sendslope and offload->idleslope to derive the
original port_transmit_rate from the CBS formula.
Fixes: 1f705bc61aee ("net: stmmac: Add support for CBS QDISC")
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Link: https://lore.kernel.org/r/20240608143524.2065736-1-xiaolei.wang@windriver.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/stmicro/stmmac/stmmac_tc.c | 25 ++++++++-----------
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
index 08cffc0558743..a9b5f5ad1bac4 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
@@ -341,10 +341,11 @@ static int tc_setup_cbs(struct stmmac_priv *priv,
struct tc_cbs_qopt_offload *qopt)
{
u32 tx_queues_count = priv->plat->tx_queues_to_use;
+ s64 port_transmit_rate_kbps;
u32 queue = qopt->queue;
- u32 ptr, speed_div;
u32 mode_to_use;
u64 value;
+ u32 ptr;
int ret;
/* Queue 0 is not AVB capable */
@@ -353,30 +354,26 @@ static int tc_setup_cbs(struct stmmac_priv *priv,
if (!priv->dma_cap.av)
return -EOPNOTSUPP;
+ port_transmit_rate_kbps = qopt->idleslope - qopt->sendslope;
+
/* Port Transmit Rate and Speed Divider */
- switch (priv->speed) {
+ switch (div_s64(port_transmit_rate_kbps, 1000)) {
case SPEED_10000:
- ptr = 32;
- speed_div = 10000000;
- break;
case SPEED_5000:
ptr = 32;
- speed_div = 5000000;
break;
case SPEED_2500:
- ptr = 8;
- speed_div = 2500000;
- break;
case SPEED_1000:
ptr = 8;
- speed_div = 1000000;
break;
case SPEED_100:
ptr = 4;
- speed_div = 100000;
break;
default:
- return -EOPNOTSUPP;
+ netdev_err(priv->dev,
+ "Invalid portTransmitRate %lld (idleSlope - sendSlope)\n",
+ port_transmit_rate_kbps);
+ return -EINVAL;
}
mode_to_use = priv->plat->tx_queues_cfg[queue].mode_to_use;
@@ -396,10 +393,10 @@ static int tc_setup_cbs(struct stmmac_priv *priv,
}
/* Final adjustments for HW */
- value = div_s64(qopt->idleslope * 1024ll * ptr, speed_div);
+ value = div_s64(qopt->idleslope * 1024ll * ptr, port_transmit_rate_kbps);
priv->plat->tx_queues_cfg[queue].idle_slope = value & GENMASK(31, 0);
- value = div_s64(-qopt->sendslope * 1024ll * ptr, speed_div);
+ value = div_s64(-qopt->sendslope * 1024ll * ptr, port_transmit_rate_kbps);
priv->plat->tx_queues_cfg[queue].send_slope = value & GENMASK(31, 0);
value = qopt->hicredit * 1024ll * 8;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 108/356] net/ipv6: Fix the RT cache flush via sysctl using a previous delay
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 107/356] net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 109/356] ionic: fix use after netif_napi_del() Greg Kroah-Hartman
` (255 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Pavlu, David Ahern,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Pavlu <petr.pavlu@suse.com>
[ Upstream commit 14a20e5b4ad998793c5f43b0330d9e1388446cf3 ]
The net.ipv6.route.flush system parameter takes a value which specifies
a delay used during the flush operation for aging exception routes. The
written value is however not used in the currently requested flush and
instead utilized only in the next one.
A problem is that ipv6_sysctl_rtcache_flush() first reads the old value
of net->ipv6.sysctl.flush_delay into a local delay variable and then
calls proc_dointvec() which actually updates the sysctl based on the
provided input.
Fix the problem by switching the order of the two operations.
Fixes: 4990509f19e8 ("[NETNS][IPV6]: Make sysctls route per namespace.")
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240607112828.30285-1-petr.pavlu@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 2c60270c5798b..0ca3da0999c6a 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -6346,12 +6346,12 @@ static int ipv6_sysctl_rtcache_flush(struct ctl_table *ctl, int write,
if (!write)
return -EINVAL;
- net = (struct net *)ctl->extra1;
- delay = net->ipv6.sysctl.flush_delay;
ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
if (ret)
return ret;
+ net = (struct net *)ctl->extra1;
+ delay = net->ipv6.sysctl.flush_delay;
fib6_run_gc(delay <= 0 ? 0 : (unsigned long)delay, net, delay > 0);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 109/356] ionic: fix use after netif_napi_del()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 108/356] net/ipv6: Fix the RT cache flush via sysctl using a previous delay Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 110/356] af_unix: Read with MSG_PEEK loops if the first unread byte is OOB Greg Kroah-Hartman
` (254 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Taehee Yoo, Brett Creeley,
Shannon Nelson, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taehee Yoo <ap420073@gmail.com>
[ Upstream commit 79f18a41dd056115d685f3b0a419c7cd40055e13 ]
When queues are started, netif_napi_add() and napi_enable() are called.
If there are 4 queues and only 3 queues are used for the current
configuration, only 3 queues' napi should be registered and enabled.
The ionic_qcq_enable() checks whether the .poll pointer is not NULL for
enabling only the using queue' napi. Unused queues' napi will not be
registered by netif_napi_add(), so the .poll pointer indicates NULL.
But it couldn't distinguish whether the napi was unregistered or not
because netif_napi_del() doesn't reset the .poll pointer to NULL.
So, ionic_qcq_enable() calls napi_enable() for the queue, which was
unregistered by netif_napi_del().
Reproducer:
ethtool -L <interface name> rx 1 tx 1 combined 0
ethtool -L <interface name> rx 0 tx 0 combined 1
ethtool -L <interface name> rx 0 tx 0 combined 4
Splat looks like:
kernel BUG at net/core/dev.c:6666!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16
Workqueue: events ionic_lif_deferred_work [ionic]
RIP: 0010:napi_enable+0x3b/0x40
Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f
RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28
RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20
FS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<TASK>
? die+0x33/0x90
? do_trap+0xd9/0x100
? napi_enable+0x3b/0x40
? do_error_trap+0x83/0xb0
? napi_enable+0x3b/0x40
? napi_enable+0x3b/0x40
? exc_invalid_op+0x4e/0x70
? napi_enable+0x3b/0x40
? asm_exc_invalid_op+0x16/0x20
? napi_enable+0x3b/0x40
ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
process_one_work+0x145/0x360
worker_thread+0x2bb/0x3d0
? __pfx_worker_thread+0x10/0x10
kthread+0xcc/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Reviewed-by: Brett Creeley <brett.creeley@amd.com>
Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
Link: https://lore.kernel.org/r/20240612060446.1754392-1-ap420073@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
index 1f84ba638e6eb..b791fba82c2fd 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
@@ -283,10 +283,8 @@ static int ionic_qcq_enable(struct ionic_qcq *qcq)
if (ret)
return ret;
- if (qcq->napi.poll)
- napi_enable(&qcq->napi);
-
if (qcq->flags & IONIC_QCQ_F_INTR) {
+ napi_enable(&qcq->napi);
irq_set_affinity_hint(qcq->intr.vector,
&qcq->intr.affinity_mask);
ionic_intr_mask(idev->intr_ctrl, qcq->intr.index,
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 110/356] af_unix: Read with MSG_PEEK loops if the first unread byte is OOB
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 109/356] ionic: fix use after netif_napi_del() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 111/356] iio: adc: ad9467: fix scan type sign Greg Kroah-Hartman
` (253 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rao Shoaib, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rao Shoaib <Rao.Shoaib@oracle.com>
[ Upstream commit a6736a0addd60fccc3a3508461d72314cc609772 ]
Read with MSG_PEEK flag loops if the first byte to read is an OOB byte.
commit 22dd70eb2c3d ("af_unix: Don't peek OOB data without MSG_OOB.")
addresses the loop issue but does not address the issue that no data
beyond OOB byte can be read.
>>> from socket import *
>>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
>>> c1.send(b'a', MSG_OOB)
1
>>> c1.send(b'b')
1
>>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
b'b'
>>> from socket import *
>>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
>>> c2.setsockopt(SOL_SOCKET, SO_OOBINLINE, 1)
>>> c1.send(b'a', MSG_OOB)
1
>>> c1.send(b'b')
1
>>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
b'a'
>>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
b'a'
>>> c2.recv(1, MSG_DONTWAIT)
b'a'
>>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
b'b'
>>>
Fixes: 314001f0bf92 ("af_unix: Add OOB support")
Signed-off-by: Rao Shoaib <Rao.Shoaib@oracle.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240611084639.2248934-1-Rao.Shoaib@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2565,18 +2565,18 @@ static struct sk_buff *manage_oob(struct
if (skb == u->oob_skb) {
if (copied) {
skb = NULL;
- } else if (sock_flag(sk, SOCK_URGINLINE)) {
- if (!(flags & MSG_PEEK)) {
+ } else if (!(flags & MSG_PEEK)) {
+ if (sock_flag(sk, SOCK_URGINLINE)) {
WRITE_ONCE(u->oob_skb, NULL);
consume_skb(skb);
+ } else {
+ __skb_unlink(skb, &sk->sk_receive_queue);
+ WRITE_ONCE(u->oob_skb, NULL);
+ unlinked_skb = skb;
+ skb = skb_peek(&sk->sk_receive_queue);
}
- } else if (flags & MSG_PEEK) {
- skb = NULL;
- } else {
- __skb_unlink(skb, &sk->sk_receive_queue);
- WRITE_ONCE(u->oob_skb, NULL);
- unlinked_skb = skb;
- skb = skb_peek(&sk->sk_receive_queue);
+ } else if (!sock_flag(sk, SOCK_URGINLINE)) {
+ skb = skb_peek_next(skb, &sk->sk_receive_queue);
}
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 111/356] iio: adc: ad9467: fix scan type sign
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 110/356] af_unix: Read with MSG_PEEK loops if the first unread byte is OOB Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 112/356] iio: dac: ad5592r: fix temperature channel scaling value Greg Kroah-Hartman
` (252 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Lechner, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
commit 8a01ef749b0a632f0e1f4ead0f08b3310d99fcb1 upstream.
According to the IIO documentation, the sign in the scan type should be
lower case. The ad9467 driver was incorrectly using upper case.
Fix by changing to lower case.
Fixes: 4606d0f4b05f ("iio: adc: ad9467: add support for AD9434 high-speed ADC")
Fixes: ad6797120238 ("iio: adc: ad9467: add support AD9467 ADC")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Link: https://lore.kernel.org/r/20240503-ad9467-fix-scan-type-sign-v1-1-c7a1a066ebb9@baylibre.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad9467.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/ad9467.c
+++ b/drivers/iio/adc/ad9467.c
@@ -223,11 +223,11 @@ static void __ad9467_get_scale(struct ad
}
static const struct iio_chan_spec ad9434_channels[] = {
- AD9467_CHAN(0, 0, 12, 'S'),
+ AD9467_CHAN(0, 0, 12, 's'),
};
static const struct iio_chan_spec ad9467_channels[] = {
- AD9467_CHAN(0, 0, 16, 'S'),
+ AD9467_CHAN(0, 0, 16, 's'),
};
static const struct ad9467_chip_info ad9467_chip_tbl[] = {
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 112/356] iio: dac: ad5592r: fix temperature channel scaling value
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 111/356] iio: adc: ad9467: fix scan type sign Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 113/356] iio: imu: inv_icm42600: delete unneeded update watermark call Greg Kroah-Hartman
` (251 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Ferland, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Ferland <marc.ferland@sonatest.com>
commit 279428df888319bf68f2686934897301a250bb84 upstream.
The scale value for the temperature channel is (assuming Vref=2.5 and
the datasheet):
376.7897513
When calculating both val and val2 for the temperature scale we
use (3767897513/25) and multiply it by Vref (here I assume 2500mV) to
obtain:
2500 * (3767897513/25) ==> 376789751300
Finally we divide with remainder by 10^9 to get:
val = 376
val2 = 789751300
However, we return IIO_VAL_INT_PLUS_MICRO (should have been NANO) as
the scale type. So when converting the raw temperature value to the
'processed' temperature value we will get (assuming raw=810,
offset=-753):
processed = (raw + offset) * scale_val
= (810 + -753) * 376
= 21432
processed += div((raw + offset) * scale_val2, 10^6)
+= div((810 + -753) * 789751300, 10^6)
+= 45015
==> 66447
==> 66.4 Celcius
instead of the expected 21.5 Celsius.
Fix this issue by changing IIO_VAL_INT_PLUS_MICRO to
IIO_VAL_INT_PLUS_NANO.
Fixes: 56ca9db862bf ("iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs")
Signed-off-by: Marc Ferland <marc.ferland@sonatest.com>
Link: https://lore.kernel.org/r/20240501150554.1871390-1-marc.ferland@sonatest.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ad5592r-base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/dac/ad5592r-base.c
+++ b/drivers/iio/dac/ad5592r-base.c
@@ -411,7 +411,7 @@ static int ad5592r_read_raw(struct iio_d
s64 tmp = *val * (3767897513LL / 25LL);
*val = div_s64_rem(tmp, 1000000000LL, val2);
- return IIO_VAL_INT_PLUS_MICRO;
+ return IIO_VAL_INT_PLUS_NANO;
}
mutex_lock(&st->lock);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 113/356] iio: imu: inv_icm42600: delete unneeded update watermark call
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 112/356] iio: dac: ad5592r: fix temperature channel scaling value Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 114/356] drivers: core: synchronize really_probe() and dev_uevent() Greg Kroah-Hartman
` (250 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
commit 245f3b149e6cc3ac6ee612cdb7042263bfc9e73c upstream.
Update watermark will be done inside the hwfifo_set_watermark callback
just after the update_scan_mode. It is useless to do it here.
Fixes: 7f85e42a6c54 ("iio: imu: inv_icm42600: add buffer support in iio devices")
Cc: stable@vger.kernel.org
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Link: https://lore.kernel.org/r/20240527210008.612932-1-inv.git-commit@tdk.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 4 ----
drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 4 ----
2 files changed, 8 deletions(-)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
@@ -128,10 +128,6 @@ static int inv_icm42600_accel_update_sca
/* update data FIFO write */
inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0);
ret = inv_icm42600_buffer_set_fifo_en(st, fifo_en | st->fifo.en);
- if (ret)
- goto out_unlock;
-
- ret = inv_icm42600_buffer_update_watermark(st);
out_unlock:
mutex_unlock(&st->lock);
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
@@ -128,10 +128,6 @@ static int inv_icm42600_gyro_update_scan
/* update data FIFO write */
inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0);
ret = inv_icm42600_buffer_set_fifo_en(st, fifo_en | st->fifo.en);
- if (ret)
- goto out_unlock;
-
- ret = inv_icm42600_buffer_update_watermark(st);
out_unlock:
mutex_unlock(&st->lock);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 114/356] drivers: core: synchronize really_probe() and dev_uevent()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 113/356] iio: imu: inv_icm42600: delete unneeded update watermark call Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 115/356] drm/exynos/vidi: fix memory leak in .get_modes() Greg Kroah-Hartman
` (249 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+ffa8143439596313a85a,
Ashish Sangwan, Namjae Jeon, Dirk Behme
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dirk Behme <dirk.behme@de.bosch.com>
commit c0a40097f0bc81deafc15f9195d1fb54595cd6d0 upstream.
Synchronize the dev->driver usage in really_probe() and dev_uevent().
These can run in different threads, what can result in the following
race condition for dev->driver uninitialization:
Thread #1:
==========
really_probe() {
...
probe_failed:
...
device_unbind_cleanup(dev) {
...
dev->driver = NULL; // <= Failed probe sets dev->driver to NULL
...
}
...
}
Thread #2:
==========
dev_uevent() {
...
if (dev->driver)
// If dev->driver is NULLed from really_probe() from here on,
// after above check, the system crashes
add_uevent_var(env, "DRIVER=%s", dev->driver->name);
...
}
really_probe() holds the lock, already. So nothing needs to be done
there. dev_uevent() is called with lock held, often, too. But not
always. What implies that we can't add any locking in dev_uevent()
itself. So fix this race by adding the lock to the non-protected
path. This is the path where above race is observed:
dev_uevent+0x235/0x380
uevent_show+0x10c/0x1f0 <= Add lock here
dev_attr_show+0x3a/0xa0
sysfs_kf_seq_show+0x17c/0x250
kernfs_seq_show+0x7c/0x90
seq_read_iter+0x2d7/0x940
kernfs_fop_read_iter+0xc6/0x310
vfs_read+0x5bc/0x6b0
ksys_read+0xeb/0x1b0
__x64_sys_read+0x42/0x50
x64_sys_call+0x27ad/0x2d30
do_syscall_64+0xcd/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Similar cases are reported by syzkaller in
https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a
But these are regarding the *initialization* of dev->driver
dev->driver = drv;
As this switches dev->driver to non-NULL these reports can be considered
to be false-positives (which should be "fixed" by this commit, as well,
though).
The same issue was reported and tried to be fixed back in 2015 in
https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/
already.
Fixes: 239378f16aa1 ("Driver core: add uevent vars for devices of a class")
Cc: stable <stable@kernel.org>
Cc: syzbot+ffa8143439596313a85a@syzkaller.appspotmail.com
Cc: Ashish Sangwan <a.sangwan@samsung.com>
Cc: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
Link: https://lore.kernel.org/r/20240513050634.3964461-1-dirk.behme@de.bosch.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -2404,8 +2404,11 @@ static ssize_t uevent_show(struct device
if (!env)
return -ENOMEM;
+ /* Synchronize with really_probe() */
+ device_lock(dev);
/* let the kset specific function add its keys */
retval = kset->uevent_ops->uevent(kset, &dev->kobj, env);
+ device_unlock(dev);
if (retval)
goto out;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 115/356] drm/exynos/vidi: fix memory leak in .get_modes()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 114/356] drivers: core: synchronize really_probe() and dev_uevent() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 116/356] drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found Greg Kroah-Hartman
` (248 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jani Nikula, Inki Dae
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
commit 38e3825631b1f314b21e3ade00b5a4d737eb054e upstream.
The duplicated EDID is never freed. Fix it.
Cc: stable@vger.kernel.org
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/exynos/exynos_drm_vidi.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -308,6 +308,7 @@ static int vidi_get_modes(struct drm_con
struct vidi_context *ctx = ctx_from_connector(connector);
struct edid *edid;
int edid_len;
+ int count;
/*
* the edid data comes from user side and it would be set
@@ -327,7 +328,11 @@ static int vidi_get_modes(struct drm_con
drm_connector_update_edid_property(connector, edid);
- return drm_add_edid_modes(connector, edid);
+ count = drm_add_edid_modes(connector, edid);
+
+ kfree(edid);
+
+ return count;
}
static const struct drm_connector_helper_funcs vidi_connector_helper_funcs = {
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 116/356] drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 115/356] drm/exynos/vidi: fix memory leak in .get_modes() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 117/356] mptcp: ensure snd_una is properly initialized on connect Greg Kroah-Hartman
` (247 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Inki Dae
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
commit 799d4b392417ed6889030a5b2335ccb6dcf030ab upstream.
When reading EDID fails and driver reports no modes available, the DRM
core adds an artificial 1024x786 mode to the connector. Unfortunately
some variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not
able to drive such mode, so report a safe 640x480 mode instead of nothing
in case of the EDID reading failure.
This fixes the following issue observed on Trats2 board since commit
13d5b040363c ("drm/exynos: do not return negative values from .get_modes()"):
[drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations
exynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)
exynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)
exynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)
exynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)
exynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)
[drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1
exynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state
panel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c
exynos-mixer 12c10000.mixer: timeout waiting for VSYNC
------------[ cut here ]------------
WARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8
[CRTC:70:crtc-1] vblank wait timed out
Modules linked in:
CPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913
Hardware name: Samsung Exynos (Flattened Device Tree)
Workqueue: events_unbound deferred_probe_work_func
Call trace:
unwind_backtrace from show_stack+0x10/0x14
show_stack from dump_stack_lvl+0x68/0x88
dump_stack_lvl from __warn+0x7c/0x1c4
__warn from warn_slowpath_fmt+0x11c/0x1a8
warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8
drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c
drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184
commit_tail from drm_atomic_helper_commit+0x168/0x190
drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0
drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c
drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc
drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40
drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4
__drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c
drm_fb_helper_set_par from fbcon_init+0x3d8/0x550
fbcon_init from visual_init+0xc0/0x108
visual_init from do_bind_con_driver+0x1b8/0x3a4
do_bind_con_driver from do_take_over_console+0x140/0x1ec
do_take_over_console from do_fbcon_takeover+0x70/0xd0
do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac
fbcon_fb_registered from register_framebuffer+0x190/0x21c
register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574
__drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0
exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94
drm_client_register from exynos_drm_bind+0x160/0x190
exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8
try_to_bring_up_aggregate_device from __component_add+0xb0/0x170
__component_add from mixer_probe+0x74/0xcc
mixer_probe from platform_probe+0x5c/0xb8
platform_probe from really_probe+0xe0/0x3d8
really_probe from __driver_probe_device+0x9c/0x1e4
__driver_probe_device from driver_probe_device+0x30/0xc0
driver_probe_device from __device_attach_driver+0xa8/0x120
__device_attach_driver from bus_for_each_drv+0x80/0xcc
bus_for_each_drv from __device_attach+0xac/0x1fc
__device_attach from bus_probe_device+0x8c/0x90
bus_probe_device from deferred_probe_work_func+0x98/0xe0
deferred_probe_work_func from process_one_work+0x240/0x6d0
process_one_work from worker_thread+0x1a0/0x3f4
worker_thread from kthread+0x104/0x138
kthread from ret_from_fork+0x14/0x28
Exception stack(0xf0895fb0 to 0xf0895ff8)
...
irq event stamp: 82357
hardirqs last enabled at (82363): [<c01a96e8>] vprintk_emit+0x308/0x33c
hardirqs last disabled at (82368): [<c01a969c>] vprintk_emit+0x2bc/0x33c
softirqs last enabled at (81614): [<c0101644>] __do_softirq+0x320/0x500
softirqs last disabled at (81609): [<c012dfe0>] __irq_exit_rcu+0x130/0x184
---[ end trace 0000000000000000 ]---
exynos-drm exynos-drm: [drm] *ERROR* flip_done timed out
exynos-drm exynos-drm: [drm] *ERROR* [CRTC:70:crtc-1] commit wait timed out
exynos-drm exynos-drm: [drm] *ERROR* flip_done timed out
exynos-drm exynos-drm: [drm] *ERROR* [CONNECTOR:74:HDMI-A-1] commit wait timed out
exynos-drm exynos-drm: [drm] *ERROR* flip_done timed out
exynos-drm exynos-drm: [drm] *ERROR* [PLANE:56:plane-5] commit wait timed out
exynos-mixer 12c10000.mixer: timeout waiting for VSYNC
Cc: stable@vger.kernel.org
Fixes: 13d5b040363c ("drm/exynos: do not return negative values from .get_modes()")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/exynos/exynos_hdmi.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/exynos/exynos_hdmi.c
+++ b/drivers/gpu/drm/exynos/exynos_hdmi.c
@@ -887,11 +887,11 @@ static int hdmi_get_modes(struct drm_con
int ret;
if (!hdata->ddc_adpt)
- return 0;
+ goto no_edid;
edid = drm_get_edid(connector, hdata->ddc_adpt);
if (!edid)
- return 0;
+ goto no_edid;
hdata->dvi_mode = !drm_detect_hdmi_monitor(edid);
DRM_DEV_DEBUG_KMS(hdata->dev, "%s : width[%d] x height[%d]\n",
@@ -906,6 +906,9 @@ static int hdmi_get_modes(struct drm_con
kfree(edid);
return ret;
+
+no_edid:
+ return drm_add_modes_noedid(connector, 640, 480);
}
static int hdmi_find_phy_conf(struct hdmi_context *hdata, u32 pixel_clock)
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 117/356] mptcp: ensure snd_una is properly initialized on connect
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 116/356] drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 118/356] tracing/selftests: Fix kprobe event name test for .isra. functions Greg Kroah-Hartman
` (246 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau, Christoph Paasch,
Paolo Abeni, Matthieu Baerts (NGI0), Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 8031b58c3a9b1db3ef68b3bd749fbee2e1e1aaa3 upstream.
This is strictly related to commit fb7a0d334894 ("mptcp: ensure snd_nxt
is properly initialized on connect"). It turns out that syzkaller can
trigger the retransmit after fallback and before processing any other
incoming packet - so that snd_una is still left uninitialized.
Address the issue explicitly initializing snd_una together with snd_nxt
and write_seq.
Suggested-by: Mat Martineau <martineau@kernel.org>
Fixes: 8fd738049ac3 ("mptcp: fallback in case of simultaneous connect")
Cc: stable@vger.kernel.org
Reported-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/485
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://lore.kernel.org/r/20240607-upstream-net-20240607-misc-fixes-v1-1-1ab9ddfa3d00@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3398,6 +3398,7 @@ static int mptcp_stream_connect(struct s
WRITE_ONCE(msk->write_seq, subflow->idsn);
WRITE_ONCE(msk->snd_nxt, subflow->idsn);
+ WRITE_ONCE(msk->snd_una, subflow->idsn);
if (likely(!__mptcp_check_fallback(msk)))
MPTCP_INC_STATS(sock_net(sock->sk), MPTCP_MIB_MPCAPABLEACTIVE);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 118/356] tracing/selftests: Fix kprobe event name test for .isra. functions
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 117/356] mptcp: ensure snd_una is properly initialized on connect Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 119/356] null_blk: Print correct max open zones limit in null_init_zoned_dev() Greg Kroah-Hartman
` (245 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt (Google),
Masami Hiramatsu (Google), Shuah Khan
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit 23a4b108accc29a6125ed14de4a044689ffeda78 upstream.
The kprobe_eventname.tc test checks if a function with .isra. can have a
kprobe attached to it. It loops through the kallsyms file for all the
functions that have the .isra. name, and checks if it exists in the
available_filter_functions file, and if it does, it uses it to attach a
kprobe to it.
The issue is that kprobes can not attach to functions that are listed more
than once in available_filter_functions. With the latest kernel, the
function that is found is: rapl_event_update.isra.0
# grep rapl_event_update.isra.0 /sys/kernel/tracing/available_filter_functions
rapl_event_update.isra.0
rapl_event_update.isra.0
It is listed twice. This causes the attached kprobe to it to fail which in
turn fails the test. Instead of just picking the function function that is
found in available_filter_functions, pick the first one that is listed
only once in available_filter_functions.
Cc: stable@vger.kernel.org
Fixes: 604e3548236d ("selftests/ftrace: Select an existing function in kprobe_eventname test")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/ftrace/test.d/kprobe/kprobe_eventname.tc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_eventname.tc
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_eventname.tc
@@ -30,7 +30,8 @@ find_dot_func() {
fi
grep " [tT] .*\.isra\..*" /proc/kallsyms | cut -f 3 -d " " | while read f; do
- if grep -s $f available_filter_functions; then
+ cnt=`grep -s $f available_filter_functions | wc -l`;
+ if [ $cnt -eq 1 ]; then
echo $f
break
fi
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 119/356] null_blk: Print correct max open zones limit in null_init_zoned_dev()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 118/356] tracing/selftests: Fix kprobe event name test for .isra. functions Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 120/356] sock_map: avoid race between sock_map_close and sk_psock_put Greg Kroah-Hartman
` (244 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Niklas Cassel,
Jens Axboe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit 233e27b4d21c3e44eb863f03e566d3a22e81a7ae upstream.
When changing the maximum number of open zones, print that number
instead of the total number of zones.
Fixes: dc4d137ee3b7 ("null_blk: add support for max open/active zone limit for zoned devices")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Link: https://lore.kernel.org/r/20240528062852.437599-1-dlemoal@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/null_blk/zoned.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/block/null_blk/zoned.c
+++ b/drivers/block/null_blk/zoned.c
@@ -109,7 +109,7 @@ int null_init_zoned_dev(struct nullb_dev
if (dev->zone_max_active && dev->zone_max_open > dev->zone_max_active) {
dev->zone_max_open = dev->zone_max_active;
pr_info("changed the maximum number of open zones to %u\n",
- dev->nr_zones);
+ dev->zone_max_open);
} else if (dev->zone_max_open >= dev->nr_zones - dev->zone_nr_conv) {
dev->zone_max_open = 0;
pr_info("zone_max_open limit disabled, limit >= zone count\n");
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 120/356] sock_map: avoid race between sock_map_close and sk_psock_put
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 119/356] null_blk: Print correct max open zones limit in null_init_zoned_dev() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 121/356] vmci: prevent speculation leaks by sanitizing event in event_deliver() Greg Kroah-Hartman
` (243 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni,
syzbot+07a2e4a1a57118ef7355, Thadeu Lima de Souza Cascardo,
Jakub Sitnicki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
commit 4b4647add7d3c8530493f7247d11e257ee425bf0 upstream.
sk_psock_get will return NULL if the refcount of psock has gone to 0, which
will happen when the last call of sk_psock_put is done. However,
sk_psock_drop may not have finished yet, so the close callback will still
point to sock_map_close despite psock being NULL.
This can be reproduced with a thread deleting an element from the sock map,
while the second one creates a socket, adds it to the map and closes it.
That will trigger the WARN_ON_ONCE:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701
Modules linked in:
CPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701
Code: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02
RSP: 0018:ffffc9000441fda8 EFLAGS: 00010293
RAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000
RDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0
RBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3
R10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840
R13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870
FS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0
Call Trace:
<TASK>
unix_release+0x87/0xc0 net/unix/af_unix.c:1048
__sock_release net/socket.c:659 [inline]
sock_close+0xbe/0x240 net/socket.c:1421
__fput+0x42b/0x8a0 fs/file_table.c:422
__do_sys_close fs/open.c:1556 [inline]
__se_sys_close fs/open.c:1541 [inline]
__x64_sys_close+0x7f/0x110 fs/open.c:1541
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb37d618070
Code: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
RSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070
RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Use sk_psock, which will only check that the pointer is not been set to
NULL yet, which should only happen after the callbacks are restored. If,
then, a reference can still be gotten, we may call sk_psock_stop and cancel
psock->work.
As suggested by Paolo Abeni, reorder the condition so the control flow is
less convoluted.
After that change, the reproducer does not trigger the WARN_ON_ONCE
anymore.
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Reported-by: syzbot+07a2e4a1a57118ef7355@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=07a2e4a1a57118ef7355
Fixes: aadb2bb83ff7 ("sock_map: Fix a potential use-after-free in sock_map_close()")
Fixes: 5b4a79ba65a1 ("bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself")
Cc: stable@vger.kernel.org
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/r/20240524144702.1178377-1-cascardo@igalia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/sock_map.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -1566,19 +1566,23 @@ void sock_map_close(struct sock *sk, lon
lock_sock(sk);
rcu_read_lock();
- psock = sk_psock_get(sk);
- if (unlikely(!psock)) {
- rcu_read_unlock();
- release_sock(sk);
- saved_close = READ_ONCE(sk->sk_prot)->close;
- } else {
+ psock = sk_psock(sk);
+ if (likely(psock)) {
saved_close = psock->saved_close;
sock_map_remove_links(sk, psock);
+ psock = sk_psock_get(sk);
+ if (unlikely(!psock))
+ goto no_psock;
rcu_read_unlock();
sk_psock_stop(psock);
release_sock(sk);
cancel_delayed_work_sync(&psock->work);
sk_psock_put(sk, psock);
+ } else {
+ saved_close = READ_ONCE(sk->sk_prot)->close;
+no_psock:
+ rcu_read_unlock();
+ release_sock(sk);
}
/* Make sure we do not recurse. This is a bug.
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 121/356] vmci: prevent speculation leaks by sanitizing event in event_deliver()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 120/356] sock_map: avoid race between sock_map_close and sk_psock_put Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 122/356] spmi: hisi-spmi-controller: Do not override device identifier Greg Kroah-Hartman
` (242 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Hagar Gamal Halim Hemdan
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
commit 8003f00d895310d409b2bf9ef907c56b42a4e0f4 upstream.
Coverity spotted that event_msg is controlled by user-space,
event_msg->event_data.event is passed to event_deliver() and used
as an index without sanitization.
This change ensures that the event index is sanitized to mitigate any
possibility of speculative information leaks.
This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.
Only compile tested, no access to HW.
Fixes: 1d990201f9bb ("VMCI: event handling implementation.")
Cc: stable <stable@kernel.org>
Signed-off-by: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
Link: https://lore.kernel.org/stable/20231127193533.46174-1-hagarhem%40amazon.com
Link: https://lore.kernel.org/r/20240430085916.4753-1-hagarhem@amazon.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/vmw_vmci/vmci_event.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/misc/vmw_vmci/vmci_event.c
+++ b/drivers/misc/vmw_vmci/vmci_event.c
@@ -9,6 +9,7 @@
#include <linux/vmw_vmci_api.h>
#include <linux/list.h>
#include <linux/module.h>
+#include <linux/nospec.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/rculist.h>
@@ -86,9 +87,12 @@ static void event_deliver(struct vmci_ev
{
struct vmci_subscription *cur;
struct list_head *subscriber_list;
+ u32 sanitized_event, max_vmci_event;
rcu_read_lock();
- subscriber_list = &subscriber_array[event_msg->event_data.event];
+ max_vmci_event = ARRAY_SIZE(subscriber_array);
+ sanitized_event = array_index_nospec(event_msg->event_data.event, max_vmci_event);
+ subscriber_list = &subscriber_array[sanitized_event];
list_for_each_entry_rcu(cur, subscriber_list, node) {
cur->callback(cur->id, &event_msg->event_data,
cur->callback_data);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 122/356] spmi: hisi-spmi-controller: Do not override device identifier
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 121/356] vmci: prevent speculation leaks by sanitizing event in event_deliver() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 123/356] knfsd: LOOKUP can return an illegal error value Greg Kroah-Hartman
` (241 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vamshi Gajjela, Stephen Boyd
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vamshi Gajjela <vamshigajjela@google.com>
commit eda4923d78d634482227c0b189d9b7ca18824146 upstream.
'nr' member of struct spmi_controller, which serves as an identifier
for the controller/bus. This value is a dynamic ID assigned in
spmi_controller_alloc, and overriding it from the driver results in an
ida_free error "ida_free called for id=xx which is not allocated".
Signed-off-by: Vamshi Gajjela <vamshigajjela@google.com>
Fixes: 70f59c90c819 ("staging: spmi: add Hikey 970 SPMI controller driver")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240228185116.1269-1-vamshigajjela@google.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Link: https://lore.kernel.org/r/20240507210809.3479953-5-sboyd@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spmi/hisi-spmi-controller.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/spmi/hisi-spmi-controller.c
+++ b/drivers/spmi/hisi-spmi-controller.c
@@ -303,7 +303,6 @@ static int spmi_controller_probe(struct
spin_lock_init(&spmi_controller->lock);
- ctrl->nr = spmi_controller->channel;
ctrl->dev.parent = pdev->dev.parent;
ctrl->dev.of_node = of_node_get(pdev->dev.of_node);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 123/356] knfsd: LOOKUP can return an illegal error value
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 122/356] spmi: hisi-spmi-controller: Do not override device identifier Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 124/356] fs/proc: fix softlockup in __read_vmcore Greg Kroah-Hartman
` (240 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Chuck Lever
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
commit e221c45da3770962418fb30c27d941bbc70d595a upstream.
The 'NFS error' NFSERR_OPNOTSUPP is not described by any of the official
NFS related RFCs, but appears to have snuck into some older .x files for
NFSv2.
Either way, it is not in RFC1094, RFC1813 or any of the NFSv4 RFCs, so
should not be returned by the knfsd server, and particularly not by the
"LOOKUP" operation.
Instead, let's return NFSERR_STALE, which is more appropriate if the
filesystem encodes the filehandle as FILEID_INVALID.
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfsfh.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -569,7 +569,7 @@ fh_compose(struct svc_fh *fhp, struct sv
_fh_update(fhp, exp, dentry);
if (fhp->fh_handle.fh_fileid_type == FILEID_INVALID) {
fh_put(fhp);
- return nfserr_opnotsupp;
+ return nfserr_stale;
}
return 0;
@@ -595,7 +595,7 @@ fh_update(struct svc_fh *fhp)
_fh_update(fhp, fhp->fh_export, dentry);
if (fhp->fh_handle.fh_fileid_type == FILEID_INVALID)
- return nfserr_opnotsupp;
+ return nfserr_stale;
return 0;
out_bad:
printk(KERN_ERR "fh_update: fh not verified!\n");
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 124/356] fs/proc: fix softlockup in __read_vmcore
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 123/356] knfsd: LOOKUP can return an illegal error value Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 125/356] ocfs2: use coarse time for new created files Greg Kroah-Hartman
` (239 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rik van Riel, Baoquan He, Dave Young,
Vivek Goyal, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rik van Riel <riel@surriel.com>
commit 5cbcb62dddf5346077feb82b7b0c9254222d3445 upstream.
While taking a kernel core dump with makedumpfile on a larger system,
softlockup messages often appear.
While softlockup warnings can be harmless, they can also interfere with
things like RCU freeing memory, which can be problematic when the kdump
kexec image is configured with as little memory as possible.
Avoid the softlockup, and give things like work items and RCU a chance to
do their thing during __read_vmcore by adding a cond_resched.
Link: https://lkml.kernel.org/r/20240507091858.36ff767f@imladris.surriel.com
Signed-off-by: Rik van Riel <riel@surriel.com>
Acked-by: Baoquan He <bhe@redhat.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/proc/vmcore.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/proc/vmcore.c
+++ b/fs/proc/vmcore.c
@@ -373,6 +373,8 @@ static ssize_t __read_vmcore(char *buffe
/* leave now if filled buffer already */
if (buflen == 0)
return acc;
+
+ cond_resched();
}
list_for_each_entry(m, &vmcore_list, list) {
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 125/356] ocfs2: use coarse time for new created files
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 124/356] fs/proc: fix softlockup in __read_vmcore Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 126/356] ocfs2: fix races between hole punching and AIO+DIO Greg Kroah-Hartman
` (238 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Su Yue, Joseph Qi, Mark Fasheh,
Joel Becker, Junxiao Bi, Changwei Ge, Gang He, Jun Piao,
Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Yue <glass.su@suse.com>
commit b8cb324277ee16f3eca3055b96fce4735a5a41c6 upstream.
The default atime related mount option is '-o realtime' which means file
atime should be updated if atime <= ctime or atime <= mtime. atime should
be updated in the following scenario, but it is not:
==========================================================
$ rm /mnt/testfile;
$ echo test > /mnt/testfile
$ stat -c "%X %Y %Z" /mnt/testfile
1711881646 1711881646 1711881646
$ sleep 5
$ cat /mnt/testfile > /dev/null
$ stat -c "%X %Y %Z" /mnt/testfile
1711881646 1711881646 1711881646
==========================================================
And the reason the atime in the test is not updated is that ocfs2 calls
ktime_get_real_ts64() in __ocfs2_mknod_locked during file creation. Then
inode_set_ctime_current() is called in inode_set_ctime_current() calls
ktime_get_coarse_real_ts64() to get current time.
ktime_get_real_ts64() is more accurate than ktime_get_coarse_real_ts64().
In my test box, I saw ctime set by ktime_get_coarse_real_ts64() is less
than ktime_get_real_ts64() even ctime is set later. The ctime of the new
inode is smaller than atime.
The call trace is like:
ocfs2_create
ocfs2_mknod
__ocfs2_mknod_locked
....
ktime_get_real_ts64 <------- set atime,ctime,mtime, more accurate
ocfs2_populate_inode
...
ocfs2_init_acl
ocfs2_acl_set_mode
inode_set_ctime_current
current_time
ktime_get_coarse_real_ts64 <-------less accurate
ocfs2_file_read_iter
ocfs2_inode_lock_atime
ocfs2_should_update_atime
atime <= ctime ? <-------- false, ctime < atime due to accuracy
So here call ktime_get_coarse_real_ts64 to set inode time coarser while
creating new files. It may lower the accuracy of file times. But it's
not a big deal since we already use coarse time in other places like
ocfs2_update_inode_atime and inode_set_ctime_current.
Link: https://lkml.kernel.org/r/20240408082041.20925-5-glass.su@suse.com
Fixes: c62c38f6b91b ("ocfs2: replace CURRENT_TIME macro")
Signed-off-by: Su Yue <glass.su@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ocfs2/namei.c
+++ b/fs/ocfs2/namei.c
@@ -566,7 +566,7 @@ static int __ocfs2_mknod_locked(struct i
fe->i_last_eb_blk = 0;
strcpy(fe->i_signature, OCFS2_INODE_SIGNATURE);
fe->i_flags |= cpu_to_le32(OCFS2_VALID_FL);
- ktime_get_real_ts64(&ts);
+ ktime_get_coarse_real_ts64(&ts);
fe->i_atime = fe->i_ctime = fe->i_mtime =
cpu_to_le64(ts.tv_sec);
fe->i_mtime_nsec = fe->i_ctime_nsec = fe->i_atime_nsec =
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 126/356] ocfs2: fix races between hole punching and AIO+DIO
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 125/356] ocfs2: use coarse time for new created files Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 127/356] PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id Greg Kroah-Hartman
` (237 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Su Yue, Joseph Qi, Changwei Ge,
Gang He, Joel Becker, Jun Piao, Junxiao Bi, Mark Fasheh,
Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Yue <glass.su@suse.com>
commit 952b023f06a24b2ad6ba67304c4c84d45bea2f18 upstream.
After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block",
fstests/generic/300 become from always failed to sometimes failed:
========================================================================
[ 473.293420 ] run fstests generic/300
[ 475.296983 ] JBD2: Ignoring recovery information on journal
[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.
[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found
[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.
[ 494.292018 ] OCFS2: File system is now read-only.
[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30
[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3
fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072
=========================================================================
In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten
extents to a list. extents are also inserted into extent tree in
ocfs2_write_begin_nolock. Then another thread call fallocate to puch a
hole at one of the unwritten extent. The extent at cpos was removed by
ocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list
found there is no such extent at the cpos.
T1 T2 T3
inode lock
...
insert extents
...
inode unlock
ocfs2_fallocate
__ocfs2_change_file_space
inode lock
lock ip_alloc_sem
ocfs2_remove_inode_range inode
ocfs2_remove_btree_range
ocfs2_remove_extent
^---remove the extent at cpos 78723
...
unlock ip_alloc_sem
inode unlock
ocfs2_dio_end_io
ocfs2_dio_end_io_write
lock ip_alloc_sem
ocfs2_mark_extent_written
ocfs2_change_extent_flag
ocfs2_search_extent_list
^---failed to find extent
...
unlock ip_alloc_sem
In most filesystems, fallocate is not compatible with racing with AIO+DIO,
so fix it by adding to wait for all dio before fallocate/punch_hole like
ext4.
Link: https://lkml.kernel.org/r/20240408082041.20925-3-glass.su@suse.com
Fixes: b25801038da5 ("ocfs2: Support xfs style space reservation ioctls")
Signed-off-by: Su Yue <glass.su@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/file.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1940,6 +1940,8 @@ static int __ocfs2_change_file_space(str
inode_lock(inode);
+ /* Wait all existing dio workers, newcomers will block on i_rwsem */
+ inode_dio_wait(inode);
/*
* This prevents concurrent writes on other nodes
*/
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 127/356] PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 126/356] ocfs2: fix races between hole punching and AIO+DIO Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 128/356] dmaengine: axi-dmac: fix possible race in remove() Greg Kroah-Hartman
` (236 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rick Wertenbroek,
Krzysztof Wilczyński, Bjorn Helgaas, Damien Le Moal
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
commit 2dba285caba53f309d6060fca911b43d63f41697 upstream.
Remove wrong mask on subsys_vendor_id. Both the Vendor ID and Subsystem
Vendor ID are u16 variables and are written to a u32 register of the
controller. The Subsystem Vendor ID was always 0 because the u16 value
was masked incorrectly with GENMASK(31,16) resulting in all lower 16
bits being set to 0 prior to the shift.
Remove both masks as they are unnecessary and set the register correctly
i.e., the lower 16-bits are the Vendor ID and the upper 16-bits are the
Subsystem Vendor ID.
This is documented in the RK3399 TRM section 17.6.7.1.17
[kwilczynski: removed unnecesary newline]
Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
Link: https://lore.kernel.org/linux-pci/20240403144508.489835-1-rick.wertenbroek@gmail.com
Signed-off-by: Rick Wertenbroek <rick.wertenbroek@gmail.com>
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-rockchip-ep.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/pci/controller/pcie-rockchip-ep.c
+++ b/drivers/pci/controller/pcie-rockchip-ep.c
@@ -98,10 +98,8 @@ static int rockchip_pcie_ep_write_header
/* All functions share the same vendor ID with function 0 */
if (fn == 0) {
- u32 vid_regs = (hdr->vendorid & GENMASK(15, 0)) |
- (hdr->subsys_vendor_id & GENMASK(31, 16)) << 16;
-
- rockchip_pcie_write(rockchip, vid_regs,
+ rockchip_pcie_write(rockchip,
+ hdr->vendorid | hdr->subsys_vendor_id << 16,
PCIE_CORE_CONFIG_VENDOR);
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 128/356] dmaengine: axi-dmac: fix possible race in remove()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 127/356] PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 129/356] intel_th: pci: Add Granite Rapids support Greg Kroah-Hartman
` (235 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Nuno Sa, Vinod Koul
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sa <nuno.sa@analog.com>
commit 1bc31444209c8efae98cb78818131950d9a6f4d6 upstream.
We need to first free the IRQ before calling of_dma_controller_free().
Otherwise we could get an interrupt and schedule a tasklet while
removing the DMA controller.
Fixes: 0e3b67b348b8 ("dmaengine: Add support for the Analog Devices AXI-DMAC DMA controller")
Cc: stable@kernel.org
Signed-off-by: Nuno Sa <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20240328-axi-dmac-devm-probe-v3-1-523c0176df70@analog.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/dma-axi-dmac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/dma/dma-axi-dmac.c
+++ b/drivers/dma/dma-axi-dmac.c
@@ -1020,8 +1020,8 @@ static int axi_dmac_remove(struct platfo
{
struct axi_dmac *dmac = platform_get_drvdata(pdev);
- of_dma_controller_free(pdev->dev.of_node);
free_irq(dmac->irq, dmac);
+ of_dma_controller_free(pdev->dev.of_node);
tasklet_kill(&dmac->chan.vchan.task);
dma_async_device_unregister(&dmac->dma_dev);
clk_disable_unprepare(dmac->clk);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 129/356] intel_th: pci: Add Granite Rapids support
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 128/356] dmaengine: axi-dmac: fix possible race in remove() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 130/356] intel_th: pci: Add Granite Rapids SOC support Greg Kroah-Hartman
` (234 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Shishkin, Andy Shevchenko,
stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
commit e44937889bdf4ecd1f0c25762b7226406b9b7a69 upstream.
Add support for the Trace Hub in Granite Rapids.
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20240429130119.1518073-11-alexander.shishkin@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/intel_th/pci.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
@@ -305,6 +305,11 @@ static const struct pci_device_id intel_
.driver_data = (kernel_ulong_t)&intel_th_2x,
},
{
+ /* Granite Rapids */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x0963),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
+ {
/* Alder Lake CPU */
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f),
.driver_data = (kernel_ulong_t)&intel_th_2x,
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 130/356] intel_th: pci: Add Granite Rapids SOC support
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 129/356] intel_th: pci: Add Granite Rapids support Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 131/356] intel_th: pci: Add Sapphire " Greg Kroah-Hartman
` (233 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Shishkin, Andy Shevchenko,
stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
commit 854afe461b009801a171b3a49c5f75ea43e4c04c upstream.
Add support for the Trace Hub in Granite Rapids SOC.
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20240429130119.1518073-12-alexander.shishkin@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/intel_th/pci.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
@@ -310,6 +310,11 @@ static const struct pci_device_id intel_
.driver_data = (kernel_ulong_t)&intel_th_2x,
},
{
+ /* Granite Rapids SOC */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x3256),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
+ {
/* Alder Lake CPU */
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f),
.driver_data = (kernel_ulong_t)&intel_th_2x,
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 131/356] intel_th: pci: Add Sapphire Rapids SOC support
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 130/356] intel_th: pci: Add Granite Rapids SOC support Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 132/356] intel_th: pci: Add Meteor Lake-S support Greg Kroah-Hartman
` (232 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Shishkin, Andy Shevchenko,
stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
commit 2e1da7efabe05cb0cf0b358883b2bc89080ed0eb upstream.
Add support for the Trace Hub in Sapphire Rapids SOC.
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20240429130119.1518073-13-alexander.shishkin@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/intel_th/pci.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
@@ -315,6 +315,11 @@ static const struct pci_device_id intel_
.driver_data = (kernel_ulong_t)&intel_th_2x,
},
{
+ /* Sapphire Rapids SOC */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x3456),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
+ {
/* Alder Lake CPU */
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f),
.driver_data = (kernel_ulong_t)&intel_th_2x,
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 132/356] intel_th: pci: Add Meteor Lake-S support
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 131/356] intel_th: pci: Add Sapphire " Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 133/356] intel_th: pci: Add Lunar Lake support Greg Kroah-Hartman
` (231 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Shishkin, Andy Shevchenko,
stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
commit c4a30def564d75e84718b059d1a62cc79b137cf9 upstream.
Add support for the Trace Hub in Meteor Lake-S.
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20240429130119.1518073-14-alexander.shishkin@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/intel_th/pci.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
@@ -295,6 +295,11 @@ static const struct pci_device_id intel_
.driver_data = (kernel_ulong_t)&intel_th_2x,
},
{
+ /* Meteor Lake-S */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7f26),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
+ {
/* Raptor Lake-S */
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7a26),
.driver_data = (kernel_ulong_t)&intel_th_2x,
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 133/356] intel_th: pci: Add Lunar Lake support
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 132/356] intel_th: pci: Add Meteor Lake-S support Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 134/356] nilfs2: fix potential kernel bug due to lack of writeback flag waiting Greg Kroah-Hartman
` (230 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Shishkin, Andy Shevchenko,
stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
commit f866b65322bfbc8fcca13c25f49e1a5c5a93ae4d upstream.
Add support for the Trace Hub in Lunar Lake.
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20240429130119.1518073-16-alexander.shishkin@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/intel_th/pci.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
@@ -325,6 +325,11 @@ static const struct pci_device_id intel_
.driver_data = (kernel_ulong_t)&intel_th_2x,
},
{
+ /* Lunar Lake */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa824),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
+ {
/* Alder Lake CPU */
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f),
.driver_data = (kernel_ulong_t)&intel_th_2x,
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 134/356] nilfs2: fix potential kernel bug due to lack of writeback flag waiting
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 133/356] intel_th: pci: Add Lunar Lake support Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 135/356] tick/nohz_full: Dont abuse smp_call_function_single() in tick_setup_device() Greg Kroah-Hartman
` (229 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit a4ca369ca221bb7e06c725792ac107f0e48e82e7 upstream.
Destructive writes to a block device on which nilfs2 is mounted can cause
a kernel bug in the folio/page writeback start routine or writeback end
routine (__folio_start_writeback in the log below):
kernel BUG at mm/page-writeback.c:3070!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
...
RIP: 0010:__folio_start_writeback+0xbaa/0x10e0
Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff
e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>
0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00
...
Call Trace:
<TASK>
nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]
nilfs_segctor_construct+0x181/0x6b0 [nilfs2]
nilfs_segctor_thread+0x548/0x11c0 [nilfs2]
kthread+0x2f0/0x390
ret_from_fork+0x4b/0x80
ret_from_fork_asm+0x1a/0x30
</TASK>
This is because when the log writer starts a writeback for segment summary
blocks or a super root block that use the backing device's page cache, it
does not wait for the ongoing folio/page writeback, resulting in an
inconsistent writeback state.
Fix this issue by waiting for ongoing writebacks when putting
folios/pages on the backing device into writeback state.
Link: https://lkml.kernel.org/r/20240530141556.4411-1-konishi.ryusuke@gmail.com
Fixes: 9ff05123e3bf ("nilfs2: segment constructor")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/segment.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -1692,6 +1692,7 @@ static void nilfs_segctor_prepare_write(
if (bh->b_page != bd_page) {
if (bd_page) {
lock_page(bd_page);
+ wait_on_page_writeback(bd_page);
clear_page_dirty_for_io(bd_page);
set_page_writeback(bd_page);
unlock_page(bd_page);
@@ -1705,6 +1706,7 @@ static void nilfs_segctor_prepare_write(
if (bh == segbuf->sb_super_root) {
if (bh->b_page != bd_page) {
lock_page(bd_page);
+ wait_on_page_writeback(bd_page);
clear_page_dirty_for_io(bd_page);
set_page_writeback(bd_page);
unlock_page(bd_page);
@@ -1721,6 +1723,7 @@ static void nilfs_segctor_prepare_write(
}
if (bd_page) {
lock_page(bd_page);
+ wait_on_page_writeback(bd_page);
clear_page_dirty_for_io(bd_page);
set_page_writeback(bd_page);
unlock_page(bd_page);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 135/356] tick/nohz_full: Dont abuse smp_call_function_single() in tick_setup_device()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 134/356] nilfs2: fix potential kernel bug due to lack of writeback flag waiting Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 136/356] scsi: mpi3mr: Fix ATA NCQ priority support Greg Kroah-Hartman
` (228 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleg Nesterov, Thomas Gleixner
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit 07c54cc5988f19c9642fd463c2dbdac7fc52f777 upstream.
After the recent commit 5097cbcb38e6 ("sched/isolation: Prevent boot crash
when the boot CPU is nohz_full") the kernel no longer crashes, but there is
another problem.
In this case tick_setup_device() calls tick_take_do_timer_from_boot() to
update tick_do_timer_cpu and this triggers the WARN_ON_ONCE(irqs_disabled)
in smp_call_function_single().
Kill tick_take_do_timer_from_boot() and just use WRITE_ONCE(), the new
comment explains why this is safe (thanks Thomas!).
Fixes: 08ae95f4fd3b ("nohz_full: Allow the boot CPU to be nohz_full")
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240528122019.GA28794@redhat.com
Link: https://lore.kernel.org/all/20240522151742.GA10400@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/tick-common.c | 42 ++++++++++++++----------------------------
1 file changed, 14 insertions(+), 28 deletions(-)
--- a/kernel/time/tick-common.c
+++ b/kernel/time/tick-common.c
@@ -179,26 +179,6 @@ void tick_setup_periodic(struct clock_ev
}
}
-#ifdef CONFIG_NO_HZ_FULL
-static void giveup_do_timer(void *info)
-{
- int cpu = *(unsigned int *)info;
-
- WARN_ON(tick_do_timer_cpu != smp_processor_id());
-
- tick_do_timer_cpu = cpu;
-}
-
-static void tick_take_do_timer_from_boot(void)
-{
- int cpu = smp_processor_id();
- int from = tick_do_timer_boot_cpu;
-
- if (from >= 0 && from != cpu)
- smp_call_function_single(from, giveup_do_timer, &cpu, 1);
-}
-#endif
-
/*
* Setup the tick device
*/
@@ -222,19 +202,25 @@ static void tick_setup_device(struct tic
tick_next_period = ktime_get();
#ifdef CONFIG_NO_HZ_FULL
/*
- * The boot CPU may be nohz_full, in which case set
- * tick_do_timer_boot_cpu so the first housekeeping
- * secondary that comes up will take do_timer from
- * us.
+ * The boot CPU may be nohz_full, in which case the
+ * first housekeeping secondary will take do_timer()
+ * from it.
*/
if (tick_nohz_full_cpu(cpu))
tick_do_timer_boot_cpu = cpu;
- } else if (tick_do_timer_boot_cpu != -1 &&
- !tick_nohz_full_cpu(cpu)) {
- tick_take_do_timer_from_boot();
+ } else if (tick_do_timer_boot_cpu != -1 && !tick_nohz_full_cpu(cpu)) {
tick_do_timer_boot_cpu = -1;
- WARN_ON(tick_do_timer_cpu != cpu);
+ /*
+ * The boot CPU will stay in periodic (NOHZ disabled)
+ * mode until clocksource_done_booting() called after
+ * smp_init() selects a high resolution clocksource and
+ * timekeeping_notify() kicks the NOHZ stuff alive.
+ *
+ * So this WRITE_ONCE can only race with the READ_ONCE
+ * check in tick_periodic() but this race is harmless.
+ */
+ WRITE_ONCE(tick_do_timer_cpu, cpu);
#endif
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 136/356] scsi: mpi3mr: Fix ATA NCQ priority support
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 135/356] tick/nohz_full: Dont abuse smp_call_function_single() in tick_setup_device() Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 137/356] mm/huge_memory: dont unpoison huge_zero_folio Greg Kroah-Hartman
` (227 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott McCoy, Damien Le Moal,
Niklas Cassel, Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit 90e6f08915ec6efe46570420412a65050ec826b2 upstream.
The function mpi3mr_qcmd() of the mpi3mr driver is able to indicate to
the HBA if a read or write command directed at an ATA device should be
translated to an NCQ read/write command with the high prioiryt bit set
when the request uses the RT priority class and the user has enabled NCQ
priority through sysfs.
However, unlike the mpt3sas driver, the mpi3mr driver does not define
the sas_ncq_prio_supported and sas_ncq_prio_enable sysfs attributes, so
the ncq_prio_enable field of struct mpi3mr_sdev_priv_data is never
actually set and NCQ Priority cannot ever be used.
Fix this by defining these missing atributes to allow a user to check if
an ATA device supports NCQ priority and to enable/disable the use of NCQ
priority. To do this, lift the function scsih_ncq_prio_supp() out of the
mpt3sas driver and make it the generic SCSI SAS transport function
sas_ata_ncq_prio_supported(). Nothing in that function is hardware
specific, so this function can be used in both the mpt3sas driver and
the mpi3mr driver.
Reported-by: Scott McCoy <scott.mccoy@wdc.com>
Fixes: 023ab2a9b4ed ("scsi: mpi3mr: Add support for queue command processing")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20240611083435.92961-1-dlemoal@kernel.org
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpi3mr/mpi3mr.h | 1
drivers/scsi/mpi3mr/mpi3mr_os.c | 67 +++++++++++++++++++++++++++++++++++
drivers/scsi/mpt3sas/mpt3sas_base.h | 3 -
drivers/scsi/mpt3sas/mpt3sas_ctl.c | 4 +-
drivers/scsi/mpt3sas/mpt3sas_scsih.c | 25 -------------
drivers/scsi/scsi_transport_sas.c | 29 +++++++++++++++
include/scsi/scsi_transport_sas.h | 2 +
7 files changed, 101 insertions(+), 30 deletions(-)
--- a/drivers/scsi/mpi3mr/mpi3mr.h
+++ b/drivers/scsi/mpi3mr/mpi3mr.h
@@ -38,6 +38,7 @@
#include <scsi/scsi_device.h>
#include <scsi/scsi_host.h>
#include <scsi/scsi_tcq.h>
+#include <scsi/scsi_transport_sas.h>
#include "mpi/mpi30_transport.h"
#include "mpi/mpi30_cnfg.h"
--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
@@ -3549,6 +3549,72 @@ out:
return retval;
}
+/**
+ * sas_ncq_prio_supported_show - Indicate if device supports NCQ priority
+ * @dev: pointer to embedded device
+ * @attr: sas_ncq_prio_supported attribute descriptor
+ * @buf: the buffer returned
+ *
+ * A sysfs 'read-only' sdev attribute, only works with SATA devices
+ */
+static ssize_t
+sas_ncq_prio_supported_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+{
+ struct scsi_device *sdev = to_scsi_device(dev);
+
+ return sysfs_emit(buf, "%d\n", sas_ata_ncq_prio_supported(sdev));
+}
+static DEVICE_ATTR_RO(sas_ncq_prio_supported);
+
+/**
+ * sas_ncq_prio_enable_show - send prioritized io commands to device
+ * @dev: pointer to embedded device
+ * @attr: sas_ncq_prio_enable attribute descriptor
+ * @buf: the buffer returned
+ *
+ * A sysfs 'read/write' sdev attribute, only works with SATA devices
+ */
+static ssize_t
+sas_ncq_prio_enable_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+{
+ struct scsi_device *sdev = to_scsi_device(dev);
+ struct mpi3mr_sdev_priv_data *sdev_priv_data = sdev->hostdata;
+
+ if (!sdev_priv_data)
+ return 0;
+
+ return sysfs_emit(buf, "%d\n", sdev_priv_data->ncq_prio_enable);
+}
+
+static ssize_t
+sas_ncq_prio_enable_store(struct device *dev,
+ struct device_attribute *attr,
+ const char *buf, size_t count)
+{
+ struct scsi_device *sdev = to_scsi_device(dev);
+ struct mpi3mr_sdev_priv_data *sdev_priv_data = sdev->hostdata;
+ bool ncq_prio_enable = 0;
+
+ if (kstrtobool(buf, &ncq_prio_enable))
+ return -EINVAL;
+
+ if (!sas_ata_ncq_prio_supported(sdev))
+ return -EINVAL;
+
+ sdev_priv_data->ncq_prio_enable = ncq_prio_enable;
+
+ return strlen(buf);
+}
+static DEVICE_ATTR_RW(sas_ncq_prio_enable);
+
+static struct device_attribute *mpi3mr_dev_attrs[] = {
+ &dev_attr_sas_ncq_prio_supported,
+ &dev_attr_sas_ncq_prio_enable,
+ NULL,
+};
+
static struct scsi_host_template mpi3mr_driver_template = {
.module = THIS_MODULE,
.name = "MPI3 Storage Controller",
@@ -3577,6 +3643,7 @@ static struct scsi_host_template mpi3mr_
.cmd_per_lun = MPI3MR_MAX_CMDS_LUN,
.track_queue_depth = 1,
.cmd_size = sizeof(struct scmd_priv),
+ .sdev_attrs = mpi3mr_dev_attrs,
};
/**
--- a/drivers/scsi/mpt3sas/mpt3sas_base.h
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.h
@@ -2010,9 +2010,6 @@ void
mpt3sas_setup_direct_io(struct MPT3SAS_ADAPTER *ioc, struct scsi_cmnd *scmd,
struct _raid_device *raid_device, Mpi25SCSIIORequest_t *mpi_request);
-/* NCQ Prio Handling Check */
-bool scsih_ncq_prio_supp(struct scsi_device *sdev);
-
void mpt3sas_setup_debugfs(struct MPT3SAS_ADAPTER *ioc);
void mpt3sas_destroy_debugfs(struct MPT3SAS_ADAPTER *ioc);
void mpt3sas_init_debugfs(void);
--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -3933,7 +3933,7 @@ sas_ncq_prio_supported_show(struct devic
{
struct scsi_device *sdev = to_scsi_device(dev);
- return sysfs_emit(buf, "%d\n", scsih_ncq_prio_supp(sdev));
+ return sysfs_emit(buf, "%d\n", sas_ata_ncq_prio_supported(sdev));
}
static DEVICE_ATTR_RO(sas_ncq_prio_supported);
@@ -3968,7 +3968,7 @@ sas_ncq_prio_enable_store(struct device
if (kstrtobool(buf, &ncq_prio_enable))
return -EINVAL;
- if (!scsih_ncq_prio_supp(sdev))
+ if (!sas_ata_ncq_prio_supported(sdev))
return -EINVAL;
sas_device_priv_data->ncq_prio_enable = ncq_prio_enable;
--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -12580,31 +12580,6 @@ scsih_pci_mmio_enabled(struct pci_dev *p
return PCI_ERS_RESULT_RECOVERED;
}
-/**
- * scsih_ncq_prio_supp - Check for NCQ command priority support
- * @sdev: scsi device struct
- *
- * This is called when a user indicates they would like to enable
- * ncq command priorities. This works only on SATA devices.
- */
-bool scsih_ncq_prio_supp(struct scsi_device *sdev)
-{
- unsigned char *buf;
- bool ncq_prio_supp = false;
-
- if (!scsi_device_supports_vpd(sdev))
- return ncq_prio_supp;
-
- buf = kmalloc(SCSI_VPD_PG_LEN, GFP_KERNEL);
- if (!buf)
- return ncq_prio_supp;
-
- if (!scsi_get_vpd_page(sdev, 0x89, buf, SCSI_VPD_PG_LEN))
- ncq_prio_supp = (buf[213] >> 4) & 1;
-
- kfree(buf);
- return ncq_prio_supp;
-}
/*
* The pci device ids are defined in mpi/mpi2_cnfg.h.
*/
--- a/drivers/scsi/scsi_transport_sas.c
+++ b/drivers/scsi/scsi_transport_sas.c
@@ -410,6 +410,35 @@ unsigned int sas_is_tlr_enabled(struct s
}
EXPORT_SYMBOL_GPL(sas_is_tlr_enabled);
+/**
+ * sas_ata_ncq_prio_supported - Check for ATA NCQ command priority support
+ * @sdev: SCSI device
+ *
+ * Check if an ATA device supports NCQ priority using VPD page 89h (ATA
+ * Information). Since this VPD page is implemented only for ATA devices,
+ * this function always returns false for SCSI devices.
+ */
+bool sas_ata_ncq_prio_supported(struct scsi_device *sdev)
+{
+ unsigned char *buf;
+ bool ncq_prio_supported = false;
+
+ if (!scsi_device_supports_vpd(sdev))
+ return false;
+
+ buf = kmalloc(SCSI_VPD_PG_LEN, GFP_KERNEL);
+ if (!buf)
+ return false;
+
+ if (!scsi_get_vpd_page(sdev, 0x89, buf, SCSI_VPD_PG_LEN))
+ ncq_prio_supported = (buf[213] >> 4) & 1;
+
+ kfree(buf);
+
+ return ncq_prio_supported;
+}
+EXPORT_SYMBOL_GPL(sas_ata_ncq_prio_supported);
+
/*
* SAS Phy attributes
*/
--- a/include/scsi/scsi_transport_sas.h
+++ b/include/scsi/scsi_transport_sas.h
@@ -199,6 +199,8 @@ unsigned int sas_is_tlr_enabled(struct s
void sas_disable_tlr(struct scsi_device *);
void sas_enable_tlr(struct scsi_device *);
+bool sas_ata_ncq_prio_supported(struct scsi_device *sdev);
+
extern struct sas_rphy *sas_end_device_alloc(struct sas_port *);
extern struct sas_rphy *sas_expander_alloc(struct sas_port *, enum sas_device_type);
void sas_rphy_free(struct sas_rphy *);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 137/356] mm/huge_memory: dont unpoison huge_zero_folio
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 136/356] scsi: mpi3mr: Fix ATA NCQ priority support Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 138/356] serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level Greg Kroah-Hartman
` (226 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaohe Lin, David Hildenbrand,
Yang Shi, Oscar Salvador, Anshuman Khandual, Naoya Horiguchi,
Xu Yu, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaohe Lin <linmiaohe@huawei.com>
commit fe6f86f4b40855a130a19aa589f9ba7f650423f4 upstream.
When I did memory failure tests recently, below panic occurs:
kernel BUG at include/linux/mm.h:1135!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14
RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0
Call Trace:
<TASK>
do_shrink_slab+0x14f/0x6a0
shrink_slab+0xca/0x8c0
shrink_node+0x2d0/0x7d0
balance_pgdat+0x33a/0x720
kswapd+0x1f3/0x410
kthread+0xd5/0x100
ret_from_fork+0x2f/0x50
ret_from_fork_asm+0x1a/0x30
</TASK>
Modules linked in: mce_inject hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0
The root cause is that HWPoison flag will be set for huge_zero_folio
without increasing the folio refcnt. But then unpoison_memory() will
decrease the folio refcnt unexpectedly as it appears like a successfully
hwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when
releasing huge_zero_folio.
Skip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue.
We're not prepared to unpoison huge_zero_folio yet.
Link: https://lkml.kernel.org/r/20240516122608.22610-1-linmiaohe@huawei.com
Fixes: 478d134e9506 ("mm/huge_memory: do not overkill when splitting huge_zero_page")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Yang Shi <shy828301@gmail.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Xu Yu <xuyu@linux.alibaba.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory-failure.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -2051,6 +2051,13 @@ int unpoison_memory(unsigned long pfn)
mutex_lock(&mf_mutex);
+ if (is_huge_zero_page(page)) {
+ unpoison_pr_info("Unpoison: huge zero page is not supported %#lx\n",
+ pfn, &unpoison_rs);
+ ret = -EOPNOTSUPP;
+ goto unlock_mutex;
+ }
+
if (!PageHWPoison(p)) {
unpoison_pr_info("Unpoison: Page was already unpoisoned %#lx\n",
pfn, &unpoison_rs);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 138/356] serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 137/356] mm/huge_memory: dont unpoison huge_zero_folio Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 139/356] hugetlb_encode.h: fix undefined behaviour (34 << 26) Greg Kroah-Hartman
` (225 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Doug Brown, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doug Brown <doug@schmorgal.com>
commit 5208e7ced520a813b4f4774451fbac4e517e78b2 upstream.
The FIFO is 64 bytes, but the FCR is configured to fire the TX interrupt
when the FIFO is half empty (bit 3 = 0). Thus, we should only write 32
bytes when a TX interrupt occurs.
This fixes a problem observed on the PXA168 that dropped a bunch of TX
bytes during large transmissions.
Fixes: ab28f51c77cd ("serial: rewrite pxa2xx-uart to use 8250_core")
Signed-off-by: Doug Brown <doug@schmorgal.com>
Link: https://lore.kernel.org/r/20240519191929.122202-1-doug@schmorgal.com
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_pxa.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/tty/serial/8250/8250_pxa.c
+++ b/drivers/tty/serial/8250/8250_pxa.c
@@ -125,6 +125,7 @@ static int serial_pxa_probe(struct platf
uart.port.regshift = 2;
uart.port.irq = irq;
uart.port.fifosize = 64;
+ uart.tx_loadsz = 32;
uart.port.flags = UPF_IOREMAP | UPF_SKIP_TEST | UPF_FIXED_TYPE;
uart.port.dev = &pdev->dev;
uart.port.uartclk = clk_get_rate(data->clk);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 139/356] hugetlb_encode.h: fix undefined behaviour (34 << 26)
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 138/356] serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 140/356] mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID Greg Kroah-Hartman
` (224 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthias Goergens, Randy Dunlap,
Mike Kravetz, Muchun Song, Andrew Morton, Carlos Llamas
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthias Goergens <matthias.goergens@gmail.com>
commit 710bb68c2e3a24512e2d2bae470960d7488e97b1 upstream.
Left-shifting past the size of your datatype is undefined behaviour in C.
The literal 34 gets the type `int`, and that one is not big enough to be
left shifted by 26 bits.
An `unsigned` is long enough (on any machine that has at least 32 bits for
their ints.)
For uniformity, we mark all the literals as unsigned. But it's only
really needed for HUGETLB_FLAG_ENCODE_16GB.
Thanks to Randy Dunlap for an initial review and suggestion.
Link: https://lkml.kernel.org/r/20220905031904.150925-1-matthias.goergens@gmail.com
Signed-off-by: Matthias Goergens <matthias.goergens@gmail.com>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Muchun Song <songmuchun@bytedance.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/asm-generic/hugetlb_encode.h | 26 +++++++++++++-------------
tools/include/asm-generic/hugetlb_encode.h | 26 +++++++++++++-------------
2 files changed, 26 insertions(+), 26 deletions(-)
--- a/include/uapi/asm-generic/hugetlb_encode.h
+++ b/include/uapi/asm-generic/hugetlb_encode.h
@@ -20,18 +20,18 @@
#define HUGETLB_FLAG_ENCODE_SHIFT 26
#define HUGETLB_FLAG_ENCODE_MASK 0x3f
-#define HUGETLB_FLAG_ENCODE_16KB (14 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_64KB (16 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_512KB (19 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_1MB (20 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_2MB (21 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_8MB (23 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_16MB (24 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_32MB (25 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_256MB (28 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_512MB (29 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_1GB (30 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_2GB (31 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_16GB (34 << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_16KB (14U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_64KB (16U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_512KB (19U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_1MB (20U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_2MB (21U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_8MB (23U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_16MB (24U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_32MB (25U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_256MB (28U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_512MB (29U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_1GB (30U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_2GB (31U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_16GB (34U << HUGETLB_FLAG_ENCODE_SHIFT)
#endif /* _ASM_GENERIC_HUGETLB_ENCODE_H_ */
--- a/tools/include/asm-generic/hugetlb_encode.h
+++ b/tools/include/asm-generic/hugetlb_encode.h
@@ -20,18 +20,18 @@
#define HUGETLB_FLAG_ENCODE_SHIFT 26
#define HUGETLB_FLAG_ENCODE_MASK 0x3f
-#define HUGETLB_FLAG_ENCODE_16KB (14 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_64KB (16 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_512KB (19 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_1MB (20 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_2MB (21 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_8MB (23 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_16MB (24 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_32MB (25 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_256MB (28 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_512MB (29 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_1GB (30 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_2GB (31 << HUGETLB_FLAG_ENCODE_SHIFT)
-#define HUGETLB_FLAG_ENCODE_16GB (34 << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_16KB (14U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_64KB (16U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_512KB (19U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_1MB (20U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_2MB (21U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_8MB (23U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_16MB (24U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_32MB (25U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_256MB (28U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_512MB (29U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_1GB (30U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_2GB (31U << HUGETLB_FLAG_ENCODE_SHIFT)
+#define HUGETLB_FLAG_ENCODE_16GB (34U << HUGETLB_FLAG_ENCODE_SHIFT)
#endif /* _ASM_GENERIC_HUGETLB_ENCODE_H_ */
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 140/356] mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 139/356] hugetlb_encode.h: fix undefined behaviour (34 << 26) Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 141/356] mptcp: pm: update add_addr counters after connect Greg Kroah-Hartman
` (223 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0), YonglongLi,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: YonglongLi <liyonglong@chinatelecom.cn>
commit 6a09788c1a66e3d8b04b3b3e7618cc817bb60ae9 upstream.
The RmAddr MIB counter is supposed to be incremented once when a valid
RM_ADDR has been received. Before this patch, it could have been
incremented as many times as the number of subflows connected to the
linked address ID, so it could have been 0, 1 or more than 1.
The "RmSubflow" is incremented after a local operation. In this case,
it is normal to tied it with the number of subflows that have been
actually removed.
The "remove invalid addresses" MP Join subtest has been modified to
validate this case. A broadcast IP address is now used instead: the
client will not be able to create a subflow to this address. The
consequence is that when receiving the RM_ADDR with the ID attached to
this broadcast IP address, no subflow linked to this ID will be found.
Fixes: 7a7e52e38a40 ("mptcp: add RM_ADDR related mibs")
Cc: stable@vger.kernel.org
Co-developed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: YonglongLi <liyonglong@chinatelecom.cn>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://lore.kernel.org/r/20240607-upstream-net-20240607-misc-fixes-v1-2-1ab9ddfa3d00@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in pm_netlink.c because the context has changed later in
multiple commits linked to new features, e.g. commit 86e39e04482b
("mptcp: keep track of local endpoint still available for each msk"),
commit a88c9e496937 ("mptcp: do not block subflows creation on errors")
and commit 3ad14f54bd74 ("mptcp: more accurate MPC endpoint tracking"),
but the independent lines that needed to be modified were still there.
Conflicts in the selftests, because many features modifying the whole
file have been added later, e.g. commit ae7bd9ccecc3 ("selftests:
mptcp: join: option to execute specific tests"). The same
modifications have been reported to the old code: simply changing the
IP address and add a new comment. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 5 ++++-
tools/testing/selftests/net/mptcp/mptcp_join.sh | 3 ++-
2 files changed, 6 insertions(+), 2 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -757,8 +757,11 @@ static void mptcp_pm_nl_rm_addr_or_subfl
removed = true;
msk->pm.subflows--;
- __MPTCP_INC_STATS(sock_net(sk), rm_type);
+ if (rm_type == MPTCP_MIB_RMSUBFLOW)
+ __MPTCP_INC_STATS(sock_net(sk), rm_type);
}
+ if (rm_type == MPTCP_MIB_RMADDR)
+ __MPTCP_INC_STATS(sock_net(sk), rm_type);
if (!removed)
continue;
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -1307,7 +1307,8 @@ remove_tests()
ip netns exec $ns1 ./pm_nl_ctl limits 3 3
ip netns exec $ns1 ./pm_nl_ctl add 10.0.12.1 flags signal
ip netns exec $ns1 ./pm_nl_ctl add 10.0.3.1 flags signal
- ip netns exec $ns1 ./pm_nl_ctl add 10.0.14.1 flags signal
+ # broadcast IP: no packet for this address will be received on ns1
+ ip netns exec $ns1 ./pm_nl_ctl add 224.0.0.1 flags signal
ip netns exec $ns2 ./pm_nl_ctl limits 3 3
run_tests $ns1 $ns2 10.0.1.1 0 -3 0 slow
chk_join_nr "remove invalid addresses" 1 1 1
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 141/356] mptcp: pm: update add_addr counters after connect
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 140/356] mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 142/356] kbuild: Remove support for Clangs ThinLTO caching Greg Kroah-Hartman
` (222 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0), YonglongLi,
Mat Martineau, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: YonglongLi <liyonglong@chinatelecom.cn>
commit 40eec1795cc27b076d49236649a29507c7ed8c2d upstream.
The creation of new subflows can fail for different reasons. If no
subflow have been created using the received ADD_ADDR, the related
counters should not be updated, otherwise they will never be decremented
for events related to this ID later on.
For the moment, the number of accepted ADD_ADDR is only decremented upon
the reception of a related RM_ADDR, and only if the remote address ID is
currently being used by at least one subflow. In other words, if no
subflow can be created with the received address, the counter will not
be decremented. In this case, it is then important not to increment
pm.add_addr_accepted counter, and not to modify pm.accept_addr bit.
Note that this patch does not modify the behaviour in case of failures
later on, e.g. if the MP Join is dropped or rejected.
The "remove invalid addresses" MP Join subtest has been modified to
validate this case. The broadcast IP address is added before the "valid"
address that will be used to successfully create a subflow, and the
limit is decreased by one: without this patch, it was not possible to
create the last subflow, because:
- the broadcast address would have been accepted even if it was not
usable: the creation of a subflow to this address results in an error,
- the limit of 2 accepted ADD_ADDR would have then been reached.
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Co-developed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: YonglongLi <liyonglong@chinatelecom.cn>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://lore.kernel.org/r/20240607-upstream-net-20240607-misc-fixes-v1-3-1ab9ddfa3d00@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in pm_netlink.c because commit 12a18341b5c3 ("mptcp: send
ADD_ADDR echo before create subflows") is not present in this version,
and it changes the context, but not the block that needs to be moved.
Conflicts in the selftests, because many features modifying the whole
file have been added later, e.g. commit ae7bd9ccecc3 ("selftests:
mptcp: join: option to execute specific tests"). The same
modifications have been reported to the old code: simply moving one
line, and changing the limits. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 16 ++++++++++------
tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 ++--
2 files changed, 12 insertions(+), 8 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -608,6 +608,7 @@ static void mptcp_pm_nl_add_addr_receive
struct mptcp_addr_info remote;
unsigned int subflows_max;
bool reset_port = false;
+ bool sf_created = false;
int i, nr;
add_addr_accept_max = mptcp_pm_get_add_addr_accept_max(msk);
@@ -632,16 +633,19 @@ static void mptcp_pm_nl_add_addr_receive
*/
nr = fill_local_addresses_vec(msk, addrs);
- msk->pm.add_addr_accepted++;
- if (msk->pm.add_addr_accepted >= add_addr_accept_max ||
- msk->pm.subflows >= subflows_max)
- WRITE_ONCE(msk->pm.accept_addr, false);
-
spin_unlock_bh(&msk->pm.lock);
for (i = 0; i < nr; i++)
- __mptcp_subflow_connect(sk, &addrs[i], &remote);
+ if (__mptcp_subflow_connect(sk, &addrs[i], &remote) == 0)
+ sf_created = true;
spin_lock_bh(&msk->pm.lock);
+ if (sf_created) {
+ msk->pm.add_addr_accepted++;
+ if (msk->pm.add_addr_accepted >= add_addr_accept_max ||
+ msk->pm.subflows >= subflows_max)
+ WRITE_ONCE(msk->pm.accept_addr, false);
+ }
+
/* be sure to echo exactly the received address */
if (reset_port)
remote.port = 0;
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -1306,10 +1306,10 @@ remove_tests()
reset
ip netns exec $ns1 ./pm_nl_ctl limits 3 3
ip netns exec $ns1 ./pm_nl_ctl add 10.0.12.1 flags signal
- ip netns exec $ns1 ./pm_nl_ctl add 10.0.3.1 flags signal
# broadcast IP: no packet for this address will be received on ns1
ip netns exec $ns1 ./pm_nl_ctl add 224.0.0.1 flags signal
- ip netns exec $ns2 ./pm_nl_ctl limits 3 3
+ ip netns exec $ns1 ./pm_nl_ctl add 10.0.3.1 flags signal
+ ip netns exec $ns2 ./pm_nl_ctl limits 2 2
run_tests $ns1 $ns2 10.0.1.1 0 -3 0 slow
chk_join_nr "remove invalid addresses" 1 1 1
chk_add_nr 3 3
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 142/356] kbuild: Remove support for Clangs ThinLTO caching
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 141/356] mptcp: pm: update add_addr counters after connect Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 143/356] greybus: Fix use-after-free bug in gb_interface_release due to race condition Greg Kroah-Hartman
` (221 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Hong, Masami Hiramatsu,
Nathan Chancellor, Masahiro Yamada
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit aba091547ef6159d52471f42a3ef531b7b660ed8 upstream.
There is an issue in clang's ThinLTO caching (enabled for the kernel via
'--thinlto-cache-dir') with .incbin, which the kernel occasionally uses
to include data within the kernel, such as the .config file for
/proc/config.gz. For example, when changing the .config and rebuilding
vmlinux, the copy of .config in vmlinux does not match the copy of
.config in the build folder:
$ echo 'CONFIG_LTO_NONE=n
CONFIG_LTO_CLANG_THIN=y
CONFIG_IKCONFIG=y
CONFIG_HEADERS_INSTALL=y' >kernel/configs/repro.config
$ make -skj"$(nproc)" ARCH=x86_64 LLVM=1 clean defconfig repro.config vmlinux
...
$ grep CONFIG_HEADERS_INSTALL .config
CONFIG_HEADERS_INSTALL=y
$ scripts/extract-ikconfig vmlinux | grep CONFIG_HEADERS_INSTALL
CONFIG_HEADERS_INSTALL=y
$ scripts/config -d HEADERS_INSTALL
$ make -kj"$(nproc)" ARCH=x86_64 LLVM=1 vmlinux
...
UPD kernel/config_data
GZIP kernel/config_data.gz
CC kernel/configs.o
...
LD vmlinux
...
$ grep CONFIG_HEADERS_INSTALL .config
# CONFIG_HEADERS_INSTALL is not set
$ scripts/extract-ikconfig vmlinux | grep CONFIG_HEADERS_INSTALL
CONFIG_HEADERS_INSTALL=y
Without '--thinlto-cache-dir' or when using full LTO, this issue does
not occur.
Benchmarking incremental builds on a few different machines with and
without the cache shows a 20% increase in incremental build time without
the cache when measured by touching init/main.c and running 'make all'.
ARCH=arm64 defconfig + CONFIG_LTO_CLANG_THIN=y on an arm64 host:
Benchmark 1: With ThinLTO cache
Time (mean ± σ): 56.347 s ± 0.163 s [User: 83.768 s, System: 24.661 s]
Range (min … max): 56.109 s … 56.594 s 10 runs
Benchmark 2: Without ThinLTO cache
Time (mean ± σ): 67.740 s ± 0.479 s [User: 718.458 s, System: 31.797 s]
Range (min … max): 67.059 s … 68.556 s 10 runs
Summary
With ThinLTO cache ran
1.20 ± 0.01 times faster than Without ThinLTO cache
ARCH=x86_64 defconfig + CONFIG_LTO_CLANG_THIN=y on an x86_64 host:
Benchmark 1: With ThinLTO cache
Time (mean ± σ): 85.772 s ± 0.252 s [User: 91.505 s, System: 8.408 s]
Range (min … max): 85.447 s … 86.244 s 10 runs
Benchmark 2: Without ThinLTO cache
Time (mean ± σ): 103.833 s ± 0.288 s [User: 232.058 s, System: 8.569 s]
Range (min … max): 103.286 s … 104.124 s 10 runs
Summary
With ThinLTO cache ran
1.21 ± 0.00 times faster than Without ThinLTO cache
While it is unfortunate to take this performance improvement off the
table, correctness is more important. If/when this is fixed in LLVM, it
can potentially be brought back in a conditional manner. Alternatively,
a developer can just disable LTO if doing incremental compiles quickly
is important, as a full compile cycle can still take over a minute even
with the cache and it is unlikely that LTO will result in functional
differences for a kernel change.
Cc: stable@vger.kernel.org
Fixes: dc5723b02e52 ("kbuild: add support for Clang LTO")
Reported-by: Yifan Hong <elsk@google.com>
Closes: https://github.com/ClangBuiltLinux/linux/issues/2021
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Closes: https://lore.kernel.org/r/20220327115526.cc4b0ff55fc53c97683c3e4d@kernel.org/
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
[nathan: Address conflict in Makefile]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/Makefile
+++ b/Makefile
@@ -959,7 +959,6 @@ endif
ifdef CONFIG_LTO_CLANG
ifdef CONFIG_LTO_CLANG_THIN
CC_FLAGS_LTO := -flto=thin -fsplit-lto-unit
-KBUILD_LDFLAGS += --thinlto-cache-dir=$(extmod_prefix).thinlto-cache
else
CC_FLAGS_LTO := -flto
endif
@@ -1560,7 +1559,7 @@ endif # CONFIG_MODULES
# Directories & files removed with 'make clean'
CLEAN_FILES += include/ksym vmlinux.symvers modules-only.symvers \
modules.builtin modules.builtin.modinfo modules.nsdeps \
- compile_commands.json .thinlto-cache
+ compile_commands.json
# Directories & files removed with 'make mrproper'
MRPROPER_FILES += include/config include/generated \
@@ -1788,7 +1787,7 @@ PHONY += compile_commands.json
clean-dirs := $(KBUILD_EXTMOD)
clean: rm-files := $(KBUILD_EXTMOD)/Module.symvers $(KBUILD_EXTMOD)/modules.nsdeps \
- $(KBUILD_EXTMOD)/compile_commands.json $(KBUILD_EXTMOD)/.thinlto-cache
+ $(KBUILD_EXTMOD)/compile_commands.json
PHONY += prepare
# now expand this into a simple variable to reduce the cost of shell evaluations
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 143/356] greybus: Fix use-after-free bug in gb_interface_release due to race condition.
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 142/356] kbuild: Remove support for Clangs ThinLTO caching Greg Kroah-Hartman
@ 2024-07-03 10:37 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 144/356] usb-storage: alauda: Check whether the media is initialized Greg Kroah-Hartman
` (220 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sicong Huang, Ronnie Sahlberg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sicong Huang <congei42@163.com>
commit 5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce upstream.
In gb_interface_create, &intf->mode_switch_completion is bound with
gb_interface_mode_switch_work. Then it will be started by
gb_interface_request_mode_switch. Here is the relevant code.
if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
...
}
If we call gb_interface_release to make cleanup, there may be an
unfinished work. This function will call kfree to free the object
"intf". However, if gb_interface_mode_switch_work is scheduled to
run after kfree, it may cause use-after-free error as
gb_interface_mode_switch_work will use the object "intf".
The possible execution flow that may lead to the issue is as follows:
CPU0 CPU1
| gb_interface_create
| gb_interface_request_mode_switch
gb_interface_release |
kfree(intf) (free) |
| gb_interface_mode_switch_work
| mutex_lock(&intf->mutex) (use)
Fix it by canceling the work before kfree.
Signed-off-by: Sicong Huang <congei42@163.com>
Link: https://lore.kernel.org/r/20240416080313.92306-1-congei42@163.com
Cc: Ronnie Sahlberg <rsahlberg@ciq.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/greybus/interface.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/greybus/interface.c
+++ b/drivers/greybus/interface.c
@@ -694,6 +694,7 @@ static void gb_interface_release(struct
trace_gb_interface_release(intf);
+ cancel_work_sync(&intf->mode_switch_work);
kfree(intf);
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 144/356] usb-storage: alauda: Check whether the media is initialized
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2024-07-03 10:37 ` [PATCH 5.15 143/356] greybus: Fix use-after-free bug in gb_interface_release due to race condition Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 145/356] i2c: at91: Fix the functionality flags of the slave-only interface Greg Kroah-Hartman
` (219 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, xingwei lee, yue sun, Alan Stern,
Shichao Lai, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shichao Lai <shichaorai@gmail.com>
[ Upstream commit 16637fea001ab3c8df528a8995b3211906165a30 ]
The member "uzonesize" of struct alauda_info will remain 0
if alauda_init_media() fails, potentially causing divide errors
in alauda_read_data() and alauda_write_lba().
- Add a member "media_initialized" to struct alauda_info.
- Change a condition in alauda_check_media() to ensure the
first initialization.
- Add an error check for the return value of alauda_init_media().
Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support")
Reported-by: xingwei lee <xrivendell7@gmail.com>
Reported-by: yue sun <samsun1006219@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Shichao Lai <shichaorai@gmail.com>
Link: https://lore.kernel.org/r/20240526012745.2852061-1-shichaorai@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/storage/alauda.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c
index dcc4778d1ae99..17fe35083f048 100644
--- a/drivers/usb/storage/alauda.c
+++ b/drivers/usb/storage/alauda.c
@@ -105,6 +105,8 @@ struct alauda_info {
unsigned char sense_key;
unsigned long sense_asc; /* additional sense code */
unsigned long sense_ascq; /* additional sense code qualifier */
+
+ bool media_initialized;
};
#define short_pack(lsb,msb) ( ((u16)(lsb)) | ( ((u16)(msb))<<8 ) )
@@ -476,11 +478,12 @@ static int alauda_check_media(struct us_data *us)
}
/* Check for media change */
- if (status[0] & 0x08) {
+ if (status[0] & 0x08 || !info->media_initialized) {
usb_stor_dbg(us, "Media change detected\n");
alauda_free_maps(&MEDIA_INFO(us));
- alauda_init_media(us);
-
+ rc = alauda_init_media(us);
+ if (rc == USB_STOR_TRANSPORT_GOOD)
+ info->media_initialized = true;
info->sense_key = UNIT_ATTENTION;
info->sense_asc = 0x28;
info->sense_ascq = 0x00;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 145/356] i2c: at91: Fix the functionality flags of the slave-only interface
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 144/356] usb-storage: alauda: Check whether the media is initialized Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 146/356] i2c: designware: " Greg Kroah-Hartman
` (218 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean Delvare, Juergen Fitschen,
Ludovic Desroches, Codrin Ciubotariu, Andi Shyti, Nicolas Ferre,
Alexandre Belloni, Claudiu Beznea, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean Delvare <jdelvare@suse.de>
[ Upstream commit d6d5645e5fc1233a7ba950de4a72981c394a2557 ]
When an I2C adapter acts only as a slave, it should not claim to
support I2C master capabilities.
Fixes: 9d3ca54b550c ("i2c: at91: added slave mode support")
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Cc: Juergen Fitschen <me@jue.yt>
Cc: Ludovic Desroches <ludovic.desroches@microchip.com>
Cc: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
Cc: Andi Shyti <andi.shyti@kernel.org>
Cc: Nicolas Ferre <nicolas.ferre@microchip.com>
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Cc: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-at91-slave.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/i2c/busses/i2c-at91-slave.c b/drivers/i2c/busses/i2c-at91-slave.c
index d6eeea5166c04..131a67d9d4a68 100644
--- a/drivers/i2c/busses/i2c-at91-slave.c
+++ b/drivers/i2c/busses/i2c-at91-slave.c
@@ -106,8 +106,7 @@ static int at91_unreg_slave(struct i2c_client *slave)
static u32 at91_twi_func(struct i2c_adapter *adapter)
{
- return I2C_FUNC_SLAVE | I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL
- | I2C_FUNC_SMBUS_READ_BLOCK_DATA;
+ return I2C_FUNC_SLAVE;
}
static const struct i2c_algorithm at91_twi_algorithm_slave = {
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 146/356] i2c: designware: Fix the functionality flags of the slave-only interface
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 145/356] i2c: at91: Fix the functionality flags of the slave-only interface Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 147/356] zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING Greg Kroah-Hartman
` (217 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean Delvare, Luis Oliveira,
Jarkko Nikula, Andy Shevchenko, Mika Westerberg, Jan Dabros,
Andi Shyti, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean Delvare <jdelvare@suse.de>
[ Upstream commit cbf3fb5b29e99e3689d63a88c3cddbffa1b8de99 ]
When an I2C adapter acts only as a slave, it should not claim to
support I2C master capabilities.
Fixes: 5b6d721b266a ("i2c: designware: enable SLAVE in platform module")
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Cc: Luis Oliveira <lolivei@synopsys.com>
Cc: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: Jan Dabros <jsd@semihalf.com>
Cc: Andi Shyti <andi.shyti@kernel.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Tested-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-designware-slave.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-designware-slave.c b/drivers/i2c/busses/i2c-designware-slave.c
index 0d15f4c1e9f7e..5b54a9b9ed1a3 100644
--- a/drivers/i2c/busses/i2c-designware-slave.c
+++ b/drivers/i2c/busses/i2c-designware-slave.c
@@ -232,7 +232,7 @@ static const struct i2c_algorithm i2c_dw_algo = {
void i2c_dw_configure_slave(struct dw_i2c_dev *dev)
{
- dev->functionality = I2C_FUNC_SLAVE | DW_IC_DEFAULT_FUNCTIONALITY;
+ dev->functionality = I2C_FUNC_SLAVE;
dev->slave_cfg = DW_IC_CON_RX_FIFO_FULL_HLD_CTRL |
DW_IC_CON_RESTART_EN | DW_IC_CON_STOP_DET_IFADDRESSED;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 147/356] zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 146/356] i2c: designware: " Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 148/356] Bluetooth: qca: Fix error code in qca_read_fw_build_info() Greg Kroah-Hartman
` (216 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleg Nesterov, Rachel Menge,
Boqun Feng, Wei Fu, Jens Axboe, Allen Pais, Christian Brauner,
Frederic Weisbecker, Joel Fernandes (Google), Joel Granados,
Josh Triplett, Lai Jiangshan, Mateusz Guzik, Mathieu Desnoyers,
Mike Christie, Neeraj Upadhyay, Paul E. McKenney,
Steven Rostedt (Google), Zqiang, Thomas Gleixner, Andrew Morton,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit 7fea700e04bd3f424c2d836e98425782f97b494e ]
kernel_wait4() doesn't sleep and returns -EINTR if there is no
eligible child and signal_pending() is true.
That is why zap_pid_ns_processes() clears TIF_SIGPENDING but this is not
enough, it should also clear TIF_NOTIFY_SIGNAL to make signal_pending()
return false and avoid a busy-wait loop.
Link: https://lkml.kernel.org/r/20240608120616.GB7947@redhat.com
Fixes: 12db8b690010 ("entry: Add support for TIF_NOTIFY_SIGNAL")
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Rachel Menge <rachelmenge@linux.microsoft.com>
Closes: https://lore.kernel.org/all/1386cd49-36d0-4a5c-85e9-bc42056a5a38@linux.microsoft.com/
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Tested-by: Wei Fu <fuweid89@gmail.com>
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Cc: Allen Pais <apais@linux.microsoft.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: Joel Granados <j.granados@samsung.com>
Cc: Josh Triplett <josh@joshtriplett.org>
Cc: Lai Jiangshan <jiangshanlai@gmail.com>
Cc: Mateusz Guzik <mjguzik@gmail.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Mike Christie <michael.christie@oracle.com>
Cc: Neeraj Upadhyay <neeraj.upadhyay@kernel.org>
Cc: Paul E. McKenney <paulmck@kernel.org>
Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
Cc: Zqiang <qiang.zhang1211@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/pid_namespace.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index 259fc4ca0d9cc..40b011f880675 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -214,6 +214,7 @@ void zap_pid_ns_processes(struct pid_namespace *pid_ns)
*/
do {
clear_thread_flag(TIF_SIGPENDING);
+ clear_thread_flag(TIF_NOTIFY_SIGNAL);
rc = kernel_wait4(-1, NULL, __WALL, NULL);
} while (rc != -ECHILD);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 148/356] Bluetooth: qca: Fix error code in qca_read_fw_build_info()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 147/356] zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 149/356] Bluetooth: qca: fix info leak when fetching board id Greg Kroah-Hartman
` (215 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Johan Hovold,
Luiz Augusto von Dentz
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit a189f0ee6685457528db7a36ded3085e5d13ddc3 upstream.
Return -ENOMEM on allocation failure. Don't return success.
Fixes: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btqca.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -147,8 +147,10 @@ static int qca_read_fw_build_info(struct
}
build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL);
- if (!build_label)
+ if (!build_label) {
+ err = -ENOMEM;
goto out;
+ }
hci_set_fw_info(hdev, "%s", build_label);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 149/356] Bluetooth: qca: fix info leak when fetching board id
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 148/356] Bluetooth: qca: Fix error code in qca_read_fw_build_info() Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 150/356] padata: Disable BH when taking works lock on MT path Greg Kroah-Hartman
` (214 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Jiang, Johan Hovold,
Luiz Augusto von Dentz
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 0adcf6be1445ed50bfd4a451a7a782568f270197 upstream.
Add the missing sanity check when fetching the board id to avoid leaking
slab data when later requesting the firmware.
Fixes: a7f8dedb4be2 ("Bluetooth: qca: add support for QCA2066")
Cc: stable@vger.kernel.org # 6.7
Cc: Tim Jiang <quic_tjiang@quicinc.com>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btqca.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -209,6 +209,11 @@ static int qca_read_fw_board_id(struct h
goto out;
}
+ if (skb->len < 3) {
+ err = -EILSEQ;
+ goto out;
+ }
+
*bid = (edl->data[1] << 8) + edl->data[2];
bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 150/356] padata: Disable BH when taking works lock on MT path
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 149/356] Bluetooth: qca: fix info leak when fetching board id Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 151/356] crypto: hisilicon/sec - Fix memory leak for sec resource release Greg Kroah-Hartman
` (213 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0cb5bb0f4bf9e79db3b3,
Herbert Xu, Daniel Jordan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 58329c4312031603bb1786b44265c26d5065fe72 ]
As the old padata code can execute in softirq context, disable
softirqs for the new padata_do_mutithreaded code too as otherwise
lockdep will get antsy.
Reported-by: syzbot+0cb5bb0f4bf9e79db3b3@syzkaller.appspotmail.com
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/padata.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/padata.c b/kernel/padata.c
index 47f146f061fb1..809978bb249c2 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -98,7 +98,7 @@ static int __init padata_work_alloc_mt(int nworks, void *data,
{
int i;
- spin_lock(&padata_works_lock);
+ spin_lock_bh(&padata_works_lock);
/* Start at 1 because the current task participates in the job. */
for (i = 1; i < nworks; ++i) {
struct padata_work *pw = padata_work_alloc();
@@ -108,7 +108,7 @@ static int __init padata_work_alloc_mt(int nworks, void *data,
padata_work_init(pw, padata_mt_helper, data, 0);
list_add(&pw->pw_list, head);
}
- spin_unlock(&padata_works_lock);
+ spin_unlock_bh(&padata_works_lock);
return i;
}
@@ -126,12 +126,12 @@ static void __init padata_works_free(struct list_head *works)
if (list_empty(works))
return;
- spin_lock(&padata_works_lock);
+ spin_lock_bh(&padata_works_lock);
list_for_each_entry_safe(cur, next, works, pw_list) {
list_del(&cur->pw_list);
padata_work_free(cur);
}
- spin_unlock(&padata_works_lock);
+ spin_unlock_bh(&padata_works_lock);
}
static void padata_parallel_worker(struct work_struct *parallel_work)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 151/356] crypto: hisilicon/sec - Fix memory leak for sec resource release
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 150/356] padata: Disable BH when taking works lock on MT path Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 152/356] rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment Greg Kroah-Hartman
` (212 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chenghai Huang, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenghai Huang <huangchenghai2@huawei.com>
[ Upstream commit bba4250757b4ae1680fea435a358d8093f254094 ]
The AIV is one of the SEC resources. When releasing resources,
it need to release the AIV resources at the same time.
Otherwise, memory leakage occurs.
The aiv resource release is added to the sec resource release
function.
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/hisilicon/sec2/sec_crypto.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c
index 0d26eda36a526..28c167e1be426 100644
--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c
+++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c
@@ -463,8 +463,10 @@ static void sec_alg_resource_free(struct sec_ctx *ctx,
if (ctx->pbuf_supported)
sec_free_pbuf_resource(dev, qp_ctx->res);
- if (ctx->alg_type == SEC_AEAD)
+ if (ctx->alg_type == SEC_AEAD) {
sec_free_mac_resource(dev, qp_ctx->res);
+ sec_free_aiv_resource(dev, qp_ctx->res);
+ }
}
static int sec_create_qp_ctx(struct hisi_qm *qm, struct sec_ctx *ctx,
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 152/356] rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 151/356] crypto: hisilicon/sec - Fix memory leak for sec resource release Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 153/356] rcutorture: Make stall-tasks directly exit when rcutorture tests end Greg Kroah-Hartman
` (211 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Torvalds, Paul E. McKenney,
Uladzislau Rezki (Sony), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
[ Upstream commit 8b9b443fa860276822b25057cb3ff3b28734dec0 ]
The "pipe_count > RCU_TORTURE_PIPE_LEN" check has a comment saying "Should
not happen, but...". This is only true when testing an RCU whose grace
periods are always long enough. This commit therefore fixes this comment.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Closes: https://lore.kernel.org/lkml/CAHk-=wi7rJ-eGq+xaxVfzFEgbL9tdf6Kc8Z89rCpfcQOKm74Tw@mail.gmail.com/
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/rcutorture.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index d820ef615475b..82c6046db8a42 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -1604,7 +1604,8 @@ static bool rcu_torture_one_read(struct torture_random_state *trsp, long myid)
preempt_disable();
pipe_count = READ_ONCE(p->rtort_pipe_count);
if (pipe_count > RCU_TORTURE_PIPE_LEN) {
- /* Should not happen, but... */
+ // Should not happen in a correct RCU implementation,
+ // happens quite often for torture_type=busted.
pipe_count = RCU_TORTURE_PIPE_LEN;
}
completed = cur_ops->get_gp_seq();
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 153/356] rcutorture: Make stall-tasks directly exit when rcutorture tests end
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 152/356] rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 154/356] rcutorture: Fix invalid context warning when enable srcu barrier testing Greg Kroah-Hartman
` (210 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zqiang, Paul E. McKenney,
Uladzislau Rezki (Sony), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zqiang <qiang.zhang1211@gmail.com>
[ Upstream commit 431315a563015f259b28e34c5842f6166439e969 ]
When the rcutorture tests start to exit, the rcu_torture_cleanup() is
invoked to stop kthreads and release resources, if the stall-task
kthreads exist, cpu-stall has started and the rcutorture.stall_cpu
is set to a larger value, the rcu_torture_cleanup() will be blocked
for a long time and the hung-task may occur, this commit therefore
add kthread_should_stop() to the loop of cpu-stall operation, when
rcutorture tests ends, no need to wait for cpu-stall to end, exit
directly.
Use the following command to test:
insmod rcutorture.ko torture_type=srcu fwd_progress=0 stat_interval=4
stall_cpu_block=1 stall_cpu=200 stall_cpu_holdoff=10 read_exit_burst=0
object_debug=1
rmmod rcutorture
[15361.918610] INFO: task rmmod:878 blocked for more than 122 seconds.
[15361.918613] Tainted: G W
6.8.0-rc2-yoctodev-standard+ #25
[15361.918615] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs"
disables this message.
[15361.918616] task:rmmod state:D stack:0 pid:878
tgid:878 ppid:773 flags:0x00004002
[15361.918621] Call Trace:
[15361.918623] <TASK>
[15361.918626] __schedule+0xc0d/0x28f0
[15361.918631] ? __pfx___schedule+0x10/0x10
[15361.918635] ? rcu_is_watching+0x19/0xb0
[15361.918638] ? schedule+0x1f6/0x290
[15361.918642] ? __pfx_lock_release+0x10/0x10
[15361.918645] ? schedule+0xc9/0x290
[15361.918648] ? schedule+0xc9/0x290
[15361.918653] ? trace_preempt_off+0x54/0x100
[15361.918657] ? schedule+0xc9/0x290
[15361.918661] schedule+0xd0/0x290
[15361.918665] schedule_timeout+0x56d/0x7d0
[15361.918669] ? debug_smp_processor_id+0x1b/0x30
[15361.918672] ? rcu_is_watching+0x19/0xb0
[15361.918676] ? __pfx_schedule_timeout+0x10/0x10
[15361.918679] ? debug_smp_processor_id+0x1b/0x30
[15361.918683] ? rcu_is_watching+0x19/0xb0
[15361.918686] ? wait_for_completion+0x179/0x4c0
[15361.918690] ? __pfx_lock_release+0x10/0x10
[15361.918693] ? __kasan_check_write+0x18/0x20
[15361.918696] ? wait_for_completion+0x9d/0x4c0
[15361.918700] ? _raw_spin_unlock_irq+0x36/0x50
[15361.918703] ? wait_for_completion+0x179/0x4c0
[15361.918707] ? _raw_spin_unlock_irq+0x36/0x50
[15361.918710] ? wait_for_completion+0x179/0x4c0
[15361.918714] ? trace_preempt_on+0x54/0x100
[15361.918718] ? wait_for_completion+0x179/0x4c0
[15361.918723] wait_for_completion+0x181/0x4c0
[15361.918728] ? __pfx_wait_for_completion+0x10/0x10
[15361.918738] kthread_stop+0x152/0x470
[15361.918742] _torture_stop_kthread+0x44/0xc0 [torture
7af7f9cbba28271a10503b653f9e05d518fbc8c3]
[15361.918752] rcu_torture_cleanup+0x2ac/0xe90 [rcutorture
f2cb1f556ee7956270927183c4c2c7749a336529]
[15361.918766] ? __pfx_rcu_torture_cleanup+0x10/0x10 [rcutorture
f2cb1f556ee7956270927183c4c2c7749a336529]
[15361.918777] ? __kasan_check_write+0x18/0x20
[15361.918781] ? __mutex_unlock_slowpath+0x17c/0x670
[15361.918789] ? __might_fault+0xcd/0x180
[15361.918793] ? find_module_all+0x104/0x1d0
[15361.918799] __x64_sys_delete_module+0x2a4/0x3f0
[15361.918803] ? __pfx___x64_sys_delete_module+0x10/0x10
[15361.918807] ? syscall_exit_to_user_mode+0x149/0x280
Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/rcutorture.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index 82c6046db8a42..e9323cc5da73b 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -2061,8 +2061,8 @@ static int rcu_torture_stall(void *args)
preempt_disable();
pr_alert("%s start on CPU %d.\n",
__func__, raw_smp_processor_id());
- while (ULONG_CMP_LT((unsigned long)ktime_get_seconds(),
- stop_at))
+ while (ULONG_CMP_LT((unsigned long)ktime_get_seconds(), stop_at) &&
+ !kthread_should_stop())
if (stall_cpu_block) {
#ifdef CONFIG_PREEMPTION
preempt_schedule();
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 154/356] rcutorture: Fix invalid context warning when enable srcu barrier testing
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 153/356] rcutorture: Make stall-tasks directly exit when rcutorture tests end Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 155/356] block/ioctl: prefer different overflow check Greg Kroah-Hartman
` (209 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zqiang, Paul E. McKenney,
Uladzislau Rezki (Sony), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zqiang <qiang.zhang1211@gmail.com>
[ Upstream commit 668c0406d887467d53f8fe79261dda1d22d5b671 ]
When the torture_type is set srcu or srcud and cb_barrier is
non-zero, running the rcutorture test will trigger the
following warning:
[ 163.910989][ C1] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[ 163.910994][ C1] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1
[ 163.910999][ C1] preempt_count: 10001, expected: 0
[ 163.911002][ C1] RCU nest depth: 0, expected: 0
[ 163.911005][ C1] INFO: lockdep is turned off.
[ 163.911007][ C1] irq event stamp: 30964
[ 163.911010][ C1] hardirqs last enabled at (30963): [<ffffffffabc7df52>] do_idle+0x362/0x500
[ 163.911018][ C1] hardirqs last disabled at (30964): [<ffffffffae616eff>] sysvec_call_function_single+0xf/0xd0
[ 163.911025][ C1] softirqs last enabled at (0): [<ffffffffabb6475f>] copy_process+0x16ff/0x6580
[ 163.911033][ C1] softirqs last disabled at (0): [<0000000000000000>] 0x0
[ 163.911038][ C1] Preemption disabled at:
[ 163.911039][ C1] [<ffffffffacf1964b>] stack_depot_save_flags+0x24b/0x6c0
[ 163.911063][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G W 6.8.0-rc4-rt4-yocto-preempt-rt+ #3 1e39aa9a737dd024a3275c4f835a872f673a7d3a
[ 163.911071][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 163.911075][ C1] Call Trace:
[ 163.911078][ C1] <IRQ>
[ 163.911080][ C1] dump_stack_lvl+0x88/0xd0
[ 163.911089][ C1] dump_stack+0x10/0x20
[ 163.911095][ C1] __might_resched+0x36f/0x530
[ 163.911105][ C1] rt_spin_lock+0x82/0x1c0
[ 163.911112][ C1] spin_lock_irqsave_ssp_contention+0xb8/0x100
[ 163.911121][ C1] srcu_gp_start_if_needed+0x782/0xf00
[ 163.911128][ C1] ? _raw_spin_unlock_irqrestore+0x46/0x70
[ 163.911136][ C1] ? debug_object_active_state+0x336/0x470
[ 163.911148][ C1] ? __pfx_srcu_gp_start_if_needed+0x10/0x10
[ 163.911156][ C1] ? __pfx_lock_release+0x10/0x10
[ 163.911165][ C1] ? __pfx_rcu_torture_barrier_cbf+0x10/0x10
[ 163.911188][ C1] __call_srcu+0x9f/0xe0
[ 163.911196][ C1] call_srcu+0x13/0x20
[ 163.911201][ C1] srcu_torture_call+0x1b/0x30
[ 163.911224][ C1] rcu_torture_barrier1cb+0x4a/0x60
[ 163.911247][ C1] __flush_smp_call_function_queue+0x267/0xca0
[ 163.911256][ C1] ? __pfx_rcu_torture_barrier1cb+0x10/0x10
[ 163.911281][ C1] generic_smp_call_function_single_interrupt+0x13/0x20
[ 163.911288][ C1] __sysvec_call_function_single+0x7d/0x280
[ 163.911295][ C1] sysvec_call_function_single+0x93/0xd0
[ 163.911302][ C1] </IRQ>
[ 163.911304][ C1] <TASK>
[ 163.911308][ C1] asm_sysvec_call_function_single+0x1b/0x20
[ 163.911313][ C1] RIP: 0010:default_idle+0x17/0x20
[ 163.911326][ C1] RSP: 0018:ffff888001997dc8 EFLAGS: 00000246
[ 163.911333][ C1] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffffae618b51
[ 163.911337][ C1] RDX: 0000000000000000 RSI: ffffffffaea80920 RDI: ffffffffaec2de80
[ 163.911342][ C1] RBP: ffff888001997dc8 R08: 0000000000000001 R09: ffffed100d740cad
[ 163.911346][ C1] R10: ffffed100d740cac R11: ffff88806ba06563 R12: 0000000000000001
[ 163.911350][ C1] R13: ffffffffafe460c0 R14: ffffffffafe460c0 R15: 0000000000000000
[ 163.911358][ C1] ? ct_kernel_exit.constprop.3+0x121/0x160
[ 163.911369][ C1] ? lockdep_hardirqs_on+0xc4/0x150
[ 163.911376][ C1] arch_cpu_idle+0x9/0x10
[ 163.911383][ C1] default_idle_call+0x7a/0xb0
[ 163.911390][ C1] do_idle+0x362/0x500
[ 163.911398][ C1] ? __pfx_do_idle+0x10/0x10
[ 163.911404][ C1] ? complete_with_flags+0x8b/0xb0
[ 163.911416][ C1] cpu_startup_entry+0x58/0x70
[ 163.911423][ C1] start_secondary+0x221/0x280
[ 163.911430][ C1] ? __pfx_start_secondary+0x10/0x10
[ 163.911440][ C1] secondary_startup_64_no_verify+0x17f/0x18b
[ 163.911455][ C1] </TASK>
This commit therefore use smp_call_on_cpu() instead of
smp_call_function_single(), make rcu_torture_barrier1cb() invoked
happens on task-context.
Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/rcutorture.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index e9323cc5da73b..9d8d1f233d7bd 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -2533,11 +2533,12 @@ static void rcu_torture_barrier_cbf(struct rcu_head *rcu)
}
/* IPI handler to get callback posted on desired CPU, if online. */
-static void rcu_torture_barrier1cb(void *rcu_void)
+static int rcu_torture_barrier1cb(void *rcu_void)
{
struct rcu_head *rhp = rcu_void;
cur_ops->call(rhp, rcu_torture_barrier_cbf);
+ return 0;
}
/* kthread function to register callbacks used to test RCU barriers. */
@@ -2563,11 +2564,9 @@ static int rcu_torture_barrier_cbs(void *arg)
* The above smp_load_acquire() ensures barrier_phase load
* is ordered before the following ->call().
*/
- if (smp_call_function_single(myid, rcu_torture_barrier1cb,
- &rcu, 1)) {
- // IPI failed, so use direct call from current CPU.
+ if (smp_call_on_cpu(myid, rcu_torture_barrier1cb, &rcu, 1))
cur_ops->call(&rcu, rcu_torture_barrier_cbf);
- }
+
if (atomic_dec_and_test(&barrier_cbs_count))
wake_up(&barrier_wq);
} while (!torture_must_stop());
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 155/356] block/ioctl: prefer different overflow check
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 154/356] rcutorture: Fix invalid context warning when enable srcu barrier testing Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 156/356] selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh Greg Kroah-Hartman
` (208 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Stitt, Christoph Hellwig,
Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Stitt <justinstitt@google.com>
[ Upstream commit ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9 ]
Running syzkaller with the newly reintroduced signed integer overflow
sanitizer shows this report:
[ 62.982337] ------------[ cut here ]------------
[ 62.985692] cgroup: Invalid name
[ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46
[ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1
[ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'
[ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1
[ 62.999369] random: crng reseeded on system resumption
[ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)
[ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 63.000682] Call Trace:
[ 63.000686] <TASK>
[ 63.000731] dump_stack_lvl+0x93/0xd0
[ 63.000919] __get_user_pages+0x903/0xd30
[ 63.001030] __gup_longterm_locked+0x153e/0x1ba0
[ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50
[ 63.001072] ? try_get_folio+0x29c/0x2d0
[ 63.001083] internal_get_user_pages_fast+0x1119/0x1530
[ 63.001109] iov_iter_extract_pages+0x23b/0x580
[ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220
[ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410
[ 63.001297] __iomap_dio_rw+0xab4/0x1810
[ 63.001316] iomap_dio_rw+0x45/0xa0
[ 63.001328] ext4_file_write_iter+0xdde/0x1390
[ 63.001372] vfs_write+0x599/0xbd0
[ 63.001394] ksys_write+0xc8/0x190
[ 63.001403] do_syscall_64+0xd4/0x1b0
[ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60
[ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 63.001535] RIP: 0033:0x7f7fd3ebf539
[ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539
[ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004
[ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000
[ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8
...
[ 63.018142] ---[ end trace ]---
Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang; It was re-enabled in the
kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
sanitizer").
Let's rework this overflow checking logic to not actually perform an
overflow during the check itself, thus avoiding the UBSAN splat.
[1]: https://github.com/llvm/llvm-project/pull/82432
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20240507-b4-sio-block-ioctl-v3-1-ba0c2b32275e@google.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/ioctl.c b/block/ioctl.c
index 7a939c178660f..a260e39e56a48 100644
--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -33,7 +33,7 @@ static int blkpg_do_ioctl(struct block_device *bdev,
if (op == BLKPG_DEL_PARTITION)
return bdev_del_partition(disk, p.pno);
- if (p.start < 0 || p.length <= 0 || p.start + p.length < 0)
+ if (p.start < 0 || p.length <= 0 || LLONG_MAX - p.length < p.start)
return -EINVAL;
/* Check that the partition is aligned to the block size */
if (!IS_ALIGNED(p.start | p.length, bdev_logical_block_size(bdev)))
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 156/356] selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 155/356] block/ioctl: prefer different overflow check Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 157/356] selftests/bpf: Fix flaky test btf_map_in_map/lookup_update Greg Kroah-Hartman
` (207 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alessandro Carminati (Red Hat),
Andrii Nakryiko, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com>
[ Upstream commit f803bcf9208a2540acb4c32bdc3616673169f490 ]
In some systems, the netcat server can incur in delay to start listening.
When this happens, the test can randomly fail in various points.
This is an example error message:
# ip gre none gso
# encap 192.168.1.1 to 192.168.1.2, type gre, mac none len 2000
# test basic connectivity
# Ncat: Connection refused.
The issue stems from a race condition between the netcat client and server.
The test author had addressed this problem by implementing a sleep, which
I have removed in this patch.
This patch introduces a function capable of sleeping for up to two seconds.
However, it can terminate the waiting period early if the port is reported
to be listening.
Signed-off-by: Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20240314105911.213411-1-alessandro.carminati@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/test_tc_tunnel.sh | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/bpf/test_tc_tunnel.sh b/tools/testing/selftests/bpf/test_tc_tunnel.sh
index 088fcad138c98..38c6e9f16f41e 100755
--- a/tools/testing/selftests/bpf/test_tc_tunnel.sh
+++ b/tools/testing/selftests/bpf/test_tc_tunnel.sh
@@ -71,7 +71,6 @@ cleanup() {
server_listen() {
ip netns exec "${ns2}" nc "${netcat_opt}" -l "${port}" > "${outfile}" &
server_pid=$!
- sleep 0.2
}
client_connect() {
@@ -92,6 +91,16 @@ verify_data() {
fi
}
+wait_for_port() {
+ for i in $(seq 20); do
+ if ip netns exec "${ns2}" ss ${2:--4}OHntl | grep -q "$1"; then
+ return 0
+ fi
+ sleep 0.1
+ done
+ return 1
+}
+
set -e
# no arguments: automated test, run all
@@ -189,6 +198,7 @@ setup
# basic communication works
echo "test basic connectivity"
server_listen
+wait_for_port ${port} ${netcat_opt}
client_connect
verify_data
@@ -200,6 +210,7 @@ ip netns exec "${ns1}" tc filter add dev veth1 egress \
section "encap_${tuntype}_${mac}"
echo "test bpf encap without decap (expect failure)"
server_listen
+wait_for_port ${port} ${netcat_opt}
! client_connect
if [[ "$tuntype" =~ "udp" ]]; then
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 157/356] selftests/bpf: Fix flaky test btf_map_in_map/lookup_update
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 156/356] selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 158/356] batman-adv: bypass empty buckets in batadv_purge_orig_ref() Greg Kroah-Hartman
` (206 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yonghong Song, Daniel Borkmann,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonghong Song <yonghong.song@linux.dev>
[ Upstream commit 14bb1e8c8d4ad5d9d2febb7d19c70a3cf536e1e5 ]
Recently, I frequently hit the following test failure:
[root@arch-fb-vm1 bpf]# ./test_progs -n 33/1
test_lookup_update:PASS:skel_open 0 nsec
[...]
test_lookup_update:PASS:sync_rcu 0 nsec
test_lookup_update:FAIL:map1_leak inner_map1 leaked!
#33/1 btf_map_in_map/lookup_update:FAIL
#33 btf_map_in_map:FAIL
In the test, after map is closed and then after two rcu grace periods,
it is assumed that map_id is not available to user space.
But the above assumption cannot be guaranteed. After zero or one
or two rcu grace periods in different siturations, the actual
freeing-map-work is put into a workqueue. Later on, when the work
is dequeued, the map will be actually freed.
See bpf_map_put() in kernel/bpf/syscall.c.
By using workqueue, there is no ganrantee that map will be actually
freed after a couple of rcu grace periods. This patch removed
such map leak detection and then the test can pass consistently.
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20240322061353.632136-1-yonghong.song@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/bpf/prog_tests/btf_map_in_map.c | 26 +------------------
1 file changed, 1 insertion(+), 25 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c b/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
index eb90a6b8850d2..f4d753185001a 100644
--- a/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
+++ b/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
@@ -25,7 +25,7 @@ static void test_lookup_update(void)
int map1_fd, map2_fd, map3_fd, map4_fd, map5_fd, map1_id, map2_id;
int outer_arr_fd, outer_hash_fd, outer_arr_dyn_fd;
struct test_btf_map_in_map *skel;
- int err, key = 0, val, i, fd;
+ int err, key = 0, val, i;
skel = test_btf_map_in_map__open_and_load();
if (CHECK(!skel, "skel_open", "failed to open&load skeleton\n"))
@@ -102,30 +102,6 @@ static void test_lookup_update(void)
CHECK(map1_id == 0, "map1_id", "failed to get ID 1\n");
CHECK(map2_id == 0, "map2_id", "failed to get ID 2\n");
- test_btf_map_in_map__destroy(skel);
- skel = NULL;
-
- /* we need to either wait for or force synchronize_rcu(), before
- * checking for "still exists" condition, otherwise map could still be
- * resolvable by ID, causing false positives.
- *
- * Older kernels (5.8 and earlier) freed map only after two
- * synchronize_rcu()s, so trigger two, to be entirely sure.
- */
- CHECK(kern_sync_rcu(), "sync_rcu", "failed\n");
- CHECK(kern_sync_rcu(), "sync_rcu", "failed\n");
-
- fd = bpf_map_get_fd_by_id(map1_id);
- if (CHECK(fd >= 0, "map1_leak", "inner_map1 leaked!\n")) {
- close(fd);
- goto cleanup;
- }
- fd = bpf_map_get_fd_by_id(map2_id);
- if (CHECK(fd >= 0, "map2_leak", "inner_map2 leaked!\n")) {
- close(fd);
- goto cleanup;
- }
-
cleanup:
test_btf_map_in_map__destroy(skel);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 158/356] batman-adv: bypass empty buckets in batadv_purge_orig_ref()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 157/356] selftests/bpf: Fix flaky test btf_map_in_map/lookup_update Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 159/356] wifi: ath9k: work around memset overflow warning Greg Kroah-Hartman
` (205 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Sven Eckelmann,
Simon Wunderlich, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 40dc8ab605894acae1473e434944924a22cfaaa0 ]
Many syzbot reports are pointing to soft lockups in
batadv_purge_orig_ref() [1]
Root cause is unknown, but we can avoid spending too much
time there and perhaps get more interesting reports.
[1]
watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]
Modules linked in:
irq event stamp: 6182794
hardirqs last enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
softirqs last enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271
CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: bat_events batadv_purge_orig
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]
pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388
lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
sp : ffff800099007970
x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000
x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001
x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4
x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0
x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001
x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003
x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000
Call trace:
__daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]
arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]
__local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
_raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300
process_one_work+0x694/0x1204 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2787
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51
lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103
sp : ffff800093a17d30
x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4
x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002
x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000
x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396
x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001
x14: 1fffe00036805f10 x13: 0000000000000000 x12: 0000000000000003
x11: 0000000000000001 x10: 0000000000000003 x9 : 0000000000000000
x8 : 00000000000ce8d1 x7 : ffff8000804609e4 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008ad6aac0
x2 : 0000000000000000 x1 : ffff80008aedea60 x0 : ffff800125436000
Call trace:
__daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]
arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:49
cpuidle_idle_call kernel/sched/idle.c:170 [inline]
do_idle+0x1f0/0x4e8 kernel/sched/idle.c:312
cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:410
secondary_start_kernel+0x198/0x1c0 arch/arm64/kernel/smp.c:272
__secondary_switched+0xb8/0xbc arch/arm64/kernel/head.S:404
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/originator.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c
index aadc653ca1d80..b6367a7576750 100644
--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -1238,6 +1238,8 @@ void batadv_purge_orig_ref(struct batadv_priv *bat_priv)
/* for all origins... */
for (i = 0; i < hash->size; i++) {
head = &hash->table[i];
+ if (hlist_empty(head))
+ continue;
list_lock = &hash->list_locks[i];
spin_lock_bh(list_lock);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 159/356] wifi: ath9k: work around memset overflow warning
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 158/356] batman-adv: bypass empty buckets in batadv_purge_orig_ref() Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 160/356] af_packet: avoid a false positive warning in packet_setsockopt() Greg Kroah-Hartman
` (204 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann,
Toke Høiland-Jørgensen, Kees Cook, Kalle Valo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 61752ac69b69ed2e04444d090f6917c77ab36d42 ]
gcc-9 and some other older versions produce a false-positive warning
for zeroing two fields
In file included from include/linux/string.h:369,
from drivers/net/wireless/ath/ath9k/main.c:18:
In function 'fortify_memset_chk',
inlined from 'ath9k_ps_wakeup' at drivers/net/wireless/ath/ath9k/main.c:140:3:
include/linux/fortify-string.h:462:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
462 | __write_overflow_field(p_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using a struct_group seems to reliably avoid the warning and
not make the code much uglier. The combined memset() should even
save a couple of cpu cycles.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://msgid.link/20240328135509.3755090-3-arnd@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath.h | 6 ++++--
drivers/net/wireless/ath/ath9k/main.c | 3 +--
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath.h b/drivers/net/wireless/ath/ath.h
index f02a308a9ffc5..34654f710d8a1 100644
--- a/drivers/net/wireless/ath/ath.h
+++ b/drivers/net/wireless/ath/ath.h
@@ -171,8 +171,10 @@ struct ath_common {
unsigned int clockrate;
spinlock_t cc_lock;
- struct ath_cycle_counters cc_ani;
- struct ath_cycle_counters cc_survey;
+ struct_group(cc,
+ struct ath_cycle_counters cc_ani;
+ struct ath_cycle_counters cc_survey;
+ );
struct ath_regulatory regulatory;
struct ath_regulatory reg_world_copy;
diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
index 9e6d088bd2818..1b71fb1d04719 100644
--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -135,8 +135,7 @@ void ath9k_ps_wakeup(struct ath_softc *sc)
if (power_mode != ATH9K_PM_AWAKE) {
spin_lock(&common->cc_lock);
ath_hw_cycle_counters_update(common);
- memset(&common->cc_survey, 0, sizeof(common->cc_survey));
- memset(&common->cc_ani, 0, sizeof(common->cc_ani));
+ memset(&common->cc, 0, sizeof(common->cc));
spin_unlock(&common->cc_lock);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 160/356] af_packet: avoid a false positive warning in packet_setsockopt()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 159/356] wifi: ath9k: work around memset overflow warning Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 161/356] drop_monitor: replace spin_lock by raw_spin_lock Greg Kroah-Hartman
` (203 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet, Kees Cook,
Willem de Bruijn, Willem de Bruijn, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 86d43e2bf93ccac88ef71cee36a23282ebd9e427 ]
Although the code is correct, the following line
copy_from_sockptr(&req_u.req, optval, len));
triggers this warning :
memcpy: detected field-spanning write (size 28) of single field "dst" at include/linux/sockptr.h:49 (size 16)
Refactor the code to be more explicit.
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/packet/af_packet.c | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 4f920502f92fe..8d0feb9ad5a52 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3757,28 +3757,30 @@ packet_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval,
case PACKET_TX_RING:
{
union tpacket_req_u req_u;
- int len;
+ ret = -EINVAL;
lock_sock(sk);
switch (po->tp_version) {
case TPACKET_V1:
case TPACKET_V2:
- len = sizeof(req_u.req);
+ if (optlen < sizeof(req_u.req))
+ break;
+ ret = copy_from_sockptr(&req_u.req, optval,
+ sizeof(req_u.req)) ?
+ -EINVAL : 0;
break;
case TPACKET_V3:
default:
- len = sizeof(req_u.req3);
+ if (optlen < sizeof(req_u.req3))
+ break;
+ ret = copy_from_sockptr(&req_u.req3, optval,
+ sizeof(req_u.req3)) ?
+ -EINVAL : 0;
break;
}
- if (optlen < len) {
- ret = -EINVAL;
- } else {
- if (copy_from_sockptr(&req_u.req, optval, len))
- ret = -EFAULT;
- else
- ret = packet_set_ring(sk, &req_u, 0,
- optname == PACKET_TX_RING);
- }
+ if (!ret)
+ ret = packet_set_ring(sk, &req_u, 0,
+ optname == PACKET_TX_RING);
release_sock(sk);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 161/356] drop_monitor: replace spin_lock by raw_spin_lock
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 160/356] af_packet: avoid a false positive warning in packet_setsockopt() Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 162/356] scsi: qedi: Fix crash while reading debugfs attribute Greg Kroah-Hartman
` (202 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wander Lairson Costa, Hu Chunyu,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wander Lairson Costa <wander@redhat.com>
[ Upstream commit f1e197a665c2148ebc25fe09c53689e60afea195 ]
trace_drop_common() is called with preemption disabled, and it acquires
a spin_lock. This is problematic for RT kernels because spin_locks are
sleeping locks in this configuration, which causes the following splat:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47
preempt_count: 1, expected: 0
RCU nest depth: 2, expected: 2
5 locks held by rcuc/47/449:
#0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210
#1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130
#2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210
#3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70
#4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290
irq event stamp: 139909
hardirqs last enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80
hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290
softirqs last enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170
softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0
Preemption disabled at:
[<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0
CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7
Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022
Call Trace:
<TASK>
dump_stack_lvl+0x8c/0xd0
dump_stack+0x14/0x20
__might_resched+0x21e/0x2f0
rt_spin_lock+0x5e/0x130
? trace_drop_common.constprop.0+0xb5/0x290
? skb_queue_purge_reason.part.0+0x1bf/0x230
trace_drop_common.constprop.0+0xb5/0x290
? preempt_count_sub+0x1c/0xd0
? _raw_spin_unlock_irqrestore+0x4a/0x80
? __pfx_trace_drop_common.constprop.0+0x10/0x10
? rt_mutex_slowunlock+0x26a/0x2e0
? skb_queue_purge_reason.part.0+0x1bf/0x230
? __pfx_rt_mutex_slowunlock+0x10/0x10
? skb_queue_purge_reason.part.0+0x1bf/0x230
trace_kfree_skb_hit+0x15/0x20
trace_kfree_skb+0xe9/0x150
kfree_skb_reason+0x7b/0x110
skb_queue_purge_reason.part.0+0x1bf/0x230
? __pfx_skb_queue_purge_reason.part.0+0x10/0x10
? mark_lock.part.0+0x8a/0x520
...
trace_drop_common() also disables interrupts, but this is a minor issue
because we could easily replace it with a local_lock.
Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic
context.
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Reported-by: Hu Chunyu <chuhu@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/drop_monitor.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
index 937d74aeef547..d9a6cdc48cb2c 100644
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -73,7 +73,7 @@ struct net_dm_hw_entries {
};
struct per_cpu_dm_data {
- spinlock_t lock; /* Protects 'skb', 'hw_entries' and
+ raw_spinlock_t lock; /* Protects 'skb', 'hw_entries' and
* 'send_timer'
*/
union {
@@ -169,9 +169,9 @@ static struct sk_buff *reset_per_cpu_data(struct per_cpu_dm_data *data)
err:
mod_timer(&data->send_timer, jiffies + HZ / 10);
out:
- spin_lock_irqsave(&data->lock, flags);
+ raw_spin_lock_irqsave(&data->lock, flags);
swap(data->skb, skb);
- spin_unlock_irqrestore(&data->lock, flags);
+ raw_spin_unlock_irqrestore(&data->lock, flags);
if (skb) {
struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data;
@@ -226,7 +226,7 @@ static void trace_drop_common(struct sk_buff *skb, void *location)
local_irq_save(flags);
data = this_cpu_ptr(&dm_cpu_data);
- spin_lock(&data->lock);
+ raw_spin_lock(&data->lock);
dskb = data->skb;
if (!dskb)
@@ -260,7 +260,7 @@ static void trace_drop_common(struct sk_buff *skb, void *location)
}
out:
- spin_unlock_irqrestore(&data->lock, flags);
+ raw_spin_unlock_irqrestore(&data->lock, flags);
}
static void trace_kfree_skb_hit(void *ignore, struct sk_buff *skb,
@@ -321,9 +321,9 @@ net_dm_hw_reset_per_cpu_data(struct per_cpu_dm_data *hw_data)
mod_timer(&hw_data->send_timer, jiffies + HZ / 10);
}
- spin_lock_irqsave(&hw_data->lock, flags);
+ raw_spin_lock_irqsave(&hw_data->lock, flags);
swap(hw_data->hw_entries, hw_entries);
- spin_unlock_irqrestore(&hw_data->lock, flags);
+ raw_spin_unlock_irqrestore(&hw_data->lock, flags);
return hw_entries;
}
@@ -455,7 +455,7 @@ net_dm_hw_trap_summary_probe(void *ignore, const struct devlink *devlink,
return;
hw_data = this_cpu_ptr(&dm_hw_cpu_data);
- spin_lock_irqsave(&hw_data->lock, flags);
+ raw_spin_lock_irqsave(&hw_data->lock, flags);
hw_entries = hw_data->hw_entries;
if (!hw_entries)
@@ -484,7 +484,7 @@ net_dm_hw_trap_summary_probe(void *ignore, const struct devlink *devlink,
}
out:
- spin_unlock_irqrestore(&hw_data->lock, flags);
+ raw_spin_unlock_irqrestore(&hw_data->lock, flags);
}
static const struct net_dm_alert_ops net_dm_alert_summary_ops = {
@@ -1671,7 +1671,7 @@ static struct notifier_block dropmon_net_notifier = {
static void __net_dm_cpu_data_init(struct per_cpu_dm_data *data)
{
- spin_lock_init(&data->lock);
+ raw_spin_lock_init(&data->lock);
skb_queue_head_init(&data->drop_queue);
u64_stats_init(&data->stats.syncp);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 162/356] scsi: qedi: Fix crash while reading debugfs attribute
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 161/356] drop_monitor: replace spin_lock by raw_spin_lock Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 163/356] kselftest: arm64: Add a null pointer check Greg Kroah-Hartman
` (201 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Hoyer, John Meneghini,
Manish Rangankar, Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manish Rangankar <mrangankar@marvell.com>
[ Upstream commit 28027ec8e32ecbadcd67623edb290dad61e735b5 ]
The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly
on a __user pointer, which results into the crash.
To fix this issue, use a small local stack buffer for sprintf() and then
call simple_read_from_buffer(), which in turns make the copy_to_user()
call.
BUG: unable to handle page fault for address: 00007f4801111000
PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0
Oops: 0002 [#1] PREEMPT SMP PTI
Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023
RIP: 0010:memcpy_orig+0xcd/0x130
RSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202
RAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f
RDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000
RBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572
R10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff
R13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af
FS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
? __die_body+0x1a/0x60
? page_fault_oops+0x183/0x510
? exc_page_fault+0x69/0x150
? asm_exc_page_fault+0x22/0x30
? memcpy_orig+0xcd/0x130
vsnprintf+0x102/0x4c0
sprintf+0x51/0x80
qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]
full_proxy_read+0x50/0x80
vfs_read+0xa5/0x2e0
? folio_add_new_anon_rmap+0x44/0xa0
? set_pte_at+0x15/0x30
? do_pte_missing+0x426/0x7f0
ksys_read+0xa5/0xe0
do_syscall_64+0x58/0x80
? __count_memcg_events+0x46/0x90
? count_memcg_event_mm+0x3d/0x60
? handle_mm_fault+0x196/0x2f0
? do_user_addr_fault+0x267/0x890
? exc_page_fault+0x69/0x150
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f4800f20b4d
Tested-by: Martin Hoyer <mhoyer@redhat.com>
Reviewed-by: John Meneghini <jmeneghi@redhat.com>
Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
Link: https://lore.kernel.org/r/20240415072155.30840-1-mrangankar@marvell.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qedi/qedi_debugfs.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/drivers/scsi/qedi/qedi_debugfs.c b/drivers/scsi/qedi/qedi_debugfs.c
index 42f5afb60055c..6e724f47ab9e8 100644
--- a/drivers/scsi/qedi/qedi_debugfs.c
+++ b/drivers/scsi/qedi/qedi_debugfs.c
@@ -120,15 +120,11 @@ static ssize_t
qedi_dbg_do_not_recover_cmd_read(struct file *filp, char __user *buffer,
size_t count, loff_t *ppos)
{
- size_t cnt = 0;
-
- if (*ppos)
- return 0;
+ char buf[64];
+ int len;
- cnt = sprintf(buffer, "do_not_recover=%d\n", qedi_do_not_recover);
- cnt = min_t(int, count, cnt - *ppos);
- *ppos += cnt;
- return cnt;
+ len = sprintf(buf, "do_not_recover=%d\n", qedi_do_not_recover);
+ return simple_read_from_buffer(buffer, count, ppos, buf, len);
}
static int
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 163/356] kselftest: arm64: Add a null pointer check
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 162/356] scsi: qedi: Fix crash while reading debugfs attribute Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 164/356] netpoll: Fix race condition in netpoll_owner_active Greg Kroah-Hartman
` (200 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kunwu Chan, Muhammad Usama Anjum,
Will Deacon, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunwu Chan <chentao@kylinos.cn>
[ Upstream commit 80164282b3620a3cb73de6ffda5592743e448d0e ]
There is a 'malloc' call, which can be unsuccessful.
This patch will add the malloc failure checking
to avoid possible null dereference and give more information
about test fail reasons.
Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://lore.kernel.org/r/20240423082102.2018886-1-chentao@kylinos.cn
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/arm64/tags/tags_test.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tools/testing/selftests/arm64/tags/tags_test.c b/tools/testing/selftests/arm64/tags/tags_test.c
index 5701163460ef7..955f87c1170d7 100644
--- a/tools/testing/selftests/arm64/tags/tags_test.c
+++ b/tools/testing/selftests/arm64/tags/tags_test.c
@@ -6,6 +6,7 @@
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/utsname.h>
+#include "../../kselftest.h"
#define SHIFT_TAG(tag) ((uint64_t)(tag) << 56)
#define SET_TAG(ptr, tag) (((uint64_t)(ptr) & ~SHIFT_TAG(0xff)) | \
@@ -21,6 +22,9 @@ int main(void)
if (prctl(PR_SET_TAGGED_ADDR_CTRL, PR_TAGGED_ADDR_ENABLE, 0, 0, 0) == 0)
tbi_enabled = 1;
ptr = (struct utsname *)malloc(sizeof(*ptr));
+ if (!ptr)
+ ksft_exit_fail_msg("Failed to allocate utsname buffer\n");
+
if (tbi_enabled)
tag = 0x42;
ptr = (struct utsname *)SET_TAG(ptr, tag);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 164/356] netpoll: Fix race condition in netpoll_owner_active
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 163/356] kselftest: arm64: Add a null pointer check Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 165/356] HID: Add quirk for Logitech Casa touchpad Greg Kroah-Hartman
` (199 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit c2e6a872bde9912f1a7579639c5ca3adf1003916 ]
KCSAN detected a race condition in netpoll:
BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb
write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:
net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)
<snip>
read to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:
netpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)
netpoll_send_udp (net/core/netpoll.c:?)
<snip>
value changed: 0x0000000a -> 0xffffffff
This happens because netpoll_owner_active() needs to check if the
current CPU is the owner of the lock, touching napi->poll_owner
non atomically. The ->poll_owner field contains the current CPU holding
the lock.
Use an atomic read to check if the poll owner is the current CPU.
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://lore.kernel.org/r/20240429100437.3487432-1-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/netpoll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 47a86da6ab980..2a9d95368d5a2 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -316,7 +316,7 @@ static int netpoll_owner_active(struct net_device *dev)
struct napi_struct *napi;
list_for_each_entry_rcu(napi, &dev->napi_list, dev_list) {
- if (napi->poll_owner == smp_processor_id())
+ if (READ_ONCE(napi->poll_owner) == smp_processor_id())
return 1;
}
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 165/356] HID: Add quirk for Logitech Casa touchpad
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 164/356] netpoll: Fix race condition in netpoll_owner_active Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 166/356] ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 Greg Kroah-Hartman
` (198 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean OBrien, Jiri Kosina,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean O'Brien <seobrien@chromium.org>
[ Upstream commit dd2c345a94cfa3873cc20db87387ee509c345c1b ]
This device sometimes doesn't send touch release signals when moving
from >=4 fingers to <4 fingers. Using MT_QUIRK_NOT_SEEN_MEANS_UP instead
of MT_QUIRK_ALWAYS_VALID makes sure that no touches become stuck.
MT_QUIRK_FORCE_MULTI_INPUT is not necessary for this device, but does no
harm.
Signed-off-by: Sean O'Brien <seobrien@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-multitouch.c | 6 ++++++
2 files changed, 7 insertions(+)
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index 7b1fdfde5b405..0504bdd465013 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -777,6 +777,7 @@
#define USB_DEVICE_ID_LOGITECH_AUDIOHUB 0x0a0e
#define USB_DEVICE_ID_LOGITECH_T651 0xb00c
#define USB_DEVICE_ID_LOGITECH_DINOVO_EDGE_KBD 0xb309
+#define USB_DEVICE_ID_LOGITECH_CASA_TOUCHPAD 0xbb00
#define USB_DEVICE_ID_LOGITECH_C007 0xc007
#define USB_DEVICE_ID_LOGITECH_C077 0xc077
#define USB_DEVICE_ID_LOGITECH_RECEIVER 0xc101
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index 2e14e3071aa69..fea27d66d91c0 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -2082,6 +2082,12 @@ static const struct hid_device_id mt_devices[] = {
USB_VENDOR_ID_LENOVO,
USB_DEVICE_ID_LENOVO_X12_TAB) },
+ /* Logitech devices */
+ { .driver_data = MT_CLS_NSMU,
+ HID_DEVICE(BUS_BLUETOOTH, HID_GROUP_MULTITOUCH_WIN_8,
+ USB_VENDOR_ID_LOGITECH,
+ USB_DEVICE_ID_LOGITECH_CASA_TOUCHPAD) },
+
/* MosArt panels */
{ .driver_data = MT_CLS_CONFIDENCE_MINUS_ONE,
MT_USB_DEVICE(USB_VENDOR_ID_ASUS,
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 166/356] ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 165/356] HID: Add quirk for Logitech Casa touchpad Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 167/356] Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl Greg Kroah-Hartman
` (197 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit c901f63dc142c48326931f164f787dfff69273d9 ]
Lenovo Slim 7 16ARH7 is a machine with switchable graphics between AMD
and Nvidia, and the backlight can't be adjusted properly unless
acpi_backlight=native is passed. Although nvidia-wmi-backlight is
present and loaded, this doesn't work as expected at all.
For making it working as default, add the corresponding quirk entry
with a DMI matching "LENOVO" "82UX".
Link: https://bugzilla.suse.com/show_bug.cgi?id=1217750
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/video_detect.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
index a5cb9e1d48bcc..338e1f44906a9 100644
--- a/drivers/acpi/video_detect.c
+++ b/drivers/acpi/video_detect.c
@@ -341,6 +341,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "82BK"),
},
},
+ {
+ .callback = video_detect_force_native,
+ /* Lenovo Slim 7 16ARH7 */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "82UX"),
+ },
+ },
{
.callback = video_detect_force_native,
/* Lenovo ThinkPad X131e (3371 AMD version) */
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 167/356] Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 166/356] ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 168/356] drm/amd/display: Exit idle optimizations before HDCP execution Greg Kroah-Hartman
` (196 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uri Arev, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uri Arev <me@wantyapps.xyz>
[ Upstream commit 68aa21054ec3a1a313af90a5f95ade16c3326d20 ]
This fixes some CHECKs reported by the checkpatch script.
Issues reported in ath3k.c:
-------
ath3k.c
-------
CHECK: Please don't use multiple blank lines
+
+
CHECK: Blank lines aren't necessary after an open brace '{'
+static const struct usb_device_id ath3k_blist_tbl[] = {
+
CHECK: Alignment should match open parenthesis
+static int ath3k_load_firmware(struct usb_device *udev,
+ const struct firmware *firmware)
CHECK: Alignment should match open parenthesis
+ err = usb_bulk_msg(udev, pipe, send_buf, size,
+ &len, 3000);
CHECK: Unnecessary parentheses around 'len != size'
+ if (err || (len != size)) {
CHECK: Alignment should match open parenthesis
+static int ath3k_get_version(struct usb_device *udev,
+ struct ath3k_version *version)
CHECK: Alignment should match open parenthesis
+static int ath3k_load_fwfile(struct usb_device *udev,
+ const struct firmware *firmware)
CHECK: Alignment should match open parenthesis
+ err = usb_bulk_msg(udev, pipe, send_buf, size,
+ &len, 3000);
CHECK: Unnecessary parentheses around 'len != size'
+ if (err || (len != size)) {
CHECK: Blank lines aren't necessary after an open brace '{'
+ switch (fw_version.ref_clock) {
+
CHECK: Alignment should match open parenthesis
+ snprintf(filename, ATH3K_NAME_LEN, "ar3k/ramps_0x%08x_%d%s",
+ le32_to_cpu(fw_version.rom_version), clk_value, ".dfu");
CHECK: Alignment should match open parenthesis
+static int ath3k_probe(struct usb_interface *intf,
+ const struct usb_device_id *id)
CHECK: Alignment should match open parenthesis
+ BT_ERR("Firmware file \"%s\" not found",
+ ATH3K_FIRMWARE);
CHECK: Alignment should match open parenthesis
+ BT_ERR("Firmware file \"%s\" request failed (err=%d)",
+ ATH3K_FIRMWARE, ret);
total: 0 errors, 0 warnings, 14 checks, 540 lines checked
Signed-off-by: Uri Arev <me@wantyapps.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/ath3k.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index 759d7828931d9..56ada48104f0e 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -3,7 +3,6 @@
* Copyright (c) 2008-2009 Atheros Communications Inc.
*/
-
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
@@ -129,7 +128,6 @@ MODULE_DEVICE_TABLE(usb, ath3k_table);
* for AR3012
*/
static const struct usb_device_id ath3k_blist_tbl[] = {
-
/* Atheros AR3012 with sflash firmware*/
{ USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
@@ -203,7 +201,7 @@ static inline void ath3k_log_failed_loading(int err, int len, int size,
#define TIMEGAP_USEC_MAX 100
static int ath3k_load_firmware(struct usb_device *udev,
- const struct firmware *firmware)
+ const struct firmware *firmware)
{
u8 *send_buf;
int len = 0;
@@ -238,9 +236,9 @@ static int ath3k_load_firmware(struct usb_device *udev,
memcpy(send_buf, firmware->data + sent, size);
err = usb_bulk_msg(udev, pipe, send_buf, size,
- &len, 3000);
+ &len, 3000);
- if (err || (len != size)) {
+ if (err || len != size) {
ath3k_log_failed_loading(err, len, size, count);
goto error;
}
@@ -263,7 +261,7 @@ static int ath3k_get_state(struct usb_device *udev, unsigned char *state)
}
static int ath3k_get_version(struct usb_device *udev,
- struct ath3k_version *version)
+ struct ath3k_version *version)
{
return usb_control_msg_recv(udev, 0, ATH3K_GETVERSION,
USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
@@ -272,7 +270,7 @@ static int ath3k_get_version(struct usb_device *udev,
}
static int ath3k_load_fwfile(struct usb_device *udev,
- const struct firmware *firmware)
+ const struct firmware *firmware)
{
u8 *send_buf;
int len = 0;
@@ -311,8 +309,8 @@ static int ath3k_load_fwfile(struct usb_device *udev,
memcpy(send_buf, firmware->data + sent, size);
err = usb_bulk_msg(udev, pipe, send_buf, size,
- &len, 3000);
- if (err || (len != size)) {
+ &len, 3000);
+ if (err || len != size) {
ath3k_log_failed_loading(err, len, size, count);
kfree(send_buf);
return err;
@@ -426,7 +424,6 @@ static int ath3k_load_syscfg(struct usb_device *udev)
}
switch (fw_version.ref_clock) {
-
case ATH3K_XTAL_FREQ_26M:
clk_value = 26;
break;
@@ -442,7 +439,7 @@ static int ath3k_load_syscfg(struct usb_device *udev)
}
snprintf(filename, ATH3K_NAME_LEN, "ar3k/ramps_0x%08x_%d%s",
- le32_to_cpu(fw_version.rom_version), clk_value, ".dfu");
+ le32_to_cpu(fw_version.rom_version), clk_value, ".dfu");
ret = request_firmware(&firmware, filename, &udev->dev);
if (ret < 0) {
@@ -457,7 +454,7 @@ static int ath3k_load_syscfg(struct usb_device *udev)
}
static int ath3k_probe(struct usb_interface *intf,
- const struct usb_device_id *id)
+ const struct usb_device_id *id)
{
const struct firmware *firmware;
struct usb_device *udev = interface_to_usbdev(intf);
@@ -506,10 +503,10 @@ static int ath3k_probe(struct usb_interface *intf,
if (ret < 0) {
if (ret == -ENOENT)
BT_ERR("Firmware file \"%s\" not found",
- ATH3K_FIRMWARE);
+ ATH3K_FIRMWARE);
else
BT_ERR("Firmware file \"%s\" request failed (err=%d)",
- ATH3K_FIRMWARE, ret);
+ ATH3K_FIRMWARE, ret);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 168/356] drm/amd/display: Exit idle optimizations before HDCP execution
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 167/356] Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 169/356] drm/lima: add mask irq callback to gp and pp Greg Kroah-Hartman
` (195 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Charlene Liu, Alex Hung, Nicholas Kazlauskas, Daniel Wheeler,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
[ Upstream commit f30a3bea92bdab398531129d187629fb1d28f598 ]
[WHY]
PSP can access DCN registers during command submission and we need
to ensure that DCN is not in PG before doing so.
[HOW]
Add a callback to DM to lock and notify DC for idle optimization exit.
It can't be DC directly because of a potential race condition with the
link protection thread and the rest of DM operation.
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Charlene Liu <charlene.liu@amd.com>
Acked-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c | 10 ++++++++++
drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h | 8 ++++++++
2 files changed, 18 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
index 3e81850a7ffe3..47bb973669d85 100644
--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
@@ -88,6 +88,14 @@ static uint8_t is_cp_desired_hdcp2(struct mod_hdcp *hdcp)
!hdcp->connection.is_hdcp2_revoked;
}
+static void exit_idle_optimizations(struct mod_hdcp *hdcp)
+{
+ struct mod_hdcp_dm *dm = &hdcp->config.dm;
+
+ if (dm->funcs.exit_idle_optimizations)
+ dm->funcs.exit_idle_optimizations(dm->handle);
+}
+
static enum mod_hdcp_status execution(struct mod_hdcp *hdcp,
struct mod_hdcp_event_context *event_ctx,
union mod_hdcp_transition_input *input)
@@ -507,6 +515,8 @@ enum mod_hdcp_status mod_hdcp_process_event(struct mod_hdcp *hdcp,
memset(&event_ctx, 0, sizeof(struct mod_hdcp_event_context));
event_ctx.event = event;
+ exit_idle_optimizations(hdcp);
+
/* execute and transition */
exec_status = execution(hdcp, &event_ctx, &hdcp->auth.trans_input);
trans_status = transition(
diff --git a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h
index f37101f5a7777..8a620c34396c7 100644
--- a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h
+++ b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h
@@ -154,6 +154,13 @@ struct mod_hdcp_ddc {
} funcs;
};
+struct mod_hdcp_dm {
+ void *handle;
+ struct {
+ void (*exit_idle_optimizations)(void *handle);
+ } funcs;
+};
+
struct mod_hdcp_psp {
void *handle;
void *funcs;
@@ -269,6 +276,7 @@ struct mod_hdcp_display_query {
struct mod_hdcp_config {
struct mod_hdcp_psp psp;
struct mod_hdcp_ddc ddc;
+ struct mod_hdcp_dm dm;
uint8_t index;
};
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 169/356] drm/lima: add mask irq callback to gp and pp
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 168/356] drm/amd/display: Exit idle optimizations before HDCP execution Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 170/356] drm/lima: mask irqs in timeout path before hard reset Greg Kroah-Hartman
` (194 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Erico Nunes, Qiang Yu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erico Nunes <nunes.erico@gmail.com>
[ Upstream commit 49c13b4d2dd4a831225746e758893673f6ae961c ]
This is needed because we want to reset those devices in device-agnostic
code such as lima_sched.
In particular, masking irqs will be useful before a hard reset to
prevent race conditions.
Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
Signed-off-by: Qiang Yu <yuq825@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240405152951.1531555-2-nunes.erico@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/lima/lima_bcast.c | 12 ++++++++++++
drivers/gpu/drm/lima/lima_bcast.h | 3 +++
drivers/gpu/drm/lima/lima_gp.c | 8 ++++++++
drivers/gpu/drm/lima/lima_pp.c | 18 ++++++++++++++++++
drivers/gpu/drm/lima/lima_sched.h | 1 +
5 files changed, 42 insertions(+)
diff --git a/drivers/gpu/drm/lima/lima_bcast.c b/drivers/gpu/drm/lima/lima_bcast.c
index fbc43f243c54d..6d000504e1a4e 100644
--- a/drivers/gpu/drm/lima/lima_bcast.c
+++ b/drivers/gpu/drm/lima/lima_bcast.c
@@ -43,6 +43,18 @@ void lima_bcast_suspend(struct lima_ip *ip)
}
+int lima_bcast_mask_irq(struct lima_ip *ip)
+{
+ bcast_write(LIMA_BCAST_BROADCAST_MASK, 0);
+ bcast_write(LIMA_BCAST_INTERRUPT_MASK, 0);
+ return 0;
+}
+
+int lima_bcast_reset(struct lima_ip *ip)
+{
+ return lima_bcast_hw_init(ip);
+}
+
int lima_bcast_init(struct lima_ip *ip)
{
int i;
diff --git a/drivers/gpu/drm/lima/lima_bcast.h b/drivers/gpu/drm/lima/lima_bcast.h
index 465ee587bceb2..cd08841e47879 100644
--- a/drivers/gpu/drm/lima/lima_bcast.h
+++ b/drivers/gpu/drm/lima/lima_bcast.h
@@ -13,4 +13,7 @@ void lima_bcast_fini(struct lima_ip *ip);
void lima_bcast_enable(struct lima_device *dev, int num_pp);
+int lima_bcast_mask_irq(struct lima_ip *ip);
+int lima_bcast_reset(struct lima_ip *ip);
+
#endif
diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c
index 8dd501b7a3d0d..6cf46b653e810 100644
--- a/drivers/gpu/drm/lima/lima_gp.c
+++ b/drivers/gpu/drm/lima/lima_gp.c
@@ -212,6 +212,13 @@ static void lima_gp_task_mmu_error(struct lima_sched_pipe *pipe)
lima_sched_pipe_task_done(pipe);
}
+static void lima_gp_task_mask_irq(struct lima_sched_pipe *pipe)
+{
+ struct lima_ip *ip = pipe->processor[0];
+
+ gp_write(LIMA_GP_INT_MASK, 0);
+}
+
static int lima_gp_task_recover(struct lima_sched_pipe *pipe)
{
struct lima_ip *ip = pipe->processor[0];
@@ -344,6 +351,7 @@ int lima_gp_pipe_init(struct lima_device *dev)
pipe->task_error = lima_gp_task_error;
pipe->task_mmu_error = lima_gp_task_mmu_error;
pipe->task_recover = lima_gp_task_recover;
+ pipe->task_mask_irq = lima_gp_task_mask_irq;
return 0;
}
diff --git a/drivers/gpu/drm/lima/lima_pp.c b/drivers/gpu/drm/lima/lima_pp.c
index a5c95bed08c09..54b208a4a768e 100644
--- a/drivers/gpu/drm/lima/lima_pp.c
+++ b/drivers/gpu/drm/lima/lima_pp.c
@@ -408,6 +408,9 @@ static void lima_pp_task_error(struct lima_sched_pipe *pipe)
lima_pp_hard_reset(ip);
}
+
+ if (pipe->bcast_processor)
+ lima_bcast_reset(pipe->bcast_processor);
}
static void lima_pp_task_mmu_error(struct lima_sched_pipe *pipe)
@@ -416,6 +419,20 @@ static void lima_pp_task_mmu_error(struct lima_sched_pipe *pipe)
lima_sched_pipe_task_done(pipe);
}
+static void lima_pp_task_mask_irq(struct lima_sched_pipe *pipe)
+{
+ int i;
+
+ for (i = 0; i < pipe->num_processor; i++) {
+ struct lima_ip *ip = pipe->processor[i];
+
+ pp_write(LIMA_PP_INT_MASK, 0);
+ }
+
+ if (pipe->bcast_processor)
+ lima_bcast_mask_irq(pipe->bcast_processor);
+}
+
static struct kmem_cache *lima_pp_task_slab;
static int lima_pp_task_slab_refcnt;
@@ -447,6 +464,7 @@ int lima_pp_pipe_init(struct lima_device *dev)
pipe->task_fini = lima_pp_task_fini;
pipe->task_error = lima_pp_task_error;
pipe->task_mmu_error = lima_pp_task_mmu_error;
+ pipe->task_mask_irq = lima_pp_task_mask_irq;
return 0;
}
diff --git a/drivers/gpu/drm/lima/lima_sched.h b/drivers/gpu/drm/lima/lima_sched.h
index 90f03c48ef4a8..f8bbfa69baea6 100644
--- a/drivers/gpu/drm/lima/lima_sched.h
+++ b/drivers/gpu/drm/lima/lima_sched.h
@@ -83,6 +83,7 @@ struct lima_sched_pipe {
void (*task_error)(struct lima_sched_pipe *pipe);
void (*task_mmu_error)(struct lima_sched_pipe *pipe);
int (*task_recover)(struct lima_sched_pipe *pipe);
+ void (*task_mask_irq)(struct lima_sched_pipe *pipe);
struct work_struct recover_work;
};
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 170/356] drm/lima: mask irqs in timeout path before hard reset
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 169/356] drm/lima: add mask irq callback to gp and pp Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 171/356] powerpc/pseries: Enforce hcall result buffer validity and size Greg Kroah-Hartman
` (193 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Erico Nunes, Qiang Yu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erico Nunes <nunes.erico@gmail.com>
[ Upstream commit a421cc7a6a001b70415aa4f66024fa6178885a14 ]
There is a race condition in which a rendering job might take just long
enough to trigger the drm sched job timeout handler but also still
complete before the hard reset is done by the timeout handler.
This runs into race conditions not expected by the timeout handler.
In some very specific cases it currently may result in a refcount
imbalance on lima_pm_idle, with a stack dump such as:
[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0
...
[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0
...
[10136.669628] Call trace:
[10136.669634] lima_devfreq_record_idle+0xa0/0xb0
[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0
[10136.669656] lima_gp_irq_handler+0xa8/0x120
[10136.669666] __handle_irq_event_percpu+0x48/0x160
[10136.669679] handle_irq_event+0x4c/0xc0
We can prevent that race condition entirely by masking the irqs at the
beginning of the timeout handler, at which point we give up on waiting
for that job entirely.
The irqs will be enabled again at the next hard reset which is already
done as a recovery by the timeout handler.
Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
Reviewed-by: Qiang Yu <yuq825@gmail.com>
Signed-off-by: Qiang Yu <yuq825@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240405152951.1531555-4-nunes.erico@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/lima/lima_sched.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/lima/lima_sched.c b/drivers/gpu/drm/lima/lima_sched.c
index 2e817dbdcad75..a7572123fee15 100644
--- a/drivers/gpu/drm/lima/lima_sched.c
+++ b/drivers/gpu/drm/lima/lima_sched.c
@@ -421,6 +421,13 @@ static enum drm_gpu_sched_stat lima_sched_timedout_job(struct drm_sched_job *job
struct lima_sched_task *task = to_lima_task(job);
struct lima_device *ldev = pipe->ldev;
+ /*
+ * The task might still finish while this timeout handler runs.
+ * To prevent a race condition on its completion, mask all irqs
+ * on the running core until the next hard reset completes.
+ */
+ pipe->task_mask_irq(pipe);
+
if (!pipe->error)
DRM_ERROR("lima job timeout\n");
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 171/356] powerpc/pseries: Enforce hcall result buffer validity and size
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 170/356] drm/lima: mask irqs in timeout path before hard reset Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 172/356] powerpc/io: Avoid clang null pointer arithmetic warnings Greg Kroah-Hartman
` (192 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Lynch, Michael Ellerman,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Lynch <nathanl@linux.ibm.com>
[ Upstream commit ff2e185cf73df480ec69675936c4ee75a445c3e4 ]
plpar_hcall(), plpar_hcall9(), and related functions expect callers to
provide valid result buffers of certain minimum size. Currently this
is communicated only through comments in the code and the compiler has
no idea.
For example, if I write a bug like this:
long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE
plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);
This compiles with no diagnostics emitted, but likely results in stack
corruption at runtime when plpar_hcall9() stores results past the end
of the array. (To be clear this is a contrived example and I have not
found a real instance yet.)
To make this class of error less likely, we can use explicitly-sized
array parameters instead of pointers in the declarations for the hcall
APIs. When compiled with -Warray-bounds[1], the code above now
provokes a diagnostic like this:
error: array argument is too small;
is of size 32, callee requires at least 72 [-Werror,-Warray-bounds]
60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,
| ^ ~~~~~~
[1] Enabled for LLVM builds but not GCC for now. See commit
0da6e5fd6c37 ("gcc: disable '-Warray-bounds' for gcc-13 too") and
related changes.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240408-pseries-hvcall-retbuf-v1-1-ebc73d7253cf@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/hvcall.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
index c25f160bb9978..47cec207e5571 100644
--- a/arch/powerpc/include/asm/hvcall.h
+++ b/arch/powerpc/include/asm/hvcall.h
@@ -472,7 +472,7 @@ long plpar_hcall_norets_notrace(unsigned long opcode, ...);
* Used for all but the craziest of phyp interfaces (see plpar_hcall9)
*/
#define PLPAR_HCALL_BUFSIZE 4
-long plpar_hcall(unsigned long opcode, unsigned long *retbuf, ...);
+long plpar_hcall(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL_BUFSIZE], ...);
/**
* plpar_hcall_raw: - Make a hypervisor call without calculating hcall stats
@@ -486,7 +486,7 @@ long plpar_hcall(unsigned long opcode, unsigned long *retbuf, ...);
* plpar_hcall, but plpar_hcall_raw works in real mode and does not
* calculate hypervisor call statistics.
*/
-long plpar_hcall_raw(unsigned long opcode, unsigned long *retbuf, ...);
+long plpar_hcall_raw(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL_BUFSIZE], ...);
/**
* plpar_hcall9: - Make a pseries hypervisor call with up to 9 return arguments
@@ -497,8 +497,8 @@ long plpar_hcall_raw(unsigned long opcode, unsigned long *retbuf, ...);
* PLPAR_HCALL9_BUFSIZE to size the return argument buffer.
*/
#define PLPAR_HCALL9_BUFSIZE 9
-long plpar_hcall9(unsigned long opcode, unsigned long *retbuf, ...);
-long plpar_hcall9_raw(unsigned long opcode, unsigned long *retbuf, ...);
+long plpar_hcall9(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL9_BUFSIZE], ...);
+long plpar_hcall9_raw(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL9_BUFSIZE], ...);
struct hvcall_mpp_data {
unsigned long entitled_mem;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 172/356] powerpc/io: Avoid clang null pointer arithmetic warnings
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 171/356] powerpc/pseries: Enforce hcall result buffer validity and size Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 173/356] power: supply: cros_usbpd: provide ID table for avoiding fallback match Greg Kroah-Hartman
` (191 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naresh Kamboju, Michael Ellerman,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman <mpe@ellerman.id.au>
[ Upstream commit 03c0f2c2b2220fc9cf8785cd7b61d3e71e24a366 ]
With -Wextra clang warns about pointer arithmetic using a null pointer.
When building with CONFIG_PCI=n, that triggers a warning in the IO
accessors, eg:
In file included from linux/arch/powerpc/include/asm/io.h:672:
linux/arch/powerpc/include/asm/io-defs.h:23:1: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
23 | DEF_PCI_AC_RET(inb, u8, (unsigned long port), (port), pio, port)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
linux/arch/powerpc/include/asm/io.h:591:53: note: expanded from macro '__do_inb'
591 | #define __do_inb(port) readb((PCI_IO_ADDR)_IO_BASE + port);
| ~~~~~~~~~~~~~~~~~~~~~ ^
That is because when CONFIG_PCI=n, _IO_BASE is defined as 0.
Although _IO_BASE is defined as plain 0, the cast (PCI_IO_ADDR) converts
it to void * before the addition with port happens.
Instead the addition can be done first, and then the cast. The resulting
value will be the same, but avoids the warning, and also avoids void
pointer arithmetic which is apparently non-standard.
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Closes: https://lore.kernel.org/all/CA+G9fYtEh8zmq8k8wE-8RZwW-Qr927RLTn+KqGnq1F=ptaaNsA@mail.gmail.com
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240503075619.394467-1-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/io.h | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h
index a4fe1292909e6..56eb8ac443930 100644
--- a/arch/powerpc/include/asm/io.h
+++ b/arch/powerpc/include/asm/io.h
@@ -556,12 +556,12 @@ __do_out_asm(_rec_outl, "stwbrx")
#define __do_inw(port) _rec_inw(port)
#define __do_inl(port) _rec_inl(port)
#else /* CONFIG_PPC32 */
-#define __do_outb(val, port) writeb(val,(PCI_IO_ADDR)_IO_BASE+port);
-#define __do_outw(val, port) writew(val,(PCI_IO_ADDR)_IO_BASE+port);
-#define __do_outl(val, port) writel(val,(PCI_IO_ADDR)_IO_BASE+port);
-#define __do_inb(port) readb((PCI_IO_ADDR)_IO_BASE + port);
-#define __do_inw(port) readw((PCI_IO_ADDR)_IO_BASE + port);
-#define __do_inl(port) readl((PCI_IO_ADDR)_IO_BASE + port);
+#define __do_outb(val, port) writeb(val,(PCI_IO_ADDR)(_IO_BASE+port));
+#define __do_outw(val, port) writew(val,(PCI_IO_ADDR)(_IO_BASE+port));
+#define __do_outl(val, port) writel(val,(PCI_IO_ADDR)(_IO_BASE+port));
+#define __do_inb(port) readb((PCI_IO_ADDR)(_IO_BASE + port));
+#define __do_inw(port) readw((PCI_IO_ADDR)(_IO_BASE + port));
+#define __do_inl(port) readl((PCI_IO_ADDR)(_IO_BASE + port));
#endif /* !CONFIG_PPC32 */
#ifdef CONFIG_EEH
@@ -577,12 +577,12 @@ __do_out_asm(_rec_outl, "stwbrx")
#define __do_writesw(a, b, n) _outsw(PCI_FIX_ADDR(a),(b),(n))
#define __do_writesl(a, b, n) _outsl(PCI_FIX_ADDR(a),(b),(n))
-#define __do_insb(p, b, n) readsb((PCI_IO_ADDR)_IO_BASE+(p), (b), (n))
-#define __do_insw(p, b, n) readsw((PCI_IO_ADDR)_IO_BASE+(p), (b), (n))
-#define __do_insl(p, b, n) readsl((PCI_IO_ADDR)_IO_BASE+(p), (b), (n))
-#define __do_outsb(p, b, n) writesb((PCI_IO_ADDR)_IO_BASE+(p),(b),(n))
-#define __do_outsw(p, b, n) writesw((PCI_IO_ADDR)_IO_BASE+(p),(b),(n))
-#define __do_outsl(p, b, n) writesl((PCI_IO_ADDR)_IO_BASE+(p),(b),(n))
+#define __do_insb(p, b, n) readsb((PCI_IO_ADDR)(_IO_BASE+(p)), (b), (n))
+#define __do_insw(p, b, n) readsw((PCI_IO_ADDR)(_IO_BASE+(p)), (b), (n))
+#define __do_insl(p, b, n) readsl((PCI_IO_ADDR)(_IO_BASE+(p)), (b), (n))
+#define __do_outsb(p, b, n) writesb((PCI_IO_ADDR)(_IO_BASE+(p)),(b),(n))
+#define __do_outsw(p, b, n) writesw((PCI_IO_ADDR)(_IO_BASE+(p)),(b),(n))
+#define __do_outsl(p, b, n) writesl((PCI_IO_ADDR)(_IO_BASE+(p)),(b),(n))
#define __do_memset_io(addr, c, n) \
_memset_io(PCI_FIX_ADDR(addr), c, n)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 173/356] power: supply: cros_usbpd: provide ID table for avoiding fallback match
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 172/356] powerpc/io: Avoid clang null pointer arithmetic warnings Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 174/356] iommu/arm-smmu-v3: Free MSIs in case of ENOMEM Greg Kroah-Hartman
` (190 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benson Leung, Prashant Malani,
Krzysztof Kozlowski, Tzung-Bi Shih, Sebastian Reichel,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
[ Upstream commit 0f8678c34cbfdc63569a9b0ede1fe235ec6ec693 ]
Instead of using fallback driver name match, provide ID table[1] for the
primary match.
[1]: https://elixir.bootlin.com/linux/v6.8/source/drivers/base/platform.c#L1353
Reviewed-by: Benson Leung <bleung@chromium.org>
Reviewed-by: Prashant Malani <pmalani@chromium.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/20240401030052.2887845-4-tzungbi@kernel.org
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/cros_usbpd-charger.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/power/supply/cros_usbpd-charger.c b/drivers/power/supply/cros_usbpd-charger.c
index 0a4f02e4ae7ba..d7ee1eb9ca880 100644
--- a/drivers/power/supply/cros_usbpd-charger.c
+++ b/drivers/power/supply/cros_usbpd-charger.c
@@ -5,6 +5,7 @@
* Copyright (c) 2014 - 2018 Google, Inc
*/
+#include <linux/mod_devicetable.h>
#include <linux/module.h>
#include <linux/platform_data/cros_ec_commands.h>
#include <linux/platform_data/cros_ec_proto.h>
@@ -711,16 +712,22 @@ static int cros_usbpd_charger_resume(struct device *dev)
static SIMPLE_DEV_PM_OPS(cros_usbpd_charger_pm_ops, NULL,
cros_usbpd_charger_resume);
+static const struct platform_device_id cros_usbpd_charger_id[] = {
+ { DRV_NAME, 0 },
+ {}
+};
+MODULE_DEVICE_TABLE(platform, cros_usbpd_charger_id);
+
static struct platform_driver cros_usbpd_charger_driver = {
.driver = {
.name = DRV_NAME,
.pm = &cros_usbpd_charger_pm_ops,
},
- .probe = cros_usbpd_charger_probe
+ .probe = cros_usbpd_charger_probe,
+ .id_table = cros_usbpd_charger_id,
};
module_platform_driver(cros_usbpd_charger_driver);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("ChromeOS EC USBPD charger");
-MODULE_ALIAS("platform:" DRV_NAME);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 174/356] iommu/arm-smmu-v3: Free MSIs in case of ENOMEM
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 173/356] power: supply: cros_usbpd: provide ID table for avoiding fallback match Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 175/356] f2fs: remove clear SB_INLINECRYPT flag in default_options Greg Kroah-Hartman
` (189 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Aprelkov, Will Deacon,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandr Aprelkov <aaprelkov@usergate.com>
[ Upstream commit 80fea979dd9d48d67c5b48d2f690c5da3e543ebd ]
If devm_add_action() returns -ENOMEM, then MSIs are allocated but not
not freed on teardown. Use devm_add_action_or_reset() instead to keep
the static analyser happy.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Aleksandr Aprelkov <aaprelkov@usergate.com>
Link: https://lore.kernel.org/r/20240403053759.643164-1-aaprelkov@usergate.com
[will: Tweak commit message, remove warning message]
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
index 761cb657f2561..ec4c87095c6cd 100644
--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
@@ -3239,7 +3239,7 @@ static void arm_smmu_setup_msis(struct arm_smmu_device *smmu)
}
/* Add callback to free MSIs on teardown */
- devm_add_action(dev, arm_smmu_free_msis, dev);
+ devm_add_action_or_reset(dev, arm_smmu_free_msis, dev);
}
static void arm_smmu_setup_unique_irqs(struct arm_smmu_device *smmu)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 175/356] f2fs: remove clear SB_INLINECRYPT flag in default_options
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 174/356] iommu/arm-smmu-v3: Free MSIs in case of ENOMEM Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 176/356] usb: misc: uss720: check for incompatible versions of the Belkin F5U002 Greg Kroah-Hartman
` (188 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunlei He, Chao Yu, Jaegeuk Kim,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yunlei He <heyunlei@oppo.com>
[ Upstream commit ac5eecf481c29942eb9a862e758c0c8b68090c33 ]
In f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.
If create new file or open file during this gap, these files
will not use inlinecrypt. Worse case, it may lead to data
corruption if wrappedkey_v0 is enable.
Thread A: Thread B:
-f2fs_remount -f2fs_file_open or f2fs_new_inode
-default_options
<- clear SB_INLINECRYPT flag
-fscrypt_select_encryption_impl
-parse_options
<- set SB_INLINECRYPT again
Signed-off-by: Yunlei He <heyunlei@oppo.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/super.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index df1e5496352c2..706d7adda3b22 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2068,8 +2068,6 @@ static void default_options(struct f2fs_sb_info *sbi)
F2FS_OPTION(sbi).compress_mode = COMPR_MODE_FS;
F2FS_OPTION(sbi).bggc_mode = BGGC_MODE_ON;
- sbi->sb->s_flags &= ~SB_INLINECRYPT;
-
set_opt(sbi, INLINE_XATTR);
set_opt(sbi, INLINE_DATA);
set_opt(sbi, INLINE_DENTRY);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 176/356] usb: misc: uss720: check for incompatible versions of the Belkin F5U002
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 175/356] f2fs: remove clear SB_INLINECRYPT flag in default_options Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 177/356] Avoid hw_desc array overrun in dw-axi-dmac Greg Kroah-Hartman
` (187 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Henrie, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Henrie <alexhenrie24@gmail.com>
[ Upstream commit 3295f1b866bfbcabd625511968e8a5c541f9ab32 ]
The incompatible device in my possession has a sticker that says
"F5U002 Rev 2" and "P80453-B", and lsusb identifies it as
"050d:0002 Belkin Components IEEE-1284 Controller". There is a bug
report from 2007 from Michael Trausch who was seeing the exact same
errors that I saw in 2024 trying to use this cable.
Link: https://lore.kernel.org/all/46DE5830.9060401@trausch.us/
Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
Link: https://lore.kernel.org/r/20240326150723.99939-5-alexhenrie24@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/misc/uss720.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c
index 0be8efcda15d5..d972c09629397 100644
--- a/drivers/usb/misc/uss720.c
+++ b/drivers/usb/misc/uss720.c
@@ -677,7 +677,7 @@ static int uss720_probe(struct usb_interface *intf,
struct parport_uss720_private *priv;
struct parport *pp;
unsigned char reg;
- int i;
+ int ret;
dev_dbg(&intf->dev, "probe: vendor id 0x%x, device id 0x%x\n",
le16_to_cpu(usbdev->descriptor.idVendor),
@@ -688,8 +688,8 @@ static int uss720_probe(struct usb_interface *intf,
usb_put_dev(usbdev);
return -ENODEV;
}
- i = usb_set_interface(usbdev, intf->altsetting->desc.bInterfaceNumber, 2);
- dev_dbg(&intf->dev, "set interface result %d\n", i);
+ ret = usb_set_interface(usbdev, intf->altsetting->desc.bInterfaceNumber, 2);
+ dev_dbg(&intf->dev, "set interface result %d\n", ret);
interface = intf->cur_altsetting;
@@ -725,12 +725,18 @@ static int uss720_probe(struct usb_interface *intf,
set_1284_register(pp, 7, 0x00, GFP_KERNEL);
set_1284_register(pp, 6, 0x30, GFP_KERNEL); /* PS/2 mode */
set_1284_register(pp, 2, 0x0c, GFP_KERNEL);
- /* debugging */
- get_1284_register(pp, 0, ®, GFP_KERNEL);
+
+ /* The Belkin F5U002 Rev 2 P80453-B USB parallel port adapter shares the
+ * device ID 050d:0002 with some other device that works with this
+ * driver, but it itself does not. Detect and handle the bad cable
+ * here. */
+ ret = get_1284_register(pp, 0, ®, GFP_KERNEL);
dev_dbg(&intf->dev, "reg: %7ph\n", priv->reg);
+ if (ret < 0)
+ return ret;
- i = usb_find_last_int_in_endpoint(interface, &epd);
- if (!i) {
+ ret = usb_find_last_int_in_endpoint(interface, &epd);
+ if (!ret) {
dev_dbg(&intf->dev, "epaddr %d interval %d\n",
epd->bEndpointAddress, epd->bInterval);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 177/356] Avoid hw_desc array overrun in dw-axi-dmac
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 176/356] usb: misc: uss720: check for incompatible versions of the Belkin F5U002 Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 178/356] udf: udftime: prevent overflow in udf_disk_stamp_to_time() Greg Kroah-Hartman
` (186 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joao Pinto, Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joao Pinto <Joao.Pinto@synopsys.com>
[ Upstream commit 333e11bf47fa8d477db90e2900b1ed3c9ae9b697 ]
I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3
segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()
handles the hw_desc considering the descs_allocated, this scenario would result in a
kernel panic (hw_desc array will be overrun).
To fix this, the proposal is to add a new member to the axi_dma_desc structure,
where we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in
axi_desc_put() to handle the hw_desc array correctly.
Additionally I propose to remove the axi_chan_start_first_queued() call after completing
the transfer, since it was identified that unbalance can occur (started descriptors can
be interrupted and transfer ignored due to DMA channel not being enabled).
Signed-off-by: Joao Pinto <jpinto@synopsys.com>
Link: https://lore.kernel.org/r/1711536564-12919-1-git-send-email-jpinto@synopsys.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 6 ++----
drivers/dma/dw-axi-dmac/dw-axi-dmac.h | 1 +
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
index cfc47efcb5d93..6715ade391aa1 100644
--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
@@ -213,6 +213,7 @@ static struct axi_dma_desc *axi_desc_alloc(u32 num)
kfree(desc);
return NULL;
}
+ desc->nr_hw_descs = num;
return desc;
}
@@ -239,7 +240,7 @@ static struct axi_dma_lli *axi_desc_get(struct axi_dma_chan *chan,
static void axi_desc_put(struct axi_dma_desc *desc)
{
struct axi_dma_chan *chan = desc->chan;
- int count = atomic_read(&chan->descs_allocated);
+ int count = desc->nr_hw_descs;
struct axi_dma_hw_desc *hw_desc;
int descs_put;
@@ -1049,9 +1050,6 @@ static void axi_chan_block_xfer_complete(struct axi_dma_chan *chan)
/* Remove the completed descriptor from issued list before completing */
list_del(&vd->node);
vchan_cookie_complete(vd);
-
- /* Submit queued descriptors after processing the completed ones */
- axi_chan_start_first_queued(chan);
}
out:
diff --git a/drivers/dma/dw-axi-dmac/dw-axi-dmac.h b/drivers/dma/dw-axi-dmac/dw-axi-dmac.h
index 380005afde160..58fc6310ee364 100644
--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac.h
+++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac.h
@@ -101,6 +101,7 @@ struct axi_dma_desc {
u32 completed_blocks;
u32 length;
u32 period_len;
+ u32 nr_hw_descs;
};
static inline struct device *dchan2dev(struct dma_chan *dchan)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 178/356] udf: udftime: prevent overflow in udf_disk_stamp_to_time()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 177/356] Avoid hw_desc array overrun in dw-axi-dmac Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 179/356] PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports Greg Kroah-Hartman
` (185 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Roman Smirnov,
Sergey Shtylyov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roman Smirnov <r.smirnov@omp.ru>
[ Upstream commit 3b84adf460381169c085e4bc09e7b57e9e16db0a ]
An overflow can occur in a situation where src.centiseconds
takes the value of 255. This situation is unlikely, but there
is no validation check anywere in the code.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Signed-off-by: Jan Kara <jack@suse.cz>
Message-Id: <20240327132755.13945-1-r.smirnov@omp.ru>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/udftime.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/fs/udf/udftime.c b/fs/udf/udftime.c
index fce4ad976c8c2..26169b1f482c3 100644
--- a/fs/udf/udftime.c
+++ b/fs/udf/udftime.c
@@ -60,13 +60,18 @@ udf_disk_stamp_to_time(struct timespec64 *dest, struct timestamp src)
dest->tv_sec = mktime64(year, src.month, src.day, src.hour, src.minute,
src.second);
dest->tv_sec -= offset * 60;
- dest->tv_nsec = 1000 * (src.centiseconds * 10000 +
- src.hundredsOfMicroseconds * 100 + src.microseconds);
+
/*
* Sanitize nanosecond field since reportedly some filesystems are
* recorded with bogus sub-second values.
*/
- dest->tv_nsec %= NSEC_PER_SEC;
+ if (src.centiseconds < 100 && src.hundredsOfMicroseconds < 100 &&
+ src.microseconds < 100) {
+ dest->tv_nsec = 1000 * (src.centiseconds * 10000 +
+ src.hundredsOfMicroseconds * 100 + src.microseconds);
+ } else {
+ dest->tv_nsec = 0;
+ }
}
void
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 179/356] PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 178/356] udf: udftime: prevent overflow in udf_disk_stamp_to_time() Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 180/356] MIPS: Octeon: Add PCIe link status check Greg Kroah-Hartman
` (184 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Heintzmann, Mario Limonciello,
Bjorn Helgaas, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 256df20c590bf0e4d63ac69330cf23faddac3e08 ]
Hewlett-Packard HP Pavilion 17 Notebook PC/1972 is an Intel Ivy Bridge
system with a muxless AMD Radeon dGPU. Attempting to use the dGPU fails
with the following sequence:
ACPI Error: Aborting method \AMD3._ON due to previous error (AE_AML_LOOP_TIMEOUT) (20230628/psparse-529)
radeon 0000:01:00.0: not ready 1023ms after resume; waiting
radeon 0000:01:00.0: not ready 2047ms after resume; waiting
radeon 0000:01:00.0: not ready 4095ms after resume; waiting
radeon 0000:01:00.0: not ready 8191ms after resume; waiting
radeon 0000:01:00.0: not ready 16383ms after resume; waiting
radeon 0000:01:00.0: not ready 32767ms after resume; waiting
radeon 0000:01:00.0: not ready 65535ms after resume; giving up
radeon 0000:01:00.0: Unable to change power state from D3cold to D0, device inaccessible
The issue is that the Root Port the dGPU is connected to can't handle the
transition from D3cold to D0 so the dGPU can't properly exit runtime PM.
The existing logic in pci_bridge_d3_possible() checks for systems that are
newer than 2015 to decide that D3 is safe. This would nominally work for
an Ivy Bridge system (which was discontinued in 2015), but this system
appears to have continued to receive BIOS updates until 2017 and so this
existing logic doesn't appropriately capture it.
Add the system to bridge_d3_blacklist to prevent D3cold from being used.
Link: https://lore.kernel.org/r/20240307163709.323-1-mario.limonciello@amd.com
Reported-by: Eric Heintzmann <heintzmann.eric@free.fr>
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3229
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Eric Heintzmann <heintzmann.eric@free.fr>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 36f1e604191e5..67216f4ea2151 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -2901,6 +2901,18 @@ static const struct dmi_system_id bridge_d3_blacklist[] = {
DMI_MATCH(DMI_BOARD_VERSION, "Continental Z2"),
},
},
+ {
+ /*
+ * Changing power state of root port dGPU is connected fails
+ * https://gitlab.freedesktop.org/drm/amd/-/issues/3229
+ */
+ .ident = "Hewlett-Packard HP Pavilion 17 Notebook PC/1972",
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
+ DMI_MATCH(DMI_BOARD_NAME, "1972"),
+ DMI_MATCH(DMI_BOARD_VERSION, "95.33"),
+ },
+ },
#endif
{ }
};
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 180/356] MIPS: Octeon: Add PCIe link status check
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 179/356] PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 181/356] serial: imx: Introduce timeout when waiting on transmitter empty Greg Kroah-Hartman
` (183 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Songyang Li, Thomas Bogendoerfer,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Songyang Li <leesongyang@outlook.com>
[ Upstream commit 29b83a64df3b42c88c0338696feb6fdcd7f1f3b7 ]
The standard PCIe configuration read-write interface is used to
access the configuration space of the peripheral PCIe devices
of the mips processor after the PCIe link surprise down, it can
generate kernel panic caused by "Data bus error". So it is
necessary to add PCIe link status check for system protection.
When the PCIe link is down or in training, assigning a value
of 0 to the configuration address can prevent read-write behavior
to the configuration space of peripheral PCIe devices, thereby
preventing kernel panic.
Signed-off-by: Songyang Li <leesongyang@outlook.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/pci/pcie-octeon.c | 6 ++++++
1 file changed, 6 insertions(+)
mode change 100644 => 100755 arch/mips/pci/pcie-octeon.c
diff --git a/arch/mips/pci/pcie-octeon.c b/arch/mips/pci/pcie-octeon.c
old mode 100644
new mode 100755
index d919a0d813a17..38de2a9c3cf1a
--- a/arch/mips/pci/pcie-octeon.c
+++ b/arch/mips/pci/pcie-octeon.c
@@ -230,12 +230,18 @@ static inline uint64_t __cvmx_pcie_build_config_addr(int pcie_port, int bus,
{
union cvmx_pcie_address pcie_addr;
union cvmx_pciercx_cfg006 pciercx_cfg006;
+ union cvmx_pciercx_cfg032 pciercx_cfg032;
pciercx_cfg006.u32 =
cvmx_pcie_cfgx_read(pcie_port, CVMX_PCIERCX_CFG006(pcie_port));
if ((bus <= pciercx_cfg006.s.pbnum) && (dev != 0))
return 0;
+ pciercx_cfg032.u32 =
+ cvmx_pcie_cfgx_read(pcie_port, CVMX_PCIERCX_CFG032(pcie_port));
+ if ((pciercx_cfg032.s.dlla == 0) || (pciercx_cfg032.s.lt == 1))
+ return 0;
+
pcie_addr.u64 = 0;
pcie_addr.config.upper = 2;
pcie_addr.config.io = 1;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 181/356] serial: imx: Introduce timeout when waiting on transmitter empty
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 180/356] MIPS: Octeon: Add PCIe link status check Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 182/356] serial: exar: adding missing CTI and Exar PCI ids Greg Kroah-Hartman
` (182 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Esben Haabendal, Marc Kleine-Budde,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Esben Haabendal <esben@geanix.com>
[ Upstream commit e533e4c62e9993e62e947ae9bbec34e4c7ae81c2 ]
By waiting at most 1 second for USR2_TXDC to be set, we avoid a potential
deadlock.
In case of the timeout, there is not much we can do, so we simply ignore
the transmitter state and optimistically try to continue.
Signed-off-by: Esben Haabendal <esben@geanix.com>
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
Link: https://lore.kernel.org/r/919647898c337a46604edcabaf13d42d80c0915d.1712837613.git.esben@geanix.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/imx.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
index 0587beaaea08d..b9ef426d5aae3 100644
--- a/drivers/tty/serial/imx.c
+++ b/drivers/tty/serial/imx.c
@@ -27,6 +27,7 @@
#include <linux/of.h>
#include <linux/of_device.h>
#include <linux/io.h>
+#include <linux/iopoll.h>
#include <linux/dma-mapping.h>
#include <asm/irq.h>
@@ -2024,7 +2025,7 @@ imx_uart_console_write(struct console *co, const char *s, unsigned int count)
struct imx_port *sport = imx_uart_ports[co->index];
struct imx_port_ucrs old_ucr;
unsigned long flags;
- unsigned int ucr1;
+ unsigned int ucr1, usr2;
int locked = 1;
if (sport->port.sysrq)
@@ -2055,8 +2056,8 @@ imx_uart_console_write(struct console *co, const char *s, unsigned int count)
* Finally, wait for transmitter to become empty
* and restore UCR1/2/3
*/
- while (!(imx_uart_readl(sport, USR2) & USR2_TXDC));
-
+ read_poll_timeout_atomic(imx_uart_readl, usr2, usr2 & USR2_TXDC,
+ 0, USEC_PER_SEC, false, sport, USR2);
imx_uart_ucrs_restore(sport, &old_ucr);
if (locked)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 182/356] serial: exar: adding missing CTI and Exar PCI ids
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 181/356] serial: imx: Introduce timeout when waiting on transmitter empty Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 183/356] MIPS: Routerboard 532: Fix vendor retry check code Greg Kroah-Hartman
` (181 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Parker Newman, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Parker Newman <pnewman@connecttech.com>
[ Upstream commit b86ae40ffcf5a16b9569b1016da4a08c4f352ca2 ]
- Added Connect Tech and Exar IDs not already in pci_ids.h
Signed-off-by: Parker Newman <pnewman@connecttech.com>
Link: https://lore.kernel.org/r/7c3d8e795a864dd9b0a00353b722060dc27c4e09.1713270624.git.pnewman@connecttech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/8250/8250_exar.c | 42 +++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
index 48769e059772a..a38820a1c5cd2 100644
--- a/drivers/tty/serial/8250/8250_exar.c
+++ b/drivers/tty/serial/8250/8250_exar.c
@@ -41,8 +41,50 @@
#define PCI_DEVICE_ID_COMMTECH_4228PCIE 0x0021
#define PCI_DEVICE_ID_COMMTECH_4222PCIE 0x0022
+#define PCI_VENDOR_ID_CONNECT_TECH 0x12c4
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_SP_OPTO 0x0340
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_SP_OPTO_A 0x0341
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_SP_OPTO_B 0x0342
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_XPRS 0x0350
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_XPRS_A 0x0351
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_XPRS_B 0x0352
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_XPRS 0x0353
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_16_XPRS_A 0x0354
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_16_XPRS_B 0x0355
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_XPRS_OPTO 0x0360
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_XPRS_OPTO_A 0x0361
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_XPRS_OPTO_B 0x0362
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_SP 0x0370
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_SP_232 0x0371
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_SP_485 0x0372
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_4_SP 0x0373
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_6_2_SP 0x0374
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_6_SP 0x0375
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_SP_232_NS 0x0376
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_XP_OPTO_LEFT 0x0380
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_XP_OPTO_RIGHT 0x0381
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_XP_OPTO 0x0382
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_4_XPRS_OPTO 0x0392
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_XPRS_LP 0x03A0
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_XPRS_LP_232 0x03A1
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_XPRS_LP_485 0x03A2
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_XPRS_LP_232_NS 0x03A3
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XEG001 0x0602
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_BASE 0x1000
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_2 0x1002
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_4 0x1004
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_8 0x1008
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_12 0x100C
+#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_16 0x1010
+#define PCI_DEVICE_ID_CONNECT_TECH_PCI_XR79X_12_XIG00X 0x110c
+#define PCI_DEVICE_ID_CONNECT_TECH_PCI_XR79X_12_XIG01X 0x110d
+#define PCI_DEVICE_ID_CONNECT_TECH_PCI_XR79X_16 0x1110
+
#define PCI_DEVICE_ID_EXAR_XR17V4358 0x4358
#define PCI_DEVICE_ID_EXAR_XR17V8358 0x8358
+#define PCI_DEVICE_ID_EXAR_XR17V252 0x0252
+#define PCI_DEVICE_ID_EXAR_XR17V254 0x0254
+#define PCI_DEVICE_ID_EXAR_XR17V258 0x0258
#define PCI_SUBDEVICE_ID_USR_2980 0x0128
#define PCI_SUBDEVICE_ID_USR_2981 0x0129
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 183/356] MIPS: Routerboard 532: Fix vendor retry check code
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 182/356] serial: exar: adding missing CTI and Exar PCI ids Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 184/356] mips: bmips: BCM6358: make sure CBR is correctly set Greg Kroah-Hartman
` (180 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen,
Thomas Bogendoerfer, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit ae9daffd9028f2500c9ac1517e46d4f2b57efb80 ]
read_config_dword() contains strange condition checking ret for a
number of values. The ret variable, however, is always zero because
config_access() never returns anything else. Thus, the retry is always
taken until number of tries is exceeded.
The code looks like it wants to check *val instead of ret to see if the
read gave an error response.
Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system")
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/pci/ops-rc32434.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/mips/pci/ops-rc32434.c b/arch/mips/pci/ops-rc32434.c
index 874ed6df97683..34b9323bdabb0 100644
--- a/arch/mips/pci/ops-rc32434.c
+++ b/arch/mips/pci/ops-rc32434.c
@@ -112,8 +112,8 @@ static int read_config_dword(struct pci_bus *bus, unsigned int devfn,
* gives them time to settle
*/
if (where == PCI_VENDOR_ID) {
- if (ret == 0xffffffff || ret == 0x00000000 ||
- ret == 0x0000ffff || ret == 0xffff0000) {
+ if (*val == 0xffffffff || *val == 0x00000000 ||
+ *val == 0x0000ffff || *val == 0xffff0000) {
if (delay > 4)
return 0;
delay *= 2;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 184/356] mips: bmips: BCM6358: make sure CBR is correctly set
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 183/356] MIPS: Routerboard 532: Fix vendor retry check code Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 185/356] tracing: Build event generation tests only as modules Greg Kroah-Hartman
` (179 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Marangi, Florian Fainelli,
Thomas Bogendoerfer, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Marangi <ansuelsmth@gmail.com>
[ Upstream commit ce5cdd3b05216b704a704f466fb4c2dff3778caf ]
It was discovered that some device have CBR address set to 0 causing
kernel panic when arch_sync_dma_for_cpu_all is called.
This was notice in situation where the system is booted from TP1 and
BMIPS_GET_CBR() returns 0 instead of a valid address and
!!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.
The current check whether RAC flush should be disabled or not are not
enough hence lets check if CBR is a valid address or not.
Fixes: ab327f8acdf8 ("mips: bmips: BCM6358: disable RAC flush for TP1")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/bmips/setup.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/mips/bmips/setup.c b/arch/mips/bmips/setup.c
index 45c7cf582348e..6e5c2c5070179 100644
--- a/arch/mips/bmips/setup.c
+++ b/arch/mips/bmips/setup.c
@@ -110,7 +110,8 @@ static void bcm6358_quirks(void)
* RAC flush causes kernel panics on BCM6358 when booting from TP1
* because the bootloader is not initializing it properly.
*/
- bmips_rac_flush_disable = !!(read_c0_brcm_cmt_local() & (1 << 31));
+ bmips_rac_flush_disable = !!(read_c0_brcm_cmt_local() & (1 << 31)) ||
+ !!BMIPS_GET_CBR();
}
static void bcm6368_quirks(void)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 185/356] tracing: Build event generation tests only as modules
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 184/356] mips: bmips: BCM6358: make sure CBR is correctly set Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 186/356] cipso: fix total option length computation Greg Kroah-Hartman
` (178 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
Steven Rostedt (Google), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Upstream commit 3572bd5689b0812b161b40279e39ca5b66d73e88 ]
The kprobes and synth event generation test modules add events and lock
(get a reference) those event file reference in module init function,
and unlock and delete it in module exit function. This is because those
are designed for playing as modules.
If we make those modules as built-in, those events are left locked in the
kernel, and never be removed. This causes kprobe event self-test failure
as below.
[ 97.349708] ------------[ cut here ]------------
[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.357106] Modules linked in:
[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14
[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90
[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286
[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000
[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68
[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000
[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000
[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000
[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0
[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 97.391196] Call Trace:
[ 97.391967] <TASK>
[ 97.392647] ? __warn+0xcc/0x180
[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.395181] ? report_bug+0xbd/0x150
[ 97.396234] ? handle_bug+0x3e/0x60
[ 97.397311] ? exc_invalid_op+0x1a/0x50
[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20
[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20
[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90
[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480
[ 97.403773] ? init_kprobe_trace+0x50/0x50
[ 97.404972] do_one_initcall+0x112/0x240
[ 97.406113] do_initcall_level+0x95/0xb0
[ 97.407286] ? kernel_init+0x1a/0x1a0
[ 97.408401] do_initcalls+0x3f/0x70
[ 97.409452] kernel_init_freeable+0x16f/0x1e0
[ 97.410662] ? rest_init+0x1f0/0x1f0
[ 97.411738] kernel_init+0x1a/0x1a0
[ 97.412788] ret_from_fork+0x39/0x50
[ 97.413817] ? rest_init+0x1f0/0x1f0
[ 97.414844] ret_from_fork_asm+0x11/0x20
[ 97.416285] </TASK>
[ 97.417134] irq event stamp: 13437323
[ 97.418376] hardirqs last enabled at (13437337): [<ffffffff8110bc0c>] console_unlock+0x11c/0x150
[ 97.421285] hardirqs last disabled at (13437370): [<ffffffff8110bbf1>] console_unlock+0x101/0x150
[ 97.423838] softirqs last enabled at (13437366): [<ffffffff8108e17f>] handle_softirqs+0x23f/0x2a0
[ 97.426450] softirqs last disabled at (13437393): [<ffffffff8108e346>] __irq_exit_rcu+0x66/0xd0
[ 97.428850] ---[ end trace 0000000000000000 ]---
And also, since we can not cleanup dynamic_event file, ftracetest are
failed too.
To avoid these issues, build these tests only as modules.
Link: https://lore.kernel.org/all/171811263754.85078.5877446624311852525.stgit@devnote2/
Fixes: 9fe41efaca08 ("tracing: Add synth event generation test module")
Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module")
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig
index 4265d125d50f3..193ca0cf5d122 100644
--- a/kernel/trace/Kconfig
+++ b/kernel/trace/Kconfig
@@ -991,7 +991,7 @@ config PREEMPTIRQ_DELAY_TEST
config SYNTH_EVENT_GEN_TEST
tristate "Test module for in-kernel synthetic event generation"
- depends on SYNTH_EVENTS
+ depends on SYNTH_EVENTS && m
help
This option creates a test module to check the base
functionality of in-kernel synthetic event definition and
@@ -1004,7 +1004,7 @@ config SYNTH_EVENT_GEN_TEST
config KPROBE_EVENT_GEN_TEST
tristate "Test module for in-kernel kprobe event generation"
- depends on KPROBE_EVENTS
+ depends on KPROBE_EVENTS && m
help
This option creates a test module to check the base
functionality of in-kernel kprobe event definition.
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 186/356] cipso: fix total option length computation
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 185/356] tracing: Build event generation tests only as modules Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 187/356] netrom: Fix a memory leak in nr_heartbeat_expiry() Greg Kroah-Hartman
` (177 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ondrej Mosnacek, David S. Miller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Mosnacek <omosnace@redhat.com>
[ Upstream commit 9f36169912331fa035d7b73a91252d7c2512eb1a ]
As evident from the definition of ip_options_get(), the IP option
IPOPT_END is used to pad the IP option data array, not IPOPT_NOP. Yet
the loop that walks the IP options to determine the total IP options
length in cipso_v4_delopt() doesn't take IPOPT_END into account.
Fix it by recognizing the IPOPT_END value as the end of actual options.
Fixes: 014ab19a69c3 ("selinux: Set socket NetLabel based on connection endpoint")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/cipso_ipv4.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 75ac145253445..016ebcbc8a633 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -2015,12 +2015,16 @@ static int cipso_v4_delopt(struct ip_options_rcu __rcu **opt_ptr)
* from there we can determine the new total option length */
iter = 0;
optlen_new = 0;
- while (iter < opt->opt.optlen)
- if (opt->opt.__data[iter] != IPOPT_NOP) {
+ while (iter < opt->opt.optlen) {
+ if (opt->opt.__data[iter] == IPOPT_END) {
+ break;
+ } else if (opt->opt.__data[iter] == IPOPT_NOP) {
+ iter++;
+ } else {
iter += opt->opt.__data[iter + 1];
optlen_new = iter;
- } else
- iter++;
+ }
+ }
hdr_delta = opt->opt.optlen;
opt->opt.optlen = (optlen_new + 3) & ~3;
hdr_delta -= opt->opt.optlen;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 187/356] netrom: Fix a memory leak in nr_heartbeat_expiry()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 186/356] cipso: fix total option length computation Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 188/356] ipv6: prevent possible NULL deref in fib6_nh_init() Greg Kroah-Hartman
` (176 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d327a1f3b12e1e206c16,
Gavrilov Ilia, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
[ Upstream commit 0b9130247f3b6a1122478471ff0e014ea96bb735 ]
syzbot reported a memory leak in nr_create() [0].
Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag.
But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will
call another nr_destroy_socket() and put it as in the case "b."
nr_connect
nr_establish_data_link
nr_start_heartbeat
nr_release
switch (nr->state)
case NR_STATE_3
nr->state = NR_STATE_2
sock_set_flag(sk, SOCK_DESTROY);
nr_rx_frame
nr_process_rx_frame
switch (nr->state)
case NR_STATE_2
nr_state2_machine()
nr_disconnect()
nr_sk(sk)->state = NR_STATE_0
sock_set_flag(sk, SOCK_DEAD)
nr_heartbeat_expiry
switch (nr->state)
case NR_STATE_0
if (sock_flag(sk, SOCK_DESTROY) ||
(sk->sk_state == TCP_LISTEN
&& sock_flag(sk, SOCK_DEAD)))
sock_hold() // ( !!! )
nr_destroy_socket()
To fix the memory leak, let's call sock_hold() only for a listening socket.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.
[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
Reported-by: syzbot+d327a1f3b12e1e206c16@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
Fixes: 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netrom/nr_timer.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
index 4e7c968cde2dc..5e3ca068f04e0 100644
--- a/net/netrom/nr_timer.c
+++ b/net/netrom/nr_timer.c
@@ -121,7 +121,8 @@ static void nr_heartbeat_expiry(struct timer_list *t)
is accepted() it isn't 'dead' so doesn't get removed. */
if (sock_flag(sk, SOCK_DESTROY) ||
(sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) {
- sock_hold(sk);
+ if (sk->sk_state == TCP_LISTEN)
+ sock_hold(sk);
bh_unlock_sock(sk);
nr_destroy_socket(sk);
goto out;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 188/356] ipv6: prevent possible NULL deref in fib6_nh_init()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 187/356] netrom: Fix a memory leak in nr_heartbeat_expiry() Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 189/356] ipv6: prevent possible NULL dereference in rt6_probe() Greg Kroah-Hartman
` (175 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
Lorenzo Bianconi, David Ahern, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 2eab4543a2204092c3a7af81d7d6c506e59a03a6 ]
syzbot reminds us that in6_dev_get() can return NULL.
fib6_nh_init()
ip6_validate_gw( &idev )
ip6_route_check_nh( idev )
*idev = in6_dev_get(dev); // can be NULL
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606
Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b
RSP: 0018:ffffc900032775a0 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8
RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000
R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8
R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000
FS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809
ip6_route_add+0x28/0x160 net/ipv6/route.c:3853
ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483
inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f940f07cea9
Fixes: 428604fb118f ("ipv6: do not set routes if disable_ipv6 has been enabled")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240614082002.26407-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 0ca3da0999c6a..c7ebb46d803c3 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3599,7 +3599,7 @@ int fib6_nh_init(struct net *net, struct fib6_nh *fib6_nh,
if (!dev)
goto out;
- if (idev->cnf.disable_ipv6) {
+ if (!idev || idev->cnf.disable_ipv6) {
NL_SET_ERR_MSG(extack, "IPv6 is disabled on nexthop device");
err = -EACCES;
goto out;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 189/356] ipv6: prevent possible NULL dereference in rt6_probe()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 188/356] ipv6: prevent possible NULL deref in fib6_nh_init() Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 190/356] xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() Greg Kroah-Hartman
` (174 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jason Xing,
David Ahern, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit b86762dbe19a62e785c189f313cda5b989931f37 ]
syzbot caught a NULL dereference in rt6_probe() [1]
Bail out if __in6_dev_get() returns NULL.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]
CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]
RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758
Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19
RSP: 0018:ffffc900034af070 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000
RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c
RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a
R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000
FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784
nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496
__find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825
find_rr_leaf net/ipv6/route.c:853 [inline]
rt6_select net/ipv6/route.c:897 [inline]
fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195
ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231
pol_lookup_func include/net/ip6_fib.h:616 [inline]
fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121
ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]
ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651
ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147
ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250
rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898
inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x6b6/0x1140 fs/read_write.c:590
ksys_write+0x1f8/0x260 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 52e1635631b3 ("[IPV6]: ROUTE: Add router_probe_interval sysctl.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240615151454.166404-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index c7ebb46d803c3..d937ee942a4fc 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -634,6 +634,8 @@ static void rt6_probe(struct fib6_nh *fib6_nh)
rcu_read_lock_bh();
last_probe = READ_ONCE(fib6_nh->last_probe);
idev = __in6_dev_get(dev);
+ if (!idev)
+ goto out;
neigh = __ipv6_neigh_lookup_noref(dev, nh_gw);
if (neigh) {
if (neigh->nud_state & NUD_VALID)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 190/356] xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 189/356] ipv6: prevent possible NULL dereference in rt6_probe() Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 191/356] netns: Make get_net_ns() handle zero refcount net Greg Kroah-Hartman
` (173 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet, David Ahern,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d46401052c2d5614da8efea5788532f0401cb164 ]
ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.
syzbot reported:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00
RSP: 0018:ffffc90000117378 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7
RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98
RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000
R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]
xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541
xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]
xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201
xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]
xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309
ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256
send6+0x611/0xd20 drivers/net/wireguard/socket.c:139
wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178
wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200
wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40
wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240615154231.234442-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/xfrm6_policy.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 4c3aa97f23faa..7c903e0e446cb 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -57,12 +57,18 @@ static int xfrm6_get_saddr(struct net *net, int oif,
{
struct dst_entry *dst;
struct net_device *dev;
+ struct inet6_dev *idev;
dst = xfrm6_dst_lookup(net, 0, oif, NULL, daddr, mark);
if (IS_ERR(dst))
return -EHOSTUNREACH;
- dev = ip6_dst_idev(dst)->dev;
+ idev = ip6_dst_idev(dst);
+ if (!idev) {
+ dst_release(dst);
+ return -EHOSTUNREACH;
+ }
+ dev = idev->dev;
ipv6_dev_get_saddr(dev_net(dev), dev, &daddr->in6, 0, &saddr->in6);
dst_release(dst);
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 191/356] netns: Make get_net_ns() handle zero refcount net
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 190/356] xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 192/356] qca_spi: Make interrupt remembering atomic Greg Kroah-Hartman
` (172 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yue Haibing, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yue Haibing <yuehaibing@huawei.com>
[ Upstream commit ff960f9d3edbe08a736b5a224d91a305ccc946b0 ]
Syzkaller hit a warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0
Modules linked in:
CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xdf/0x1d0
Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1
RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac
RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001
RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139
R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4
R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040
FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? show_regs+0xa3/0xc0
? __warn+0xa5/0x1c0
? refcount_warn_saturate+0xdf/0x1d0
? report_bug+0x1fc/0x2d0
? refcount_warn_saturate+0xdf/0x1d0
? handle_bug+0xa1/0x110
? exc_invalid_op+0x3c/0xb0
? asm_exc_invalid_op+0x1f/0x30
? __warn_printk+0xcc/0x140
? __warn_printk+0xd5/0x140
? refcount_warn_saturate+0xdf/0x1d0
get_net_ns+0xa4/0xc0
? __pfx_get_net_ns+0x10/0x10
open_related_ns+0x5a/0x130
__tun_chr_ioctl+0x1616/0x2370
? __sanitizer_cov_trace_switch+0x58/0xa0
? __sanitizer_cov_trace_const_cmp2+0x1c/0x30
? __pfx_tun_chr_ioctl+0x10/0x10
tun_chr_ioctl+0x2f/0x40
__x64_sys_ioctl+0x11b/0x160
x64_sys_call+0x1211/0x20d0
do_syscall_64+0x9e/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b28f165d7
Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8
RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7
RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003
RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0
R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730
R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
This is trigger as below:
ns0 ns1
tun_set_iff() //dev is tun0
tun->dev = dev
//ip link set tun0 netns ns1
put_net() //ref is 0
__tun_chr_ioctl() //TUNGETDEVNETNS
net = dev_net(tun->dev);
open_related_ns(&net->ns, get_net_ns); //ns1
get_net_ns()
get_net() //addition on 0
Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this
Fixes: 0c3e0e3bb623 ("tun: Add ioctl() TUNGETDEVNETNS cmd to allow obtaining real net ns of tun device")
Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20240614131302.2698509-1-yuehaibing@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/net_namespace.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index a209db33fa5f7..3addbce20f8ed 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -651,11 +651,16 @@ EXPORT_SYMBOL_GPL(__put_net);
* get_net_ns - increment the refcount of the network namespace
* @ns: common namespace (net)
*
- * Returns the net's common namespace.
+ * Returns the net's common namespace or ERR_PTR() if ref is zero.
*/
struct ns_common *get_net_ns(struct ns_common *ns)
{
- return &get_net(container_of(ns, struct net, ns))->ns;
+ struct net *net;
+
+ net = maybe_get_net(container_of(ns, struct net, ns));
+ if (net)
+ return &net->ns;
+ return ERR_PTR(-EINVAL);
}
EXPORT_SYMBOL_GPL(get_net_ns);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 192/356] qca_spi: Make interrupt remembering atomic
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 191/356] netns: Make get_net_ns() handle zero refcount net Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 193/356] net/sched: act_api: rely on rcu in tcf_idr_check_alloc Greg Kroah-Hartman
` (171 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stefan Wahren, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Wahren <wahrenst@gmx.net>
[ Upstream commit 2d7198278ece01818cd95a3beffbdf8b2a353fa0 ]
The whole mechanism to remember occurred SPI interrupts is not atomic,
which could lead to unexpected behavior. So fix this by using atomic bit
operations instead.
Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
Link: https://lore.kernel.org/r/20240614145030.7781-1-wahrenst@gmx.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/qualcomm/qca_debug.c | 6 ++----
drivers/net/ethernet/qualcomm/qca_spi.c | 16 ++++++++--------
drivers/net/ethernet/qualcomm/qca_spi.h | 3 +--
3 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/drivers/net/ethernet/qualcomm/qca_debug.c b/drivers/net/ethernet/qualcomm/qca_debug.c
index 8b61bebd96e4b..9819a0c810f5c 100644
--- a/drivers/net/ethernet/qualcomm/qca_debug.c
+++ b/drivers/net/ethernet/qualcomm/qca_debug.c
@@ -111,10 +111,8 @@ qcaspi_info_show(struct seq_file *s, void *what)
seq_printf(s, "IRQ : %d\n",
qca->spi_dev->irq);
- seq_printf(s, "INTR REQ : %u\n",
- qca->intr_req);
- seq_printf(s, "INTR SVC : %u\n",
- qca->intr_svc);
+ seq_printf(s, "INTR : %lx\n",
+ qca->intr);
seq_printf(s, "SPI max speed : %lu\n",
(unsigned long)qca->spi_dev->max_speed_hz);
diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
index e02f6ac0125d1..385e4c62ca03c 100644
--- a/drivers/net/ethernet/qualcomm/qca_spi.c
+++ b/drivers/net/ethernet/qualcomm/qca_spi.c
@@ -49,6 +49,8 @@
#define MAX_DMA_BURST_LEN 5000
+#define SPI_INTR 0
+
/* Modules parameters */
#define QCASPI_CLK_SPEED_MIN 1000000
#define QCASPI_CLK_SPEED_MAX 16000000
@@ -593,14 +595,14 @@ qcaspi_spi_thread(void *data)
continue;
}
- if ((qca->intr_req == qca->intr_svc) &&
+ if (!test_bit(SPI_INTR, &qca->intr) &&
!qca->txr.skb[qca->txr.head])
schedule();
set_current_state(TASK_RUNNING);
- netdev_dbg(qca->net_dev, "have work to do. int: %d, tx_skb: %p\n",
- qca->intr_req - qca->intr_svc,
+ netdev_dbg(qca->net_dev, "have work to do. int: %lu, tx_skb: %p\n",
+ qca->intr,
qca->txr.skb[qca->txr.head]);
qcaspi_qca7k_sync(qca, QCASPI_EVENT_UPDATE);
@@ -614,8 +616,7 @@ qcaspi_spi_thread(void *data)
msleep(QCASPI_QCA7K_REBOOT_TIME_MS);
}
- if (qca->intr_svc != qca->intr_req) {
- qca->intr_svc = qca->intr_req;
+ if (test_and_clear_bit(SPI_INTR, &qca->intr)) {
start_spi_intr_handling(qca, &intr_cause);
if (intr_cause & SPI_INT_CPU_ON) {
@@ -677,7 +678,7 @@ qcaspi_intr_handler(int irq, void *data)
{
struct qcaspi *qca = data;
- qca->intr_req++;
+ set_bit(SPI_INTR, &qca->intr);
if (qca->spi_thread)
wake_up_process(qca->spi_thread);
@@ -693,8 +694,7 @@ qcaspi_netdev_open(struct net_device *dev)
if (!qca)
return -EINVAL;
- qca->intr_req = 1;
- qca->intr_svc = 0;
+ set_bit(SPI_INTR, &qca->intr);
qca->sync = QCASPI_SYNC_UNKNOWN;
qcafrm_fsm_init_spi(&qca->frm_handle);
diff --git a/drivers/net/ethernet/qualcomm/qca_spi.h b/drivers/net/ethernet/qualcomm/qca_spi.h
index 3067356106f0b..58ad910068d4b 100644
--- a/drivers/net/ethernet/qualcomm/qca_spi.h
+++ b/drivers/net/ethernet/qualcomm/qca_spi.h
@@ -93,8 +93,7 @@ struct qcaspi {
struct qcafrm_handle frm_handle;
struct sk_buff *rx_skb;
- unsigned int intr_req;
- unsigned int intr_svc;
+ unsigned long intr;
u16 reset_count;
#ifdef CONFIG_DEBUG_FS
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 193/356] net/sched: act_api: rely on rcu in tcf_idr_check_alloc
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 192/356] qca_spi: Make interrupt remembering atomic Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 194/356] net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() Greg Kroah-Hartman
` (170 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pedro Tammela, Jamal Hadi Salim,
Vlad Buslov, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Tammela <pctammela@mojatatu.com>
[ Upstream commit 4b55e86736d5b492cf689125da2600f59c7d2c39 ]
Instead of relying only on the idrinfo->lock mutex for
bind/alloc logic, rely on a combination of rcu + mutex + atomics
to better scale the case where multiple rtnl-less filters are
binding to the same action object.
Action binding happens when an action index is specified explicitly and
an action exists which such index exists. Example:
tc actions add action drop index 1
tc filter add ... matchall action drop index 1
tc filter add ... matchall action drop index 1
tc filter add ... matchall action drop index 1
tc filter ls ...
filter protocol all pref 49150 matchall chain 0 filter protocol all pref 49150 matchall chain 0 handle 0x1
not_in_hw
action order 1: gact action drop
random type none pass val 0
index 1 ref 4 bind 3
filter protocol all pref 49151 matchall chain 0 filter protocol all pref 49151 matchall chain 0 handle 0x1
not_in_hw
action order 1: gact action drop
random type none pass val 0
index 1 ref 4 bind 3
filter protocol all pref 49152 matchall chain 0 filter protocol all pref 49152 matchall chain 0 handle 0x1
not_in_hw
action order 1: gact action drop
random type none pass val 0
index 1 ref 4 bind 3
When no index is specified, as before, grab the mutex and allocate
in the idr the next available id. In this version, as opposed to before,
it's simplified to store the -EBUSY pointer instead of the previous
alloc + replace combination.
When an index is specified, rely on rcu to find if there's an object in
such index. If there's none, fallback to the above, serializing on the
mutex and reserving the specified id. If there's one, it can be an -EBUSY
pointer, in which case we just try again until it's an action, or an action.
Given the rcu guarantees, the action found could be dead and therefore
we need to bump the refcount if it's not 0, handling the case it's
in fact 0.
As bind and the action refcount are already atomics, these increments can
happen without the mutex protection while many tcf_idr_check_alloc race
to bind to the same action instance.
In case binding encounters a parallel delete or add, it will return
-EAGAIN in order to try again. Both filter and action apis already
have the retry machinery in-place. In case it's an unlocked filter it
retries under the rtnl lock.
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
Link: https://lore.kernel.org/r/20231211181807.96028-2-pctammela@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: d864319871b0 ("net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_api.c | 65 ++++++++++++++++++++++++++++++---------------
1 file changed, 43 insertions(+), 22 deletions(-)
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index d775676956bf9..c029ffd491c1a 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -555,6 +555,9 @@ EXPORT_SYMBOL(tcf_idr_cleanup);
* its reference and bind counters, and return 1. Otherwise insert temporary
* error pointer (to prevent concurrent users from inserting actions with same
* index) and return 0.
+ *
+ * May return -EAGAIN for binding actions in case of a parallel add/delete on
+ * the requested index.
*/
int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
@@ -563,43 +566,61 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
struct tcf_idrinfo *idrinfo = tn->idrinfo;
struct tc_action *p;
int ret;
+ u32 max;
-again:
- mutex_lock(&idrinfo->lock);
if (*index) {
+again:
+ rcu_read_lock();
p = idr_find(&idrinfo->action_idr, *index);
+
if (IS_ERR(p)) {
/* This means that another process allocated
* index but did not assign the pointer yet.
*/
- mutex_unlock(&idrinfo->lock);
+ rcu_read_unlock();
goto again;
}
- if (p) {
- refcount_inc(&p->tcfa_refcnt);
- if (bind)
- atomic_inc(&p->tcfa_bindcnt);
- *a = p;
- ret = 1;
- } else {
- *a = NULL;
- ret = idr_alloc_u32(&idrinfo->action_idr, NULL, index,
- *index, GFP_KERNEL);
- if (!ret)
- idr_replace(&idrinfo->action_idr,
- ERR_PTR(-EBUSY), *index);
+ if (!p) {
+ /* Empty slot, try to allocate it */
+ max = *index;
+ rcu_read_unlock();
+ goto new;
+ }
+
+ if (!refcount_inc_not_zero(&p->tcfa_refcnt)) {
+ /* Action was deleted in parallel */
+ rcu_read_unlock();
+ return -EAGAIN;
}
+
+ if (bind)
+ atomic_inc(&p->tcfa_bindcnt);
+ *a = p;
+
+ rcu_read_unlock();
+
+ return 1;
} else {
+ /* Find a slot */
*index = 1;
- *a = NULL;
- ret = idr_alloc_u32(&idrinfo->action_idr, NULL, index,
- UINT_MAX, GFP_KERNEL);
- if (!ret)
- idr_replace(&idrinfo->action_idr, ERR_PTR(-EBUSY),
- *index);
+ max = UINT_MAX;
}
+
+new:
+ *a = NULL;
+
+ mutex_lock(&idrinfo->lock);
+ ret = idr_alloc_u32(&idrinfo->action_idr, ERR_PTR(-EBUSY), index, max,
+ GFP_KERNEL);
mutex_unlock(&idrinfo->lock);
+
+ /* N binds raced for action allocation,
+ * retry for all the ones that failed.
+ */
+ if (ret == -ENOSPC && *index == max)
+ ret = -EAGAIN;
+
return ret;
}
EXPORT_SYMBOL(tcf_idr_check_alloc);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 194/356] net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 193/356] net/sched: act_api: rely on rcu in tcf_idr_check_alloc Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 195/356] tipc: force a dst refcount before doing decryption Greg Kroah-Hartman
` (169 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b87c222546179f4513a7,
David Ruth, Jamal Hadi Salim, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Ruth <druth@chromium.org>
[ Upstream commit d864319871b05fadd153e0aede4811ca7008f5d6 ]
syzbot found hanging tasks waiting on rtnl_lock [1]
A reproducer is available in the syzbot bug.
When a request to add multiple actions with the same index is sent, the
second request will block forever on the first request. This holds
rtnl_lock, and causes tasks to hang.
Return -EAGAIN to prevent infinite looping, while keeping documented
behavior.
[1]
INFO: task kworker/1:0:5088 blocked for more than 143 seconds.
Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000
Workqueue: events_power_efficient reg_check_chans_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0xf15/0x5d00 kernel/sched/core.c:6746
__schedule_loop kernel/sched/core.c:6823 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6838
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
wiphy_lock include/net/cfg80211.h:5953 [inline]
reg_leave_invalid_chans net/wireless/reg.c:2466 [inline]
reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481
Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action")
Reported-by: syzbot+b87c222546179f4513a7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b87c222546179f4513a7
Signed-off-by: David Ruth <druth@chromium.org>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20240614190326.1349786-1-druth@chromium.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_api.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index c029ffd491c1a..0b4deb33bdf7a 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -569,7 +569,6 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
u32 max;
if (*index) {
-again:
rcu_read_lock();
p = idr_find(&idrinfo->action_idr, *index);
@@ -578,7 +577,7 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
* index but did not assign the pointer yet.
*/
rcu_read_unlock();
- goto again;
+ return -EAGAIN;
}
if (!p) {
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 195/356] tipc: force a dst refcount before doing decryption
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 194/356] net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 196/356] net/sched: act_ct: set net pointer when creating new nf_flow_table Greg Kroah-Hartman
` (168 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuang Li, Xin Long, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 2ebe8f840c7450ecbfca9d18ac92e9ce9155e269 ]
As it says in commit 3bc07321ccc2 ("xfrm: Force a dst refcount before
entering the xfrm type handlers"):
"Crypto requests might return asynchronous. In this case we leave the
rcu protected region, so force a refcount on the skb's destination
entry before we enter the xfrm type input/output handlers."
On TIPC decryption path it has the same problem, and skb_dst_force()
should be called before doing decryption to avoid a possible crash.
Shuang reported this issue when this warning is triggered:
[] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]
[] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug
[] Workqueue: crypto cryptd_queue_worker
[] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]
[] Call Trace:
[] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]
[] tipc_rcv+0xcf5/0x1060 [tipc]
[] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]
[] cryptd_aead_crypt+0xdb/0x190
[] cryptd_queue_worker+0xed/0x190
[] process_one_work+0x93d/0x17e0
Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/fbe3195fad6997a4eec62d9bf076b2ad03ac336b.1718476040.git.lucien.xin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/node.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/node.c b/net/tipc/node.c
index a9c5b6594889b..cf9d9f9b97844 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -2107,6 +2107,7 @@ void tipc_rcv(struct net *net, struct sk_buff *skb, struct tipc_bearer *b)
} else {
n = tipc_node_find_by_id(net, ehdr->id);
}
+ skb_dst_force(skb);
tipc_crypto_rcv(net, (n) ? n->crypto_rx : NULL, &skb, b);
if (!skb)
return;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 196/356] net/sched: act_ct: set net pointer when creating new nf_flow_table
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 195/356] tipc: force a dst refcount before doing decryption Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 197/356] sched: act_ct: add netns into the key of tcf_ct_flow_table Greg Kroah-Hartman
` (167 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vlad Buslov, Oz Shlomo,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlad Buslov <vladbu@nvidia.com>
[ Upstream commit fc54d9065f90dd25063883f404e6ff9a76913e73 ]
Following patches in series use the pointer to access flow table offload
debug variables.
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 88c67aeb1407 ("sched: act_ct: add netns into the key of tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_ct.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index b4c42b257ae7c..0307b4366db10 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -276,7 +276,7 @@ static struct nf_flowtable_type flowtable_ct = {
.owner = THIS_MODULE,
};
-static int tcf_ct_flow_table_get(struct tcf_ct_params *params)
+static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
{
struct tcf_ct_flow_table *ct_ft;
int err = -ENOMEM;
@@ -302,6 +302,7 @@ static int tcf_ct_flow_table_get(struct tcf_ct_params *params)
err = nf_flow_table_init(&ct_ft->nf_ft);
if (err)
goto err_init;
+ write_pnet(&ct_ft->nf_ft.net, net);
__module_get(THIS_MODULE);
out_unlock:
@@ -1304,7 +1305,7 @@ static int tcf_ct_init(struct net *net, struct nlattr *nla,
if (err)
goto cleanup;
- err = tcf_ct_flow_table_get(params);
+ err = tcf_ct_flow_table_get(net, params);
if (err)
goto cleanup_params;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 197/356] sched: act_ct: add netns into the key of tcf_ct_flow_table
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 196/356] net/sched: act_ct: set net pointer when creating new nf_flow_table Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 198/356] ptp: fix integer overflow in max_vclocks_store Greg Kroah-Hartman
` (166 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuang Li, Xin Long, Simon Horman,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 88c67aeb14070bab61d3dd8be96c8b42ebcaf53a ]
zones_ht is a global hashtable for flow_table with zone as key. However,
it does not consider netns when getting a flow_table from zones_ht in
tcf_ct_init(), and it means an act_ct action in netns A may get a
flow_table that belongs to netns B if it has the same zone value.
In Shuang's test with the TOPO:
tcf2_c <---> tcf2_sw1 <---> tcf2_sw2 <---> tcf2_s
tcf2_sw1 and tcf2_sw2 saw the same flow and used the same flow table,
which caused their ct entries entering unexpected states and the
TCP connection not able to end normally.
This patch fixes the issue simply by adding netns into the key of
tcf_ct_flow_table so that an act_ct action gets a flow_table that
belongs to its own netns in tcf_ct_init().
Note that for easy coding we don't use tcf_ct_flow_table.nf_ft.net,
as the ct_ft is initialized after inserting it to the hashtable in
tcf_ct_flow_table_get() and also it requires to implement several
functions in rhashtable_params including hashfn, obj_hashfn and
obj_cmpfn.
Fixes: 64ff70b80fd4 ("net/sched: act_ct: Offload established connections to flow table")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/1db5b6cc6902c5fc6f8c6cbd85494a2008087be5.1718488050.git.lucien.xin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_ct.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 0307b4366db10..5319de38cc6df 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -38,21 +38,26 @@ static struct workqueue_struct *act_ct_wq;
static struct rhashtable zones_ht;
static DEFINE_MUTEX(zones_mutex);
+struct zones_ht_key {
+ struct net *net;
+ u16 zone;
+};
+
struct tcf_ct_flow_table {
struct rhash_head node; /* In zones tables */
struct rcu_work rwork;
struct nf_flowtable nf_ft;
refcount_t ref;
- u16 zone;
+ struct zones_ht_key key;
bool dying;
};
static const struct rhashtable_params zones_params = {
.head_offset = offsetof(struct tcf_ct_flow_table, node),
- .key_offset = offsetof(struct tcf_ct_flow_table, zone),
- .key_len = sizeof_field(struct tcf_ct_flow_table, zone),
+ .key_offset = offsetof(struct tcf_ct_flow_table, key),
+ .key_len = sizeof_field(struct tcf_ct_flow_table, key),
.automatic_shrinking = true,
};
@@ -278,11 +283,12 @@ static struct nf_flowtable_type flowtable_ct = {
static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
{
+ struct zones_ht_key key = { .net = net, .zone = params->zone };
struct tcf_ct_flow_table *ct_ft;
int err = -ENOMEM;
mutex_lock(&zones_mutex);
- ct_ft = rhashtable_lookup_fast(&zones_ht, ¶ms->zone, zones_params);
+ ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params);
if (ct_ft && refcount_inc_not_zero(&ct_ft->ref))
goto out_unlock;
@@ -291,7 +297,7 @@ static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
goto err_alloc;
refcount_set(&ct_ft->ref, 1);
- ct_ft->zone = params->zone;
+ ct_ft->key = key;
err = rhashtable_insert_fast(&zones_ht, &ct_ft->node, zones_params);
if (err)
goto err_insert;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 198/356] ptp: fix integer overflow in max_vclocks_store
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 197/356] sched: act_ct: add netns into the key of tcf_ct_flow_table Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 199/356] net: stmmac: No need to calculate speed divider when offload is disabled Greg Kroah-Hartman
` (165 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Wojciech Drewek,
Jiri Pirko, Heng Qi, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 81d23d2a24012e448f651e007fac2cfd20a45ce0 ]
On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc()
to do the allocation to prevent this.
Fixes: 44c494c8e30e ("ptp: track available ptp vclocks information")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Heng Qi <hengqi@linux.alibaba.com>
Link: https://lore.kernel.org/r/ee8110ed-6619-4bd7-9024-28c1f2ac24f4@moroto.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ptp/ptp_sysfs.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
index 0bdfdd4bb0fa2..be58d5257bcb6 100644
--- a/drivers/ptp/ptp_sysfs.c
+++ b/drivers/ptp/ptp_sysfs.c
@@ -280,8 +280,7 @@ static ssize_t max_vclocks_store(struct device *dev,
if (max < ptp->n_vclocks)
goto out;
- size = sizeof(int) * max;
- vclock_index = kzalloc(size, GFP_KERNEL);
+ vclock_index = kcalloc(max, sizeof(int), GFP_KERNEL);
if (!vclock_index) {
err = -ENOMEM;
goto out;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 199/356] net: stmmac: No need to calculate speed divider when offload is disabled
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 198/356] ptp: fix integer overflow in max_vclocks_store Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 200/356] virtio_net: checksum offloading handling fix Greg Kroah-Hartman
` (164 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaolei Wang, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaolei Wang <xiaolei.wang@windriver.com>
[ Upstream commit b8c43360f6e424131fa81d3ba8792ad8ff25a09e ]
commit be27b8965297 ("net: stmmac: replace priv->speed with
the portTransmitRate from the tc-cbs parameters") introduced
a problem. When deleting, it prompts "Invalid portTransmitRate
0 (idleSlope - sendSlope)" and exits. Add judgment on cbs.enable.
Only when offload is enabled, speed divider needs to be calculated.
Fixes: be27b8965297 ("net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters")
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240617013922.1035854-1-xiaolei.wang@windriver.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/stmicro/stmmac/stmmac_tc.c | 40 ++++++++++---------
1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
index a9b5f5ad1bac4..b1a5a02bef08e 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
@@ -356,24 +356,28 @@ static int tc_setup_cbs(struct stmmac_priv *priv,
port_transmit_rate_kbps = qopt->idleslope - qopt->sendslope;
- /* Port Transmit Rate and Speed Divider */
- switch (div_s64(port_transmit_rate_kbps, 1000)) {
- case SPEED_10000:
- case SPEED_5000:
- ptr = 32;
- break;
- case SPEED_2500:
- case SPEED_1000:
- ptr = 8;
- break;
- case SPEED_100:
- ptr = 4;
- break;
- default:
- netdev_err(priv->dev,
- "Invalid portTransmitRate %lld (idleSlope - sendSlope)\n",
- port_transmit_rate_kbps);
- return -EINVAL;
+ if (qopt->enable) {
+ /* Port Transmit Rate and Speed Divider */
+ switch (div_s64(port_transmit_rate_kbps, 1000)) {
+ case SPEED_10000:
+ case SPEED_5000:
+ ptr = 32;
+ break;
+ case SPEED_2500:
+ case SPEED_1000:
+ ptr = 8;
+ break;
+ case SPEED_100:
+ ptr = 4;
+ break;
+ default:
+ netdev_err(priv->dev,
+ "Invalid portTransmitRate %lld (idleSlope - sendSlope)\n",
+ port_transmit_rate_kbps);
+ return -EINVAL;
+ }
+ } else {
+ ptr = 0;
}
mode_to_use = priv->plat->tx_queues_cfg[queue].mode_to_use;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 200/356] virtio_net: checksum offloading handling fix
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 199/356] net: stmmac: No need to calculate speed divider when offload is disabled Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 201/356] octeontx2-pf: Add error handling to VLAN unoffload handling Greg Kroah-Hartman
` (163 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heng Qi, Jiri Pirko, Jason Wang,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heng Qi <hengqi@linux.alibaba.com>
[ Upstream commit 604141c036e1b636e2a71cf6e1aa09d1e45f40c2 ]
In virtio spec 0.95, VIRTIO_NET_F_GUEST_CSUM was designed to handle
partially checksummed packets, and the validation of fully checksummed
packets by the device is independent of VIRTIO_NET_F_GUEST_CSUM
negotiation. However, the specification erroneously stated:
"If VIRTIO_NET_F_GUEST_CSUM is not negotiated, the device MUST set flags
to zero and SHOULD supply a fully checksummed packet to the driver."
This statement is inaccurate because even without VIRTIO_NET_F_GUEST_CSUM
negotiation, the device can still set the VIRTIO_NET_HDR_F_DATA_VALID flag.
Essentially, the device can facilitate the validation of these packets'
checksums - a process known as RX checksum offloading - removing the need
for the driver to do so.
This scenario is currently not implemented in the driver and requires
correction. The necessary specification correction[1] has been made and
approved in the virtio TC vote.
[1] https://lists.oasis-open.org/archives/virtio-comment/202401/msg00011.html
Fixes: 4f49129be6fa ("virtio-net: Set RXCSUM feature if GUEST_CSUM is available")
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/virtio_net.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 6a655bd442fe3..bd0cb3a03b7b2 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -3211,8 +3211,16 @@ static int virtnet_probe(struct virtio_device *vdev)
dev->features |= dev->hw_features & NETIF_F_ALL_TSO;
/* (!csum && gso) case will be fixed by register_netdev() */
}
- if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM))
- dev->features |= NETIF_F_RXCSUM;
+
+ /* 1. With VIRTIO_NET_F_GUEST_CSUM negotiation, the driver doesn't
+ * need to calculate checksums for partially checksummed packets,
+ * as they're considered valid by the upper layer.
+ * 2. Without VIRTIO_NET_F_GUEST_CSUM negotiation, the driver only
+ * receives fully checksummed packets. The device may assist in
+ * validating these packets' checksums, so the driver won't have to.
+ */
+ dev->features |= NETIF_F_RXCSUM;
+
if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) ||
virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6))
dev->features |= NETIF_F_GRO_HW;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 201/356] octeontx2-pf: Add error handling to VLAN unoffload handling
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 200/356] virtio_net: checksum offloading handling fix Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 202/356] netfilter: ipset: Fix suspicious rcu_dereference_protected() Greg Kroah-Hartman
` (162 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, David S. Miller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Horman <horms@kernel.org>
[ Upstream commit b95a4afe2defd6f46891985f9436a568cd35a31c ]
otx2_sq_append_skb makes used of __vlan_hwaccel_push_inside()
to unoffload VLANs - push them from skb meta data into skb data.
However, it omitts a check for __vlan_hwaccel_push_inside()
returning NULL.
Found by inspection based on [1] and [2].
Compile tested only.
[1] Re: [PATCH net-next v1] net: stmmac: Enable TSO on VLANs
https://lore.kernel.org/all/ZmrN2W8Fye450TKs@shell.armlinux.org.uk/
[2] Re: [PATCH net-next v2] net: stmmac: Enable TSO on VLANs
https://lore.kernel.org/all/CANn89i+11L5=tKsa7V7Aeyxaj6nYGRwy35PAbCRYJ73G+b25sg@mail.gmail.com/
Fixes: fd9d7859db6c ("octeontx2-pf: Implement ingress/egress VLAN offload")
Signed-off-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
index d1e3928a24f5c..761eb8671096e 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
@@ -933,8 +933,11 @@ bool otx2_sq_append_skb(struct net_device *netdev, struct otx2_snd_queue *sq,
if (skb_shinfo(skb)->gso_size && !is_hw_tso_supported(pfvf, skb)) {
/* Insert vlan tag before giving pkt to tso */
- if (skb_vlan_tag_present(skb))
+ if (skb_vlan_tag_present(skb)) {
skb = __vlan_hwaccel_push_inside(skb);
+ if (!skb)
+ return true;
+ }
otx2_sq_append_tso(pfvf, sq, skb, qidx);
return true;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 202/356] netfilter: ipset: Fix suspicious rcu_dereference_protected()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 201/356] octeontx2-pf: Add error handling to VLAN unoffload handling Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 203/356] seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors Greg Kroah-Hartman
` (161 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b62c37cdd58103293a5a,
syzbot+cfbe1da5fdfc39efc293, kernel test robot, Jozsef Kadlecsik,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jozsef Kadlecsik <kadlec@netfilter.org>
[ Upstream commit 8ecd06277a7664f4ef018abae3abd3451d64e7a6 ]
When destroying all sets, we are either in pernet exit phase or
are executing a "destroy all sets command" from userspace. The latter
was taken into account in ip_set_dereference() (nfnetlink mutex is held),
but the former was not. The patch adds the required check to
rcu_dereference_protected() in ip_set_dereference().
Fixes: 4e7aaa6b82d6 ("netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type")
Reported-by: syzbot+b62c37cdd58103293a5a@syzkaller.appspotmail.com
Reported-by: syzbot+cfbe1da5fdfc39efc293@syzkaller.appspotmail.com
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202406141556.e0b6f17e-lkp@intel.com
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/ipset/ip_set_core.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 8819c28a0e491..f2f6b7325c706 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -53,12 +53,13 @@ MODULE_DESCRIPTION("core IP set support");
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
/* When the nfnl mutex or ip_set_ref_lock is held: */
-#define ip_set_dereference(p) \
- rcu_dereference_protected(p, \
+#define ip_set_dereference(inst) \
+ rcu_dereference_protected((inst)->ip_set_list, \
lockdep_nfnl_is_held(NFNL_SUBSYS_IPSET) || \
- lockdep_is_held(&ip_set_ref_lock))
+ lockdep_is_held(&ip_set_ref_lock) || \
+ (inst)->is_deleted)
#define ip_set(inst, id) \
- ip_set_dereference((inst)->ip_set_list)[id]
+ ip_set_dereference(inst)[id]
#define ip_set_ref_netlink(inst,id) \
rcu_dereference_raw((inst)->ip_set_list)[id]
#define ip_set_dereference_nfnl(p) \
@@ -1135,7 +1136,7 @@ static int ip_set_create(struct sk_buff *skb, const struct nfnl_info *info,
if (!list)
goto cleanup;
/* nfnl mutex is held, both lists are valid */
- tmp = ip_set_dereference(inst->ip_set_list);
+ tmp = ip_set_dereference(inst);
memcpy(list, tmp, sizeof(struct ip_set *) * inst->ip_set_max);
rcu_assign_pointer(inst->ip_set_list, list);
/* Make sure all current packets have passed through */
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 203/356] seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 202/356] netfilter: ipset: Fix suspicious rcu_dereference_protected() Greg Kroah-Hartman
@ 2024-07-03 10:38 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 204/356] bnxt_en: Restore PTP tx_avail count in case of skb_pad() error Greg Kroah-Hartman
` (160 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianguo Wu, Simon Horman,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianguo Wu <wujianguo@chinatelecom.cn>
[ Upstream commit 9a3bc8d16e0aacd65c31aaf23a2bced3288a7779 ]
input_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for
PREROUTING hook, in PREROUTING hook, we should passing a valid indev,
and a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer
dereference, as below:
[74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090
[74830.655633] #PF: supervisor read access in kernel mode
[74830.657888] #PF: error_code(0x0000) - not-present page
[74830.659500] PGD 0 P4D 0
[74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI
...
[74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]
...
[74830.689725] Call Trace:
[74830.690402] <IRQ>
[74830.690953] ? show_trace_log_lvl+0x1c4/0x2df
[74830.692020] ? show_trace_log_lvl+0x1c4/0x2df
[74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]
[74830.694275] ? __die_body.cold+0x8/0xd
[74830.695205] ? page_fault_oops+0xac/0x140
[74830.696244] ? exc_page_fault+0x62/0x150
[74830.697225] ? asm_exc_page_fault+0x22/0x30
[74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]
[74830.699540] ipt_do_table+0x286/0x710 [ip_tables]
[74830.700758] ? ip6_route_input+0x19d/0x240
[74830.701752] nf_hook_slow+0x3f/0xb0
[74830.702678] input_action_end_dx4+0x19b/0x1e0
[74830.703735] ? input_action_end_t+0xe0/0xe0
[74830.704734] seg6_local_input_core+0x2d/0x60
[74830.705782] lwtunnel_input+0x5b/0xb0
[74830.706690] __netif_receive_skb_one_core+0x63/0xa0
[74830.707825] process_backlog+0x99/0x140
[74830.709538] __napi_poll+0x2c/0x160
[74830.710673] net_rx_action+0x296/0x350
[74830.711860] __do_softirq+0xcb/0x2ac
[74830.713049] do_softirq+0x63/0x90
input_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally
trigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():
static bool
rpfilter_is_loopback(const struct sk_buff *skb,
const struct net_device *in)
{
// in is NULL
return skb->pkt_type == PACKET_LOOPBACK ||
in->flags & IFF_LOOPBACK;
}
Fixes: 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane")
Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/seg6_local.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
index 59454285d5c58..f15f3cb1d5ec2 100644
--- a/net/ipv6/seg6_local.c
+++ b/net/ipv6/seg6_local.c
@@ -427,8 +427,8 @@ static int input_action_end_dx6(struct sk_buff *skb,
if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled))
return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING,
- dev_net(skb->dev), NULL, skb, NULL,
- skb_dst(skb)->dev, input_action_end_dx6_finish);
+ dev_net(skb->dev), NULL, skb, skb->dev,
+ NULL, input_action_end_dx6_finish);
return input_action_end_dx6_finish(dev_net(skb->dev), NULL, skb);
drop:
@@ -477,8 +477,8 @@ static int input_action_end_dx4(struct sk_buff *skb,
if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled))
return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING,
- dev_net(skb->dev), NULL, skb, NULL,
- skb_dst(skb)->dev, input_action_end_dx4_finish);
+ dev_net(skb->dev), NULL, skb, skb->dev,
+ NULL, input_action_end_dx4_finish);
return input_action_end_dx4_finish(dev_net(skb->dev), NULL, skb);
drop:
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 204/356] bnxt_en: Restore PTP tx_avail count in case of skb_pad() error
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2024-07-03 10:38 ` [PATCH 5.15 203/356] seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 205/356] net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings Greg Kroah-Hartman
` (159 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Gospodarek, Pavan Chebbi,
Michael Chan, Simon Horman, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavan Chebbi <pavan.chebbi@broadcom.com>
[ Upstream commit 1e7962114c10957fe4d10a15eb714578a394e90b ]
The current code only restores PTP tx_avail count when we get DMA
mapping errors. Fix it so that the PTP tx_avail count will be
restored for both DMA mapping errors and skb_pad() errors.
Otherwise PTP TX timestamp will not be available after a PTP
packet hits the skb_pad() error.
Fixes: 83bb623c968e ("bnxt_en: Transmit and retrieve packet timestamps")
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240618215313.29631-4-michael.chan@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 3888561a5cc8f..f3c6a122a079a 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -667,9 +667,6 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
return NETDEV_TX_OK;
tx_dma_error:
- if (BNXT_TX_PTP_IS_SET(lflags))
- atomic_inc(&bp->ptp_cfg->tx_avail);
-
last_frag = i;
/* start back at beginning and unmap skb */
@@ -691,6 +688,8 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
tx_free:
dev_kfree_skb_any(skb);
tx_kick_pending:
+ if (BNXT_TX_PTP_IS_SET(lflags))
+ atomic_inc(&bp->ptp_cfg->tx_avail);
if (txr->kick_pending)
bnxt_txr_db_kick(bp, txr, txr->tx_prod);
txr->tx_buf_ring[txr->tx_prod].skb = NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 205/356] net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 204/356] bnxt_en: Restore PTP tx_avail count in case of skb_pad() error Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 206/356] regulator: core: Fix modpost error "regulator_get_regmap" undefined Greg Kroah-Hartman
` (158 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5186630949e3c55f0799,
Oliver Neukum, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit fba383985354e83474f95f36d7c65feb75dba19d ]
This functions retrieves values by passing a pointer. As the function
that retrieves them can fail before touching the pointers, the variables
must be initialized.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+5186630949e3c55f0799@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20240619132816.11526-1-oneukum@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 4a1b0e0fc3a3a..17b87aba11d19 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -778,7 +778,8 @@ static int rtl8150_get_link_ksettings(struct net_device *netdev,
struct ethtool_link_ksettings *ecmd)
{
rtl8150_t *dev = netdev_priv(netdev);
- short lpa, bmcr;
+ short lpa = 0;
+ short bmcr = 0;
u32 supported;
supported = (SUPPORTED_10baseT_Half |
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 206/356] regulator: core: Fix modpost error "regulator_get_regmap" undefined
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 205/356] net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 207/356] dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Greg Kroah-Hartman
` (157 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Biju Das,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit 3f60497c658d2072714d097a177612d34b34aa3d ]
Fix the modpost error "regulator_get_regmap" undefined by adding export
symbol.
Fixes: 04eca28cde52 ("regulator: Add helpers for low-level register access")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202406110117.mk5UR3VZ-lkp@intel.com
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Link: https://lore.kernel.org/r/20240610195532.175942-1-biju.das.jz@bp.renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index d6febb9ec60d9..879f4a77e91db 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -3297,6 +3297,7 @@ struct regmap *regulator_get_regmap(struct regulator *regulator)
return map ? map : ERR_PTR(-EOPNOTSUPP);
}
+EXPORT_SYMBOL_GPL(regulator_get_regmap);
/**
* regulator_get_hardware_vsel_register - get the HW voltage selector register
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 207/356] dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 206/356] regulator: core: Fix modpost error "regulator_get_regmap" undefined Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 208/356] dmaengine: ioat: switch from pci_ to dma_ API Greg Kroah-Hartman
` (156 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li RongQing, Dave Jiang, Fenghua Yu,
Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li RongQing <lirongqing@baidu.com>
[ Upstream commit e3215deca4520773cd2b155bed164c12365149a7 ]
Use list_for_each_entry_safe() to allow iterating through the list and
deleting the entry in the iteration process. The descriptor is freed via
idxd_desc_complete() and there's a slight chance may cause issue for
the list iterator when the descriptor is reused by another thread
without it being deleted from the list.
Fixes: 16e19e11228b ("dmaengine: idxd: Fix list corruption in description completion")
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Reviewed-by: Fenghua Yu <fenghua.yu@intel.com>
Link: https://lore.kernel.org/r/20240603012444.11902-1-lirongqing@baidu.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/idxd/irq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c
index 6d6af0dc3c0ec..1296076ea217c 100644
--- a/drivers/dma/idxd/irq.c
+++ b/drivers/dma/idxd/irq.c
@@ -233,11 +233,13 @@ static void irq_process_work_list(struct idxd_irq_entry *irq_entry)
spin_unlock(&irq_entry->list_lock);
- list_for_each_entry(desc, &flist, list) {
+ list_for_each_entry_safe(desc, n, &flist, list) {
/*
* Check against the original status as ABORT is software defined
* and 0xff, which DSA_COMP_STATUS_MASK can mask out.
*/
+ list_del(&desc->list);
+
if (unlikely(desc->completion->status == IDXD_COMP_DESC_ABORT)) {
complete_desc(desc, IDXD_COMPLETE_ABORT);
continue;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 208/356] dmaengine: ioat: switch from pci_ to dma_ API
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 207/356] dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 209/356] dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting() Greg Kroah-Hartman
` (155 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qing Wang, Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qing Wang <wangqing@vivo.com>
[ Upstream commit 0c5afef7bf1fbda7e7883dc4b93f64f90003706f ]
The wrappers in include/linux/pci-dma-compat.h should go away.
pci_set_dma_mask()/pci_set_consistent_dma_mask() should be
replaced with dma_set_mask()/dma_set_coherent_mask(),
and use dma_set_mask_and_coherent() for both.
Signed-off-by: Qing Wang <wangqing@vivo.com>
Link: https://lore.kernel.org/r/1633663733-47199-3-git-send-email-wangqing@vivo.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Stable-dep-of: 1b11b4ef6bd6 ("dmaengine: ioatdma: Fix leaking on version mismatch")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ioat/init.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/drivers/dma/ioat/init.c b/drivers/dma/ioat/init.c
index 191b592790073..373b8dac6c9ba 100644
--- a/drivers/dma/ioat/init.c
+++ b/drivers/dma/ioat/init.c
@@ -1363,15 +1363,9 @@ static int ioat_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
if (!iomap)
return -ENOMEM;
- err = pci_set_dma_mask(pdev, DMA_BIT_MASK(64));
+ err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64));
if (err)
- err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32));
- if (err)
- return err;
-
- err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64));
- if (err)
- err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(32));
+ err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32));
if (err)
return err;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 209/356] dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 208/356] dmaengine: ioat: switch from pci_ to dma_ API Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 210/356] dmaengine: ioatdma: Fix leaking on version mismatch Greg Kroah-Hartman
` (154 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Dave Jiang,
Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
[ Upstream commit e32622f84ae289dc7a04e9f01cd62cb914fdc5c6 ]
pci_enable_pcie_error_reporting() enables the device to send ERR_*
Messages. Since f26e58bf6f54 ("PCI/AER: Enable error reporting when AER is
native"), the PCI core does this for all devices during enumeration, so the
driver doesn't need to do it itself.
Remove the redundant pci_enable_pcie_error_reporting() call from the
driver. Also remove the corresponding pci_disable_pcie_error_reporting()
from the driver .remove() path.
Note that this only controls ERR_* Messages from the device. An ERR_*
Message may cause the Root Port to generate an interrupt, depending on the
AER Root Error Command register managed by the AER service driver.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20230307192655.874008-2-helgaas@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Stable-dep-of: 1b11b4ef6bd6 ("dmaengine: ioatdma: Fix leaking on version mismatch")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ioat/init.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/drivers/dma/ioat/init.c b/drivers/dma/ioat/init.c
index 373b8dac6c9ba..783d4e740f115 100644
--- a/drivers/dma/ioat/init.c
+++ b/drivers/dma/ioat/init.c
@@ -15,7 +15,6 @@
#include <linux/workqueue.h>
#include <linux/prefetch.h>
#include <linux/dca.h>
-#include <linux/aer.h>
#include <linux/sizes.h>
#include "dma.h"
#include "registers.h"
@@ -1382,15 +1381,11 @@ static int ioat_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
if (is_skx_ioat(pdev))
device->version = IOAT_VER_3_2;
err = ioat3_dma_probe(device, ioat_dca_enabled);
-
- if (device->version >= IOAT_VER_3_3)
- pci_enable_pcie_error_reporting(pdev);
} else
return -ENODEV;
if (err) {
dev_err(dev, "Intel(R) I/OAT DMA Engine init failed\n");
- pci_disable_pcie_error_reporting(pdev);
return -ENODEV;
}
@@ -1413,7 +1408,6 @@ static void ioat_remove(struct pci_dev *pdev)
device->dca = NULL;
}
- pci_disable_pcie_error_reporting(pdev);
ioat_dma_remove(device);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 210/356] dmaengine: ioatdma: Fix leaking on version mismatch
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 209/356] dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting() Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 211/356] dmaengine: ioat: use PCI core macros for PCIe Capability Greg Kroah-Hartman
` (153 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikita Shubin, Dave Jiang,
Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Shubin <n.shubin@yadro.com>
[ Upstream commit 1b11b4ef6bd68591dcaf8423c7d05e794e6aec6f ]
Fix leaking ioatdma_device if I/OAT version is less than IOAT_VER_3_0.
Fixes: bf453a0a18b2 ("dmaengine: ioat: Support in-use unbind")
Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20240528-ioatdma-fixes-v2-1-a9f2fbe26ab1@yadro.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ioat/init.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/drivers/dma/ioat/init.c b/drivers/dma/ioat/init.c
index 783d4e740f115..6c27980a5ec8f 100644
--- a/drivers/dma/ioat/init.c
+++ b/drivers/dma/ioat/init.c
@@ -1349,6 +1349,7 @@ static int ioat_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
void __iomem * const *iomap;
struct device *dev = &pdev->dev;
struct ioatdma_device *device;
+ u8 version;
int err;
err = pcim_enable_device(pdev);
@@ -1362,6 +1363,10 @@ static int ioat_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
if (!iomap)
return -ENOMEM;
+ version = readb(iomap[IOAT_MMIO_BAR] + IOAT_VER_OFFSET);
+ if (version < IOAT_VER_3_0)
+ return -ENODEV;
+
err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64));
if (err)
err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32));
@@ -1374,16 +1379,14 @@ static int ioat_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
pci_set_master(pdev);
pci_set_drvdata(pdev, device);
- device->version = readb(device->reg_base + IOAT_VER_OFFSET);
+ device->version = version;
if (device->version >= IOAT_VER_3_4)
ioat_dca_enabled = 0;
- if (device->version >= IOAT_VER_3_0) {
- if (is_skx_ioat(pdev))
- device->version = IOAT_VER_3_2;
- err = ioat3_dma_probe(device, ioat_dca_enabled);
- } else
- return -ENODEV;
+ if (is_skx_ioat(pdev))
+ device->version = IOAT_VER_3_2;
+
+ err = ioat3_dma_probe(device, ioat_dca_enabled);
if (err) {
dev_err(dev, "Intel(R) I/OAT DMA Engine init failed\n");
return -ENODEV;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 211/356] dmaengine: ioat: use PCI core macros for PCIe Capability
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 210/356] dmaengine: ioatdma: Fix leaking on version mismatch Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 212/356] dmaengine: ioatdma: Fix error path in ioat3_dma_probe() Greg Kroah-Hartman
` (152 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Dave Jiang,
Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
[ Upstream commit 8f6707d0773be31972768abd6e0bf7b8515b5b1a ]
The PCIe Capability is defined by the PCIe spec, so use the PCI_EXP_DEVCTL
macros defined by the PCI core instead of defining copies in IOAT. This
makes it easier to find all uses of the PCIe Device Control register. No
functional change intended.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20230307214615.887354-1-helgaas@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Stable-dep-of: f0dc9fda2e0e ("dmaengine: ioatdma: Fix error path in ioat3_dma_probe()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ioat/init.c | 6 +++---
drivers/dma/ioat/registers.h | 7 -------
2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/drivers/dma/ioat/init.c b/drivers/dma/ioat/init.c
index 6c27980a5ec8f..ed4910e3bc2ac 100644
--- a/drivers/dma/ioat/init.c
+++ b/drivers/dma/ioat/init.c
@@ -1190,13 +1190,13 @@ static int ioat3_dma_probe(struct ioatdma_device *ioat_dma, int dca)
ioat_dma->dca = ioat_dca_init(pdev, ioat_dma->reg_base);
/* disable relaxed ordering */
- err = pcie_capability_read_word(pdev, IOAT_DEVCTRL_OFFSET, &val16);
+ err = pcie_capability_read_word(pdev, PCI_EXP_DEVCTL, &val16);
if (err)
return pcibios_err_to_errno(err);
/* clear relaxed ordering enable */
- val16 &= ~IOAT_DEVCTRL_ROE;
- err = pcie_capability_write_word(pdev, IOAT_DEVCTRL_OFFSET, val16);
+ val16 &= ~PCI_EXP_DEVCTL_RELAX_EN;
+ err = pcie_capability_write_word(pdev, PCI_EXP_DEVCTL, val16);
if (err)
return pcibios_err_to_errno(err);
diff --git a/drivers/dma/ioat/registers.h b/drivers/dma/ioat/registers.h
index f55a5f92f1857..54cf0ad39887b 100644
--- a/drivers/dma/ioat/registers.h
+++ b/drivers/dma/ioat/registers.h
@@ -14,13 +14,6 @@
#define IOAT_PCI_CHANERR_INT_OFFSET 0x180
#define IOAT_PCI_CHANERRMASK_INT_OFFSET 0x184
-/* PCIe config registers */
-
-/* EXPCAPID + N */
-#define IOAT_DEVCTRL_OFFSET 0x8
-/* relaxed ordering enable */
-#define IOAT_DEVCTRL_ROE 0x10
-
/* MMIO Device Registers */
#define IOAT_CHANCNT_OFFSET 0x00 /* 8-bit */
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 212/356] dmaengine: ioatdma: Fix error path in ioat3_dma_probe()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 211/356] dmaengine: ioat: use PCI core macros for PCIe Capability Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 213/356] dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() Greg Kroah-Hartman
` (151 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikita Shubin, Dave Jiang,
Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Shubin <n.shubin@yadro.com>
[ Upstream commit f0dc9fda2e0ee9e01496c2f5aca3a831131fad79 ]
Make sure we are disabling interrupts and destroying DMA pool if
pcie_capability_read/write_word() call failed.
Fixes: 511deae0261c ("dmaengine: ioatdma: disable relaxed ordering for ioatdma")
Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20240528-ioatdma-fixes-v2-2-a9f2fbe26ab1@yadro.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ioat/init.c | 33 +++++++++++++++------------------
1 file changed, 15 insertions(+), 18 deletions(-)
diff --git a/drivers/dma/ioat/init.c b/drivers/dma/ioat/init.c
index ed4910e3bc2ac..ceba1b4083a9d 100644
--- a/drivers/dma/ioat/init.c
+++ b/drivers/dma/ioat/init.c
@@ -534,18 +534,6 @@ static int ioat_probe(struct ioatdma_device *ioat_dma)
return err;
}
-static int ioat_register(struct ioatdma_device *ioat_dma)
-{
- int err = dma_async_device_register(&ioat_dma->dma_dev);
-
- if (err) {
- ioat_disable_interrupts(ioat_dma);
- dma_pool_destroy(ioat_dma->completion_pool);
- }
-
- return err;
-}
-
static void ioat_dma_remove(struct ioatdma_device *ioat_dma)
{
struct dma_device *dma = &ioat_dma->dma_dev;
@@ -1180,9 +1168,9 @@ static int ioat3_dma_probe(struct ioatdma_device *ioat_dma, int dca)
ioat_chan->reg_base + IOAT_DCACTRL_OFFSET);
}
- err = ioat_register(ioat_dma);
+ err = dma_async_device_register(&ioat_dma->dma_dev);
if (err)
- return err;
+ goto err_disable_interrupts;
ioat_kobject_add(ioat_dma, &ioat_ktype);
@@ -1191,20 +1179,29 @@ static int ioat3_dma_probe(struct ioatdma_device *ioat_dma, int dca)
/* disable relaxed ordering */
err = pcie_capability_read_word(pdev, PCI_EXP_DEVCTL, &val16);
- if (err)
- return pcibios_err_to_errno(err);
+ if (err) {
+ err = pcibios_err_to_errno(err);
+ goto err_disable_interrupts;
+ }
/* clear relaxed ordering enable */
val16 &= ~PCI_EXP_DEVCTL_RELAX_EN;
err = pcie_capability_write_word(pdev, PCI_EXP_DEVCTL, val16);
- if (err)
- return pcibios_err_to_errno(err);
+ if (err) {
+ err = pcibios_err_to_errno(err);
+ goto err_disable_interrupts;
+ }
if (ioat_dma->cap & IOAT_CAP_DPS)
writeb(ioat_pending_level + 1,
ioat_dma->reg_base + IOAT_PREFETCH_LIMIT_OFFSET);
return 0;
+
+err_disable_interrupts:
+ ioat_disable_interrupts(ioat_dma);
+ dma_pool_destroy(ioat_dma->completion_pool);
+ return err;
}
static void ioat_shutdown(struct pci_dev *pdev)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 213/356] dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 212/356] dmaengine: ioatdma: Fix error path in ioat3_dma_probe() Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 214/356] dmaengine: ioatdma: Fix missing kmem_cache_destroy() Greg Kroah-Hartman
` (150 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikita Shubin, Dave Jiang,
Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Shubin <n.shubin@yadro.com>
[ Upstream commit 29b7cd255f3628e0d65be33a939d8b5bba10aa62 ]
If probing fails we end up with leaking ioatdma_device and each
allocated channel.
Following kmemleak easy to reproduce by injecting an error in
ioat_alloc_chan_resources() when doing ioat_dma_self_test().
unreferenced object 0xffff888014ad5800 (size 1024): [..]
[<ffffffff827692ca>] kmemleak_alloc+0x4a/0x80
[<ffffffff81430600>] kmalloc_trace+0x270/0x2f0
[<ffffffffa000b7d1>] ioat_pci_probe+0xc1/0x1c0 [ioatdma]
[..]
repeated for each ioatdma channel:
unreferenced object 0xffff8880148e5c00 (size 512): [..]
[<ffffffff827692ca>] kmemleak_alloc+0x4a/0x80
[<ffffffff81430600>] kmalloc_trace+0x270/0x2f0
[<ffffffffa0009641>] ioat_enumerate_channels+0x101/0x2d0 [ioatdma]
[<ffffffffa000b266>] ioat3_dma_probe+0x4d6/0x970 [ioatdma]
[<ffffffffa000b891>] ioat_pci_probe+0x181/0x1c0 [ioatdma]
[..]
Fixes: bf453a0a18b2 ("dmaengine: ioat: Support in-use unbind")
Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20240528-ioatdma-fixes-v2-3-a9f2fbe26ab1@yadro.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ioat/init.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/dma/ioat/init.c b/drivers/dma/ioat/init.c
index ceba1b4083a9d..8a115bafab6ab 100644
--- a/drivers/dma/ioat/init.c
+++ b/drivers/dma/ioat/init.c
@@ -1346,6 +1346,7 @@ static int ioat_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
void __iomem * const *iomap;
struct device *dev = &pdev->dev;
struct ioatdma_device *device;
+ unsigned int i;
u8 version;
int err;
@@ -1385,6 +1386,9 @@ static int ioat_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
err = ioat3_dma_probe(device, ioat_dca_enabled);
if (err) {
+ for (i = 0; i < IOAT_MAX_CHANS; i++)
+ kfree(device->idx[i]);
+ kfree(device);
dev_err(dev, "Intel(R) I/OAT DMA Engine init failed\n");
return -ENODEV;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 214/356] dmaengine: ioatdma: Fix missing kmem_cache_destroy()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 213/356] dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 215/356] regulator: bd71815: fix ramp values Greg Kroah-Hartman
` (149 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikita Shubin, Dave Jiang,
Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Shubin <n.shubin@yadro.com>
[ Upstream commit 5422145d0b749ad554ada772133b9b20f9fb0ec8 ]
Fix missing kmem_cache_destroy() for ioat_sed_cache in
ioat_exit_module().
Noticed via:
```
modprobe ioatdma
rmmod ioatdma
modprobe ioatdma
debugfs: Directory 'ioat_sed_ent' with parent 'slab' already present!
```
Fixes: c0f28ce66ecf ("dmaengine: ioatdma: move all the init routines")
Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
Acked-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20240514-ioatdma_fixes-v1-1-2776a0913254@yadro.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ioat/init.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/dma/ioat/init.c b/drivers/dma/ioat/init.c
index 8a115bafab6ab..2a47b9053bad8 100644
--- a/drivers/dma/ioat/init.c
+++ b/drivers/dma/ioat/init.c
@@ -1450,6 +1450,7 @@ module_init(ioat_init_module);
static void __exit ioat_exit_module(void)
{
pci_unregister_driver(&ioat_pci_driver);
+ kmem_cache_destroy(ioat_sed_cache);
kmem_cache_destroy(ioat_cache);
}
module_exit(ioat_exit_module);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 215/356] regulator: bd71815: fix ramp values
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 214/356] dmaengine: ioatdma: Fix missing kmem_cache_destroy() Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 216/356] ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Greg Kroah-Hartman
` (148 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kalle Niemi, Matti Vaittinen,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kalle Niemi <kaleposti@gmail.com>
[ Upstream commit 4cac29b846f38d5f0654cdfff5c5bfc37305081c ]
Ramp values are inverted. This caused wrong values written to register
when ramp values were defined in device tree.
Invert values in table to fix this.
Signed-off-by: Kalle Niemi <kaleposti@gmail.com>
Fixes: 1aad39001e85 ("regulator: Support ROHM BD71815 regulators")
Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com>
Link: https://lore.kernel.org/r/ZmmJXtuVJU6RgQAH@latitude5580
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/bd71815-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/regulator/bd71815-regulator.c b/drivers/regulator/bd71815-regulator.c
index 16edd9062ca91..5d468303f1029 100644
--- a/drivers/regulator/bd71815-regulator.c
+++ b/drivers/regulator/bd71815-regulator.c
@@ -257,7 +257,7 @@ static int buck12_set_hw_dvs_levels(struct device_node *np,
* 10: 2.50mV/usec 10mV 4uS
* 11: 1.25mV/usec 10mV 8uS
*/
-static const unsigned int bd7181x_ramp_table[] = { 1250, 2500, 5000, 10000 };
+static const unsigned int bd7181x_ramp_table[] = { 10000, 5000, 2500, 1250 };
static int bd7181x_led_set_current_limit(struct regulator_dev *rdev,
int min_uA, int max_uA)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 216/356] ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 215/356] regulator: bd71815: fix ramp values Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 217/356] RDMA/mlx5: Add check for srq max_sge attribute Greg Kroah-Hartman
` (147 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanath S, Raju Rangoju,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit a83e1385b780d41307433ddbc86e3c528db031f0 ]
Undo the modifications made in commit d410ee5109a1 ("ACPICA: avoid
"Info: mapping multiple BARs. Your kernel is fine.""). The initial
purpose of this commit was to stop memory mappings for operation
regions from overlapping page boundaries, as it can trigger warnings
if different page attributes are present.
However, it was found that when this situation arises, mapping
continues until the boundary's end, but there is still an attempt to
read/write the entire length of the map, leading to a NULL pointer
deference. For example, if a four-byte mapping request is made but
only one byte is mapped because it hits the current page boundary's
end, a four-byte read/write attempt is still made, resulting in a NULL
pointer deference.
Instead, map the entire length, as the ACPI specification does not
mandate that it must be within the same page boundary. It is
permissible for it to be mapped across different regions.
Link: https://github.com/acpica/acpica/pull/954
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218849
Fixes: d410ee5109a1 ("ACPICA: avoid "Info: mapping multiple BARs. Your kernel is fine."")
Co-developed-by: Sanath S <Sanath.S@amd.com>
Signed-off-by: Sanath S <Sanath.S@amd.com>
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/exregion.c | 23 ++---------------------
1 file changed, 2 insertions(+), 21 deletions(-)
diff --git a/drivers/acpi/acpica/exregion.c b/drivers/acpi/acpica/exregion.c
index 82b713a9a1939..4b6b53bd90183 100644
--- a/drivers/acpi/acpica/exregion.c
+++ b/drivers/acpi/acpica/exregion.c
@@ -44,7 +44,6 @@ acpi_ex_system_memory_space_handler(u32 function,
struct acpi_mem_mapping *mm = mem_info->cur_mm;
u32 length;
acpi_size map_length;
- acpi_size page_boundary_map_length;
#ifdef ACPI_MISALIGNMENT_NOT_SUPPORTED
u32 remainder;
#endif
@@ -138,26 +137,8 @@ acpi_ex_system_memory_space_handler(u32 function,
map_length = (acpi_size)
((mem_info->address + mem_info->length) - address);
- /*
- * If mapping the entire remaining portion of the region will cross
- * a page boundary, just map up to the page boundary, do not cross.
- * On some systems, crossing a page boundary while mapping regions
- * can cause warnings if the pages have different attributes
- * due to resource management.
- *
- * This has the added benefit of constraining a single mapping to
- * one page, which is similar to the original code that used a 4k
- * maximum window.
- */
- page_boundary_map_length = (acpi_size)
- (ACPI_ROUND_UP(address, ACPI_DEFAULT_PAGE_SIZE) - address);
- if (page_boundary_map_length == 0) {
- page_boundary_map_length = ACPI_DEFAULT_PAGE_SIZE;
- }
-
- if (map_length > page_boundary_map_length) {
- map_length = page_boundary_map_length;
- }
+ if (map_length > ACPI_DEFAULT_PAGE_SIZE)
+ map_length = ACPI_DEFAULT_PAGE_SIZE;
/* Create a new mapping starting at the address given */
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 217/356] RDMA/mlx5: Add check for srq max_sge attribute
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 216/356] ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 218/356] serial: stm32: rework RX over DMA Greg Kroah-Hartman
` (146 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrisious Haddad, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Patrisious Haddad <phaddad@nvidia.com>
[ Upstream commit 36ab7ada64caf08f10ee5a114d39964d1f91e81d ]
max_sge attribute is passed by the user, and is inserted and used
unchecked, so verify that the value doesn't exceed maximum allowed value
before using it.
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Link: https://lore.kernel.org/r/277ccc29e8d57bfd53ddeb2ac633f2760cf8cdd0.1716900410.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/mlx5/srq.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/infiniband/hw/mlx5/srq.c b/drivers/infiniband/hw/mlx5/srq.c
index 191c4ee7db620..dfed4c4321337 100644
--- a/drivers/infiniband/hw/mlx5/srq.c
+++ b/drivers/infiniband/hw/mlx5/srq.c
@@ -200,17 +200,20 @@ int mlx5_ib_create_srq(struct ib_srq *ib_srq,
int err;
struct mlx5_srq_attr in = {};
__u32 max_srq_wqes = 1 << MLX5_CAP_GEN(dev->mdev, log_max_srq_sz);
+ __u32 max_sge_sz = MLX5_CAP_GEN(dev->mdev, max_wqe_sz_rq) /
+ sizeof(struct mlx5_wqe_data_seg);
if (init_attr->srq_type != IB_SRQT_BASIC &&
init_attr->srq_type != IB_SRQT_XRC &&
init_attr->srq_type != IB_SRQT_TM)
return -EOPNOTSUPP;
- /* Sanity check SRQ size before proceeding */
- if (init_attr->attr.max_wr >= max_srq_wqes) {
- mlx5_ib_dbg(dev, "max_wr %d, cap %d\n",
- init_attr->attr.max_wr,
- max_srq_wqes);
+ /* Sanity check SRQ and sge size before proceeding */
+ if (init_attr->attr.max_wr >= max_srq_wqes ||
+ init_attr->attr.max_sge > max_sge_sz) {
+ mlx5_ib_dbg(dev, "max_wr %d,wr_cap %d,max_sge %d, sge_cap:%d\n",
+ init_attr->attr.max_wr, max_srq_wqes,
+ init_attr->attr.max_sge, max_sge_sz);
return -EINVAL;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 218/356] serial: stm32: rework RX over DMA
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 217/356] RDMA/mlx5: Add check for srq max_sge attribute Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 219/356] net: do not leave a dangling sk pointer, when socket creation fails Greg Kroah-Hartman
` (145 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Valentin Caron, Erwan Le Ray,
Dario Binacchi
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erwan Le Ray <erwan.leray@foss.st.com>
commit 33bb2f6ac3088936b7aad3cab6f439f91af0223c upstream.
This patch reworks RX support over DMA to improve reliability:
- change dma buffer cyclic configuration by using 2 periods. DMA buffer
data are handled by a flip-flop between the 2 periods in order to avoid
risk of data loss/corruption
- change the size of dma buffer to 4096 to limit overruns
- add rx errors management (breaks, parity, framing and overrun).
When an error occurs on the uart line, the dma request line is masked at
HW level. The SW must 1st clear DMAR (dma request line enable), to
handle the error, then re-enable DMAR to recover. So, any correct data
is taken from the DMA buffer, before handling the error itself. Then
errors are handled from RDR/ISR/FIFO (e.g. in PIO mode). Last, DMA
reception is resumed.
- add a condition on DMA request line in DMA RX routines in order to
switch to PIO mode when no DMA request line is disabled, even if the DMA
channel is still enabled.
When the UART is wakeup source and is configured to use DMA for RX, any
incoming data that wakes up the system isn't correctly received.
At data reception, the irq_handler handles the WUF irq, and then the
data reception over DMA.
As the DMA transfer has been terminated at suspend, and will be restored
by resume callback (which has no yet been called by system), the data
can't be received.
The wake-up data has to be handled in PIO mode while suspend callback
has not been called.
Signed-off-by: Valentin Caron <valentin.caron@foss.st.com>
Signed-off-by: Erwan Le Ray <erwan.leray@foss.st.com>
Link: https://lore.kernel.org/r/20211020150332.10214-3-erwan.leray@foss.st.com
[ dario: fix conflicts for backport to v5.15. From the [1] series, only the
first patch was applied to the v5.15 branch. This caused a regression in
character reception, which can be fixed by applying the second patch. The
patch has been tested on the stm32f469-disco board.
[1] https://lore.kernel.org/all/20211020150332.10214-1-erwan.leray@foss.st.com/. ]
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/stm32-usart.c | 204 ++++++++++++++++++++++++++++++---------
drivers/tty/serial/stm32-usart.h | 12 +-
2 files changed, 164 insertions(+), 52 deletions(-)
--- a/drivers/tty/serial/stm32-usart.c
+++ b/drivers/tty/serial/stm32-usart.c
@@ -220,66 +220,60 @@ static int stm32_usart_init_rs485(struct
return uart_get_rs485_mode(port);
}
-static int stm32_usart_pending_rx(struct uart_port *port, u32 *sr,
- int *last_res, bool threaded)
+static bool stm32_usart_rx_dma_enabled(struct uart_port *port)
+{
+ struct stm32_port *stm32_port = to_stm32_port(port);
+ const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
+
+ if (!stm32_port->rx_ch)
+ return false;
+
+ return !!(readl_relaxed(port->membase + ofs->cr3) & USART_CR3_DMAR);
+}
+
+/* Return true when data is pending (in pio mode), and false when no data is pending. */
+static bool stm32_usart_pending_rx_pio(struct uart_port *port, u32 *sr)
{
struct stm32_port *stm32_port = to_stm32_port(port);
const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
- enum dma_status status;
- struct dma_tx_state state;
*sr = readl_relaxed(port->membase + ofs->isr);
+ /* Get pending characters in RDR or FIFO */
+ if (*sr & USART_SR_RXNE) {
+ /* Get all pending characters from the RDR or the FIFO when using interrupts */
+ if (!stm32_usart_rx_dma_enabled(port))
+ return true;
- if (threaded && stm32_port->rx_ch) {
- status = dmaengine_tx_status(stm32_port->rx_ch,
- stm32_port->rx_ch->cookie,
- &state);
- if (status == DMA_IN_PROGRESS && (*last_res != state.residue))
- return 1;
- else
- return 0;
- } else if (*sr & USART_SR_RXNE) {
- return 1;
+ /* Handle only RX data errors when using DMA */
+ if (*sr & USART_SR_ERR_MASK)
+ return true;
}
- return 0;
+
+ return false;
}
-static unsigned long stm32_usart_get_char(struct uart_port *port, u32 *sr,
- int *last_res)
+static unsigned long stm32_usart_get_char_pio(struct uart_port *port)
{
struct stm32_port *stm32_port = to_stm32_port(port);
const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
unsigned long c;
- if (stm32_port->rx_ch) {
- c = stm32_port->rx_buf[RX_BUF_L - (*last_res)--];
- if ((*last_res) == 0)
- *last_res = RX_BUF_L;
- } else {
- c = readl_relaxed(port->membase + ofs->rdr);
- /* apply RDR data mask */
- c &= stm32_port->rdr_mask;
- }
+ c = readl_relaxed(port->membase + ofs->rdr);
+ /* Apply RDR data mask */
+ c &= stm32_port->rdr_mask;
return c;
}
-static void stm32_usart_receive_chars(struct uart_port *port, bool irqflag)
+static void stm32_usart_receive_chars_pio(struct uart_port *port)
{
- struct tty_port *tport = &port->state->port;
struct stm32_port *stm32_port = to_stm32_port(port);
const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
- unsigned long c, flags;
+ unsigned long c;
u32 sr;
char flag;
- if (irqflag)
- spin_lock_irqsave(&port->lock, flags);
- else
- spin_lock(&port->lock);
-
- while (stm32_usart_pending_rx(port, &sr, &stm32_port->last_res,
- irqflag)) {
+ while (stm32_usart_pending_rx_pio(port, &sr)) {
sr |= USART_SR_DUMMY_RX;
flag = TTY_NORMAL;
@@ -298,7 +292,7 @@ static void stm32_usart_receive_chars(st
writel_relaxed(sr & USART_SR_ERR_MASK,
port->membase + ofs->icr);
- c = stm32_usart_get_char(port, &sr, &stm32_port->last_res);
+ c = stm32_usart_get_char_pio(port);
port->icount.rx++;
if (sr & USART_SR_ERR_MASK) {
if (sr & USART_SR_ORE) {
@@ -332,6 +326,94 @@ static void stm32_usart_receive_chars(st
continue;
uart_insert_char(port, sr, USART_SR_ORE, c, flag);
}
+}
+
+static void stm32_usart_push_buffer_dma(struct uart_port *port, unsigned int dma_size)
+{
+ struct stm32_port *stm32_port = to_stm32_port(port);
+ struct tty_port *ttyport = &stm32_port->port.state->port;
+ unsigned char *dma_start;
+ int dma_count, i;
+
+ dma_start = stm32_port->rx_buf + (RX_BUF_L - stm32_port->last_res);
+
+ /*
+ * Apply rdr_mask on buffer in order to mask parity bit.
+ * This loop is useless in cs8 mode because DMA copies only
+ * 8 bits and already ignores parity bit.
+ */
+ if (!(stm32_port->rdr_mask == (BIT(8) - 1)))
+ for (i = 0; i < dma_size; i++)
+ *(dma_start + i) &= stm32_port->rdr_mask;
+
+ dma_count = tty_insert_flip_string(ttyport, dma_start, dma_size);
+ port->icount.rx += dma_count;
+ if (dma_count != dma_size)
+ port->icount.buf_overrun++;
+ stm32_port->last_res -= dma_count;
+ if (stm32_port->last_res == 0)
+ stm32_port->last_res = RX_BUF_L;
+}
+
+static void stm32_usart_receive_chars_dma(struct uart_port *port)
+{
+ struct stm32_port *stm32_port = to_stm32_port(port);
+ unsigned int dma_size;
+
+ /* DMA buffer is configured in cyclic mode and handles the rollback of the buffer. */
+ if (stm32_port->rx_dma_state.residue > stm32_port->last_res) {
+ /* Conditional first part: from last_res to end of DMA buffer */
+ dma_size = stm32_port->last_res;
+ stm32_usart_push_buffer_dma(port, dma_size);
+ }
+
+ dma_size = stm32_port->last_res - stm32_port->rx_dma_state.residue;
+ stm32_usart_push_buffer_dma(port, dma_size);
+}
+
+static void stm32_usart_receive_chars(struct uart_port *port, bool irqflag)
+{
+ struct tty_port *tport = &port->state->port;
+ struct stm32_port *stm32_port = to_stm32_port(port);
+ const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
+ enum dma_status rx_dma_status;
+ unsigned long flags;
+ u32 sr;
+
+ if (irqflag)
+ spin_lock_irqsave(&port->lock, flags);
+ else
+ spin_lock(&port->lock);
+
+ if (stm32_usart_rx_dma_enabled(port)) {
+ rx_dma_status = dmaengine_tx_status(stm32_port->rx_ch,
+ stm32_port->rx_ch->cookie,
+ &stm32_port->rx_dma_state);
+ if (rx_dma_status == DMA_IN_PROGRESS) {
+ /* Empty DMA buffer */
+ stm32_usart_receive_chars_dma(port);
+ sr = readl_relaxed(port->membase + ofs->isr);
+ if (sr & USART_SR_ERR_MASK) {
+ /* Disable DMA request line */
+ stm32_usart_clr_bits(port, ofs->cr3, USART_CR3_DMAR);
+
+ /* Switch to PIO mode to handle the errors */
+ stm32_usart_receive_chars_pio(port);
+
+ /* Switch back to DMA mode */
+ stm32_usart_set_bits(port, ofs->cr3, USART_CR3_DMAR);
+ }
+ } else {
+ /* Disable RX DMA */
+ dmaengine_terminate_async(stm32_port->rx_ch);
+ stm32_usart_clr_bits(port, ofs->cr3, USART_CR3_DMAR);
+ /* Fall back to interrupt mode */
+ dev_dbg(port->dev, "DMA error, fallback to irq mode\n");
+ stm32_usart_receive_chars_pio(port);
+ }
+ } else {
+ stm32_usart_receive_chars_pio(port);
+ }
if (irqflag)
uart_unlock_and_check_sysrq_irqrestore(port, irqflag);
@@ -373,6 +455,13 @@ static void stm32_usart_tx_interrupt_ena
stm32_usart_set_bits(port, ofs->cr1, USART_CR1_TXEIE);
}
+static void stm32_usart_rx_dma_complete(void *arg)
+{
+ struct uart_port *port = arg;
+
+ stm32_usart_receive_chars(port, true);
+}
+
static void stm32_usart_tc_interrupt_enable(struct uart_port *port)
{
struct stm32_port *stm32_port = to_stm32_port(port);
@@ -588,7 +677,12 @@ static irqreturn_t stm32_usart_interrupt
pm_wakeup_event(tport->tty->dev, 0);
}
- if ((sr & USART_SR_RXNE) && !(stm32_port->rx_ch))
+ /*
+ * rx errors in dma mode has to be handled ASAP to avoid overrun as the DMA request
+ * line has been masked by HW and rx data are stacking in FIFO.
+ */
+ if (((sr & USART_SR_RXNE) && !stm32_usart_rx_dma_enabled(port)) ||
+ ((sr & USART_SR_ERR_MASK) && stm32_usart_rx_dma_enabled(port)))
stm32_usart_receive_chars(port, false);
if ((sr & USART_SR_TXE) && !(stm32_port->tx_ch)) {
@@ -597,7 +691,7 @@ static irqreturn_t stm32_usart_interrupt
spin_unlock(&port->lock);
}
- if (stm32_port->rx_ch)
+ if (stm32_usart_rx_dma_enabled(port))
return IRQ_WAKE_THREAD;
else
return IRQ_HANDLED;
@@ -903,9 +997,11 @@ static void stm32_usart_set_termios(stru
stm32_port->cr1_irq = USART_CR1_RTOIE;
writel_relaxed(bits, port->membase + ofs->rtor);
cr2 |= USART_CR2_RTOEN;
- /* Not using dma, enable fifo threshold irq */
- if (!stm32_port->rx_ch)
- stm32_port->cr3_irq = USART_CR3_RXFTIE;
+ /*
+ * Enable fifo threshold irq in two cases, either when there is no DMA, or when
+ * wake up over usart, from low power until the DMA gets re-enabled by resume.
+ */
+ stm32_port->cr3_irq = USART_CR3_RXFTIE;
}
cr1 |= stm32_port->cr1_irq;
@@ -968,8 +1064,16 @@ static void stm32_usart_set_termios(stru
if ((termios->c_cflag & CREAD) == 0)
port->ignore_status_mask |= USART_SR_DUMMY_RX;
- if (stm32_port->rx_ch)
+ if (stm32_port->rx_ch) {
+ /*
+ * Setup DMA to collect only valid data and enable error irqs.
+ * This also enables break reception when using DMA.
+ */
+ cr1 |= USART_CR1_PEIE;
+ cr3 |= USART_CR3_EIE;
cr3 |= USART_CR3_DMAR;
+ cr3 |= USART_CR3_DDRE;
+ }
if (rs485conf->flags & SER_RS485_ENABLED) {
stm32_usart_config_reg_rs485(&cr1, &cr3,
@@ -1298,9 +1402,9 @@ static int stm32_usart_of_dma_rx_probe(s
return -ENODEV;
}
- /* No callback as dma buffer is drained on usart interrupt */
- desc->callback = NULL;
- desc->callback_param = NULL;
+ /* Set DMA callback */
+ desc->callback = stm32_usart_rx_dma_complete;
+ desc->callback_param = port;
/* Push current DMA transaction in the pending queue */
ret = dma_submit_error(dmaengine_submit(desc));
@@ -1464,6 +1568,7 @@ static int stm32_usart_serial_remove(str
struct stm32_port *stm32_port = to_stm32_port(port);
const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
int err;
+ u32 cr3;
pm_runtime_get_sync(&pdev->dev);
err = uart_remove_one_port(&stm32_usart_driver, port);
@@ -1474,7 +1579,12 @@ static int stm32_usart_serial_remove(str
pm_runtime_set_suspended(&pdev->dev);
pm_runtime_put_noidle(&pdev->dev);
- stm32_usart_clr_bits(port, ofs->cr3, USART_CR3_DMAR);
+ stm32_usart_clr_bits(port, ofs->cr1, USART_CR1_PEIE);
+ cr3 = readl_relaxed(port->membase + ofs->cr3);
+ cr3 &= ~USART_CR3_EIE;
+ cr3 &= ~USART_CR3_DMAR;
+ cr3 &= ~USART_CR3_DDRE;
+ writel_relaxed(cr3, port->membase + ofs->cr3);
if (stm32_port->tx_ch) {
stm32_usart_of_dma_tx_remove(stm32_port, pdev);
--- a/drivers/tty/serial/stm32-usart.h
+++ b/drivers/tty/serial/stm32-usart.h
@@ -109,7 +109,7 @@ struct stm32_usart_info stm32h7_info = {
/* USART_SR (F4) / USART_ISR (F7) */
#define USART_SR_PE BIT(0)
#define USART_SR_FE BIT(1)
-#define USART_SR_NF BIT(2)
+#define USART_SR_NE BIT(2) /* F7 (NF for F4) */
#define USART_SR_ORE BIT(3)
#define USART_SR_IDLE BIT(4)
#define USART_SR_RXNE BIT(5)
@@ -126,7 +126,8 @@ struct stm32_usart_info stm32h7_info = {
#define USART_SR_SBKF BIT(18) /* F7 */
#define USART_SR_WUF BIT(20) /* H7 */
#define USART_SR_TEACK BIT(21) /* F7 */
-#define USART_SR_ERR_MASK (USART_SR_ORE | USART_SR_FE | USART_SR_PE)
+#define USART_SR_ERR_MASK (USART_SR_ORE | USART_SR_NE | USART_SR_FE |\
+ USART_SR_PE)
/* Dummy bits */
#define USART_SR_DUMMY_RX BIT(16)
@@ -246,9 +247,9 @@ struct stm32_usart_info stm32h7_info = {
#define STM32_SERIAL_NAME "ttySTM"
#define STM32_MAX_PORTS 8
-#define RX_BUF_L 200 /* dma rx buffer length */
-#define RX_BUF_P RX_BUF_L /* dma rx buffer period */
-#define TX_BUF_L 200 /* dma tx buffer length */
+#define RX_BUF_L 4096 /* dma rx buffer length */
+#define RX_BUF_P (RX_BUF_L / 2) /* dma rx buffer period */
+#define TX_BUF_L RX_BUF_L /* dma tx buffer length */
struct stm32_port {
struct uart_port port;
@@ -273,6 +274,7 @@ struct stm32_port {
bool wakeup_src;
int rdr_mask; /* receive data register mask */
struct mctrl_gpios *gpios; /* modem control gpios */
+ struct dma_tx_state rx_dma_state;
};
static struct stm32_port stm32_ports[STM32_MAX_PORTS];
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 219/356] net: do not leave a dangling sk pointer, when socket creation fails
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 218/356] serial: stm32: rework RX over DMA Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 220/356] btrfs: retry block group reclaim without infinite loop Greg Kroah-Hartman
` (144 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Ignat Korchagin,
D. Wythe, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ignat Korchagin <ignat@cloudflare.com>
commit 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2 upstream.
It is possible to trigger a use-after-free by:
* attaching an fentry probe to __sock_release() and the probe calling the
bpf_get_socket_cookie() helper
* running traceroute -I 1.1.1.1 on a freshly booted VM
A KASAN enabled kernel will log something like below (decoded and stripped):
==================================================================
BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
Read of size 8 at addr ffff888007110dd8 by task traceroute/299
CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))
print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
kasan_report (mm/kasan/report.c:603)
? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)
bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e
bpf_trampoline_6442506592+0x47/0xaf
__sock_release (net/socket.c:652)
__sock_create (net/socket.c:1601)
...
Allocated by task 299 on cpu 2 at 78.328492s:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:68)
__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)
kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)
sk_prot_alloc (net/core/sock.c:2075)
sk_alloc (net/core/sock.c:2134)
inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)
__sock_create (net/socket.c:1572)
__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
__x64_sys_socket (net/socket.c:1718)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Freed by task 299 on cpu 2 at 78.328502s:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:68)
kasan_save_free_info (mm/kasan/generic.c:582)
poison_slab_object (mm/kasan/common.c:242)
__kasan_slab_free (mm/kasan/common.c:256)
kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)
__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)
inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)
__sock_create (net/socket.c:1572)
__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
__x64_sys_socket (net/socket.c:1718)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Fix this by clearing the struct socket reference in sk_common_release() to cover
all protocol families create functions, which may already attached the
reference to the sk object with sock_init_data().
Fixes: c5dbb89fc2ac ("bpf: Expose bpf_get_socket_cookie to tracing programs")
Suggested-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/netdev/20240613194047.36478-1-kuniyu@amazon.com/T/
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
Link: https://lore.kernel.org/r/20240617210205.67311-1-ignat@cloudflare.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/sock.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3459,6 +3459,9 @@ void sk_common_release(struct sock *sk)
sk->sk_prot->unhash(sk);
+ if (sk->sk_socket)
+ sk->sk_socket->sk = NULL;
+
/*
* In this point socket cannot receive new packets, but it is possible
* that some packets are in flight because some CPU runs receiver and
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 220/356] btrfs: retry block group reclaim without infinite loop
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 219/356] net: do not leave a dangling sk pointer, when socket creation fails Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 221/356] KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes Greg Kroah-Hartman
` (143 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Boris Burkov, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Burkov <boris@bur.io>
commit 4eb4e85c4f818491efc67e9373aa16b123c3f522 upstream.
If inc_block_group_ro systematically fails (e.g. due to ETXTBUSY from
swap) or btrfs_relocate_chunk systematically fails (from lack of
space), then this worker becomes an infinite loop.
At the very least, this strands the cleaner thread, but can also result
in hung tasks/RCU stalls on PREEMPT_NONE kernels and if the
reclaim_bgs_lock mutex is not contended.
I believe the best long term fix is to manage reclaim via work queue,
where we queue up a relocation on the triggering condition and re-queue
on failure. In the meantime, this is an easy fix to apply to avoid the
immediate pain.
Fixes: 7e2718099438 ("btrfs: reinsert BGs failed to reclaim")
CC: stable@vger.kernel.org # 6.6+
Signed-off-by: Boris Burkov <boris@bur.io>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/block-group.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/fs/btrfs/block-group.c
+++ b/fs/btrfs/block-group.c
@@ -1493,6 +1493,7 @@ void btrfs_reclaim_bgs_work(struct work_
container_of(work, struct btrfs_fs_info, reclaim_bgs_work);
struct btrfs_block_group *bg;
struct btrfs_space_info *space_info;
+ LIST_HEAD(retry_list);
if (!test_bit(BTRFS_FS_OPEN, &fs_info->flags))
return;
@@ -1583,8 +1584,11 @@ void btrfs_reclaim_bgs_work(struct work_
}
next:
- if (ret)
- btrfs_mark_bg_to_reclaim(bg);
+ if (ret) {
+ /* Refcount held by the reclaim_bgs list after splice. */
+ btrfs_get_block_group(bg);
+ list_add_tail(&bg->bg_list, &retry_list);
+ }
btrfs_put_block_group(bg);
mutex_unlock(&fs_info->reclaim_bgs_lock);
@@ -1604,6 +1608,9 @@ next:
spin_unlock(&fs_info->unused_bgs_lock);
mutex_unlock(&fs_info->reclaim_bgs_lock);
end:
+ spin_lock(&fs_info->unused_bgs_lock);
+ list_splice_tail(&retry_list, &fs_info->reclaim_bgs);
+ spin_unlock(&fs_info->unused_bgs_lock);
btrfs_exclop_finish(fs_info);
sb_end_write(fs_info->sb);
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 221/356] KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 220/356] btrfs: retry block group reclaim without infinite loop Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 222/356] ALSA: hda/realtek: Limit mic boost on N14AP7 Greg Kroah-Hartman
` (142 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adamos Ttofari,
Raghavendra Rao Ananta, Jim Mattson, Sean Christopherson,
Paolo Bonzini
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit f3ced000a2df53f4b12849e121769045a81a3b22 upstream.
Sync pending posted interrupts to the IRR prior to re-scanning I/O APIC
routes, irrespective of whether the I/O APIC is emulated by userspace or
by KVM. If a level-triggered interrupt routed through the I/O APIC is
pending or in-service for a vCPU, KVM needs to intercept EOIs on said
vCPU even if the vCPU isn't the destination for the new routing, e.g. if
servicing an interrupt using the old routing races with I/O APIC
reconfiguration.
Commit fceb3a36c29a ("KVM: x86: ioapic: Fix level-triggered EOI and
userspace I/OAPIC reconfigure race") fixed the common cases, but
kvm_apic_pending_eoi() only checks if an interrupt is in the local
APIC's IRR or ISR, i.e. misses the uncommon case where an interrupt is
pending in the PIR.
Failure to intercept EOI can manifest as guest hangs with Windows 11 if
the guest uses the RTC as its timekeeping source, e.g. if the VMM doesn't
expose a more modern form of time to the guest.
Cc: stable@vger.kernel.org
Cc: Adamos Ttofari <attofari@amazon.de>
Cc: Raghavendra Rao Ananta <rananta@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20240611014845.82795-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -9654,13 +9654,12 @@ static void vcpu_scan_ioapic(struct kvm_
bitmap_zero(vcpu->arch.ioapic_handled_vectors, 256);
+ static_call_cond(kvm_x86_sync_pir_to_irr)(vcpu);
+
if (irqchip_split(vcpu->kvm))
kvm_scan_ioapic_routes(vcpu, vcpu->arch.ioapic_handled_vectors);
- else {
- static_call_cond(kvm_x86_sync_pir_to_irr)(vcpu);
- if (ioapic_in_kernel(vcpu->kvm))
- kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
- }
+ else if (ioapic_in_kernel(vcpu->kvm))
+ kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
if (is_guest_mode(vcpu))
vcpu->arch.load_eoi_exitmap_pending = true;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 222/356] ALSA: hda/realtek: Limit mic boost on N14AP7
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 221/356] KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 223/356] drm/i915/mso: using joiner is not possible with eDP MSO Greg Kroah-Hartman
` (141 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Edson Juliano Drosdeck, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
commit 86a433862912f52597263aa224a9ed82bcd533bf upstream.
The internal mic boost on the N14AP7 is too high. Fix this by applying the
ALC269_FIXUP_LIMIT_INT_MIC_BOOST fixup to the machine to limit the gain.
Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20240605153923.2837-1-edson.drosdeck@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9463,6 +9463,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */
SND_PCI_QUIRK(0x1c06, 0x2013, "Lemote A1802", ALC269_FIXUP_LEMOTE_A1802),
SND_PCI_QUIRK(0x1c06, 0x2015, "Lemote A190X", ALC269_FIXUP_LEMOTE_A190X),
+ SND_PCI_QUIRK(0x1c6c, 0x122a, "Positivo N14AP7", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
SND_PCI_QUIRK(0x1c6c, 0x1251, "Positivo N14KP6-TG", ALC288_FIXUP_DELL1_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1d05, 0x1132, "TongFang PHxTxX1", ALC256_FIXUP_SET_COEF_DEFAULTS),
SND_PCI_QUIRK(0x1d05, 0x1096, "TongFang GMxMRxx", ALC269_FIXUP_NO_SHUTUP),
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 223/356] drm/i915/mso: using joiner is not possible with eDP MSO
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 222/356] ALSA: hda/realtek: Limit mic boost on N14AP7 Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 224/356] drm/radeon: fix UBSAN warning in kv_dpm.c Greg Kroah-Hartman
` (140 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ville Syrjala, Jani Nikula
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
commit 49cc17967be95d64606d5684416ee51eec35e84a upstream.
It's not possible to use the joiner at the same time with eDP MSO. When
a panel needs MSO, it's not optional, so MSO trumps joiner.
v3: Only change intel_dp_has_joiner(), leave debugfs alone (Ville)
Fixes: bc71194e8897 ("drm/i915/edp: enable eDP MSO during link training")
Cc: <stable@vger.kernel.org> # v5.13+
Cc: Ville Syrjala <ville.syrjala@linux.intel.com>
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1668
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240614142311.589089-1-jani.nikula@intel.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
(cherry picked from commit 8b5a92ca24eb96bb71e2a55e352687487d87687f)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_dp.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -226,6 +226,10 @@ bool intel_dp_can_bigjoiner(struct intel
struct intel_encoder *encoder = &intel_dig_port->base;
struct drm_i915_private *dev_priv = to_i915(encoder->base.dev);
+ /* eDP MSO is not compatible with joiner */
+ if (intel_dp->mso_link_count)
+ return false;
+
return DISPLAY_VER(dev_priv) >= 12 ||
(DISPLAY_VER(dev_priv) == 11 &&
encoder->port != PORT_A);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 224/356] drm/radeon: fix UBSAN warning in kv_dpm.c
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 223/356] drm/i915/mso: using joiner is not possible with eDP MSO Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 225/356] gcov: add support for GCC 14 Greg Kroah-Hartman
` (139 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit a498df5421fd737d11bfd152428ba6b1c8538321 upstream.
Adds bounds check for sumo_vid_mapping_entry.
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/radeon/sumo_dpm.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpu/drm/radeon/sumo_dpm.c
+++ b/drivers/gpu/drm/radeon/sumo_dpm.c
@@ -1621,6 +1621,8 @@ void sumo_construct_vid_mapping_table(st
for (i = 0; i < SUMO_MAX_HARDWARE_POWERLEVELS; i++) {
if (table[i].ulSupportedSCLK != 0) {
+ if (table[i].usVoltageIndex >= SUMO_MAX_NUMBER_VOLTAGES)
+ continue;
vid_mapping_table->entries[table[i].usVoltageIndex].vid_7bit =
table[i].usVoltageID;
vid_mapping_table->entries[table[i].usVoltageIndex].vid_2bit =
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 225/356] gcov: add support for GCC 14
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 224/356] drm/radeon: fix UBSAN warning in kv_dpm.c Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 226/356] kcov: dont lose track of remote references during softirqs Greg Kroah-Hartman
` (138 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Oberparleiter,
Allison Henderson, Chuck Lever III, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Oberparleiter <oberpar@linux.ibm.com>
commit c1558bc57b8e5b4da5d821537cd30e2e660861d8 upstream.
Using gcov on kernels compiled with GCC 14 results in truncated 16-byte
long .gcda files with no usable data. To fix this, update GCOV_COUNTERS
to match the value defined by GCC 14.
Tested with GCC versions 14.1.0 and 13.2.0.
Link: https://lkml.kernel.org/r/20240610092743.1609845-1-oberpar@linux.ibm.com
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Reported-by: Allison Henderson <allison.henderson@oracle.com>
Reported-by: Chuck Lever III <chuck.lever@oracle.com>
Tested-by: Chuck Lever <chuck.lever@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/gcov/gcc_4_7.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/kernel/gcov/gcc_4_7.c
+++ b/kernel/gcov/gcc_4_7.c
@@ -18,7 +18,9 @@
#include <linux/mm.h>
#include "gcov.h"
-#if (__GNUC__ >= 10)
+#if (__GNUC__ >= 14)
+#define GCOV_COUNTERS 9
+#elif (__GNUC__ >= 10)
#define GCOV_COUNTERS 8
#elif (__GNUC__ >= 7)
#define GCOV_COUNTERS 9
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 226/356] kcov: dont lose track of remote references during softirqs
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 225/356] gcov: add support for GCC 14 Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 227/356] tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack() Greg Kroah-Hartman
` (137 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Nogikh, Dmitry Vyukov,
Andrey Konovalov, Alexander Potapenko, Arnd Bergmann, Marco Elver,
Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandr Nogikh <nogikh@google.com>
commit 01c8f9806bde438ca1c8cbbc439f0a14a6694f6c upstream.
In kcov_remote_start()/kcov_remote_stop(), we swap the previous KCOV
metadata of the current task into a per-CPU variable. However, the
kcov_mode_enabled(mode) check is not sufficient in the case of remote KCOV
coverage: current->kcov_mode always remains KCOV_MODE_DISABLED for remote
KCOV objects.
If the original task that has invoked the KCOV_REMOTE_ENABLE ioctl happens
to get interrupted and kcov_remote_start() is called, it ultimately leads
to kcov_remote_stop() NOT restoring the original KCOV reference. So when
the task exits, all registered remote KCOV handles remain active forever.
The most uncomfortable effect (at least for syzkaller) is that the bug
prevents the reuse of the same /sys/kernel/debug/kcov descriptor. If
we obtain it in the parent process and then e.g. drop some
capabilities and continuously fork to execute individual programs, at
some point current->kcov of the forked process is lost,
kcov_task_exit() takes no action, and all KCOV_REMOTE_ENABLE ioctls
calls from subsequent forks fail.
And, yes, the efficiency is also affected if we keep on losing remote
kcov objects.
a) kcov_remote_map keeps on growing forever.
b) (If I'm not mistaken), we're also not freeing the memory referenced
by kcov->area.
Fix it by introducing a special kcov_mode that is assigned to the task
that owns a KCOV remote object. It makes kcov_mode_enabled() return true
and yet does not trigger coverage collection in __sanitizer_cov_trace_pc()
and write_comp_data().
[nogikh@google.com: replace WRITE_ONCE() with an ordinary assignment]
Link: https://lkml.kernel.org/r/20240614171221.2837584-1-nogikh@google.com
Link: https://lkml.kernel.org/r/20240611133229.527822-1-nogikh@google.com
Fixes: 5ff3b30ab57d ("kcov: collect coverage from interrupts")
Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Tested-by: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Marco Elver <elver@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/kcov.h | 2 ++
kernel/kcov.c | 1 +
2 files changed, 3 insertions(+)
--- a/include/linux/kcov.h
+++ b/include/linux/kcov.h
@@ -21,6 +21,8 @@ enum kcov_mode {
KCOV_MODE_TRACE_PC = 2,
/* Collecting comparison operands mode. */
KCOV_MODE_TRACE_CMP = 3,
+ /* The process owns a KCOV remote reference. */
+ KCOV_MODE_REMOTE = 4,
};
#define KCOV_IN_CTXSW (1 << 30)
--- a/kernel/kcov.c
+++ b/kernel/kcov.c
@@ -635,6 +635,7 @@ static int kcov_ioctl_locked(struct kcov
return -EINVAL;
kcov->mode = mode;
t->kcov = kcov;
+ t->kcov_mode = KCOV_MODE_REMOTE;
kcov->t = t;
kcov->remote = true;
kcov->remote_size = remote_arg->area_size;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 227/356] tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 226/356] kcov: dont lose track of remote references during softirqs Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 228/356] i2c: ocores: set IACK bit after core is enabled Greg Kroah-Hartman
` (136 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neal Cardwell, Yuchung Cheng,
Eric Dumazet, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 9e046bb111f13461d3f9331e24e974324245140e upstream.
Some applications were reporting ETIMEDOUT errors on apparently
good looking flows, according to packet dumps.
We were able to root cause the issue to an accidental setting
of tp->retrans_stamp in the following scenario:
- client sends TFO SYN with data.
- server has TFO disabled, ACKs only SYN but not payload.
- client receives SYNACK covering only SYN.
- tcp_ack() eats SYN and sets tp->retrans_stamp to 0.
- tcp_rcv_fastopen_synack() calls tcp_xmit_retransmit_queue()
to retransmit TFO payload w/o SYN, sets tp->retrans_stamp to "now",
but we are not in any loss recovery state.
- TFO payload is ACKed.
- we are not in any loss recovery state, and don't see any dupacks,
so we don't get to any code path that clears tp->retrans_stamp.
- tp->retrans_stamp stays non-zero for the lifetime of the connection.
- after first RTO, tcp_clamp_rto_to_user_timeout() clamps second RTO
to 1 jiffy due to bogus tp->retrans_stamp.
- on clamped RTO with non-zero icsk_retransmits, retransmits_timed_out()
sets start_ts from tp->retrans_stamp from TFO payload retransmit
hours/days ago, and computes bogus long elapsed time for loss recovery,
and suffers ETIMEDOUT early.
Fixes: a7abf3cd76e1 ("tcp: consider using standard rtx logic in tcp_rcv_fastopen_synack()")
CC: stable@vger.kernel.org
Co-developed-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Co-developed-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240614130615.396837-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_input.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6104,6 +6104,7 @@ static bool tcp_rcv_fastopen_synack(stru
skb_rbtree_walk_from(data)
tcp_mark_skb_lost(sk, data);
tcp_xmit_retransmit_queue(sk);
+ tp->retrans_stamp = 0;
NET_INC_STATS(sock_net(sk),
LINUX_MIB_TCPFASTOPENACTIVEFAIL);
return true;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 228/356] i2c: ocores: set IACK bit after core is enabled
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 227/356] tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack() Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 229/356] dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema Greg Kroah-Hartman
` (135 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Grygorii Tertychnyi, Peter Korsgaard,
Andi Shyti
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Grygorii Tertychnyi <grembeter@gmail.com>
commit 5a72477273066b5b357801ab2d315ef14949d402 upstream.
Setting IACK bit when core is disabled does not clear the "Interrupt Flag"
bit in the status register, and the interrupt remains pending.
Sometimes it causes failure for the very first message transfer, that is
usually a device probe.
Hence, set IACK bit after core is enabled to clear pending interrupt.
Fixes: 18f98b1e3147 ("[PATCH] i2c: New bus driver for the OpenCores I2C controller")
Signed-off-by: Grygorii Tertychnyi <grygorii.tertychnyi@leica-geosystems.com>
Acked-by: Peter Korsgaard <peter@korsgaard.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-ocores.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-ocores.c
+++ b/drivers/i2c/busses/i2c-ocores.c
@@ -442,8 +442,8 @@ static int ocores_init(struct device *de
oc_setreg(i2c, OCI2C_PREHIGH, prescale >> 8);
/* Init the device */
- oc_setreg(i2c, OCI2C_CMD, OCI2C_CMD_IACK);
oc_setreg(i2c, OCI2C_CONTROL, ctrl | OCI2C_CTRL_EN);
+ oc_setreg(i2c, OCI2C_CMD, OCI2C_CMD_IACK);
return 0;
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 229/356] dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 228/356] i2c: ocores: set IACK bit after core is enabled Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 230/356] arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc Greg Kroah-Hartman
` (134 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Conor Dooley,
Andi Shyti
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 5c8cfd592bb7632200b4edac8f2c7ec892ed9d81 upstream.
The referenced i2c-controller.yaml schema is provided by dtschema
package (outside of Linux kernel), so use full path to reference it.
Cc: stable@vger.kernel.org
Fixes: 1acd4577a66f ("dt-bindings: i2c: convert i2c-cros-ec-tunnel to json-schema")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml
+++ b/Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml
@@ -22,7 +22,7 @@ description: |
google,cros-ec-spi or google,cros-ec-i2c.
allOf:
- - $ref: i2c-controller.yaml#
+ - $ref: /schemas/i2c/i2c-controller.yaml#
properties:
compatible:
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 230/356] arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 229/356] dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 231/356] drm/amd/display: revert Exit idle optimizations before HDCP execution Greg Kroah-Hartman
` (133 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Shawn Guo
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
commit dfd239a039b3581ca25f932e66b6e2c2bf77c798 upstream.
The gpio in "reg_usdhc2_vmmc" should be 7 instead of 19.
Cc: stable@vger.kernel.org
Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support")
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
@@ -32,7 +32,7 @@
regulator-name = "SD1_SPWR";
regulator-min-microvolt = <3000000>;
regulator-max-microvolt = <3000000>;
- gpio = <&lsio_gpio4 19 GPIO_ACTIVE_HIGH>;
+ gpio = <&lsio_gpio4 7 GPIO_ACTIVE_HIGH>;
enable-active-high;
};
};
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 231/356] drm/amd/display: revert Exit idle optimizations before HDCP execution
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 230/356] arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 232/356] perf: script: add raw|disasm arguments to --insn-trace option Greg Kroah-Hartman
` (132 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Nicholas Kazlauskas, Wayne Lin, Martin Leung, Daniel Wheeler
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Leung <martin.leung@amd.com>
commit f2703a3596a279b0be6eeed4c500bdbaa8dc3ce4 upstream.
why and how:
causes black screen on PNP on DCN 3.5
This reverts commit f30a3bea92bd ("drm/amd/display: Exit idle
optimizations before HDCP execution")
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Acked-by: Wayne Lin <wayne.lin@amd.com>
Signed-off-by: Martin Leung <martin.leung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c | 10 ----------
drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h | 8 --------
2 files changed, 18 deletions(-)
--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
@@ -88,14 +88,6 @@ static uint8_t is_cp_desired_hdcp2(struc
!hdcp->connection.is_hdcp2_revoked;
}
-static void exit_idle_optimizations(struct mod_hdcp *hdcp)
-{
- struct mod_hdcp_dm *dm = &hdcp->config.dm;
-
- if (dm->funcs.exit_idle_optimizations)
- dm->funcs.exit_idle_optimizations(dm->handle);
-}
-
static enum mod_hdcp_status execution(struct mod_hdcp *hdcp,
struct mod_hdcp_event_context *event_ctx,
union mod_hdcp_transition_input *input)
@@ -515,8 +507,6 @@ enum mod_hdcp_status mod_hdcp_process_ev
memset(&event_ctx, 0, sizeof(struct mod_hdcp_event_context));
event_ctx.event = event;
- exit_idle_optimizations(hdcp);
-
/* execute and transition */
exec_status = execution(hdcp, &event_ctx, &hdcp->auth.trans_input);
trans_status = transition(
--- a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h
+++ b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h
@@ -154,13 +154,6 @@ struct mod_hdcp_ddc {
} funcs;
};
-struct mod_hdcp_dm {
- void *handle;
- struct {
- void (*exit_idle_optimizations)(void *handle);
- } funcs;
-};
-
struct mod_hdcp_psp {
void *handle;
void *funcs;
@@ -276,7 +269,6 @@ struct mod_hdcp_display_query {
struct mod_hdcp_config {
struct mod_hdcp_psp psp;
struct mod_hdcp_ddc ddc;
- struct mod_hdcp_dm dm;
uint8_t index;
};
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 232/356] perf: script: add raw|disasm arguments to --insn-trace option
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 231/356] drm/amd/display: revert Exit idle optimizations before HDCP execution Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 233/356] perf script: Show also errors for " Greg Kroah-Hartman
` (131 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Changbin Du, Adrian Hunter,
changbin.du, Thomas Richter, Andi Kleen, Namhyung Kim,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Changbin Du <changbin.du@huawei.com>
[ Upstream commit 6750ba4b6442fa5ea4bf5c0e4b4ff8b0249ef71d ]
Now '--insn-trace' accept a argument to specify the output format:
- raw: display raw instructions.
- disasm: display mnemonic instructions (if capstone is installed).
$ sudo perf script --insn-trace=raw
ls 1443864 [006] 2275506.209908875: 7f216b426100 _start+0x0 (/usr/lib/x86_64-linux-gnu/ld-2.31.so) insn: 48 89 e7
ls 1443864 [006] 2275506.209908875: 7f216b426103 _start+0x3 (/usr/lib/x86_64-linux-gnu/ld-2.31.so) insn: e8 e8 0c 00 00
ls 1443864 [006] 2275506.209908875: 7f216b426df0 _dl_start+0x0 (/usr/lib/x86_64-linux-gnu/ld-2.31.so) insn: f3 0f 1e fa
$ sudo perf script --insn-trace=disasm
ls 1443864 [006] 2275506.209908875: 7f216b426100 _start+0x0 (/usr/lib/x86_64-linux-gnu/ld-2.31.so) movq %rsp, %rdi
ls 1443864 [006] 2275506.209908875: 7f216b426103 _start+0x3 (/usr/lib/x86_64-linux-gnu/ld-2.31.so) callq _dl_start+0x0
ls 1443864 [006] 2275506.209908875: 7f216b426df0 _dl_start+0x0 (/usr/lib/x86_64-linux-gnu/ld-2.31.so) illegal instruction
ls 1443864 [006] 2275506.209908875: 7f216b426df4 _dl_start+0x4 (/usr/lib/x86_64-linux-gnu/ld-2.31.so) pushq %rbp
ls 1443864 [006] 2275506.209908875: 7f216b426df5 _dl_start+0x5 (/usr/lib/x86_64-linux-gnu/ld-2.31.so) movq %rsp, %rbp
ls 1443864 [006] 2275506.209908875: 7f216b426df8 _dl_start+0x8 (/usr/lib/x86_64-linux-gnu/ld-2.31.so) pushq %r15
Signed-off-by: Changbin Du <changbin.du@huawei.com>
Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: changbin.du@gmail.com
Cc: Thomas Richter <tmricht@linux.ibm.com>
Cc: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/20240217074046.4100789-5-changbin.du@huawei.com
Stable-dep-of: d4a98b45fbe6 ("perf script: Show also errors for --insn-trace option")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/Documentation/perf-script.txt | 7 ++++---
tools/perf/builtin-script.c | 22 ++++++++++++++++++----
2 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/tools/perf/Documentation/perf-script.txt b/tools/perf/Documentation/perf-script.txt
index c80515243560c..fa6a78c472bc1 100644
--- a/tools/perf/Documentation/perf-script.txt
+++ b/tools/perf/Documentation/perf-script.txt
@@ -423,9 +423,10 @@ include::itrace.txt[]
will be printed. Each entry has function name and file/line. Enabled by
default, disable with --no-inline.
---insn-trace::
- Show instruction stream for intel_pt traces. Combine with --xed to
- show disassembly.
+--insn-trace[=<raw|disasm>]::
+ Show instruction stream in bytes (raw) or disassembled (disasm)
+ for intel_pt traces. The default is 'raw'. To use xed, combine
+ 'raw' with --xed to show disassembly done by xed.
--xed::
Run xed disassembler on output. Requires installing the xed disassembler.
diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
index 34e809c934d72..45ccce87d1223 100644
--- a/tools/perf/builtin-script.c
+++ b/tools/perf/builtin-script.c
@@ -3585,10 +3585,24 @@ static int perf_script__process_auxtrace_info(struct perf_session *session,
#endif
static int parse_insn_trace(const struct option *opt __maybe_unused,
- const char *str __maybe_unused,
- int unset __maybe_unused)
+ const char *str, int unset __maybe_unused)
{
- parse_output_fields(NULL, "+insn,-event,-period", 0);
+ const char *fields = "+insn,-event,-period";
+ int ret;
+
+ if (str) {
+ if (strcmp(str, "disasm") == 0)
+ fields = "+disasm,-event,-period";
+ else if (strlen(str) != 0 && strcmp(str, "raw") != 0) {
+ fprintf(stderr, "Only accept raw|disasm\n");
+ return -EINVAL;
+ }
+ }
+
+ ret = parse_output_fields(NULL, fields, 0);
+ if (ret < 0)
+ return ret;
+
itrace_parse_synth_opts(opt, "i0ns", 0);
symbol_conf.nanosecs = true;
return 0;
@@ -3728,7 +3742,7 @@ int cmd_script(int argc, const char **argv)
"only consider these symbols"),
OPT_INTEGER(0, "addr-range", &symbol_conf.addr_range,
"Use with -S to list traced records within address range"),
- OPT_CALLBACK_OPTARG(0, "insn-trace", &itrace_synth_opts, NULL, NULL,
+ OPT_CALLBACK_OPTARG(0, "insn-trace", &itrace_synth_opts, NULL, "raw|disasm",
"Decode instructions from itrace", parse_insn_trace),
OPT_CALLBACK_OPTARG(0, "xed", NULL, NULL, NULL,
"Run xed disassembler on output", parse_xed),
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 233/356] perf script: Show also errors for --insn-trace option
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 232/356] perf: script: add raw|disasm arguments to --insn-trace option Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 234/356] ARM: dts: samsung: smdkv310: fix keypad no-autorepeat Greg Kroah-Hartman
` (130 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andi Kleen, Adrian Hunter,
Ian Rogers, Jiri Olsa, Namhyung Kim, Arnaldo Carvalho de Melo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
[ Upstream commit d4a98b45fbe6d06f4b79ed90d0bb05ced8674c23 ]
The trace could be misleading if trace errors are not taken into
account, so display them also by adding the itrace "e" option.
Note --call-trace and --call-ret-trace already add the itrace "e"
option.
Fixes: b585ebdb5912cf14 ("perf script: Add --insn-trace for instruction decoding")
Reviewed-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240315071334.3478-1-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-script.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
index 45ccce87d1223..78ee2c2978ac3 100644
--- a/tools/perf/builtin-script.c
+++ b/tools/perf/builtin-script.c
@@ -3603,7 +3603,7 @@ static int parse_insn_trace(const struct option *opt __maybe_unused,
if (ret < 0)
return ret;
- itrace_parse_synth_opts(opt, "i0ns", 0);
+ itrace_parse_synth_opts(opt, "i0nse", 0);
symbol_conf.nanosecs = true;
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 234/356] ARM: dts: samsung: smdkv310: fix keypad no-autorepeat
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 233/356] perf script: Show also errors for " Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 235/356] ARM: dts: samsung: exynos4412-origen: " Greg Kroah-Hartman
` (129 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 87d8e522d6f5a004f0aa06c0def302df65aff296 ]
Although the Samsung SoC keypad binding defined
linux,keypad-no-autorepeat property, Linux driver never implemented it
and always used linux,input-no-autorepeat. Correct the DTS to use
property actually implemented.
This also fixes dtbs_check errors like:
exynos4210-smdkv310.dtb: keypad@100a0000: 'linux,keypad-no-autorepeat' does not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+'
Cc: <stable@vger.kernel.org>
Fixes: 0561ceabd0f1 ("ARM: dts: Add intial dts file for EXYNOS4210 SoC, SMDKV310 and ORIGEN")
Link: https://lore.kernel.org/r/20240312183105.715735-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/exynos4210-smdkv310.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/exynos4210-smdkv310.dts b/arch/arm/boot/dts/exynos4210-smdkv310.dts
index d5797a67bf48d..4cf6ee4a813fc 100644
--- a/arch/arm/boot/dts/exynos4210-smdkv310.dts
+++ b/arch/arm/boot/dts/exynos4210-smdkv310.dts
@@ -84,7 +84,7 @@
&keypad {
samsung,keypad-num-rows = <2>;
samsung,keypad-num-columns = <8>;
- linux,keypad-no-autorepeat;
+ linux,input-no-autorepeat;
wakeup-source;
pinctrl-names = "default";
pinctrl-0 = <&keypad_rows &keypad_cols>;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 235/356] ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 234/356] ARM: dts: samsung: smdkv310: fix keypad no-autorepeat Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 236/356] ARM: dts: samsung: smdk4412: " Greg Kroah-Hartman
` (128 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 88208d3cd79821117fd3fb80d9bcab618467d37b ]
Although the Samsung SoC keypad binding defined
linux,keypad-no-autorepeat property, Linux driver never implemented it
and always used linux,input-no-autorepeat. Correct the DTS to use
property actually implemented.
This also fixes dtbs_check errors like:
exynos4412-origen.dtb: keypad@100a0000: 'linux,keypad-no-autorepeat' does not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+'
Cc: <stable@vger.kernel.org>
Fixes: bd08f6277e44 ("ARM: dts: Add keypad entries to Exynos4412 based Origen")
Link: https://lore.kernel.org/r/20240312183105.715735-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/exynos4412-origen.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/exynos4412-origen.dts b/arch/arm/boot/dts/exynos4412-origen.dts
index 0acb05f0a2b7c..68ed31821a282 100644
--- a/arch/arm/boot/dts/exynos4412-origen.dts
+++ b/arch/arm/boot/dts/exynos4412-origen.dts
@@ -448,7 +448,7 @@
&keypad {
samsung,keypad-num-rows = <3>;
samsung,keypad-num-columns = <2>;
- linux,keypad-no-autorepeat;
+ linux,input-no-autorepeat;
wakeup-source;
pinctrl-0 = <&keypad_rows &keypad_cols>;
pinctrl-names = "default";
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 236/356] ARM: dts: samsung: smdk4412: fix keypad no-autorepeat
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 235/356] ARM: dts: samsung: exynos4412-origen: " Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 237/356] rtlwifi: rtl8192de: Style clean-ups Greg Kroah-Hartman
` (127 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 4ac4c1d794e7ff454d191bbdab7585ed8dbf3758 ]
Although the Samsung SoC keypad binding defined
linux,keypad-no-autorepeat property, Linux driver never implemented it
and always used linux,input-no-autorepeat. Correct the DTS to use
property actually implemented.
This also fixes dtbs_check errors like:
exynos4412-smdk4412.dtb: keypad@100a0000: 'key-A', 'key-B', 'key-C', 'key-D', 'key-E', 'linux,keypad-no-autorepeat' do not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+'
Cc: <stable@vger.kernel.org>
Fixes: c9b92dd70107 ("ARM: dts: Add keypad entries to SMDK4412")
Link: https://lore.kernel.org/r/20240312183105.715735-3-krzysztof.kozlowski@linaro.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/exynos4412-smdk4412.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/exynos4412-smdk4412.dts b/arch/arm/boot/dts/exynos4412-smdk4412.dts
index cc99b955af0c8..deebed6ea0031 100644
--- a/arch/arm/boot/dts/exynos4412-smdk4412.dts
+++ b/arch/arm/boot/dts/exynos4412-smdk4412.dts
@@ -65,7 +65,7 @@
&keypad {
samsung,keypad-num-rows = <3>;
samsung,keypad-num-columns = <8>;
- linux,keypad-no-autorepeat;
+ linux,input-no-autorepeat;
wakeup-source;
pinctrl-0 = <&keypad_rows &keypad_cols>;
pinctrl-names = "default";
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 237/356] rtlwifi: rtl8192de: Style clean-ups
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 236/356] ARM: dts: samsung: smdk4412: " Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 238/356] wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power Greg Kroah-Hartman
` (126 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ping-Ke Shih, Kees Cook, Kalle Valo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 69831173fcbbfebb7aa2d76523deaf0b87b8eddd ]
Clean up some style issues:
- Use ARRAY_SIZE() even though it's a u8 array.
- Remove redundant CHANNEL_MAX_NUMBER_2G define.
Additionally fix some dead code WARNs.
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://lore.kernel.org/lkml/57d0d1b6064342309f680f692192556c@realtek.com/
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211119192233.1021063-1-keescook@chromium.org
Stable-dep-of: de4d4be4fa64 ("wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../wireless/realtek/rtlwifi/rtl8192de/phy.c | 17 +++++++----------
drivers/net/wireless/realtek/rtlwifi/wifi.h | 1 -
2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
index c3c07ca77614a..d835a27429f0f 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
@@ -892,7 +892,7 @@ static u8 _rtl92c_phy_get_rightchnlplace(u8 chnl)
u8 place = chnl;
if (chnl > 14) {
- for (place = 14; place < sizeof(channel5g); place++) {
+ for (place = 14; place < ARRAY_SIZE(channel5g); place++) {
if (channel5g[place] == chnl) {
place++;
break;
@@ -1359,7 +1359,7 @@ u8 rtl92d_get_rightchnlplace_for_iqk(u8 chnl)
u8 place;
if (chnl > 14) {
- for (place = 14; place < sizeof(channel_all); place++) {
+ for (place = 14; place < ARRAY_SIZE(channel_all); place++) {
if (channel_all[place] == chnl)
return place - 13;
}
@@ -2417,7 +2417,7 @@ static bool _rtl92d_is_legal_5g_channel(struct ieee80211_hw *hw, u8 channel)
int i;
- for (i = 0; i < sizeof(channel5g); i++)
+ for (i = 0; i < ARRAY_SIZE(channel5g); i++)
if (channel == channel5g[i])
return true;
return false;
@@ -2681,9 +2681,8 @@ void rtl92d_phy_reset_iqk_result(struct ieee80211_hw *hw)
u8 i;
rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD,
- "settings regs %d default regs %d\n",
- (int)(sizeof(rtlphy->iqk_matrix) /
- sizeof(struct iqk_matrix_regs)),
+ "settings regs %zu default regs %d\n",
+ ARRAY_SIZE(rtlphy->iqk_matrix),
IQK_MATRIX_REG_NUM);
/* 0xe94, 0xe9c, 0xea4, 0xeac, 0xeb4, 0xebc, 0xec4, 0xecc */
for (i = 0; i < IQK_MATRIX_SETTINGS_NUM; i++) {
@@ -2850,16 +2849,14 @@ u8 rtl92d_phy_sw_chnl(struct ieee80211_hw *hw)
case BAND_ON_5G:
/* Get first channel error when change between
* 5G and 2.4G band. */
- if (channel <= 14)
+ if (WARN_ONCE(channel <= 14, "rtl8192de: 5G but channel<=14\n"))
return 0;
- WARN_ONCE((channel <= 14), "rtl8192de: 5G but channel<=14\n");
break;
case BAND_ON_2_4G:
/* Get first channel error when change between
* 5G and 2.4G band. */
- if (channel > 14)
+ if (WARN_ONCE(channel > 14, "rtl8192de: 2G but channel>14\n"))
return 0;
- WARN_ONCE((channel > 14), "rtl8192de: 2G but channel>14\n");
break;
default:
WARN_ONCE(true, "rtl8192de: Invalid WirelessMode(%#x)!!\n",
diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
index a1f223c8848b9..0bac788ccd6e3 100644
--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
@@ -108,7 +108,6 @@
#define CHANNEL_GROUP_IDX_5GM 6
#define CHANNEL_GROUP_IDX_5GH 9
#define CHANNEL_GROUP_MAX_5G 9
-#define CHANNEL_MAX_NUMBER_2G 14
#define AVG_THERMAL_NUM 8
#define AVG_THERMAL_NUM_88E 4
#define AVG_THERMAL_NUM_8723BE 4
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 238/356] wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 237/356] rtlwifi: rtl8192de: Style clean-ups Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 239/356] pmdomain: ti-sci: Fix duplicate PD referrals Greg Kroah-Hartman
` (125 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
[ Upstream commit de4d4be4fa64ed7b4aa1c613061015bd8fa98b24 ]
Different channels have different TX power settings. rtl8192de is using
the TX power setting from the wrong channel in the 5 GHz band because
_rtl92c_phy_get_rightchnlplace expects an array which includes all the
channel numbers, but it's using an array which includes only the 5 GHz
channel numbers.
Use the array channel_all (defined in rtl8192de/phy.c) instead of
the incorrect channel5g (defined in core.c).
Tested only with rtl8192du, which will use the same TX power code.
Cc: stable@vger.kernel.org
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://msgid.link/c7653517-cf88-4f57-b79a-8edb0a8b32f0@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
index d835a27429f0f..56b5cd032a9ac 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
@@ -892,8 +892,8 @@ static u8 _rtl92c_phy_get_rightchnlplace(u8 chnl)
u8 place = chnl;
if (chnl > 14) {
- for (place = 14; place < ARRAY_SIZE(channel5g); place++) {
- if (channel5g[place] == chnl) {
+ for (place = 14; place < ARRAY_SIZE(channel_all); place++) {
+ if (channel_all[place] == chnl) {
place++;
break;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 239/356] pmdomain: ti-sci: Fix duplicate PD referrals
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 238/356] wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 240/356] bcache: fix variable length array abuse in btree_iter Greg Kroah-Hartman
` (124 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomi Valkeinen, Ulf Hansson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
[ Upstream commit 670c900f69645db394efb38934b3344d8804171a ]
When the dts file has multiple referrers to a single PD (e.g.
simple-framebuffer and dss nodes both point to the DSS power-domain) the
ti-sci driver will create two power domains, both with the same ID, and
that will cause problems as one of the power domains will hide the other
one.
Fix this checking if a PD with the ID has already been created, and only
create a PD for new IDs.
Fixes: efa5c01cd7ee ("soc: ti: ti_sci_pm_domains: switch to use multiple genpds instead of one")
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240415-ti-sci-pd-v1-1-a0e56b8ad897@ideasonboard.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/ti/ti_sci_pm_domains.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/drivers/soc/ti/ti_sci_pm_domains.c b/drivers/soc/ti/ti_sci_pm_domains.c
index a33ec7eaf23d1..17984a7bffba5 100644
--- a/drivers/soc/ti/ti_sci_pm_domains.c
+++ b/drivers/soc/ti/ti_sci_pm_domains.c
@@ -114,6 +114,18 @@ static const struct of_device_id ti_sci_pm_domain_matches[] = {
};
MODULE_DEVICE_TABLE(of, ti_sci_pm_domain_matches);
+static bool ti_sci_pm_idx_exists(struct ti_sci_genpd_provider *pd_provider, u32 idx)
+{
+ struct ti_sci_pm_domain *pd;
+
+ list_for_each_entry(pd, &pd_provider->pd_list, node) {
+ if (pd->idx == idx)
+ return true;
+ }
+
+ return false;
+}
+
static int ti_sci_pm_domain_probe(struct platform_device *pdev)
{
struct device *dev = &pdev->dev;
@@ -153,8 +165,14 @@ static int ti_sci_pm_domain_probe(struct platform_device *pdev)
break;
if (args.args_count >= 1 && args.np == dev->of_node) {
- if (args.args[0] > max_id)
+ if (args.args[0] > max_id) {
max_id = args.args[0];
+ } else {
+ if (ti_sci_pm_idx_exists(pd_provider, args.args[0])) {
+ index++;
+ continue;
+ }
+ }
pd = devm_kzalloc(dev, sizeof(*pd), GFP_KERNEL);
if (!pd)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 240/356] bcache: fix variable length array abuse in btree_iter
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 239/356] pmdomain: ti-sci: Fix duplicate PD referrals Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 241/356] tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test Greg Kroah-Hartman
` (123 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Mirvish, Coly Li, Jens Axboe,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Mirvish <matthew@mm12.xyz>
[ Upstream commit 3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31 ]
btree_iter is used in two ways: either allocated on the stack with a
fixed size MAX_BSETS, or from a mempool with a dynamic size based on the
specific cache set. Previously, the struct had a fixed-length array of
size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized
iterators, which causes UBSAN to complain.
This patch uses the same approach as in bcachefs's sort_iter and splits
the iterator into a btree_iter with a flexible array member and a
btree_iter_stack which embeds a btree_iter as well as a fixed-length
data array.
Cc: stable@vger.kernel.org
Closes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2039368
Signed-off-by: Matthew Mirvish <matthew@mm12.xyz>
Signed-off-by: Coly Li <colyli@suse.de>
Link: https://lore.kernel.org/r/20240509011117.2697-3-colyli@suse.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/bcache/bset.c | 44 +++++++++++++++++------------------
drivers/md/bcache/bset.h | 28 ++++++++++++++--------
drivers/md/bcache/btree.c | 40 ++++++++++++++++---------------
drivers/md/bcache/super.c | 5 ++--
drivers/md/bcache/sysfs.c | 2 +-
drivers/md/bcache/writeback.c | 10 ++++----
6 files changed, 70 insertions(+), 59 deletions(-)
diff --git a/drivers/md/bcache/bset.c b/drivers/md/bcache/bset.c
index 94d38e8a59b32..cb544207427b1 100644
--- a/drivers/md/bcache/bset.c
+++ b/drivers/md/bcache/bset.c
@@ -54,7 +54,7 @@ void bch_dump_bucket(struct btree_keys *b)
int __bch_count_data(struct btree_keys *b)
{
unsigned int ret = 0;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
struct bkey *k;
if (b->ops->is_extents)
@@ -67,7 +67,7 @@ void __bch_check_keys(struct btree_keys *b, const char *fmt, ...)
{
va_list args;
struct bkey *k, *p = NULL;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
const char *err;
for_each_key(b, k, &iter) {
@@ -879,7 +879,7 @@ unsigned int bch_btree_insert_key(struct btree_keys *b, struct bkey *k,
unsigned int status = BTREE_INSERT_STATUS_NO_INSERT;
struct bset *i = bset_tree_last(b)->data;
struct bkey *m, *prev = NULL;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
struct bkey preceding_key_on_stack = ZERO_KEY;
struct bkey *preceding_key_p = &preceding_key_on_stack;
@@ -895,9 +895,9 @@ unsigned int bch_btree_insert_key(struct btree_keys *b, struct bkey *k,
else
preceding_key(k, &preceding_key_p);
- m = bch_btree_iter_init(b, &iter, preceding_key_p);
+ m = bch_btree_iter_stack_init(b, &iter, preceding_key_p);
- if (b->ops->insert_fixup(b, k, &iter, replace_key))
+ if (b->ops->insert_fixup(b, k, &iter.iter, replace_key))
return status;
status = BTREE_INSERT_STATUS_INSERT;
@@ -1100,33 +1100,33 @@ void bch_btree_iter_push(struct btree_iter *iter, struct bkey *k,
btree_iter_cmp));
}
-static struct bkey *__bch_btree_iter_init(struct btree_keys *b,
- struct btree_iter *iter,
- struct bkey *search,
- struct bset_tree *start)
+static struct bkey *__bch_btree_iter_stack_init(struct btree_keys *b,
+ struct btree_iter_stack *iter,
+ struct bkey *search,
+ struct bset_tree *start)
{
struct bkey *ret = NULL;
- iter->size = ARRAY_SIZE(iter->data);
- iter->used = 0;
+ iter->iter.size = ARRAY_SIZE(iter->stack_data);
+ iter->iter.used = 0;
#ifdef CONFIG_BCACHE_DEBUG
- iter->b = b;
+ iter->iter.b = b;
#endif
for (; start <= bset_tree_last(b); start++) {
ret = bch_bset_search(b, start, search);
- bch_btree_iter_push(iter, ret, bset_bkey_last(start->data));
+ bch_btree_iter_push(&iter->iter, ret, bset_bkey_last(start->data));
}
return ret;
}
-struct bkey *bch_btree_iter_init(struct btree_keys *b,
- struct btree_iter *iter,
+struct bkey *bch_btree_iter_stack_init(struct btree_keys *b,
+ struct btree_iter_stack *iter,
struct bkey *search)
{
- return __bch_btree_iter_init(b, iter, search, b->set);
+ return __bch_btree_iter_stack_init(b, iter, search, b->set);
}
static inline struct bkey *__bch_btree_iter_next(struct btree_iter *iter,
@@ -1293,10 +1293,10 @@ void bch_btree_sort_partial(struct btree_keys *b, unsigned int start,
struct bset_sort_state *state)
{
size_t order = b->page_order, keys = 0;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
int oldsize = bch_count_data(b);
- __bch_btree_iter_init(b, &iter, NULL, &b->set[start]);
+ __bch_btree_iter_stack_init(b, &iter, NULL, &b->set[start]);
if (start) {
unsigned int i;
@@ -1307,7 +1307,7 @@ void bch_btree_sort_partial(struct btree_keys *b, unsigned int start,
order = get_order(__set_bytes(b->set->data, keys));
}
- __btree_sort(b, &iter, start, order, false, state);
+ __btree_sort(b, &iter.iter, start, order, false, state);
EBUG_ON(oldsize >= 0 && bch_count_data(b) != oldsize);
}
@@ -1323,11 +1323,11 @@ void bch_btree_sort_into(struct btree_keys *b, struct btree_keys *new,
struct bset_sort_state *state)
{
uint64_t start_time = local_clock();
- struct btree_iter iter;
+ struct btree_iter_stack iter;
- bch_btree_iter_init(b, &iter, NULL);
+ bch_btree_iter_stack_init(b, &iter, NULL);
- btree_mergesort(b, new->set->data, &iter, false, true);
+ btree_mergesort(b, new->set->data, &iter.iter, false, true);
bch_time_stats_update(&state->time, start_time);
diff --git a/drivers/md/bcache/bset.h b/drivers/md/bcache/bset.h
index a50dcfda656f5..2ed6dbd35d6e5 100644
--- a/drivers/md/bcache/bset.h
+++ b/drivers/md/bcache/bset.h
@@ -321,7 +321,14 @@ struct btree_iter {
#endif
struct btree_iter_set {
struct bkey *k, *end;
- } data[MAX_BSETS];
+ } data[];
+};
+
+/* Fixed-size btree_iter that can be allocated on the stack */
+
+struct btree_iter_stack {
+ struct btree_iter iter;
+ struct btree_iter_set stack_data[MAX_BSETS];
};
typedef bool (*ptr_filter_fn)(struct btree_keys *b, const struct bkey *k);
@@ -333,9 +340,9 @@ struct bkey *bch_btree_iter_next_filter(struct btree_iter *iter,
void bch_btree_iter_push(struct btree_iter *iter, struct bkey *k,
struct bkey *end);
-struct bkey *bch_btree_iter_init(struct btree_keys *b,
- struct btree_iter *iter,
- struct bkey *search);
+struct bkey *bch_btree_iter_stack_init(struct btree_keys *b,
+ struct btree_iter_stack *iter,
+ struct bkey *search);
struct bkey *__bch_bset_search(struct btree_keys *b, struct bset_tree *t,
const struct bkey *search);
@@ -350,13 +357,14 @@ static inline struct bkey *bch_bset_search(struct btree_keys *b,
return search ? __bch_bset_search(b, t, search) : t->data->start;
}
-#define for_each_key_filter(b, k, iter, filter) \
- for (bch_btree_iter_init((b), (iter), NULL); \
- ((k) = bch_btree_iter_next_filter((iter), (b), filter));)
+#define for_each_key_filter(b, k, stack_iter, filter) \
+ for (bch_btree_iter_stack_init((b), (stack_iter), NULL); \
+ ((k) = bch_btree_iter_next_filter(&((stack_iter)->iter), (b), \
+ filter));)
-#define for_each_key(b, k, iter) \
- for (bch_btree_iter_init((b), (iter), NULL); \
- ((k) = bch_btree_iter_next(iter));)
+#define for_each_key(b, k, stack_iter) \
+ for (bch_btree_iter_stack_init((b), (stack_iter), NULL); \
+ ((k) = bch_btree_iter_next(&((stack_iter)->iter)));)
/* Sorting */
diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
index e22dfcf1ed6d8..066b4aafd49e5 100644
--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -1283,7 +1283,7 @@ static bool btree_gc_mark_node(struct btree *b, struct gc_stat *gc)
uint8_t stale = 0;
unsigned int keys = 0, good_keys = 0;
struct bkey *k;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
struct bset_tree *t;
gc->nodes++;
@@ -1544,7 +1544,7 @@ static int btree_gc_rewrite_node(struct btree *b, struct btree_op *op,
static unsigned int btree_gc_count_keys(struct btree *b)
{
struct bkey *k;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
unsigned int ret = 0;
for_each_key_filter(&b->keys, k, &iter, bch_ptr_bad)
@@ -1585,17 +1585,18 @@ static int btree_gc_recurse(struct btree *b, struct btree_op *op,
int ret = 0;
bool should_rewrite;
struct bkey *k;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
struct gc_merge_info r[GC_MERGE_NODES];
struct gc_merge_info *i, *last = r + ARRAY_SIZE(r) - 1;
- bch_btree_iter_init(&b->keys, &iter, &b->c->gc_done);
+ bch_btree_iter_stack_init(&b->keys, &iter, &b->c->gc_done);
for (i = r; i < r + ARRAY_SIZE(r); i++)
i->b = ERR_PTR(-EINTR);
while (1) {
- k = bch_btree_iter_next_filter(&iter, &b->keys, bch_ptr_bad);
+ k = bch_btree_iter_next_filter(&iter.iter, &b->keys,
+ bch_ptr_bad);
if (k) {
r->b = bch_btree_node_get(b->c, op, k, b->level - 1,
true, b);
@@ -1885,7 +1886,7 @@ static int bch_btree_check_recurse(struct btree *b, struct btree_op *op)
{
int ret = 0;
struct bkey *k, *p = NULL;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
for_each_key_filter(&b->keys, k, &iter, bch_ptr_invalid)
bch_initial_mark_key(b->c, b->level, k);
@@ -1893,10 +1894,10 @@ static int bch_btree_check_recurse(struct btree *b, struct btree_op *op)
bch_initial_mark_key(b->c, b->level + 1, &b->key);
if (b->level) {
- bch_btree_iter_init(&b->keys, &iter, NULL);
+ bch_btree_iter_stack_init(&b->keys, &iter, NULL);
do {
- k = bch_btree_iter_next_filter(&iter, &b->keys,
+ k = bch_btree_iter_next_filter(&iter.iter, &b->keys,
bch_ptr_bad);
if (k) {
btree_node_prefetch(b, k);
@@ -1924,7 +1925,7 @@ static int bch_btree_check_thread(void *arg)
struct btree_check_info *info = arg;
struct btree_check_state *check_state = info->state;
struct cache_set *c = check_state->c;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
struct bkey *k, *p;
int cur_idx, prev_idx, skip_nr;
@@ -1933,8 +1934,8 @@ static int bch_btree_check_thread(void *arg)
ret = 0;
/* root node keys are checked before thread created */
- bch_btree_iter_init(&c->root->keys, &iter, NULL);
- k = bch_btree_iter_next_filter(&iter, &c->root->keys, bch_ptr_bad);
+ bch_btree_iter_stack_init(&c->root->keys, &iter, NULL);
+ k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad);
BUG_ON(!k);
p = k;
@@ -1952,7 +1953,7 @@ static int bch_btree_check_thread(void *arg)
skip_nr = cur_idx - prev_idx;
while (skip_nr) {
- k = bch_btree_iter_next_filter(&iter,
+ k = bch_btree_iter_next_filter(&iter.iter,
&c->root->keys,
bch_ptr_bad);
if (k)
@@ -2025,7 +2026,7 @@ int bch_btree_check(struct cache_set *c)
int ret = 0;
int i;
struct bkey *k = NULL;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
struct btree_check_state check_state;
/* check and mark root node keys */
@@ -2521,11 +2522,11 @@ static int bch_btree_map_nodes_recurse(struct btree *b, struct btree_op *op,
if (b->level) {
struct bkey *k;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
- bch_btree_iter_init(&b->keys, &iter, from);
+ bch_btree_iter_stack_init(&b->keys, &iter, from);
- while ((k = bch_btree_iter_next_filter(&iter, &b->keys,
+ while ((k = bch_btree_iter_next_filter(&iter.iter, &b->keys,
bch_ptr_bad))) {
ret = bcache_btree(map_nodes_recurse, k, b,
op, from, fn, flags);
@@ -2554,11 +2555,12 @@ int bch_btree_map_keys_recurse(struct btree *b, struct btree_op *op,
{
int ret = MAP_CONTINUE;
struct bkey *k;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
- bch_btree_iter_init(&b->keys, &iter, from);
+ bch_btree_iter_stack_init(&b->keys, &iter, from);
- while ((k = bch_btree_iter_next_filter(&iter, &b->keys, bch_ptr_bad))) {
+ while ((k = bch_btree_iter_next_filter(&iter.iter, &b->keys,
+ bch_ptr_bad))) {
ret = !b->level
? fn(op, b, k)
: bcache_btree(map_keys_recurse, k,
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 8ec48d8a5821c..48624e6bf0d79 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1920,8 +1920,9 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
INIT_LIST_HEAD(&c->btree_cache_freed);
INIT_LIST_HEAD(&c->data_buckets);
- iter_size = ((meta_bucket_pages(sb) * PAGE_SECTORS) / sb->block_size + 1) *
- sizeof(struct btree_iter_set);
+ iter_size = sizeof(struct btree_iter) +
+ ((meta_bucket_pages(sb) * PAGE_SECTORS) / sb->block_size) *
+ sizeof(struct btree_iter_set);
c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL);
if (!c->devices)
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index fa146012003df..7024eaed8d486 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -658,7 +658,7 @@ static unsigned int bch_root_usage(struct cache_set *c)
unsigned int bytes = 0;
struct bkey *k;
struct btree *b;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
goto lock_root;
diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c
index 1e96679afcf4a..142eaf0ff9aea 100644
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -898,15 +898,15 @@ static int bch_dirty_init_thread(void *arg)
struct dirty_init_thrd_info *info = arg;
struct bch_dirty_init_state *state = info->state;
struct cache_set *c = state->c;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
struct bkey *k, *p;
int cur_idx, prev_idx, skip_nr;
k = p = NULL;
prev_idx = 0;
- bch_btree_iter_init(&c->root->keys, &iter, NULL);
- k = bch_btree_iter_next_filter(&iter, &c->root->keys, bch_ptr_bad);
+ bch_btree_iter_stack_init(&c->root->keys, &iter, NULL);
+ k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad);
BUG_ON(!k);
p = k;
@@ -920,7 +920,7 @@ static int bch_dirty_init_thread(void *arg)
skip_nr = cur_idx - prev_idx;
while (skip_nr) {
- k = bch_btree_iter_next_filter(&iter,
+ k = bch_btree_iter_next_filter(&iter.iter,
&c->root->keys,
bch_ptr_bad);
if (k)
@@ -969,7 +969,7 @@ void bch_sectors_dirty_init(struct bcache_device *d)
int i;
struct btree *b = NULL;
struct bkey *k = NULL;
- struct btree_iter iter;
+ struct btree_iter_stack iter;
struct sectors_dirty_init op;
struct cache_set *c = d->c;
struct bch_dirty_init_state state;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 241/356] tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 240/356] bcache: fix variable length array abuse in btree_iter Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 242/356] x86/cpu/vfm: Add new macros to work with (vendor/family/model) values Greg Kroah-Hartman
` (122 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers,
Masami Hiramatsu (Google), Jeff Johnson, Steven Rostedt (Google),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Johnson <quic_jjohnson@quicinc.com>
[ Upstream commit 23748e3e0fbfe471eff5ce439921629f6a427828 ]
Fix the 'make W=1' warning:
WARNING: modpost: missing MODULE_DESCRIPTION() in kernel/trace/preemptirq_delay_test.o
Link: https://lore.kernel.org/linux-trace-kernel/20240518-md-preemptirq_delay_test-v1-1-387d11b30d85@quicinc.com
Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes: f96e8577da10 ("lib: Add module for testing preemptoff/irqsoff latency tracers")
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/preemptirq_delay_test.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/trace/preemptirq_delay_test.c b/kernel/trace/preemptirq_delay_test.c
index 8c4ffd0761624..cb0871fbdb07f 100644
--- a/kernel/trace/preemptirq_delay_test.c
+++ b/kernel/trace/preemptirq_delay_test.c
@@ -215,4 +215,5 @@ static void __exit preemptirq_delay_exit(void)
module_init(preemptirq_delay_init)
module_exit(preemptirq_delay_exit)
+MODULE_DESCRIPTION("Preempt / IRQ disable delay thread to test latency tracers");
MODULE_LICENSE("GPL v2");
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 242/356] x86/cpu/vfm: Add new macros to work with (vendor/family/model) values
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 241/356] tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 243/356] x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL Greg Kroah-Hartman
` (121 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Luck, Borislav Petkov (AMD),
Thomas Gleixner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Luck <tony.luck@intel.com>
[ Upstream commit e6dfdc2e89a0adedf455814c91b977d6a584cc88 ]
To avoid adding a slew of new macros for each new Intel CPU family
switch over from providing CPU model number #defines to a new
scheme that encodes vendor, family, and model in a single number.
[ bp: s/casted/cast/g ]
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20240416211941.9369-3-tony.luck@intel.com
Stable-dep-of: 93022482b294 ("x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/cpu_device_id.h | 93 ++++++++++++++++++++++++++++
1 file changed, 93 insertions(+)
diff --git a/arch/x86/include/asm/cpu_device_id.h b/arch/x86/include/asm/cpu_device_id.h
index eb8fcede9e3bf..dd7b9463696f5 100644
--- a/arch/x86/include/asm/cpu_device_id.h
+++ b/arch/x86/include/asm/cpu_device_id.h
@@ -2,6 +2,39 @@
#ifndef _ASM_X86_CPU_DEVICE_ID
#define _ASM_X86_CPU_DEVICE_ID
+/*
+ * Can't use <linux/bitfield.h> because it generates expressions that
+ * cannot be used in structure initializers. Bitfield construction
+ * here must match the union in struct cpuinfo_86:
+ * union {
+ * struct {
+ * __u8 x86_model;
+ * __u8 x86;
+ * __u8 x86_vendor;
+ * __u8 x86_reserved;
+ * };
+ * __u32 x86_vfm;
+ * };
+ */
+#define VFM_MODEL_BIT 0
+#define VFM_FAMILY_BIT 8
+#define VFM_VENDOR_BIT 16
+#define VFM_RSVD_BIT 24
+
+#define VFM_MODEL_MASK GENMASK(VFM_FAMILY_BIT - 1, VFM_MODEL_BIT)
+#define VFM_FAMILY_MASK GENMASK(VFM_VENDOR_BIT - 1, VFM_FAMILY_BIT)
+#define VFM_VENDOR_MASK GENMASK(VFM_RSVD_BIT - 1, VFM_VENDOR_BIT)
+
+#define VFM_MODEL(vfm) (((vfm) & VFM_MODEL_MASK) >> VFM_MODEL_BIT)
+#define VFM_FAMILY(vfm) (((vfm) & VFM_FAMILY_MASK) >> VFM_FAMILY_BIT)
+#define VFM_VENDOR(vfm) (((vfm) & VFM_VENDOR_MASK) >> VFM_VENDOR_BIT)
+
+#define VFM_MAKE(_vendor, _family, _model) ( \
+ ((_model) << VFM_MODEL_BIT) | \
+ ((_family) << VFM_FAMILY_BIT) | \
+ ((_vendor) << VFM_VENDOR_BIT) \
+)
+
/*
* Declare drivers belonging to specific x86 CPUs
* Similar in spirit to pci_device_id and related PCI functions
@@ -49,6 +82,16 @@
.driver_data = (unsigned long) _data \
}
+#define X86_MATCH_VENDORID_FAM_MODEL_STEPPINGS_FEATURE(_vendor, _family, _model, \
+ _steppings, _feature, _data) { \
+ .vendor = _vendor, \
+ .family = _family, \
+ .model = _model, \
+ .steppings = _steppings, \
+ .feature = _feature, \
+ .driver_data = (unsigned long) _data \
+}
+
/**
* X86_MATCH_VENDOR_FAM_MODEL_FEATURE - Macro for CPU matching
* @_vendor: The vendor name, e.g. INTEL, AMD, HYGON, ..., ANY
@@ -164,6 +207,56 @@
X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE(INTEL, 6, INTEL_FAM6_##model, \
steppings, X86_FEATURE_ANY, data)
+/**
+ * X86_MATCH_VFM - Match encoded vendor/family/model
+ * @vfm: Encoded 8-bits each for vendor, family, model
+ * @data: Driver specific data or NULL. The internal storage
+ * format is unsigned long. The supplied value, pointer
+ * etc. is cast to unsigned long internally.
+ *
+ * Stepping and feature are set to wildcards
+ */
+#define X86_MATCH_VFM(vfm, data) \
+ X86_MATCH_VENDORID_FAM_MODEL_STEPPINGS_FEATURE( \
+ VFM_VENDOR(vfm), \
+ VFM_FAMILY(vfm), \
+ VFM_MODEL(vfm), \
+ X86_STEPPING_ANY, X86_FEATURE_ANY, data)
+
+/**
+ * X86_MATCH_VFM_STEPPINGS - Match encoded vendor/family/model/stepping
+ * @vfm: Encoded 8-bits each for vendor, family, model
+ * @steppings: Bitmask of steppings to match
+ * @data: Driver specific data or NULL. The internal storage
+ * format is unsigned long. The supplied value, pointer
+ * etc. is cast to unsigned long internally.
+ *
+ * feature is set to wildcard
+ */
+#define X86_MATCH_VFM_STEPPINGS(vfm, steppings, data) \
+ X86_MATCH_VENDORID_FAM_MODEL_STEPPINGS_FEATURE( \
+ VFM_VENDOR(vfm), \
+ VFM_FAMILY(vfm), \
+ VFM_MODEL(vfm), \
+ steppings, X86_FEATURE_ANY, data)
+
+/**
+ * X86_MATCH_VFM_FEATURE - Match encoded vendor/family/model/feature
+ * @vfm: Encoded 8-bits each for vendor, family, model
+ * @feature: A X86_FEATURE bit
+ * @data: Driver specific data or NULL. The internal storage
+ * format is unsigned long. The supplied value, pointer
+ * etc. is cast to unsigned long internally.
+ *
+ * Steppings is set to wildcard
+ */
+#define X86_MATCH_VFM_FEATURE(vfm, feature, data) \
+ X86_MATCH_VENDORID_FAM_MODEL_STEPPINGS_FEATURE( \
+ VFM_VENDOR(vfm), \
+ VFM_FAMILY(vfm), \
+ VFM_MODEL(vfm), \
+ X86_STEPPING_ANY, feature, data)
+
/*
* Match specific microcode revisions.
*
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 243/356] x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 242/356] x86/cpu/vfm: Add new macros to work with (vendor/family/model) values Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 244/356] ksmbd: ignore trailing slashes in share paths Greg Kroah-Hartman
` (120 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Borislav Petkov,
Tony Luck, Sasha Levin, stable+noautosel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Luck <tony.luck@intel.com>
[ Upstream commit 93022482b2948a9a7e9b5a2bb685f2e1cb4c3348 ]
Code in v6.9 arch/x86/kernel/smpboot.c was changed by commit
4db64279bc2b ("x86/cpu: Switch to new Intel CPU model defines") from:
static const struct x86_cpu_id intel_cod_cpu[] = {
X86_MATCH_INTEL_FAM6_MODEL(HASWELL_X, 0), /* COD */
X86_MATCH_INTEL_FAM6_MODEL(BROADWELL_X, 0), /* COD */
X86_MATCH_INTEL_FAM6_MODEL(ANY, 1), /* SNC */ <--- 443
{}
};
static bool match_llc(struct cpuinfo_x86 *c, struct cpuinfo_x86 *o)
{
const struct x86_cpu_id *id = x86_match_cpu(intel_cod_cpu);
to:
static const struct x86_cpu_id intel_cod_cpu[] = {
X86_MATCH_VFM(INTEL_HASWELL_X, 0), /* COD */
X86_MATCH_VFM(INTEL_BROADWELL_X, 0), /* COD */
X86_MATCH_VFM(INTEL_ANY, 1), /* SNC */
{}
};
static bool match_llc(struct cpuinfo_x86 *c, struct cpuinfo_x86 *o)
{
const struct x86_cpu_id *id = x86_match_cpu(intel_cod_cpu);
On an Intel CPU with SNC enabled this code previously matched the rule on line
443 to avoid printing messages about insane cache configuration. The new code
did not match any rules.
Expanding the macros for the intel_cod_cpu[] array shows that the old is
equivalent to:
static const struct x86_cpu_id intel_cod_cpu[] = {
[0] = { .vendor = 0, .family = 6, .model = 0x3F, .steppings = 0, .feature = 0, .driver_data = 0 },
[1] = { .vendor = 0, .family = 6, .model = 0x4F, .steppings = 0, .feature = 0, .driver_data = 0 },
[2] = { .vendor = 0, .family = 6, .model = 0x00, .steppings = 0, .feature = 0, .driver_data = 1 },
[3] = { .vendor = 0, .family = 0, .model = 0x00, .steppings = 0, .feature = 0, .driver_data = 0 }
}
while the new code expands to:
static const struct x86_cpu_id intel_cod_cpu[] = {
[0] = { .vendor = 0, .family = 6, .model = 0x3F, .steppings = 0, .feature = 0, .driver_data = 0 },
[1] = { .vendor = 0, .family = 6, .model = 0x4F, .steppings = 0, .feature = 0, .driver_data = 0 },
[2] = { .vendor = 0, .family = 0, .model = 0x00, .steppings = 0, .feature = 0, .driver_data = 1 },
[3] = { .vendor = 0, .family = 0, .model = 0x00, .steppings = 0, .feature = 0, .driver_data = 0 }
}
Looking at the code for x86_match_cpu():
const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match)
{
const struct x86_cpu_id *m;
struct cpuinfo_x86 *c = &boot_cpu_data;
for (m = match;
m->vendor | m->family | m->model | m->steppings | m->feature;
m++) {
...
}
return NULL;
it is clear that there was no match because the ANY entry in the table (array
index 2) is now the loop termination condition (all of vendor, family, model,
steppings, and feature are zero).
So this code was working before because the "ANY" check was looking for any
Intel CPU in family 6. But fails now because the family is a wild card. So the
root cause is that x86_match_cpu() has never been able to match on a rule with
just X86_VENDOR_INTEL and all other fields set to wildcards.
Add a new flags field to struct x86_cpu_id that has a bit set to indicate that
this entry in the array is valid. Update X86_MATCH*() macros to set that bit.
Change the end-marker check in x86_match_cpu() to just check the flags field
for this bit.
Backporter notes: The commit in Fixes is really the one that is broken:
you can't have m->vendor as part of the loop termination conditional in
x86_match_cpu() because it can happen - as it has happened above
- that that whole conditional is 0 albeit vendor == 0 is a valid case
- X86_VENDOR_INTEL is 0.
However, the only case where the above happens is the SNC check added by
4db64279bc2b1 so you only need this fix if you have backported that
other commit
4db64279bc2b ("x86/cpu: Switch to new Intel CPU model defines")
Fixes: 644e9cbbe3fc ("Add driver auto probing for x86 features v4")
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Suggested-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: <stable+noautosel@kernel.org> # see above
Link: https://lore.kernel.org/r/20240517144312.GBZkdtAOuJZCvxhFbJ@fat_crate.local
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/cpu_device_id.h | 5 +++++
arch/x86/kernel/cpu/match.c | 4 +---
include/linux/mod_devicetable.h | 2 ++
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/arch/x86/include/asm/cpu_device_id.h b/arch/x86/include/asm/cpu_device_id.h
index dd7b9463696f5..e8e3dbe7f1730 100644
--- a/arch/x86/include/asm/cpu_device_id.h
+++ b/arch/x86/include/asm/cpu_device_id.h
@@ -53,6 +53,9 @@
#define X86_CENTAUR_FAM6_C7_D 0xd
#define X86_CENTAUR_FAM6_NANO 0xf
+/* x86_cpu_id::flags */
+#define X86_CPU_ID_FLAG_ENTRY_VALID BIT(0)
+
#define X86_STEPPINGS(mins, maxs) GENMASK(maxs, mins)
/**
* X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE - Base macro for CPU matching
@@ -79,6 +82,7 @@
.model = _model, \
.steppings = _steppings, \
.feature = _feature, \
+ .flags = X86_CPU_ID_FLAG_ENTRY_VALID, \
.driver_data = (unsigned long) _data \
}
@@ -89,6 +93,7 @@
.model = _model, \
.steppings = _steppings, \
.feature = _feature, \
+ .flags = X86_CPU_ID_FLAG_ENTRY_VALID, \
.driver_data = (unsigned long) _data \
}
diff --git a/arch/x86/kernel/cpu/match.c b/arch/x86/kernel/cpu/match.c
index ad6776081e60d..ae71b8ef909c9 100644
--- a/arch/x86/kernel/cpu/match.c
+++ b/arch/x86/kernel/cpu/match.c
@@ -39,9 +39,7 @@ const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match)
const struct x86_cpu_id *m;
struct cpuinfo_x86 *c = &boot_cpu_data;
- for (m = match;
- m->vendor | m->family | m->model | m->steppings | m->feature;
- m++) {
+ for (m = match; m->flags & X86_CPU_ID_FLAG_ENTRY_VALID; m++) {
if (m->vendor != X86_VENDOR_ANY && c->x86_vendor != m->vendor)
continue;
if (m->family != X86_FAMILY_ANY && c->x86 != m->family)
diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h
index ae2e75d15b219..63f804574c4e9 100644
--- a/include/linux/mod_devicetable.h
+++ b/include/linux/mod_devicetable.h
@@ -676,6 +676,8 @@ struct x86_cpu_id {
__u16 model;
__u16 steppings;
__u16 feature; /* bit index */
+ /* Solely for kernel-internal use: DO NOT EXPORT to userspace! */
+ __u16 flags;
kernel_ulong_t driver_data;
};
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 244/356] ksmbd: ignore trailing slashes in share paths
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 243/356] x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 245/356] drm/i915/gt: Only kick the signal worker if theres been an update Greg Kroah-Hartman
` (119 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nandor Kracser, Namjae Jeon,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nandor Kracser <bonifaido@gmail.com>
[ Upstream commit 405ee4097c4bc3e70556520aed5ba52a511c2266 ]
Trailing slashes in share paths (like: /home/me/Share/) caused permission
issues with shares for clients on iOS and on Android TV for me,
but otherwise they work fine with plain old Samba.
Cc: stable@vger.kernel.org
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/mgmt/share_config.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/mgmt/share_config.c b/fs/ksmbd/mgmt/share_config.c
index a2f0a2edceb8a..e0a6b758094fc 100644
--- a/fs/ksmbd/mgmt/share_config.c
+++ b/fs/ksmbd/mgmt/share_config.c
@@ -165,8 +165,12 @@ static struct ksmbd_share_config *share_config_request(struct unicode_map *um,
share->path = kstrndup(ksmbd_share_config_path(resp), path_len,
GFP_KERNEL);
- if (share->path)
+ if (share->path) {
share->path_sz = strlen(share->path);
+ while (share->path_sz > 1 &&
+ share->path[share->path_sz - 1] == '/')
+ share->path[--share->path_sz] = '\0';
+ }
share->create_mask = resp->create_mask;
share->directory_mask = resp->directory_mask;
share->force_create_mode = resp->force_create_mode;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 245/356] drm/i915/gt: Only kick the signal worker if theres been an update
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 244/356] ksmbd: ignore trailing slashes in share paths Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 246/356] drm/i915/gt: Disarm breadcrumbs if engines are already idle Greg Kroah-Hartman
` (118 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Wilson, Karolina Drobnik,
Andi Shyti, Rodrigo Vivi, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Wilson <chris@chris-wilson.co.uk>
[ Upstream commit c877bed82e1017c102c137d432933ccbba92c119 ]
One impact of commit 047a1b877ed4 ("dma-buf & drm/amdgpu: remove
dma_resv workaround") is that it stores many, many more fences. Whereas
adding an exclusive fence used to remove the shared fence list, that
list is now preserved and the write fences included into the list. Not
just a single write fence, but now a write/read fence per context. That
causes us to have to track more fences than before (albeit half of those
are redundant), and we trigger more interrupts for multi-engine
workloads.
As part of reducing the impact from handling more signaling, we observe
we only need to kick the signal worker after adding a fence iff we have
good cause to believe that there is work to be done in processing the
fence i.e. we either need to enable the interrupt or the request is
already complete but we don't know if we saw the interrupt and so need
to check signaling.
References: 047a1b877ed4 ("dma-buf & drm/amdgpu: remove dma_resv workaround")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Karolina Drobnik <karolina.drobnik@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/d7b953c7a4ba747c8196a164e2f8c5aef468d048.1657289332.git.karolina.drobnik@intel.com
Stable-dep-of: 70cb9188ffc7 ("drm/i915/gt: Disarm breadcrumbs if engines are already idle")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/gt/intel_breadcrumbs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c b/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c
index 209cf265bf746..e8cd7effea2b0 100644
--- a/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c
+++ b/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c
@@ -398,7 +398,8 @@ static void insert_breadcrumb(struct i915_request *rq)
* the request as it may have completed and raised the interrupt as
* we were attaching it into the lists.
*/
- irq_work_queue(&b->irq_work);
+ if (!b->irq_armed || __i915_request_is_complete(rq))
+ irq_work_queue(&b->irq_work);
}
bool i915_request_enable_breadcrumb(struct i915_request *rq)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 246/356] drm/i915/gt: Disarm breadcrumbs if engines are already idle
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 245/356] drm/i915/gt: Only kick the signal worker if theres been an update Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 247/356] Revert "kheaders: substituting --sort in archive creation" Greg Kroah-Hartman
` (117 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Wilson, Andrzej Hajda,
Janusz Krzysztofik, Nirmoy Das, Andi Shyti, Jani Nikula,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Wilson <chris@chris-wilson.co.uk>
[ Upstream commit 70cb9188ffc75e643debf292fcddff36c9dbd4ae ]
The breadcrumbs use a GT wakeref for guarding the interrupt, but are
disarmed during release of the engine wakeref. This leaves a hole where
we may attach a breadcrumb just as the engine is parking (after it has
parked its breadcrumbs), execute the irq worker with some signalers still
attached, but never be woken again.
That issue manifests itself in CI with IGT runner timeouts while tests
are waiting indefinitely for release of all GT wakerefs.
<6> [209.151778] i915: Running live_engine_pm_selftests/live_engine_busy_stats
<7> [209.231628] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_5
<7> [209.231816] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_4
<7> [209.231944] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_3
<7> [209.232056] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_2
<7> [209.232166] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling DC_off
<7> [209.232270] i915 0000:00:02.0: [drm:skl_enable_dc6 [i915]] Enabling DC6
<7> [209.232368] i915 0000:00:02.0: [drm:gen9_set_dc_state.part.0 [i915]] Setting DC state from 00 to 02
<4> [299.356116] [IGT] Inactivity timeout exceeded. Killing the current test with SIGQUIT.
...
<6> [299.356526] sysrq: Show State
...
<6> [299.373964] task:i915_selftest state:D stack:11784 pid:5578 tgid:5578 ppid:873 flags:0x00004002
<6> [299.373967] Call Trace:
<6> [299.373968] <TASK>
<6> [299.373970] __schedule+0x3bb/0xda0
<6> [299.373974] schedule+0x41/0x110
<6> [299.373976] intel_wakeref_wait_for_idle+0x82/0x100 [i915]
<6> [299.374083] ? __pfx_var_wake_function+0x10/0x10
<6> [299.374087] live_engine_busy_stats+0x9b/0x500 [i915]
<6> [299.374173] __i915_subtests+0xbe/0x240 [i915]
<6> [299.374277] ? __pfx___intel_gt_live_setup+0x10/0x10 [i915]
<6> [299.374369] ? __pfx___intel_gt_live_teardown+0x10/0x10 [i915]
<6> [299.374456] intel_engine_live_selftests+0x1c/0x30 [i915]
<6> [299.374547] __run_selftests+0xbb/0x190 [i915]
<6> [299.374635] i915_live_selftests+0x4b/0x90 [i915]
<6> [299.374717] i915_pci_probe+0x10d/0x210 [i915]
At the end of the interrupt worker, if there are no more engines awake,
disarm the breadcrumb and go to sleep.
Fixes: 9d5612ca165a ("drm/i915/gt: Defer enabling the breadcrumb interrupt to after submission")
Closes: https://gitlab.freedesktop.org/drm/intel/issues/10026
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Andrzej Hajda <andrzej.hajda@intel.com>
Cc: <stable@vger.kernel.org> # v5.12+
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Acked-by: Nirmoy Das <nirmoy.das@intel.com>
Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240423165505.465734-2-janusz.krzysztofik@linux.intel.com
(cherry picked from commit fbad43eccae5cb14594195c20113369aabaa22b5)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/gt/intel_breadcrumbs.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c b/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c
index e8cd7effea2b0..56985edda8baf 100644
--- a/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c
+++ b/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c
@@ -257,8 +257,13 @@ static void signal_irq_work(struct irq_work *work)
i915_request_put(rq);
}
+ /* Lazy irq enabling after HW submission */
if (!READ_ONCE(b->irq_armed) && !list_empty(&b->signalers))
intel_breadcrumbs_arm_irq(b);
+
+ /* And confirm that we still want irqs enabled before we yield */
+ if (READ_ONCE(b->irq_armed) && !atomic_read(&b->active))
+ intel_breadcrumbs_disarm_irq(b);
}
struct intel_breadcrumbs *
@@ -309,13 +314,7 @@ void __intel_breadcrumbs_park(struct intel_breadcrumbs *b)
return;
/* Kick the work once more to drain the signalers, and disarm the irq */
- irq_work_sync(&b->irq_work);
- while (READ_ONCE(b->irq_armed) && !atomic_read(&b->active)) {
- local_irq_disable();
- signal_irq_work(&b->irq_work);
- local_irq_enable();
- cond_resched();
- }
+ irq_work_queue(&b->irq_work);
}
void intel_breadcrumbs_free(struct kref *kref)
@@ -398,7 +397,7 @@ static void insert_breadcrumb(struct i915_request *rq)
* the request as it may have completed and raised the interrupt as
* we were attaching it into the lists.
*/
- if (!b->irq_armed || __i915_request_is_complete(rq))
+ if (!READ_ONCE(b->irq_armed) || __i915_request_is_complete(rq))
irq_work_queue(&b->irq_work);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 247/356] Revert "kheaders: substituting --sort in archive creation"
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 246/356] drm/i915/gt: Disarm breadcrumbs if engines are already idle Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 248/356] kheaders: explicitly define file modes for archived headers Greg Kroah-Hartman
` (116 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Nicolas Schier,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit 49c386ebbb43394ff4773ce24f726f6afc4c30c8 ]
This reverts commit 700dea5a0bea9f64eba89fae7cb2540326fdfdc1.
The reason for that commit was --sort=ORDER introduced in
tar 1.28 (2014). More than 3 years have passed since then.
Requiring GNU tar 1.28 should be fine now because we require
GCC 5.1 (2015).
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <nicolas@fjasle.eu>
Stable-dep-of: 3bd27a847a3a ("kheaders: explicitly define file modes for archived headers")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
| 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--git a/kernel/gen_kheaders.sh b/kernel/gen_kheaders.sh
index 1966a749e0d96..5ab483a3ee5a5 100755
--- a/kernel/gen_kheaders.sh
+++ b/kernel/gen_kheaders.sh
@@ -81,12 +81,9 @@ find $cpio_dir -type f -print0 |
xargs -0 -P8 -n1 perl -pi -e 'BEGIN {undef $/;}; s/\/\*((?!SPDX).)*?\*\///smg;'
# Create archive and try to normalize metadata for reproducibility.
-# For compatibility with older versions of tar, files are fed to tar
-# pre-sorted, as --sort=name might not be available.
-find $cpio_dir -printf "./%P\n" | LC_ALL=C sort | \
- tar "${KBUILD_BUILD_TIMESTAMP:+--mtime=$KBUILD_BUILD_TIMESTAMP}" \
- --owner=0 --group=0 --numeric-owner --no-recursion \
- -I $XZ -cf $tarfile -C $cpio_dir/ -T - > /dev/null
+tar "${KBUILD_BUILD_TIMESTAMP:+--mtime=$KBUILD_BUILD_TIMESTAMP}" \
+ --owner=0 --group=0 --sort=name --numeric-owner \
+ -I $XZ -cf $tarfile -C $cpio_dir/ . > /dev/null
echo $headers_md5 > kernel/kheaders.md5
echo "$this_file_md5" >> kernel/kheaders.md5
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 248/356] kheaders: explicitly define file modes for archived headers
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 247/356] Revert "kheaders: substituting --sort in archive creation" Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 249/356] riscv: mm: init: try best to use IS_ENABLED(CONFIG_64BIT) instead of #ifdef Greg Kroah-Hartman
` (115 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthias Maennich, Masahiro Yamada,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthias Maennich <maennich@google.com>
[ Upstream commit 3bd27a847a3a4827a948387cc8f0dbc9fa5931d5 ]
Build environments might be running with different umask settings
resulting in indeterministic file modes for the files contained in
kheaders.tar.xz. The file itself is served with 444, i.e. world
readable. Archive the files explicitly with 744,a+X to improve
reproducibility across build environments.
--mode=0444 is not suitable as directories need to be executable. Also,
444 makes it hard to delete all the readonly files after extraction.
Cc: stable@vger.kernel.org
Signed-off-by: Matthias Maennich <maennich@google.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
| 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--git a/kernel/gen_kheaders.sh b/kernel/gen_kheaders.sh
index 5ab483a3ee5a5..c618e37ccea98 100755
--- a/kernel/gen_kheaders.sh
+++ b/kernel/gen_kheaders.sh
@@ -82,7 +82,7 @@ find $cpio_dir -type f -print0 |
# Create archive and try to normalize metadata for reproducibility.
tar "${KBUILD_BUILD_TIMESTAMP:+--mtime=$KBUILD_BUILD_TIMESTAMP}" \
- --owner=0 --group=0 --sort=name --numeric-owner \
+ --owner=0 --group=0 --sort=name --numeric-owner --mode=u=rw,go=r,a+X \
-I $XZ -cf $tarfile -C $cpio_dir/ . > /dev/null
echo $headers_md5 > kernel/kheaders.md5
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 249/356] riscv: mm: init: try best to use IS_ENABLED(CONFIG_64BIT) instead of #ifdef
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 248/356] kheaders: explicitly define file modes for archived headers Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 250/356] riscv: fix overlap of allocated page and PTR_ERR Greg Kroah-Hartman
` (114 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Alexandre Ghiti,
Palmer Dabbelt, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
[ Upstream commit 07aabe8fb6d1ac3163cc74c856521f2ee746270b ]
Try our best to replace the conditional compilation using
"#ifdef CONFIG_64BIT" by a check for "IS_ENABLED(CONFIG_64BIT)", to
simplify the code and to increase compile coverage.
Now we can also remove the __maybe_unused used in max_mapped_addr
declaration.
We also remove the BUG_ON check of mapping the last 4K bytes of the
addressable memory since this is always true for every kernel actually.
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Reviewed-by: Alexandre Ghiti <alex@ghiti.fr>
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Stable-dep-of: 994af1825a2a ("riscv: fix overlap of allocated page and PTR_ERR")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/mm/init.c | 43 ++++++++++++++++---------------------------
1 file changed, 16 insertions(+), 27 deletions(-)
diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index d7115acab3501..c9d63c476d315 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -105,10 +105,9 @@ static void __init print_vm_layout(void)
#endif
print_mlm("lowmem", (unsigned long)PAGE_OFFSET,
(unsigned long)high_memory);
-#ifdef CONFIG_64BIT
- print_mlm("kernel", (unsigned long)KERNEL_LINK_ADDR,
- (unsigned long)ADDRESS_SPACE_END);
-#endif
+ if (IS_ENABLED(CONFIG_64BIT))
+ print_mlm("kernel", (unsigned long)KERNEL_LINK_ADDR,
+ (unsigned long)ADDRESS_SPACE_END);
}
#else
static void print_vm_layout(void) { }
@@ -166,7 +165,7 @@ static void __init setup_bootmem(void)
{
phys_addr_t vmlinux_end = __pa_symbol(&_end);
phys_addr_t vmlinux_start = __pa_symbol(&_start);
- phys_addr_t __maybe_unused max_mapped_addr;
+ phys_addr_t max_mapped_addr;
phys_addr_t phys_ram_end;
#ifdef CONFIG_XIP_KERNEL
@@ -175,17 +174,16 @@ static void __init setup_bootmem(void)
memblock_enforce_memory_limit(memory_limit);
- /*
- * Reserve from the start of the kernel to the end of the kernel
- */
-#if defined(CONFIG_64BIT) && defined(CONFIG_STRICT_KERNEL_RWX)
/*
* Make sure we align the reservation on PMD_SIZE since we will
* map the kernel in the linear mapping as read-only: we do not want
* any allocation to happen between _end and the next pmd aligned page.
*/
- vmlinux_end = (vmlinux_end + PMD_SIZE - 1) & PMD_MASK;
-#endif
+ if (IS_ENABLED(CONFIG_64BIT) && IS_ENABLED(CONFIG_STRICT_KERNEL_RWX))
+ vmlinux_end = (vmlinux_end + PMD_SIZE - 1) & PMD_MASK;
+ /*
+ * Reserve from the start of the kernel to the end of the kernel
+ */
memblock_reserve(vmlinux_start, vmlinux_end - vmlinux_start);
@@ -193,7 +191,6 @@ static void __init setup_bootmem(void)
#ifndef CONFIG_XIP_KERNEL
phys_ram_base = memblock_start_of_DRAM();
#endif
-#ifndef CONFIG_64BIT
/*
* memblock allocator is not aware of the fact that last 4K bytes of
* the addressable memory can not be mapped because of IS_ERR_VALUE
@@ -203,10 +200,11 @@ static void __init setup_bootmem(void)
* address space is occupied by the kernel mapping then this check must
* be done as soon as the kernel mapping base address is determined.
*/
- max_mapped_addr = __pa(~(ulong)0);
- if (max_mapped_addr == (phys_ram_end - 1))
- memblock_set_current_limit(max_mapped_addr - 4096);
-#endif
+ if (!IS_ENABLED(CONFIG_64BIT)) {
+ max_mapped_addr = __pa(~(ulong)0);
+ if (max_mapped_addr == (phys_ram_end - 1))
+ memblock_set_current_limit(max_mapped_addr - 4096);
+ }
min_low_pfn = PFN_UP(phys_ram_base);
max_low_pfn = max_pfn = PFN_DOWN(phys_ram_end);
@@ -630,14 +628,6 @@ asmlinkage void __init setup_vm(uintptr_t dtb_pa)
BUG_ON((PAGE_OFFSET % PGDIR_SIZE) != 0);
BUG_ON((kernel_map.phys_addr % PMD_SIZE) != 0);
-#ifdef CONFIG_64BIT
- /*
- * The last 4K bytes of the addressable memory can not be mapped because
- * of IS_ERR_VALUE macro.
- */
- BUG_ON((kernel_map.virt_addr + kernel_map.size) > ADDRESS_SPACE_END - SZ_4K);
-#endif
-
pt_ops.alloc_pte = alloc_pte_early;
pt_ops.get_pte_virt = get_pte_virt_early;
#ifndef __PAGETABLE_PMD_FOLDED
@@ -760,10 +750,9 @@ static void __init setup_vm_final(void)
}
}
-#ifdef CONFIG_64BIT
/* Map the kernel */
- create_kernel_page_table(swapper_pg_dir, false);
-#endif
+ if (IS_ENABLED(CONFIG_64BIT))
+ create_kernel_page_table(swapper_pg_dir, false);
/* Clear fixmap PTE and PMD mappings */
clear_fixmap(FIX_PTE);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 250/356] riscv: fix overlap of allocated page and PTR_ERR
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 249/356] riscv: mm: init: try best to use IS_ENABLED(CONFIG_64BIT) instead of #ifdef Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 251/356] perf/core: Fix missing wakeup when waiting for context reference Greg Kroah-Hartman
` (113 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Björn Töpel, Nam Cao,
Björn Töpel, Mike Rapoport (IBM), Palmer Dabbelt,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nam Cao <namcao@linutronix.de>
[ Upstream commit 994af1825a2aa286f4903ff64a1c7378b52defe6 ]
On riscv32, it is possible for the last page in virtual address space
(0xfffff000) to be allocated. This page overlaps with PTR_ERR, so that
shouldn't happen.
There is already some code to ensure memblock won't allocate the last page.
However, buddy allocator is left unchecked.
Fix this by reserving physical memory that would be mapped at virtual
addresses greater than 0xfffff000.
Reported-by: Björn Töpel <bjorn@kernel.org>
Closes: https://lore.kernel.org/linux-riscv/878r1ibpdn.fsf@all.your.base.are.belong.to.us
Fixes: 76d2a0493a17 ("RISC-V: Init and Halt Code")
Signed-off-by: Nam Cao <namcao@linutronix.de>
Cc: <stable@vger.kernel.org>
Tested-by: Björn Töpel <bjorn@rivosinc.com>
Reviewed-by: Björn Töpel <bjorn@rivosinc.com>
Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org>
Link: https://lore.kernel.org/r/20240425115201.3044202-1-namcao@linutronix.de
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/mm/init.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index c9d63c476d315..c30cc3ac93a72 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -192,18 +192,19 @@ static void __init setup_bootmem(void)
phys_ram_base = memblock_start_of_DRAM();
#endif
/*
- * memblock allocator is not aware of the fact that last 4K bytes of
- * the addressable memory can not be mapped because of IS_ERR_VALUE
- * macro. Make sure that last 4k bytes are not usable by memblock
- * if end of dram is equal to maximum addressable memory. For 64-bit
- * kernel, this problem can't happen here as the end of the virtual
- * address space is occupied by the kernel mapping then this check must
- * be done as soon as the kernel mapping base address is determined.
+ * Reserve physical address space that would be mapped to virtual
+ * addresses greater than (void *)(-PAGE_SIZE) because:
+ * - This memory would overlap with ERR_PTR
+ * - This memory belongs to high memory, which is not supported
+ *
+ * This is not applicable to 64-bit kernel, because virtual addresses
+ * after (void *)(-PAGE_SIZE) are not linearly mapped: they are
+ * occupied by kernel mapping. Also it is unrealistic for high memory
+ * to exist on 64-bit platforms.
*/
if (!IS_ENABLED(CONFIG_64BIT)) {
- max_mapped_addr = __pa(~(ulong)0);
- if (max_mapped_addr == (phys_ram_end - 1))
- memblock_set_current_limit(max_mapped_addr - 4096);
+ max_mapped_addr = __va_to_pa_nodebug(-PAGE_SIZE);
+ memblock_reserve(max_mapped_addr, (phys_addr_t)-max_mapped_addr);
}
min_low_pfn = PFN_UP(phys_ram_base);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 251/356] perf/core: Fix missing wakeup when waiting for context reference
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 250/356] riscv: fix overlap of allocated page and PTR_ERR Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 252/356] PCI: Add PCI_ERROR_RESPONSE and related definitions Greg Kroah-Hartman
` (112 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haifeng Xu, Peter Zijlstra (Intel),
Frederic Weisbecker, Mark Rutland, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haifeng Xu <haifeng.xu@shopee.com>
[ Upstream commit 74751ef5c1912ebd3e65c3b65f45587e05ce5d36 ]
In our production environment, we found many hung tasks which are
blocked for more than 18 hours. Their call traces are like this:
[346278.191038] __schedule+0x2d8/0x890
[346278.191046] schedule+0x4e/0xb0
[346278.191049] perf_event_free_task+0x220/0x270
[346278.191056] ? init_wait_var_entry+0x50/0x50
[346278.191060] copy_process+0x663/0x18d0
[346278.191068] kernel_clone+0x9d/0x3d0
[346278.191072] __do_sys_clone+0x5d/0x80
[346278.191076] __x64_sys_clone+0x25/0x30
[346278.191079] do_syscall_64+0x5c/0xc0
[346278.191083] ? syscall_exit_to_user_mode+0x27/0x50
[346278.191086] ? do_syscall_64+0x69/0xc0
[346278.191088] ? irqentry_exit_to_user_mode+0x9/0x20
[346278.191092] ? irqentry_exit+0x19/0x30
[346278.191095] ? exc_page_fault+0x89/0x160
[346278.191097] ? asm_exc_page_fault+0x8/0x30
[346278.191102] entry_SYSCALL_64_after_hwframe+0x44/0xae
The task was waiting for the refcount become to 1, but from the vmcore,
we found the refcount has already been 1. It seems that the task didn't
get woken up by perf_event_release_kernel() and got stuck forever. The
below scenario may cause the problem.
Thread A Thread B
... ...
perf_event_free_task perf_event_release_kernel
...
acquire event->child_mutex
...
get_ctx
... release event->child_mutex
acquire ctx->mutex
...
perf_free_event (acquire/release event->child_mutex)
...
release ctx->mutex
wait_var_event
acquire ctx->mutex
acquire event->child_mutex
# move existing events to free_list
release event->child_mutex
release ctx->mutex
put_ctx
... ...
In this case, all events of the ctx have been freed, so we couldn't
find the ctx in free_list and Thread A will miss the wakeup. It's thus
necessary to add a wakeup after dropping the reference.
Fixes: 1cf8dfe8a661 ("perf/core: Fix race between close() and fork()")
Signed-off-by: Haifeng Xu <haifeng.xu@shopee.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20240513103948.33570-1-haifeng.xu@shopee.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index e79cd0fd1d2b7..80d9c8fcc30a6 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5276,6 +5276,7 @@ int perf_event_release_kernel(struct perf_event *event)
again:
mutex_lock(&event->child_mutex);
list_for_each_entry(child, &event->child_list, child_list) {
+ void *var = NULL;
/*
* Cannot change, child events are not migrated, see the
@@ -5316,11 +5317,23 @@ int perf_event_release_kernel(struct perf_event *event)
* this can't be the last reference.
*/
put_event(event);
+ } else {
+ var = &ctx->refcount;
}
mutex_unlock(&event->child_mutex);
mutex_unlock(&ctx->mutex);
put_ctx(ctx);
+
+ if (var) {
+ /*
+ * If perf_event_free_task() has deleted all events from the
+ * ctx while the child_mutex got released above, make sure to
+ * notify about the preceding put_ctx().
+ */
+ smp_mb(); /* pairs with wait_var_event() */
+ wake_up_var(var);
+ }
goto again;
}
mutex_unlock(&event->child_mutex);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 252/356] PCI: Add PCI_ERROR_RESPONSE and related definitions
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 251/356] perf/core: Fix missing wakeup when waiting for context reference Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 253/356] x86/amd_nb: Check for invalid SMN reads Greg Kroah-Hartman
` (111 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Naveen Naidu,
Pali Rohár, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naveen Naidu <naveennaidu479@gmail.com>
[ Upstream commit 57bdeef4716689d9b0e3571034d65cf420f6efcd ]
A config or MMIO read from a PCI device that doesn't exist or doesn't
respond causes a PCI error. There's no real data to return to satisfy the
CPU read, so most hardware fabricates ~0 data.
Add a PCI_ERROR_RESPONSE definition for that and use it where appropriate
to make these checks consistent and easier to find.
Also add helper definitions PCI_SET_ERROR_RESPONSE() and
PCI_POSSIBLE_ERROR() to make the code more readable.
Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://lore.kernel.org/r/55563bf4dfc5d3fdc96695373c659d099bf175b1.1637243717.git.naveennaidu479@gmail.com
Signed-off-by: Naveen Naidu <naveennaidu479@gmail.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Pali Rohár <pali@kernel.org>
Stable-dep-of: c625dabbf1c4 ("x86/amd_nb: Check for invalid SMN reads")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/pci.h | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/include/linux/pci.h b/include/linux/pci.h
index 25e2e7756b1d8..32805c3a37bb3 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -154,6 +154,15 @@ enum pci_interrupt_pin {
/* The number of legacy PCI INTx interrupts */
#define PCI_NUM_INTX 4
+/*
+ * Reading from a device that doesn't respond typically returns ~0. A
+ * successful read from a device may also return ~0, so you need additional
+ * information to reliably identify errors.
+ */
+#define PCI_ERROR_RESPONSE (~0ULL)
+#define PCI_SET_ERROR_RESPONSE(val) (*(val) = ((typeof(*(val))) PCI_ERROR_RESPONSE))
+#define PCI_POSSIBLE_ERROR(val) ((val) == ((typeof(val)) PCI_ERROR_RESPONSE))
+
/*
* pci_power_t values must match the bits in the Capabilities PME_Support
* and Control/Status PowerState fields in the Power Management capability.
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 253/356] x86/amd_nb: Check for invalid SMN reads
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 252/356] PCI: Add PCI_ERROR_RESPONSE and related definitions Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 254/356] smb: client: fix deadlock in smb2_find_smb_tcon() Greg Kroah-Hartman
` (110 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yazen Ghannam, Borislav Petkov (AMD),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yazen Ghannam <yazen.ghannam@amd.com>
[ Upstream commit c625dabbf1c4a8e77e4734014f2fde7aa9071a1f ]
AMD Zen-based systems use a System Management Network (SMN) that
provides access to implementation-specific registers.
SMN accesses are done indirectly through an index/data pair in PCI
config space. The PCI config access may fail and return an error code.
This would prevent the "read" value from being updated.
However, the PCI config access may succeed, but the return value may be
invalid. This is in similar fashion to PCI bad reads, i.e. return all
bits set.
Most systems will return 0 for SMN addresses that are not accessible.
This is in line with AMD convention that unavailable registers are
Read-as-Zero/Writes-Ignored.
However, some systems will return a "PCI Error Response" instead. This
value, along with an error code of 0 from the PCI config access, will
confuse callers of the amd_smn_read() function.
Check for this condition, clear the return value, and set a proper error
code.
Fixes: ddfe43cdc0da ("x86/amd_nb: Add SMN and Indirect Data Fabric access for AMD Fam17h")
Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230403164244.471141-1-yazen.ghannam@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/amd_nb.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c
index c92c9c774c0e5..62cd2af806b47 100644
--- a/arch/x86/kernel/amd_nb.c
+++ b/arch/x86/kernel/amd_nb.c
@@ -172,7 +172,14 @@ static int __amd_smn_rw(u16 node, u32 address, u32 *value, bool write)
int amd_smn_read(u16 node, u32 address, u32 *value)
{
- return __amd_smn_rw(node, address, value, false);
+ int err = __amd_smn_rw(node, address, value, false);
+
+ if (PCI_POSSIBLE_ERROR(*value)) {
+ err = -ENODEV;
+ *value = 0;
+ }
+
+ return err;
}
EXPORT_SYMBOL_GPL(amd_smn_read);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 254/356] smb: client: fix deadlock in smb2_find_smb_tcon()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 253/356] x86/amd_nb: Check for invalid SMN reads Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 255/356] x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node() Greg Kroah-Hartman
` (109 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Enzo Matsumiya, Shyam Prasad N,
Paulo Alcantara (Red Hat), Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Enzo Matsumiya <ematsumiya@suse.de>
[ Upstream commit 02c418774f76a0a36a6195c9dbf8971eb4130a15 ]
Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such
deadlock.
Cc: stable@vger.kernel.org
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/smb2transport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifs/smb2transport.c b/fs/cifs/smb2transport.c
index 0f2e0ce84a03f..ffae3a7f46ce4 100644
--- a/fs/cifs/smb2transport.c
+++ b/fs/cifs/smb2transport.c
@@ -194,8 +194,8 @@ smb2_find_smb_tcon(struct TCP_Server_Info *server, __u64 ses_id, __u32 tid)
}
tcon = smb2_find_smb_sess_tcon_unlocked(ses, tid);
if (!tcon) {
- cifs_put_smb_ses(ses);
spin_unlock(&cifs_tcp_ses_lock);
+ cifs_put_smb_ses(ses);
return NULL;
}
spin_unlock(&cifs_tcp_ses_lock);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 255/356] x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 254/356] smb: client: fix deadlock in smb2_find_smb_tcon() Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 12:53 ` Mike Rapoport
2024-07-03 10:39 ` [PATCH 5.15 256/356] ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable Greg Kroah-Hartman
` (108 subsequent siblings)
363 siblings, 1 reply; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Narasimhan V, Jan Beulich,
Borislav Petkov (AMD), Mike Rapoport (IBM), Paul E. McKenney,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Beulich <jbeulich@suse.com>
[ Upstream commit 3ac36aa7307363b7247ccb6f6a804e11496b2b36 ]
memblock_set_node() warns about using MAX_NUMNODES, see
e0eec24e2e19 ("memblock: make memblock_set_node() also warn about use of MAX_NUMNODES")
for details.
Reported-by: Narasimhan V <Narasimhan.V@amd.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Cc: stable@vger.kernel.org
[bp: commit message]
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org>
Tested-by: Paul E. McKenney <paulmck@kernel.org>
Link: https://lore.kernel.org/r/20240603141005.23261-1-bp@kernel.org
Link: https://lore.kernel.org/r/abadb736-a239-49e4-ab42-ace7acdd4278@suse.com
Signed-off-by: Mike Rapoport (IBM) <rppt@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/mm/numa.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
index 1a1c0c242f272..d074a1b4f976c 100644
--- a/arch/x86/mm/numa.c
+++ b/arch/x86/mm/numa.c
@@ -522,7 +522,7 @@ static void __init numa_clear_kernel_node_hotplug(void)
for_each_reserved_mem_region(mb_region) {
int nid = memblock_get_region_node(mb_region);
- if (nid != MAX_NUMNODES)
+ if (nid != NUMA_NO_NODE)
node_set(nid, reserved_nodemask);
}
@@ -642,9 +642,9 @@ static int __init numa_init(int (*init_func)(void))
nodes_clear(node_online_map);
memset(&numa_meminfo, 0, sizeof(numa_meminfo));
WARN_ON(memblock_set_node(0, ULLONG_MAX, &memblock.memory,
- MAX_NUMNODES));
+ NUMA_NO_NODE));
WARN_ON(memblock_set_node(0, ULLONG_MAX, &memblock.reserved,
- MAX_NUMNODES));
+ NUMA_NO_NODE));
/* In case that parsing SRAT failed. */
WARN_ON(memblock_clear_hotplug(0, ULLONG_MAX));
numa_reset_distance();
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 256/356] ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 255/356] x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node() Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 257/356] ACPI: x86: Force StorageD3Enable on more products Greg Kroah-Hartman
` (107 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stuart Axon, Mario Limonciello,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 10b6b4a8ac6120ec36555fd286eed577f7632e3b ]
Picasso was the first APU that introduced s2idle support from AMD,
and it was predating before vendors started to use `StorageD3Enable`
in their firmware.
Windows doesn't have problems with this hardware and NVME so it was
likely on the list of hardcoded CPUs to use this behavior in Windows.
Add it to the list for Linux to avoid NVME resume issues.
Reported-by: Stuart Axon <stuaxo2@yahoo.com>
Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2449
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Stable-dep-of: e79a10652bbd ("ACPI: x86: Force StorageD3Enable on more products")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/x86/utils.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c
index f1dd086d0b87d..7d6083d40bf6b 100644
--- a/drivers/acpi/x86/utils.c
+++ b/drivers/acpi/x86/utils.c
@@ -204,6 +204,7 @@ bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *s
disk in the system.
*/
static const struct x86_cpu_id storage_d3_cpu_ids[] = {
+ X86_MATCH_VENDOR_FAM_MODEL(AMD, 23, 24, NULL), /* Picasso */
X86_MATCH_VENDOR_FAM_MODEL(AMD, 23, 96, NULL), /* Renoir */
X86_MATCH_VENDOR_FAM_MODEL(AMD, 23, 104, NULL), /* Lucienne */
X86_MATCH_VENDOR_FAM_MODEL(AMD, 25, 80, NULL), /* Cezanne */
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 257/356] ACPI: x86: Force StorageD3Enable on more products
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 256/356] ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 258/356] gve: Add RX context Greg Kroah-Hartman
` (106 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Hans de Goede,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit e79a10652bbd320649da705ca1ea0c04351af403 ]
A Rembrandt-based HP thin client is reported to have problems where
the NVME disk isn't present after resume from s2idle.
This is because the NVME disk wasn't put into D3 at suspend, and
that happened because the StorageD3Enable _DSD was missing in the BIOS.
As AMD's architecture requires that the NVME is in D3 for s2idle, adjust
the criteria for force_storage_d3 to match *all* Zen SoCs when the FADT
advertises low power idle support.
This will ensure that any future products with this BIOS deficiency don't
need to be added to the allow list of overrides.
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/x86/utils.c | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c
index 7d6083d40bf6b..aa4f233373afc 100644
--- a/drivers/acpi/x86/utils.c
+++ b/drivers/acpi/x86/utils.c
@@ -179,16 +179,16 @@ bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *s
}
/*
- * AMD systems from Renoir and Lucienne *require* that the NVME controller
+ * AMD systems from Renoir onwards *require* that the NVME controller
* is put into D3 over a Modern Standby / suspend-to-idle cycle.
*
* This is "typically" accomplished using the `StorageD3Enable`
* property in the _DSD that is checked via the `acpi_storage_d3` function
- * but this property was introduced after many of these systems launched
- * and most OEM systems don't have it in their BIOS.
+ * but some OEM systems still don't have it in their BIOS.
*
* The Microsoft documentation for StorageD3Enable mentioned that Windows has
- * a hardcoded allowlist for D3 support, which was used for these platforms.
+ * a hardcoded allowlist for D3 support as well as a registry key to override
+ * the BIOS, which has been used for these cases.
*
* This allows quirking on Linux in a similar fashion.
*
@@ -201,17 +201,13 @@ bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *s
* https://bugzilla.kernel.org/show_bug.cgi?id=216773
* https://bugzilla.kernel.org/show_bug.cgi?id=217003
* 2) On at least one HP system StorageD3Enable is missing on the second NVME
- disk in the system.
+ * disk in the system.
+ * 3) On at least one HP Rembrandt system StorageD3Enable is missing on the only
+ * NVME device.
*/
-static const struct x86_cpu_id storage_d3_cpu_ids[] = {
- X86_MATCH_VENDOR_FAM_MODEL(AMD, 23, 24, NULL), /* Picasso */
- X86_MATCH_VENDOR_FAM_MODEL(AMD, 23, 96, NULL), /* Renoir */
- X86_MATCH_VENDOR_FAM_MODEL(AMD, 23, 104, NULL), /* Lucienne */
- X86_MATCH_VENDOR_FAM_MODEL(AMD, 25, 80, NULL), /* Cezanne */
- {}
-};
-
bool force_storage_d3(void)
{
- return x86_match_cpu(storage_d3_cpu_ids);
+ if (!cpu_feature_enabled(X86_FEATURE_ZEN))
+ return false;
+ return acpi_gbl_FADT.flags & ACPI_FADT_LOW_POWER_S0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 258/356] gve: Add RX context.
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 257/356] ACPI: x86: Force StorageD3Enable on more products Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 259/356] gve: Clear napi->skb before dev_kfree_skb_any() Greg Kroah-Hartman
` (105 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Awogbemila, Jeroen de Borst,
Catherine Sullivan, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Awogbemila <awogbemila@google.com>
[ Upstream commit 1344e751e91092ac0cb63b194621e59d2f364197 ]
This refactor moves the skb_head and skb_tail fields into a new
gve_rx_ctx struct. This new struct will contain information about the
current packet being processed. This is in preparation for
multi-descriptor RX packets.
Signed-off-by: David Awogbemila <awogbemila@google.com>
Signed-off-by: Jeroen de Borst <jeroendb@google.com>
Reviewed-by: Catherine Sullivan <csully@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 6f4d93b78ade ("gve: Clear napi->skb before dev_kfree_skb_any()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/google/gve/gve.h | 13 +++-
drivers/net/ethernet/google/gve/gve_rx_dqo.c | 68 ++++++++++----------
2 files changed, 44 insertions(+), 37 deletions(-)
diff --git a/drivers/net/ethernet/google/gve/gve.h b/drivers/net/ethernet/google/gve/gve.h
index 08f4c0595efae..822bdaff66f69 100644
--- a/drivers/net/ethernet/google/gve/gve.h
+++ b/drivers/net/ethernet/google/gve/gve.h
@@ -144,6 +144,15 @@ struct gve_index_list {
s16 tail;
};
+/* A single received packet split across multiple buffers may be
+ * reconstructed using the information in this structure.
+ */
+struct gve_rx_ctx {
+ /* head and tail of skb chain for the current packet or NULL if none */
+ struct sk_buff *skb_head;
+ struct sk_buff *skb_tail;
+};
+
/* Contains datapath state used to represent an RX queue. */
struct gve_rx_ring {
struct gve_priv *gve;
@@ -208,9 +217,7 @@ struct gve_rx_ring {
dma_addr_t q_resources_bus; /* dma address for the queue resources */
struct u64_stats_sync statss; /* sync stats for 32bit archs */
- /* head and tail of skb chain for the current packet or NULL if none */
- struct sk_buff *skb_head;
- struct sk_buff *skb_tail;
+ struct gve_rx_ctx ctx; /* Info for packet currently being processed in this ring. */
};
/* A TX desc ring entry */
diff --git a/drivers/net/ethernet/google/gve/gve_rx_dqo.c b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
index d947c2c334128..630f42a3037b0 100644
--- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
@@ -240,8 +240,8 @@ static int gve_rx_alloc_ring_dqo(struct gve_priv *priv, int idx)
rx->dqo.bufq.mask = buffer_queue_slots - 1;
rx->dqo.complq.num_free_slots = completion_queue_slots;
rx->dqo.complq.mask = completion_queue_slots - 1;
- rx->skb_head = NULL;
- rx->skb_tail = NULL;
+ rx->ctx.skb_head = NULL;
+ rx->ctx.skb_tail = NULL;
rx->dqo.num_buf_states = min_t(s16, S16_MAX, buffer_queue_slots * 4);
rx->dqo.buf_states = kvcalloc(rx->dqo.num_buf_states,
@@ -467,12 +467,12 @@ static void gve_rx_skb_hash(struct sk_buff *skb,
static void gve_rx_free_skb(struct gve_rx_ring *rx)
{
- if (!rx->skb_head)
+ if (!rx->ctx.skb_head)
return;
- dev_kfree_skb_any(rx->skb_head);
- rx->skb_head = NULL;
- rx->skb_tail = NULL;
+ dev_kfree_skb_any(rx->ctx.skb_head);
+ rx->ctx.skb_head = NULL;
+ rx->ctx.skb_tail = NULL;
}
/* Chains multi skbs for single rx packet.
@@ -483,7 +483,7 @@ static int gve_rx_append_frags(struct napi_struct *napi,
u16 buf_len, struct gve_rx_ring *rx,
struct gve_priv *priv)
{
- int num_frags = skb_shinfo(rx->skb_tail)->nr_frags;
+ int num_frags = skb_shinfo(rx->ctx.skb_tail)->nr_frags;
if (unlikely(num_frags == MAX_SKB_FRAGS)) {
struct sk_buff *skb;
@@ -492,17 +492,17 @@ static int gve_rx_append_frags(struct napi_struct *napi,
if (!skb)
return -1;
- skb_shinfo(rx->skb_tail)->frag_list = skb;
- rx->skb_tail = skb;
+ skb_shinfo(rx->ctx.skb_tail)->frag_list = skb;
+ rx->ctx.skb_tail = skb;
num_frags = 0;
}
- if (rx->skb_tail != rx->skb_head) {
- rx->skb_head->len += buf_len;
- rx->skb_head->data_len += buf_len;
- rx->skb_head->truesize += priv->data_buffer_size_dqo;
+ if (rx->ctx.skb_tail != rx->ctx.skb_head) {
+ rx->ctx.skb_head->len += buf_len;
+ rx->ctx.skb_head->data_len += buf_len;
+ rx->ctx.skb_head->truesize += priv->data_buffer_size_dqo;
}
- skb_add_rx_frag(rx->skb_tail, num_frags,
+ skb_add_rx_frag(rx->ctx.skb_tail, num_frags,
buf_state->page_info.page,
buf_state->page_info.page_offset,
buf_len, priv->data_buffer_size_dqo);
@@ -556,7 +556,7 @@ static int gve_rx_dqo(struct napi_struct *napi, struct gve_rx_ring *rx,
buf_len, DMA_FROM_DEVICE);
/* Append to current skb if one exists. */
- if (rx->skb_head) {
+ if (rx->ctx.skb_head) {
if (unlikely(gve_rx_append_frags(napi, buf_state, buf_len, rx,
priv)) != 0) {
goto error;
@@ -567,11 +567,11 @@ static int gve_rx_dqo(struct napi_struct *napi, struct gve_rx_ring *rx,
}
if (eop && buf_len <= priv->rx_copybreak) {
- rx->skb_head = gve_rx_copy(priv->dev, napi,
- &buf_state->page_info, buf_len, 0);
- if (unlikely(!rx->skb_head))
+ rx->ctx.skb_head = gve_rx_copy(priv->dev, napi,
+ &buf_state->page_info, buf_len, 0);
+ if (unlikely(!rx->ctx.skb_head))
goto error;
- rx->skb_tail = rx->skb_head;
+ rx->ctx.skb_tail = rx->ctx.skb_head;
u64_stats_update_begin(&rx->statss);
rx->rx_copied_pkt++;
@@ -583,12 +583,12 @@ static int gve_rx_dqo(struct napi_struct *napi, struct gve_rx_ring *rx,
return 0;
}
- rx->skb_head = napi_get_frags(napi);
- if (unlikely(!rx->skb_head))
+ rx->ctx.skb_head = napi_get_frags(napi);
+ if (unlikely(!rx->ctx.skb_head))
goto error;
- rx->skb_tail = rx->skb_head;
+ rx->ctx.skb_tail = rx->ctx.skb_head;
- skb_add_rx_frag(rx->skb_head, 0, buf_state->page_info.page,
+ skb_add_rx_frag(rx->ctx.skb_head, 0, buf_state->page_info.page,
buf_state->page_info.page_offset, buf_len,
priv->data_buffer_size_dqo);
gve_dec_pagecnt_bias(&buf_state->page_info);
@@ -635,27 +635,27 @@ static int gve_rx_complete_skb(struct gve_rx_ring *rx, struct napi_struct *napi,
rx->gve->ptype_lut_dqo->ptypes[desc->packet_type];
int err;
- skb_record_rx_queue(rx->skb_head, rx->q_num);
+ skb_record_rx_queue(rx->ctx.skb_head, rx->q_num);
if (feat & NETIF_F_RXHASH)
- gve_rx_skb_hash(rx->skb_head, desc, ptype);
+ gve_rx_skb_hash(rx->ctx.skb_head, desc, ptype);
if (feat & NETIF_F_RXCSUM)
- gve_rx_skb_csum(rx->skb_head, desc, ptype);
+ gve_rx_skb_csum(rx->ctx.skb_head, desc, ptype);
/* RSC packets must set gso_size otherwise the TCP stack will complain
* that packets are larger than MTU.
*/
if (desc->rsc) {
- err = gve_rx_complete_rsc(rx->skb_head, desc, ptype);
+ err = gve_rx_complete_rsc(rx->ctx.skb_head, desc, ptype);
if (err < 0)
return err;
}
- if (skb_headlen(rx->skb_head) == 0)
+ if (skb_headlen(rx->ctx.skb_head) == 0)
napi_gro_frags(napi);
else
- napi_gro_receive(napi, rx->skb_head);
+ napi_gro_receive(napi, rx->ctx.skb_head);
return 0;
}
@@ -717,18 +717,18 @@ int gve_rx_poll_dqo(struct gve_notify_block *block, int budget)
/* Free running counter of completed descriptors */
rx->cnt++;
- if (!rx->skb_head)
+ if (!rx->ctx.skb_head)
continue;
if (!compl_desc->end_of_packet)
continue;
work_done++;
- pkt_bytes = rx->skb_head->len;
+ pkt_bytes = rx->ctx.skb_head->len;
/* The ethernet header (first ETH_HLEN bytes) is snipped off
* by eth_type_trans.
*/
- if (skb_headlen(rx->skb_head))
+ if (skb_headlen(rx->ctx.skb_head))
pkt_bytes += ETH_HLEN;
/* gve_rx_complete_skb() will consume skb if successful */
@@ -741,8 +741,8 @@ int gve_rx_poll_dqo(struct gve_notify_block *block, int budget)
}
bytes += pkt_bytes;
- rx->skb_head = NULL;
- rx->skb_tail = NULL;
+ rx->ctx.skb_head = NULL;
+ rx->ctx.skb_tail = NULL;
}
gve_rx_post_buffers_dqo(rx);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 259/356] gve: Clear napi->skb before dev_kfree_skb_any()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 258/356] gve: Add RX context Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 260/356] Input: ili210x - fix ili251x_read_touch_data() return value Greg Kroah-Hartman
` (104 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shailend Chand, Ziwei Xiao,
Harshitha Ramamurthy, Praveen Kaligineedi, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziwei Xiao <ziweixiao@google.com>
[ Upstream commit 6f4d93b78ade0a4c2cafd587f7b429ce95abb02e ]
gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it
is freed with dev_kfree_skb_any(). This can result in a subsequent call
to napi_get_frags returning a dangling pointer.
Fix this by clearing napi->skb before the skb is freed.
Fixes: 9b8dd5e5ea48 ("gve: DQO: Add RX path")
Cc: stable@vger.kernel.org
Reported-by: Shailend Chand <shailend@google.com>
Signed-off-by: Ziwei Xiao <ziweixiao@google.com>
Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com>
Reviewed-by: Shailend Chand <shailend@google.com>
Reviewed-by: Praveen Kaligineedi <pkaligineedi@google.com>
Link: https://lore.kernel.org/r/20240612001654.923887-1-ziweixiao@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/google/gve/gve_rx_dqo.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/google/gve/gve_rx_dqo.c b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
index 630f42a3037b0..8756f9cbd631e 100644
--- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
@@ -465,11 +465,13 @@ static void gve_rx_skb_hash(struct sk_buff *skb,
skb_set_hash(skb, le32_to_cpu(compl_desc->hash), hash_type);
}
-static void gve_rx_free_skb(struct gve_rx_ring *rx)
+static void gve_rx_free_skb(struct napi_struct *napi, struct gve_rx_ring *rx)
{
if (!rx->ctx.skb_head)
return;
+ if (rx->ctx.skb_head == napi->skb)
+ napi->skb = NULL;
dev_kfree_skb_any(rx->ctx.skb_head);
rx->ctx.skb_head = NULL;
rx->ctx.skb_tail = NULL;
@@ -690,7 +692,7 @@ int gve_rx_poll_dqo(struct gve_notify_block *block, int budget)
err = gve_rx_dqo(napi, rx, compl_desc, rx->q_num);
if (err < 0) {
- gve_rx_free_skb(rx);
+ gve_rx_free_skb(napi, rx);
u64_stats_update_begin(&rx->statss);
if (err == -ENOMEM)
rx->rx_skb_alloc_fail++;
@@ -733,7 +735,7 @@ int gve_rx_poll_dqo(struct gve_notify_block *block, int budget)
/* gve_rx_complete_skb() will consume skb if successful */
if (gve_rx_complete_skb(rx, napi, compl_desc, feat) != 0) {
- gve_rx_free_skb(rx);
+ gve_rx_free_skb(napi, rx);
u64_stats_update_begin(&rx->statss);
rx->rx_desc_err_dropped_pkt++;
u64_stats_update_end(&rx->statss);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 260/356] Input: ili210x - fix ili251x_read_touch_data() return value
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 259/356] gve: Clear napi->skb before dev_kfree_skb_any() Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 261/356] pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER Greg Kroah-Hartman
` (103 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Keeping, Dmitry Torokhov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Keeping <jkeeping@inmusicbrands.com>
[ Upstream commit 9f0fad0382124e7e23b3c730fa78818c22c89c0a ]
The caller of this function treats all non-zero values as an error, so
the return value of i2c_master_recv() cannot be returned directly.
This fixes touch reporting when there are more than 6 active touches.
Fixes: ef536abd3afd1 ("Input: ili210x - define and use chip operations structure")
Signed-off-by: John Keeping <jkeeping@inmusicbrands.com>
Link: https://lore.kernel.org/r/20240523085624.2295988-1-jkeeping@inmusicbrands.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/input/touchscreen/ili210x.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/input/touchscreen/ili210x.c b/drivers/input/touchscreen/ili210x.c
index f437eefec94ad..9452a12ddb096 100644
--- a/drivers/input/touchscreen/ili210x.c
+++ b/drivers/input/touchscreen/ili210x.c
@@ -231,8 +231,8 @@ static int ili251x_read_touch_data(struct i2c_client *client, u8 *data)
if (!error && data[0] == 2) {
error = i2c_master_recv(client, data + ILI251X_DATA_SIZE1,
ILI251X_DATA_SIZE2);
- if (error >= 0 && error != ILI251X_DATA_SIZE2)
- error = -EIO;
+ if (error >= 0)
+ error = error == ILI251X_DATA_SIZE2 ? 0 : -EIO;
}
return error;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 261/356] pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 260/356] Input: ili210x - fix ili251x_read_touch_data() return value Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 262/356] pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins Greg Kroah-Hartman
` (102 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maximilian Heyne, Hagar Hemdan,
Linus Walleij, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hagar Hemdan <hagarhem@amazon.com>
[ Upstream commit adec57ff8e66aee632f3dd1f93787c13d112b7a1 ]
In create_pinctrl(), pinctrl_maps_mutex is acquired before calling
add_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()
calls pinctrl_free(). However, pinctrl_free() attempts to acquire
pinctrl_maps_mutex, which is already held by create_pinctrl(), leading to
a potential deadlock.
This patch resolves the issue by releasing pinctrl_maps_mutex before
calling pinctrl_free(), preventing the deadlock.
This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.
Fixes: 42fed7ba44e4 ("pinctrl: move subsystem mutex to pinctrl_dev struct")
Suggested-by: Maximilian Heyne <mheyne@amazon.de>
Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
Link: https://lore.kernel.org/r/20240604085838.3344-1-hagarhem@amazon.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
index 46a06067e9947..f567805cbde8e 100644
--- a/drivers/pinctrl/core.c
+++ b/drivers/pinctrl/core.c
@@ -1092,8 +1092,8 @@ static struct pinctrl *create_pinctrl(struct device *dev,
* an -EPROBE_DEFER later, as that is the worst case.
*/
if (ret == -EPROBE_DEFER) {
- pinctrl_free(p, false);
mutex_unlock(&pinctrl_maps_mutex);
+ pinctrl_free(p, false);
return ERR_PTR(ret);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 262/356] pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 261/356] pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 263/356] pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins Greg Kroah-Hartman
` (101 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huang-Huang Bao, Heiko Stuebner,
Linus Walleij, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huang-Huang Bao <i@eh5.me>
[ Upstream commit e8448a6c817c2aa6c6af785b1d45678bd5977e8d ]
The pinmux bits for GPIO2-B0 to GPIO2-B6 actually have 2 bits width,
correct the bank flag for GPIO2-B. The pinmux bits for GPIO2-B7 is
recalculated so it remain unchanged.
The pinmux bits for those pins are not explicitly specified in RK3328
TRM, however we can get hint from pad name and its correspinding IOMUX
setting for pins in interface descriptions. The correspinding IOMIX
settings for GPIO2-B0 to GPIO2-B6 can be found in the same row next to
occurrences of following pad names in RK3328 TRM.
GPIO2-B0: IO_SPIclkm0_GPIO2B0vccio5
GPIO2-B1: IO_SPItxdm0_GPIO2B1vccio5
GPIO2-B2: IO_SPIrxdm0_GPIO2B2vccio5
GPIO2-B3: IO_SPIcsn0m0_GPIO2B3vccio5
GPIO2-B4: IO_SPIcsn1m0_FLASHvol_sel_GPIO2B4vccio5
GPIO2-B5: IO_ I2C2sda_TSADCshut_GPIO2B5vccio5
GPIO2-B6: IO_ I2C2scl_GPIO2B6vccio5
This fix has been tested on NanoPi R2S for fixing confliting pinmux bits
between GPIO2-B7 with GPIO2-B5.
Signed-off-by: Huang-Huang Bao <i@eh5.me>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Fixes: 3818e4a7678e ("pinctrl: rockchip: Add rk3328 pinctrl support")
Link: https://lore.kernel.org/r/20240606125755.53778-2-i@eh5.me
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-rockchip.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c
index a6f4aca9c61c4..693a24eac9892 100644
--- a/drivers/pinctrl/pinctrl-rockchip.c
+++ b/drivers/pinctrl/pinctrl-rockchip.c
@@ -564,12 +564,6 @@ static struct rockchip_mux_recalced_data rk3308_mux_recalced_data[] = {
static struct rockchip_mux_recalced_data rk3328_mux_recalced_data[] = {
{
- .num = 2,
- .pin = 12,
- .reg = 0x24,
- .bit = 8,
- .mask = 0x3
- }, {
.num = 2,
.pin = 15,
.reg = 0x28,
@@ -3181,7 +3175,7 @@ static struct rockchip_pin_bank rk3328_pin_banks[] = {
PIN_BANK_IOMUX_FLAGS(0, 32, "gpio0", 0, 0, 0, 0),
PIN_BANK_IOMUX_FLAGS(1, 32, "gpio1", 0, 0, 0, 0),
PIN_BANK_IOMUX_FLAGS(2, 32, "gpio2", 0,
- IOMUX_WIDTH_3BIT,
+ 0,
IOMUX_WIDTH_3BIT,
0),
PIN_BANK_IOMUX_FLAGS(3, 32, "gpio3",
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 263/356] pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 262/356] pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins Greg Kroah-Hartman
@ 2024-07-03 10:39 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 264/356] pinctrl: rockchip: use dedicated pinctrl type for RK3328 Greg Kroah-Hartman
` (100 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huang-Huang Bao, Heiko Stuebner,
Linus Walleij, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huang-Huang Bao <i@eh5.me>
[ Upstream commit 5ef6914e0bf578357b4c906ffe6b26e7eedb8ccf ]
The pinmux bits for GPIO3-B1 to GPIO3-B6 pins are not explicitly
specified in RK3328 TRM, however we can get hint from pad name and its
correspinding IOMUX setting for pins in interface descriptions. The
correspinding IOMIX settings for these pins can be found in the same
row next to occurrences of following pad names in RK3328 TRM.
GPIO3-B1: IO_TSPd5m0_CIFdata5m0_GPIO3B1vccio6
GPIO3-B2: IO_TSPd6m0_CIFdata6m0_GPIO3B2vccio6
GPIO3-B3: IO_TSPd7m0_CIFdata7m0_GPIO3B3vccio6
GPIO3-B4: IO_CARDclkm0_GPIO3B4vccio6
GPIO3-B5: IO_CARDrstm0_GPIO3B5vccio6
GPIO3-B6: IO_CARDdetm0_GPIO3B6vccio6
Add pinmux data to rk3328_mux_recalced_data as mux register offset for
these pins does not follow rockchip convention.
Signed-off-by: Huang-Huang Bao <i@eh5.me>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Fixes: 3818e4a7678e ("pinctrl: rockchip: Add rk3328 pinctrl support")
Link: https://lore.kernel.org/r/20240606125755.53778-3-i@eh5.me
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-rockchip.c | 51 ++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c
index 693a24eac9892..965482872646f 100644
--- a/drivers/pinctrl/pinctrl-rockchip.c
+++ b/drivers/pinctrl/pinctrl-rockchip.c
@@ -564,17 +564,68 @@ static struct rockchip_mux_recalced_data rk3308_mux_recalced_data[] = {
static struct rockchip_mux_recalced_data rk3328_mux_recalced_data[] = {
{
+ /* gpio2_b7_sel */
.num = 2,
.pin = 15,
.reg = 0x28,
.bit = 0,
.mask = 0x7
}, {
+ /* gpio2_c7_sel */
.num = 2,
.pin = 23,
.reg = 0x30,
.bit = 14,
.mask = 0x3
+ }, {
+ /* gpio3_b1_sel */
+ .num = 3,
+ .pin = 9,
+ .reg = 0x44,
+ .bit = 2,
+ .mask = 0x3
+ }, {
+ /* gpio3_b2_sel */
+ .num = 3,
+ .pin = 10,
+ .reg = 0x44,
+ .bit = 4,
+ .mask = 0x3
+ }, {
+ /* gpio3_b3_sel */
+ .num = 3,
+ .pin = 11,
+ .reg = 0x44,
+ .bit = 6,
+ .mask = 0x3
+ }, {
+ /* gpio3_b4_sel */
+ .num = 3,
+ .pin = 12,
+ .reg = 0x44,
+ .bit = 8,
+ .mask = 0x3
+ }, {
+ /* gpio3_b5_sel */
+ .num = 3,
+ .pin = 13,
+ .reg = 0x44,
+ .bit = 10,
+ .mask = 0x3
+ }, {
+ /* gpio3_b6_sel */
+ .num = 3,
+ .pin = 14,
+ .reg = 0x44,
+ .bit = 12,
+ .mask = 0x3
+ }, {
+ /* gpio3_b7_sel */
+ .num = 3,
+ .pin = 15,
+ .reg = 0x44,
+ .bit = 14,
+ .mask = 0x3
},
};
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 264/356] pinctrl: rockchip: use dedicated pinctrl type for RK3328
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2024-07-03 10:39 ` [PATCH 5.15 263/356] pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 265/356] pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set Greg Kroah-Hartman
` (99 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Stuebner, Huang-Huang Bao,
Linus Walleij, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huang-Huang Bao <i@eh5.me>
[ Upstream commit 01b4b1d1cec48ef4c26616c2fc4600b2c9fec05a ]
rk3328_pin_ctrl uses type of RK3288 which has a hack in
rockchip_pinctrl_suspend and rockchip_pinctrl_resume to restore GPIO6-C6
at assume, the hack is not applicable to RK3328 as GPIO6 is not even
exist in it. So use a dedicated pinctrl type to skip this hack.
Fixes: 3818e4a7678e ("pinctrl: rockchip: Add rk3328 pinctrl support")
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Huang-Huang Bao <i@eh5.me>
Link: https://lore.kernel.org/r/20240606125755.53778-4-i@eh5.me
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-rockchip.c | 5 ++++-
drivers/pinctrl/pinctrl-rockchip.h | 1 +
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c
index 965482872646f..30e1dec1e2f68 100644
--- a/drivers/pinctrl/pinctrl-rockchip.c
+++ b/drivers/pinctrl/pinctrl-rockchip.c
@@ -1936,6 +1936,7 @@ static int rockchip_get_pull(struct rockchip_pin_bank *bank, int pin_num)
case RK3188:
case RK3288:
case RK3308:
+ case RK3328:
case RK3368:
case RK3399:
case RK3568:
@@ -1992,6 +1993,7 @@ static int rockchip_set_pull(struct rockchip_pin_bank *bank,
case RK3188:
case RK3288:
case RK3308:
+ case RK3328:
case RK3368:
case RK3399:
case RK3568:
@@ -2252,6 +2254,7 @@ static bool rockchip_pinconf_pull_valid(struct rockchip_pin_ctrl *ctrl,
case RK3188:
case RK3288:
case RK3308:
+ case RK3328:
case RK3368:
case RK3399:
case RK3568:
@@ -3240,7 +3243,7 @@ static struct rockchip_pin_ctrl rk3328_pin_ctrl = {
.pin_banks = rk3328_pin_banks,
.nr_banks = ARRAY_SIZE(rk3328_pin_banks),
.label = "RK3328-GPIO",
- .type = RK3288,
+ .type = RK3328,
.grf_mux_offset = 0x0,
.iomux_recalced = rk3328_mux_recalced_data,
.niomux_recalced = ARRAY_SIZE(rk3328_mux_recalced_data),
diff --git a/drivers/pinctrl/pinctrl-rockchip.h b/drivers/pinctrl/pinctrl-rockchip.h
index 59116e13758d0..d4a6e1276bab3 100644
--- a/drivers/pinctrl/pinctrl-rockchip.h
+++ b/drivers/pinctrl/pinctrl-rockchip.h
@@ -27,6 +27,7 @@ enum rockchip_pinctrl_type {
RK3188,
RK3288,
RK3308,
+ RK3328,
RK3368,
RK3399,
RK3568,
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 265/356] pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 264/356] pinctrl: rockchip: use dedicated pinctrl type for RK3328 Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 266/356] cifs: fix typo in module parameter enable_gcm_256 Greg Kroah-Hartman
` (98 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Stuebner, Huang-Huang Bao,
Linus Walleij, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huang-Huang Bao <i@eh5.me>
[ Upstream commit 4ea4d4808e342ddf89ba24b93ffa2057005aaced ]
rockchip_pmx_set reset all pinmuxs in group to 0 in the case of error,
add missing bank data retrieval in that code to avoid setting mux on
unexpected pins.
Fixes: 14797189b35e ("pinctrl: rockchip: add return value to rockchip_set_mux")
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Huang-Huang Bao <i@eh5.me>
Link: https://lore.kernel.org/r/20240606125755.53778-5-i@eh5.me
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-rockchip.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c
index 30e1dec1e2f68..4ff70527755a3 100644
--- a/drivers/pinctrl/pinctrl-rockchip.c
+++ b/drivers/pinctrl/pinctrl-rockchip.c
@@ -2206,8 +2206,10 @@ static int rockchip_pmx_set(struct pinctrl_dev *pctldev, unsigned selector,
if (ret) {
/* revert the already done pin settings */
- for (cnt--; cnt >= 0; cnt--)
+ for (cnt--; cnt >= 0; cnt--) {
+ bank = pin_to_bank(info, pins[cnt]);
rockchip_set_mux(bank, pins[cnt] - bank->pin_base, 0);
+ }
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 266/356] cifs: fix typo in module parameter enable_gcm_256
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 265/356] pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 267/356] drm/amdgpu: fix UBSAN warning in kv_dpm.c Greg Kroah-Hartman
` (97 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve French <stfrench@microsoft.com>
[ Upstream commit 8bf0287528da1992c5e49d757b99ad6bbc34b522 ]
enable_gcm_256 (which allows the server to require the strongest
encryption) is enabled by default, but the modinfo description
incorrectly showed it disabled by default. Fix the typo.
Cc: stable@vger.kernel.org
Fixes: fee742b50289 ("smb3.1.1: enable negotiating stronger encryption by default")
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/cifsfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index d3adcb9e70a66..c254e714f7ceb 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -99,7 +99,7 @@ module_param(enable_oplocks, bool, 0644);
MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");
module_param(enable_gcm_256, bool, 0644);
-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: n/N/0");
+MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0");
module_param(require_gcm_256, bool, 0644);
MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 267/356] drm/amdgpu: fix UBSAN warning in kv_dpm.c
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 266/356] cifs: fix typo in module parameter enable_gcm_256 Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 268/356] net: mdio: add helpers to extract clause 45 regad and devad fields Greg Kroah-Hartman
` (96 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit f0d576f840153392d04b2d52cf3adab8f62e8cb6 ]
Adds bounds check for sumo_vid_mapping_entry.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3392
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c b/drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c
index b56854c03ead6..4291bf09fc7b4 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c
@@ -163,6 +163,8 @@ static void sumo_construct_vid_mapping_table(struct amdgpu_device *adev,
for (i = 0; i < SUMO_MAX_HARDWARE_POWERLEVELS; i++) {
if (table[i].ulSupportedSCLK != 0) {
+ if (table[i].usVoltageIndex >= SUMO_MAX_NUMBER_VOLTAGES)
+ continue;
vid_mapping_table->entries[table[i].usVoltageIndex].vid_7bit =
table[i].usVoltageID;
vid_mapping_table->entries[table[i].usVoltageIndex].vid_2bit =
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 268/356] net: mdio: add helpers to extract clause 45 regad and devad fields
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 267/356] drm/amdgpu: fix UBSAN warning in kv_dpm.c Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 269/356] net: stmmac: Assign configured channel value to EXTTS event Greg Kroah-Hartman
` (95 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Golle, Andrew Lunn,
Russell King (Oracle), David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
[ Upstream commit c6af53f038aa32cec12e8a305ba07c7ef168f1b0 ]
Add a couple of helpers and definitions to extract the clause 45 regad
and devad fields from the regnum passed into MDIO drivers.
Tested-by: Daniel Golle <daniel@makrotopia.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 8851346912a1 ("net: stmmac: Assign configured channel value to EXTTS event")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/mdio.h | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/include/linux/mdio.h b/include/linux/mdio.h
index 5e6dc38f418e4..3a6ff4e7284a8 100644
--- a/include/linux/mdio.h
+++ b/include/linux/mdio.h
@@ -7,6 +7,7 @@
#define __LINUX_MDIO_H__
#include <uapi/linux/mdio.h>
+#include <linux/bitfield.h>
#include <linux/mod_devicetable.h>
/* Or MII_ADDR_C45 into regnum for read/write on mii_bus to enable the 21 bit
@@ -14,6 +15,7 @@
*/
#define MII_ADDR_C45 (1<<30)
#define MII_DEVADDR_C45_SHIFT 16
+#define MII_DEVADDR_C45_MASK GENMASK(20, 16)
#define MII_REGADDR_C45_MASK GENMASK(15, 0)
struct gpio_desc;
@@ -355,6 +357,16 @@ static inline u32 mdiobus_c45_addr(int devad, u16 regnum)
return MII_ADDR_C45 | devad << MII_DEVADDR_C45_SHIFT | regnum;
}
+static inline u16 mdiobus_c45_regad(u32 regnum)
+{
+ return FIELD_GET(MII_REGADDR_C45_MASK, regnum);
+}
+
+static inline u16 mdiobus_c45_devad(u32 regnum)
+{
+ return FIELD_GET(MII_DEVADDR_C45_MASK, regnum);
+}
+
static inline int __mdiobus_c45_read(struct mii_bus *bus, int prtad, int devad,
u16 regnum)
{
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 269/356] net: stmmac: Assign configured channel value to EXTTS event
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 268/356] net: mdio: add helpers to extract clause 45 regad and devad fields Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 270/356] ASoC: fsl-asoc-card: set priv->pdev before using it Greg Kroah-Hartman
` (94 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Wojciech Drewek,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
[ Upstream commit 8851346912a1fa33e7a5966fe51f07313b274627 ]
Assign the configured channel value to the EXTTS event in the timestamp
interrupt handler. Without assigning the correct channel, applications
like ts2phc will refuse to accept the event, resulting in errors such
as:
...
ts2phc[656.834]: config item end1.ts2phc.pin_index is 0
ts2phc[656.834]: config item end1.ts2phc.channel is 3
ts2phc[656.834]: config item end1.ts2phc.extts_polarity is 2
ts2phc[656.834]: config item end1.ts2phc.extts_correction is 0
...
ts2phc[656.862]: extts on unexpected channel
ts2phc[658.141]: extts on unexpected channel
ts2phc[659.140]: extts on unexpected channel
Fixes: f4da56529da60 ("net: stmmac: Add support for external trigger timestamping")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
Link: https://lore.kernel.org/r/20240618073821.619751-1-o.rempel@pengutronix.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
index 2c6245b2281ca..0d3d7874f0fc6 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
@@ -176,6 +176,7 @@ static void timestamp_interrupt(struct stmmac_priv *priv)
{
u32 num_snapshot, ts_status, tsync_int;
struct ptp_clock_event event;
+ u32 acr_value, channel;
unsigned long flags;
u64 ptp_time;
int i;
@@ -201,12 +202,15 @@ static void timestamp_interrupt(struct stmmac_priv *priv)
num_snapshot = (ts_status & GMAC_TIMESTAMP_ATSNS_MASK) >>
GMAC_TIMESTAMP_ATSNS_SHIFT;
+ acr_value = readl(priv->ptpaddr + PTP_ACR);
+ channel = ilog2(FIELD_GET(PTP_ACR_MASK, acr_value));
+
for (i = 0; i < num_snapshot; i++) {
spin_lock_irqsave(&priv->ptp_lock, flags);
get_ptptime(priv->ptpaddr, &ptp_time);
spin_unlock_irqrestore(&priv->ptp_lock, flags);
event.type = PTP_CLOCK_EXTTS;
- event.index = 0;
+ event.index = channel;
event.timestamp = ptp_time;
ptp_clock_event(priv->ptp_clock, &event);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 270/356] ASoC: fsl-asoc-card: set priv->pdev before using it
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 269/356] net: stmmac: Assign configured channel value to EXTTS event Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 271/356] net: dsa: microchip: fix initial port flush problem Greg Kroah-Hartman
` (93 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Elinor Montmasson, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Elinor Montmasson <elinor.montmasson@savoirfairelinux.com>
[ Upstream commit 90f3feb24172185f1832636264943e8b5e289245 ]
priv->pdev pointer was set after being used in
fsl_asoc_card_audmux_init().
Move this assignment at the start of the probe function, so
sub-functions can correctly use pdev through priv.
fsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the
dev struct, used with dev_err macros.
As priv is zero-initialised, there would be a NULL pointer dereference.
Note that if priv->dev is dereferenced before assignment but never used,
for example if there is no error to be printed, the driver won't crash
probably due to compiler optimisations.
Fixes: 708b4351f08c ("ASoC: fsl: Add Freescale Generic ASoC Sound Card with ASRC support")
Signed-off-by: Elinor Montmasson <elinor.montmasson@savoirfairelinux.com>
Link: https://patch.msgid.link/20240620132511.4291-2-elinor.montmasson@savoirfairelinux.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl-asoc-card.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c
index 5000d779aade2..98a157e46637a 100644
--- a/sound/soc/fsl/fsl-asoc-card.c
+++ b/sound/soc/fsl/fsl-asoc-card.c
@@ -548,6 +548,8 @@ static int fsl_asoc_card_probe(struct platform_device *pdev)
if (!priv)
return -ENOMEM;
+ priv->pdev = pdev;
+
cpu_np = of_parse_phandle(np, "audio-cpu", 0);
/* Give a chance to old DT binding */
if (!cpu_np)
@@ -742,7 +744,6 @@ static int fsl_asoc_card_probe(struct platform_device *pdev)
}
/* Initialize sound card */
- priv->pdev = pdev;
priv->card.dev = &pdev->dev;
priv->card.owner = THIS_MODULE;
ret = snd_soc_of_parse_card_name(&priv->card, "model");
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 271/356] net: dsa: microchip: fix initial port flush problem
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 270/356] ASoC: fsl-asoc-card: set priv->pdev before using it Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 272/356] ibmvnic: Free any outstanding tx skbs during scrq reset Greg Kroah-Hartman
` (92 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristram Ha, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tristram Ha <tristram.ha@microchip.com>
[ Upstream commit ad53f5f54f351e967128edbc431f0f26427172cf ]
The very first flush in any port will flush all learned addresses in all
ports. This can be observed by unplugging the cable from one port while
additional ports are connected and dumping the fdb entries.
This problem is caused by the initially wrong value programmed to the
REG_SW_LUE_CTRL_1 register. Setting SW_FLUSH_STP_TABLE and
SW_FLUSH_MSTP_TABLE bits does not have an immediate effect. It is when
ksz9477_flush_dyn_mac_table() is called then the SW_FLUSH_STP_TABLE bit
takes effect and flushes all learned entries. After that call both bits
are reset and so the next port flush will not cause such problem again.
Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477")
Signed-off-by: Tristram Ha <tristram.ha@microchip.com>
Link: https://patch.msgid.link/1718756202-2731-1-git-send-email-Tristram.Ha@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/microchip/ksz9477.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/drivers/net/dsa/microchip/ksz9477.c
+++ b/drivers/net/dsa/microchip/ksz9477.c
@@ -195,7 +195,6 @@ static int ksz9477_wait_alu_sta_ready(st
static int ksz9477_reset_switch(struct ksz_device *dev)
{
- u8 data8;
u32 data32;
/* reset switch */
@@ -206,10 +205,8 @@ static int ksz9477_reset_switch(struct k
SPI_AUTO_EDGE_DETECTION, 0);
/* default configuration */
- ksz_read8(dev, REG_SW_LUE_CTRL_1, &data8);
- data8 = SW_AGING_ENABLE | SW_LINK_AUTO_AGING |
- SW_SRC_ADDR_FILTER | SW_FLUSH_STP_TABLE | SW_FLUSH_MSTP_TABLE;
- ksz_write8(dev, REG_SW_LUE_CTRL_1, data8);
+ ksz_write8(dev, REG_SW_LUE_CTRL_1,
+ SW_AGING_ENABLE | SW_LINK_AUTO_AGING | SW_SRC_ADDR_FILTER);
/* disable interrupts */
ksz_write32(dev, REG_SW_INT_MASK__4, SWITCH_INT_MASK);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 272/356] ibmvnic: Free any outstanding tx skbs during scrq reset
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 271/356] net: dsa: microchip: fix initial port flush problem Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 273/356] net: phy: micrel: add Microchip KSZ 9477 to the device table Greg Kroah-Hartman
` (91 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nick Child, David S. Miller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nick Child <nnac123@linux.ibm.com>
[ Upstream commit 49bbeb5719c2f56907d3a9623b47c6c15c2c431d ]
There are 2 types of outstanding tx skb's:
Type 1: Packets that are sitting in the drivers ind_buff that are
waiting to be batch sent to the NIC. During a device reset, these are
freed with a call to ibmvnic_tx_scrq_clean_buffer()
Type 2: Packets that have been sent to the NIC and are awaiting a TX
completion IRQ. These are free'd during a reset with a call to
clean_tx_pools()
During any reset which requires us to free the tx irq, ensure that the
Type 2 skb references are freed. Since the irq is released, it is
impossible for the NIC to inform of any completions.
Furthermore, later in the reset process is a call to init_tx_pools()
which marks every entry in the tx pool as free (ie not outstanding).
So if the driver is to make a call to init_tx_pools(), it must first
be sure that the tx pool is empty of skb references.
This issue was discovered by observing the following in the logs during
EEH testing:
TX free map points to untracked skb (tso_pool 0 idx=4)
TX free map points to untracked skb (tso_pool 0 idx=5)
TX free map points to untracked skb (tso_pool 1 idx=36)
Fixes: 65d6470d139a ("ibmvnic: clean pending indirect buffs during reset")
Signed-off-by: Nick Child <nnac123@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/ibm/ibmvnic.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
index 890e27b986e2a..7f4539a2e5517 100644
--- a/drivers/net/ethernet/ibm/ibmvnic.c
+++ b/drivers/net/ethernet/ibm/ibmvnic.c
@@ -3409,6 +3409,12 @@ static void release_sub_crqs(struct ibmvnic_adapter *adapter, bool do_h_free)
adapter->num_active_tx_scrqs = 0;
}
+ /* Clean any remaining outstanding SKBs
+ * we freed the irq so we won't be hearing
+ * from them
+ */
+ clean_tx_pools(adapter);
+
if (adapter->rx_scrq) {
for (i = 0; i < adapter->num_active_rx_scrqs; i++) {
if (!adapter->rx_scrq[i])
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 273/356] net: phy: micrel: add Microchip KSZ 9477 to the device table
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 272/356] ibmvnic: Free any outstanding tx skbs during scrq reset Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 274/356] xdp: Remove WARN() from __xdp_reg_mem_model() Greg Kroah-Hartman
` (90 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Enguerrand de Ribaucourt,
Andrew Lunn, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
[ Upstream commit 54a4e5c16382e871c01dd82b47e930fdce30406b ]
PHY_ID_KSZ9477 was supported but not added to the device table passed to
MODULE_DEVICE_TABLE.
Fixes: fc3973a1fa09 ("phy: micrel: add Microchip KSZ 9477 Switch PHY support")
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/micrel.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
index 59d05a1672ece..f1a6cc7ccf1a3 100644
--- a/drivers/net/phy/micrel.c
+++ b/drivers/net/phy/micrel.c
@@ -1798,6 +1798,7 @@ static struct mdio_device_id __maybe_unused micrel_tbl[] = {
{ PHY_ID_KSZ8081, MICREL_PHY_ID_MASK },
{ PHY_ID_KSZ8873MLL, MICREL_PHY_ID_MASK },
{ PHY_ID_KSZ886X, MICREL_PHY_ID_MASK },
+ { PHY_ID_KSZ9477, MICREL_PHY_ID_MASK },
{ PHY_ID_LAN8814, MICREL_PHY_ID_MASK },
{ }
};
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 274/356] xdp: Remove WARN() from __xdp_reg_mem_model()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 273/356] net: phy: micrel: add Microchip KSZ 9477 to the device table Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 275/356] tcp: Use BPF timeout setting for SYN ACK RTO Greg Kroah-Hartman
` (89 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniil Dulov, Daniel Borkmann,
Jesper Dangaard Brouer, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniil Dulov <d.dulov@aladdin.ru>
[ Upstream commit 7e9f79428372c6eab92271390851be34ab26bfb4 ]
syzkaller reports a warning in __xdp_reg_mem_model().
The warning occurs only if __mem_id_init_hash_table() returns an error. It
returns the error in two cases:
1. memory allocation fails;
2. rhashtable_init() fails when some fields of rhashtable_params
struct are not initialized properly.
The second case cannot happen since there is a static const rhashtable_params
struct with valid fields. So, warning is only triggered when there is a
problem with memory allocation.
Thus, there is no sense in using WARN() to handle this error and it can be
safely removed.
WARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299
CPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299
Call Trace:
xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344
xdp_test_run_setup net/bpf/test_run.c:188 [inline]
bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377
bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267
bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240
__sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649
__do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Found by Linux Verification Center (linuxtesting.org) with syzkaller.
Fixes: 8d5d88527587 ("xdp: rhashtable with allocator ID to pointer mapping")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
Link: https://lore.kernel.org/all/20240617162708.492159-1-d.dulov@aladdin.ru
Link: https://lore.kernel.org/bpf/20240624080747.36858-1-d.dulov@aladdin.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/xdp.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/core/xdp.c b/net/core/xdp.c
index a3e3d2538a3a8..e9a9694c4fdcc 100644
--- a/net/core/xdp.c
+++ b/net/core/xdp.c
@@ -292,10 +292,8 @@ static struct xdp_mem_allocator *__xdp_reg_mem_model(struct xdp_mem_info *mem,
mutex_lock(&mem_id_lock);
ret = __mem_id_init_hash_table();
mutex_unlock(&mem_id_lock);
- if (ret < 0) {
- WARN_ON(1);
+ if (ret < 0)
return ERR_PTR(ret);
- }
}
xdp_alloc = kzalloc(sizeof(*xdp_alloc), gfp);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 275/356] tcp: Use BPF timeout setting for SYN ACK RTO
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 274/356] xdp: Remove WARN() from __xdp_reg_mem_model() Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 276/356] Fix race for duplicate reqsk on identical SYN Greg Kroah-Hartman
` (88 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akhmat Karakotov, Martin KaFai Lau,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhmat Karakotov <hmukos@yandex-team.ru>
[ Upstream commit 5903123f662ed18483f05cac3f9e800a074c29ff ]
When setting RTO through BPF program, some SYN ACK packets were unaffected
and continued to use TCP_TIMEOUT_INIT constant. This patch adds timeout
option to struct request_sock. Option is initialized with TCP_TIMEOUT_INIT
and is reassigned through BPF using tcp_timeout_init call. SYN ACK
retransmits now use newly added timeout option.
Signed-off-by: Akhmat Karakotov <hmukos@yandex-team.ru>
Acked-by: Martin KaFai Lau <kafai@fb.com>
v2:
- Add timeout option to struct request_sock. Do not call
tcp_timeout_init on every syn ack retransmit.
v3:
- Use unsigned long for min. Bound tcp_timeout_init to TCP_RTO_MAX.
v4: - Refactor duplicate code by adding reqsk_timeout function.
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: ff46e3b44219 ("Fix race for duplicate reqsk on identical SYN")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/inet_connection_sock.h | 8 ++++++++
include/net/request_sock.h | 2 ++
include/net/tcp.h | 2 +-
net/ipv4/inet_connection_sock.c | 5 +----
net/ipv4/tcp_input.c | 8 +++++---
net/ipv4/tcp_minisocks.c | 5 ++---
6 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
index b6b7e210f9d7a..7794cf2b5ef50 100644
--- a/include/net/inet_connection_sock.h
+++ b/include/net/inet_connection_sock.h
@@ -284,6 +284,14 @@ static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk)
bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req);
void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req);
+static inline unsigned long
+reqsk_timeout(struct request_sock *req, unsigned long max_timeout)
+{
+ u64 timeout = (u64)req->timeout << req->num_timeout;
+
+ return (unsigned long)min_t(u64, timeout, max_timeout);
+}
+
static inline void inet_csk_prepare_for_destroy_sock(struct sock *sk)
{
/* The below has to be done to allow calling inet_csk_destroy_sock */
diff --git a/include/net/request_sock.h b/include/net/request_sock.h
index 29e41ff3ec933..144c39db9898a 100644
--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -70,6 +70,7 @@ struct request_sock {
struct saved_syn *saved_syn;
u32 secid;
u32 peer_secid;
+ u32 timeout;
};
static inline struct request_sock *inet_reqsk(const struct sock *sk)
@@ -104,6 +105,7 @@ reqsk_alloc(const struct request_sock_ops *ops, struct sock *sk_listener,
sk_node_init(&req_to_sk(req)->sk_node);
sk_tx_queue_clear(req_to_sk(req));
req->saved_syn = NULL;
+ req->timeout = 0;
req->num_timeout = 0;
req->num_retrans = 0;
req->sk = NULL;
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 08923ed4278f0..30f8111f750b5 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -2362,7 +2362,7 @@ static inline u32 tcp_timeout_init(struct sock *sk)
if (timeout <= 0)
timeout = TCP_TIMEOUT_INIT;
- return timeout;
+ return min_t(int, timeout, TCP_RTO_MAX);
}
static inline u32 tcp_rwnd_init_bpf(struct sock *sk)
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 27975a44d1f9d..43e370f45b81d 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -889,12 +889,9 @@ static void reqsk_timer_handler(struct timer_list *t)
(!resend ||
!inet_rtx_syn_ack(sk_listener, req) ||
inet_rsk(req)->acked)) {
- unsigned long timeo;
-
if (req->num_timeout++ == 0)
atomic_dec(&queue->young);
- timeo = min(TCP_TIMEOUT_INIT << req->num_timeout, TCP_RTO_MAX);
- mod_timer(&req->rsk_timer, jiffies + timeo);
+ mod_timer(&req->rsk_timer, jiffies + reqsk_timeout(req, TCP_RTO_MAX));
if (!nreq)
return;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 5ad7e6965a645..ca72dbaa27b46 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6769,6 +6769,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
ireq->ireq_state = TCP_NEW_SYN_RECV;
write_pnet(&ireq->ireq_net, sock_net(sk_listener));
ireq->ireq_family = sk_listener->sk_family;
+ req->timeout = TCP_TIMEOUT_INIT;
}
return req;
@@ -6991,9 +6992,10 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
sock_put(fastopen_sk);
} else {
tcp_rsk(req)->tfo_listener = false;
- if (!want_cookie)
- inet_csk_reqsk_queue_hash_add(sk, req,
- tcp_timeout_init((struct sock *)req));
+ if (!want_cookie) {
+ req->timeout = tcp_timeout_init((struct sock *)req);
+ inet_csk_reqsk_queue_hash_add(sk, req, req->timeout);
+ }
af_ops->send_synack(sk, dst, &fl, req, &foc,
!want_cookie ? TCP_SYNACK_NORMAL :
TCP_SYNACK_COOKIE,
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 2606a5571116a..d84b71f70766b 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -593,7 +593,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
* it can be estimated (approximately)
* from another data.
*/
- tmp_opt.ts_recent_stamp = ktime_get_seconds() - ((TCP_TIMEOUT_INIT/HZ)<<req->num_timeout);
+ tmp_opt.ts_recent_stamp = ktime_get_seconds() - reqsk_timeout(req, TCP_RTO_MAX) / HZ;
paws_reject = tcp_paws_reject(&tmp_opt, th->rst);
}
}
@@ -632,8 +632,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
!inet_rtx_syn_ack(sk, req)) {
unsigned long expires = jiffies;
- expires += min(TCP_TIMEOUT_INIT << req->num_timeout,
- TCP_RTO_MAX);
+ expires += reqsk_timeout(req, TCP_RTO_MAX);
if (!fastopen)
mod_timer_pending(&req->rsk_timer, expires);
else
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 276/356] Fix race for duplicate reqsk on identical SYN
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 275/356] tcp: Use BPF timeout setting for SYN ACK RTO Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 277/356] sparc: fix old compat_sys_select() Greg Kroah-Hartman
` (87 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, luoxuanqiang, Kuniyuki Iwashima,
Eric Dumazet, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: luoxuanqiang <luoxuanqiang@kylinos.cn>
[ Upstream commit ff46e3b4421923937b7f6e44ffcd3549a074f321 ]
When bonding is configured in BOND_MODE_BROADCAST mode, if two identical
SYN packets are received at the same time and processed on different CPUs,
it can potentially create the same sk (sock) but two different reqsk
(request_sock) in tcp_conn_request().
These two different reqsk will respond with two SYNACK packets, and since
the generation of the seq (ISN) incorporates a timestamp, the final two
SYNACK packets will have different seq values.
The consequence is that when the Client receives and replies with an ACK
to the earlier SYNACK packet, we will reset(RST) it.
========================================================================
This behavior is consistently reproducible in my local setup,
which comprises:
| NETA1 ------ NETB1 |
PC_A --- bond --- | | --- bond --- PC_B
| NETA2 ------ NETB2 |
- PC_A is the Server and has two network cards, NETA1 and NETA2. I have
bonded these two cards using BOND_MODE_BROADCAST mode and configured
them to be handled by different CPU.
- PC_B is the Client, also equipped with two network cards, NETB1 and
NETB2, which are also bonded and configured in BOND_MODE_BROADCAST mode.
If the client attempts a TCP connection to the server, it might encounter
a failure. Capturing packets from the server side reveals:
10.10.10.10.45182 > localhost: Flags [S], seq 320236027,
10.10.10.10.45182 > localhost: Flags [S], seq 320236027,
localhost > 10.10.10.10.45182: Flags [S.], seq 2967855116,
localhost > 10.10.10.10.45182: Flags [S.], seq 2967855123, <==
10.10.10.10.45182 > localhost: Flags [.], ack 4294967290,
10.10.10.10.45182 > localhost: Flags [.], ack 4294967290,
localhost > 10.10.10.10.45182: Flags [R], seq 2967855117, <==
localhost > 10.10.10.10.45182: Flags [R], seq 2967855117,
Two SYNACKs with different seq numbers are sent by localhost,
resulting in an anomaly.
========================================================================
The attempted solution is as follows:
Add a return value to inet_csk_reqsk_queue_hash_add() to confirm if the
ehash insertion is successful (Up to now, the reason for unsuccessful
insertion is that a reqsk for the same connection has already been
inserted). If the insertion fails, release the reqsk.
Due to the refcnt, Kuniyuki suggests also adding a return value check
for the DCCP module; if ehash insertion fails, indicating a successful
insertion of the same connection, simply release the reqsk as well.
Simultaneously, In the reqsk_queue_hash_req(), the start of the
req->rsk_timer is adjusted to be after successful insertion.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: luoxuanqiang <luoxuanqiang@kylinos.cn>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240621013929.1386815-1-luoxuanqiang@kylinos.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/inet_connection_sock.h | 2 +-
net/dccp/ipv4.c | 7 +++++--
net/dccp/ipv6.c | 7 +++++--
net/ipv4/inet_connection_sock.c | 17 +++++++++++++----
net/ipv4/tcp_input.c | 7 ++++++-
5 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
index 7794cf2b5ef50..53ec06703fe4e 100644
--- a/include/net/inet_connection_sock.h
+++ b/include/net/inet_connection_sock.h
@@ -260,7 +260,7 @@ struct dst_entry *inet_csk_route_child_sock(const struct sock *sk,
struct sock *inet_csk_reqsk_queue_add(struct sock *sk,
struct request_sock *req,
struct sock *child);
-void inet_csk_reqsk_queue_hash_add(struct sock *sk, struct request_sock *req,
+bool inet_csk_reqsk_queue_hash_add(struct sock *sk, struct request_sock *req,
unsigned long timeout);
struct sock *inet_csk_complete_hashdance(struct sock *sk, struct sock *child,
struct request_sock *req,
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index cab82344de9be..aaef9557d9425 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -649,8 +649,11 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
if (dccp_v4_send_response(sk, req))
goto drop_and_free;
- inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT);
- reqsk_put(req);
+ if (unlikely(!inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT)))
+ reqsk_free(req);
+ else
+ reqsk_put(req);
+
return 0;
drop_and_free:
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 6f05e9d0d4287..f7c88b860d5d5 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -397,8 +397,11 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
if (dccp_v6_send_response(sk, req))
goto drop_and_free;
- inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT);
- reqsk_put(req);
+ if (unlikely(!inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT)))
+ reqsk_free(req);
+ else
+ reqsk_put(req);
+
return 0;
drop_and_free:
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 43e370f45b81d..75c2f7ffe5be4 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -927,25 +927,34 @@ static void reqsk_timer_handler(struct timer_list *t)
inet_csk_reqsk_queue_drop_and_put(oreq->rsk_listener, oreq);
}
-static void reqsk_queue_hash_req(struct request_sock *req,
+static bool reqsk_queue_hash_req(struct request_sock *req,
unsigned long timeout)
{
+ bool found_dup_sk = false;
+
+ if (!inet_ehash_insert(req_to_sk(req), NULL, &found_dup_sk))
+ return false;
+
+ /* The timer needs to be setup after a successful insertion. */
timer_setup(&req->rsk_timer, reqsk_timer_handler, TIMER_PINNED);
mod_timer(&req->rsk_timer, jiffies + timeout);
- inet_ehash_insert(req_to_sk(req), NULL, NULL);
/* before letting lookups find us, make sure all req fields
* are committed to memory and refcnt initialized.
*/
smp_wmb();
refcount_set(&req->rsk_refcnt, 2 + 1);
+ return true;
}
-void inet_csk_reqsk_queue_hash_add(struct sock *sk, struct request_sock *req,
+bool inet_csk_reqsk_queue_hash_add(struct sock *sk, struct request_sock *req,
unsigned long timeout)
{
- reqsk_queue_hash_req(req, timeout);
+ if (!reqsk_queue_hash_req(req, timeout))
+ return false;
+
inet_csk_reqsk_queue_added(sk);
+ return true;
}
EXPORT_SYMBOL_GPL(inet_csk_reqsk_queue_hash_add);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index ca72dbaa27b46..d6330c26e0e10 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6994,7 +6994,12 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
tcp_rsk(req)->tfo_listener = false;
if (!want_cookie) {
req->timeout = tcp_timeout_init((struct sock *)req);
- inet_csk_reqsk_queue_hash_add(sk, req, req->timeout);
+ if (unlikely(!inet_csk_reqsk_queue_hash_add(sk, req,
+ req->timeout))) {
+ reqsk_free(req);
+ return 0;
+ }
+
}
af_ops->send_synack(sk, dst, &fl, req, &foc,
!want_cookie ? TCP_SYNACK_NORMAL :
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 277/356] sparc: fix old compat_sys_select()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 276/356] Fix race for duplicate reqsk on identical SYN Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 278/356] sparc: fix compat recv/recvfrom syscalls Greg Kroah-Hartman
` (86 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit bae6428a9fffb2023191b0723e276cf1377a7c9f ]
sparc has two identical select syscalls at numbers 93 and 230, respectively.
During the conversion to the modern syscall.tbl format, the older one of the
two broke in compat mode, and now refers to the native 64-bit syscall.
Restore the correct behavior. This has very little effect, as glibc has
been using the newer number anyway.
Fixes: 6ff645dd683a ("sparc: add system call table generation support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/sparc/kernel/syscalls/syscall.tbl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl
index c37764dc764d1..7925e762e7b7e 100644
--- a/arch/sparc/kernel/syscalls/syscall.tbl
+++ b/arch/sparc/kernel/syscalls/syscall.tbl
@@ -117,7 +117,7 @@
90 common dup2 sys_dup2
91 32 setfsuid32 sys_setfsuid
92 common fcntl sys_fcntl compat_sys_fcntl
-93 common select sys_select
+93 common select sys_select compat_sys_select
94 32 setfsgid32 sys_setfsgid
95 common fsync sys_fsync
96 common setpriority sys_setpriority
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 278/356] sparc: fix compat recv/recvfrom syscalls
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 277/356] sparc: fix old compat_sys_select() Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 279/356] parisc: use correct " Greg Kroah-Hartman
` (85 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit d6fbd26fb872ec518d25433a12e8ce8163e20909 ]
sparc has the wrong compat version of recv() and recvfrom() for both the
direct syscalls and socketcall().
The direct syscalls just need to use the compat version. For socketcall,
the same thing could be done, but it seems better to completely remove
the custom assembler code for it and just use the same implementation that
everyone else has.
Fixes: 1dacc76d0014 ("net/compat/wext: send different messages to compat tasks")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/sparc/kernel/sys32.S | 221 -------------------------
arch/sparc/kernel/syscalls/syscall.tbl | 4 +-
2 files changed, 2 insertions(+), 223 deletions(-)
diff --git a/arch/sparc/kernel/sys32.S b/arch/sparc/kernel/sys32.S
index a45f0f31fe51a..a3d308f2043e5 100644
--- a/arch/sparc/kernel/sys32.S
+++ b/arch/sparc/kernel/sys32.S
@@ -18,224 +18,3 @@ sys32_mmap2:
sethi %hi(sys_mmap), %g1
jmpl %g1 + %lo(sys_mmap), %g0
sllx %o5, 12, %o5
-
- .align 32
- .globl sys32_socketcall
-sys32_socketcall: /* %o0=call, %o1=args */
- cmp %o0, 1
- bl,pn %xcc, do_einval
- cmp %o0, 18
- bg,pn %xcc, do_einval
- sub %o0, 1, %o0
- sllx %o0, 5, %o0
- sethi %hi(__socketcall_table_begin), %g2
- or %g2, %lo(__socketcall_table_begin), %g2
- jmpl %g2 + %o0, %g0
- nop
-do_einval:
- retl
- mov -EINVAL, %o0
-
- .align 32
-__socketcall_table_begin:
-
- /* Each entry is exactly 32 bytes. */
-do_sys_socket: /* sys_socket(int, int, int) */
-1: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_socket), %g1
-2: ldswa [%o1 + 0x8] %asi, %o2
- jmpl %g1 + %lo(sys_socket), %g0
-3: ldswa [%o1 + 0x4] %asi, %o1
- nop
- nop
- nop
-do_sys_bind: /* sys_bind(int fd, struct sockaddr *, int) */
-4: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_bind), %g1
-5: ldswa [%o1 + 0x8] %asi, %o2
- jmpl %g1 + %lo(sys_bind), %g0
-6: lduwa [%o1 + 0x4] %asi, %o1
- nop
- nop
- nop
-do_sys_connect: /* sys_connect(int, struct sockaddr *, int) */
-7: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_connect), %g1
-8: ldswa [%o1 + 0x8] %asi, %o2
- jmpl %g1 + %lo(sys_connect), %g0
-9: lduwa [%o1 + 0x4] %asi, %o1
- nop
- nop
- nop
-do_sys_listen: /* sys_listen(int, int) */
-10: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_listen), %g1
- jmpl %g1 + %lo(sys_listen), %g0
-11: ldswa [%o1 + 0x4] %asi, %o1
- nop
- nop
- nop
- nop
-do_sys_accept: /* sys_accept(int, struct sockaddr *, int *) */
-12: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_accept), %g1
-13: lduwa [%o1 + 0x8] %asi, %o2
- jmpl %g1 + %lo(sys_accept), %g0
-14: lduwa [%o1 + 0x4] %asi, %o1
- nop
- nop
- nop
-do_sys_getsockname: /* sys_getsockname(int, struct sockaddr *, int *) */
-15: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_getsockname), %g1
-16: lduwa [%o1 + 0x8] %asi, %o2
- jmpl %g1 + %lo(sys_getsockname), %g0
-17: lduwa [%o1 + 0x4] %asi, %o1
- nop
- nop
- nop
-do_sys_getpeername: /* sys_getpeername(int, struct sockaddr *, int *) */
-18: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_getpeername), %g1
-19: lduwa [%o1 + 0x8] %asi, %o2
- jmpl %g1 + %lo(sys_getpeername), %g0
-20: lduwa [%o1 + 0x4] %asi, %o1
- nop
- nop
- nop
-do_sys_socketpair: /* sys_socketpair(int, int, int, int *) */
-21: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_socketpair), %g1
-22: ldswa [%o1 + 0x8] %asi, %o2
-23: lduwa [%o1 + 0xc] %asi, %o3
- jmpl %g1 + %lo(sys_socketpair), %g0
-24: ldswa [%o1 + 0x4] %asi, %o1
- nop
- nop
-do_sys_send: /* sys_send(int, void *, size_t, unsigned int) */
-25: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_send), %g1
-26: lduwa [%o1 + 0x8] %asi, %o2
-27: lduwa [%o1 + 0xc] %asi, %o3
- jmpl %g1 + %lo(sys_send), %g0
-28: lduwa [%o1 + 0x4] %asi, %o1
- nop
- nop
-do_sys_recv: /* sys_recv(int, void *, size_t, unsigned int) */
-29: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_recv), %g1
-30: lduwa [%o1 + 0x8] %asi, %o2
-31: lduwa [%o1 + 0xc] %asi, %o3
- jmpl %g1 + %lo(sys_recv), %g0
-32: lduwa [%o1 + 0x4] %asi, %o1
- nop
- nop
-do_sys_sendto: /* sys_sendto(int, u32, compat_size_t, unsigned int, u32, int) */
-33: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_sendto), %g1
-34: lduwa [%o1 + 0x8] %asi, %o2
-35: lduwa [%o1 + 0xc] %asi, %o3
-36: lduwa [%o1 + 0x10] %asi, %o4
-37: ldswa [%o1 + 0x14] %asi, %o5
- jmpl %g1 + %lo(sys_sendto), %g0
-38: lduwa [%o1 + 0x4] %asi, %o1
-do_sys_recvfrom: /* sys_recvfrom(int, u32, compat_size_t, unsigned int, u32, u32) */
-39: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_recvfrom), %g1
-40: lduwa [%o1 + 0x8] %asi, %o2
-41: lduwa [%o1 + 0xc] %asi, %o3
-42: lduwa [%o1 + 0x10] %asi, %o4
-43: lduwa [%o1 + 0x14] %asi, %o5
- jmpl %g1 + %lo(sys_recvfrom), %g0
-44: lduwa [%o1 + 0x4] %asi, %o1
-do_sys_shutdown: /* sys_shutdown(int, int) */
-45: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_shutdown), %g1
- jmpl %g1 + %lo(sys_shutdown), %g0
-46: ldswa [%o1 + 0x4] %asi, %o1
- nop
- nop
- nop
- nop
-do_sys_setsockopt: /* sys_setsockopt(int, int, int, char *, int) */
-47: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_setsockopt), %g1
-48: ldswa [%o1 + 0x8] %asi, %o2
-49: lduwa [%o1 + 0xc] %asi, %o3
-50: ldswa [%o1 + 0x10] %asi, %o4
- jmpl %g1 + %lo(sys_setsockopt), %g0
-51: ldswa [%o1 + 0x4] %asi, %o1
- nop
-do_sys_getsockopt: /* sys_getsockopt(int, int, int, u32, u32) */
-52: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_getsockopt), %g1
-53: ldswa [%o1 + 0x8] %asi, %o2
-54: lduwa [%o1 + 0xc] %asi, %o3
-55: lduwa [%o1 + 0x10] %asi, %o4
- jmpl %g1 + %lo(sys_getsockopt), %g0
-56: ldswa [%o1 + 0x4] %asi, %o1
- nop
-do_sys_sendmsg: /* compat_sys_sendmsg(int, struct compat_msghdr *, unsigned int) */
-57: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(compat_sys_sendmsg), %g1
-58: lduwa [%o1 + 0x8] %asi, %o2
- jmpl %g1 + %lo(compat_sys_sendmsg), %g0
-59: lduwa [%o1 + 0x4] %asi, %o1
- nop
- nop
- nop
-do_sys_recvmsg: /* compat_sys_recvmsg(int, struct compat_msghdr *, unsigned int) */
-60: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(compat_sys_recvmsg), %g1
-61: lduwa [%o1 + 0x8] %asi, %o2
- jmpl %g1 + %lo(compat_sys_recvmsg), %g0
-62: lduwa [%o1 + 0x4] %asi, %o1
- nop
- nop
- nop
-do_sys_accept4: /* sys_accept4(int, struct sockaddr *, int *, int) */
-63: ldswa [%o1 + 0x0] %asi, %o0
- sethi %hi(sys_accept4), %g1
-64: lduwa [%o1 + 0x8] %asi, %o2
-65: ldswa [%o1 + 0xc] %asi, %o3
- jmpl %g1 + %lo(sys_accept4), %g0
-66: lduwa [%o1 + 0x4] %asi, %o1
- nop
- nop
-
- .section __ex_table,"a"
- .align 4
- .word 1b, __retl_efault, 2b, __retl_efault
- .word 3b, __retl_efault, 4b, __retl_efault
- .word 5b, __retl_efault, 6b, __retl_efault
- .word 7b, __retl_efault, 8b, __retl_efault
- .word 9b, __retl_efault, 10b, __retl_efault
- .word 11b, __retl_efault, 12b, __retl_efault
- .word 13b, __retl_efault, 14b, __retl_efault
- .word 15b, __retl_efault, 16b, __retl_efault
- .word 17b, __retl_efault, 18b, __retl_efault
- .word 19b, __retl_efault, 20b, __retl_efault
- .word 21b, __retl_efault, 22b, __retl_efault
- .word 23b, __retl_efault, 24b, __retl_efault
- .word 25b, __retl_efault, 26b, __retl_efault
- .word 27b, __retl_efault, 28b, __retl_efault
- .word 29b, __retl_efault, 30b, __retl_efault
- .word 31b, __retl_efault, 32b, __retl_efault
- .word 33b, __retl_efault, 34b, __retl_efault
- .word 35b, __retl_efault, 36b, __retl_efault
- .word 37b, __retl_efault, 38b, __retl_efault
- .word 39b, __retl_efault, 40b, __retl_efault
- .word 41b, __retl_efault, 42b, __retl_efault
- .word 43b, __retl_efault, 44b, __retl_efault
- .word 45b, __retl_efault, 46b, __retl_efault
- .word 47b, __retl_efault, 48b, __retl_efault
- .word 49b, __retl_efault, 50b, __retl_efault
- .word 51b, __retl_efault, 52b, __retl_efault
- .word 53b, __retl_efault, 54b, __retl_efault
- .word 55b, __retl_efault, 56b, __retl_efault
- .word 57b, __retl_efault, 58b, __retl_efault
- .word 59b, __retl_efault, 60b, __retl_efault
- .word 61b, __retl_efault, 62b, __retl_efault
- .word 63b, __retl_efault, 64b, __retl_efault
- .word 65b, __retl_efault, 66b, __retl_efault
- .previous
diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl
index 7925e762e7b7e..4c3ee869ea46d 100644
--- a/arch/sparc/kernel/syscalls/syscall.tbl
+++ b/arch/sparc/kernel/syscalls/syscall.tbl
@@ -155,7 +155,7 @@
123 32 fchown sys_fchown16
123 64 fchown sys_fchown
124 common fchmod sys_fchmod
-125 common recvfrom sys_recvfrom
+125 common recvfrom sys_recvfrom compat_sys_recvfrom
126 32 setreuid sys_setreuid16
126 64 setreuid sys_setreuid
127 32 setregid sys_setregid16
@@ -247,7 +247,7 @@
204 32 readdir sys_old_readdir compat_sys_old_readdir
204 64 readdir sys_nis_syscall
205 common readahead sys_readahead compat_sys_readahead
-206 common socketcall sys_socketcall sys32_socketcall
+206 common socketcall sys_socketcall compat_sys_socketcall
207 common syslog sys_syslog
208 common lookup_dcookie sys_lookup_dcookie compat_sys_lookup_dcookie
209 common fadvise64 sys_fadvise64 compat_sys_fadvise64
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 279/356] parisc: use correct compat recv/recvfrom syscalls
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 278/356] sparc: fix compat recv/recvfrom syscalls Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 280/356] tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO Greg Kroah-Hartman
` (84 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Helge Deller, Arnd Bergmann,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 20a50787349fadf66ac5c48f62e58d753878d2bb ]
Johannes missed parisc back when he introduced the compat version
of these syscalls, so receiving cmsg messages that require a compat
conversion is still broken.
Use the correct calls like the other architectures do.
Fixes: 1dacc76d0014 ("net/compat/wext: send different messages to compat tasks")
Acked-by: Helge Deller <deller@gmx.de>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/parisc/kernel/syscalls/syscall.tbl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl
index 50c759f11c25d..3e7ded09e00a5 100644
--- a/arch/parisc/kernel/syscalls/syscall.tbl
+++ b/arch/parisc/kernel/syscalls/syscall.tbl
@@ -108,7 +108,7 @@
95 common fchown sys_fchown
96 common getpriority sys_getpriority
97 common setpriority sys_setpriority
-98 common recv sys_recv
+98 common recv sys_recv compat_sys_recv
99 common statfs sys_statfs compat_sys_statfs
100 common fstatfs sys_fstatfs compat_sys_fstatfs
101 common stat64 sys_stat64
@@ -135,7 +135,7 @@
120 common clone sys_clone_wrapper
121 common setdomainname sys_setdomainname
122 common sendfile sys_sendfile compat_sys_sendfile
-123 common recvfrom sys_recvfrom
+123 common recvfrom sys_recvfrom compat_sys_recvfrom
124 32 adjtimex sys_adjtimex_time32
124 64 adjtimex sys_adjtimex
125 common mprotect sys_mprotect
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 280/356] tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 279/356] parisc: use correct " Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 281/356] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers Greg Kroah-Hartman
` (83 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neal Cardwell, Eric Dumazet,
Yuchung Cheng, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neal Cardwell <ncardwell@google.com>
[ Upstream commit 5dfe9d273932c647bdc9d664f939af9a5a398cbc ]
Testing determined that the recent commit 9e046bb111f1 ("tcp: clear
tp->retrans_stamp in tcp_rcv_fastopen_synack()") has a race, and does
not always ensure retrans_stamp is 0 after a TFO payload retransmit.
If transmit completion for the SYN+data skb happens after the client
TCP stack receives the SYNACK (which sometimes happens), then
retrans_stamp can erroneously remain non-zero for the lifetime of the
connection, causing a premature ETIMEDOUT later.
Testing and tracing showed that the buggy scenario is the following
somewhat tricky sequence:
+ Client attempts a TFO handshake. tcp_send_syn_data() sends SYN + TFO
cookie + data in a single packet in the syn_data skb. It hands the
syn_data skb to tcp_transmit_skb(), which makes a clone. Crucially,
it then reuses the same original (non-clone) syn_data skb,
transforming it by advancing the seq by one byte and removing the
FIN bit, and enques the resulting payload-only skb in the
sk->tcp_rtx_queue.
+ Client sets retrans_stamp to the start time of the three-way
handshake.
+ Cookie mismatches or server has TFO disabled, and server only ACKs
SYN.
+ tcp_ack() sees SYN is acked, tcp_clean_rtx_queue() clears
retrans_stamp.
+ Since the client SYN was acked but not the payload, the TFO failure
code path in tcp_rcv_fastopen_synack() tries to retransmit the
payload skb. However, in some cases the transmit completion for the
clone of the syn_data (which had SYN + TFO cookie + data) hasn't
happened. In those cases, skb_still_in_host_queue() returns true
for the retransmitted TFO payload, because the clone of the syn_data
skb has not had its tx completetion.
+ Because skb_still_in_host_queue() finds skb_fclone_busy() is true,
it sets the TSQ_THROTTLED bit and the retransmit does not happen in
the tcp_rcv_fastopen_synack() call chain.
+ The tcp_rcv_fastopen_synack() code next implicitly assumes the
retransmit process is finished, and sets retrans_stamp to 0 to clear
it, but this is later overwritten (see below).
+ Later, upon tx completion, tcp_tsq_write() calls
tcp_xmit_retransmit_queue(), which puts the retransmit in flight and
sets retrans_stamp to a non-zero value.
+ The client receives an ACK for the retransmitted TFO payload data.
+ Since we're in CA_Open and there are no dupacks/SACKs/DSACKs/ECN to
make tcp_ack_is_dubious() true and make us call
tcp_fastretrans_alert() and reach a code path that clears
retrans_stamp, retrans_stamp stays nonzero.
+ Later, if there is a TLP, RTO, RTO sequence, then the connection
will suffer an early ETIMEDOUT due to the erroneously ancient
retrans_stamp.
The fix: this commit refactors the code to have
tcp_rcv_fastopen_synack() retransmit by reusing the relevant parts of
tcp_simple_retransmit() that enter CA_Loss (without changing cwnd) and
call tcp_xmit_retransmit_queue(). We have tcp_simple_retransmit() and
tcp_rcv_fastopen_synack() share code in this way because in both cases
we get a packet indicating non-congestion loss (MTU reduction or TFO
failure) and thus in both cases we want to retransmit as many packets
as cwnd allows, without reducing cwnd. And given that retransmits will
set retrans_stamp to a non-zero value (and may do so in a later
calling context due to TSQ), we also want to enter CA_Loss so that we
track when all retransmitted packets are ACked and clear retrans_stamp
when that happens (to ensure later recurring RTOs are using the
correct retrans_stamp and don't declare ETIMEDOUT prematurely).
Fixes: 9e046bb111f1 ("tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack()")
Fixes: a7abf3cd76e1 ("tcp: consider using standard rtx logic in tcp_rcv_fastopen_synack()")
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Link: https://patch.msgid.link/20240624144323.2371403-1-ncardwell.sw@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_input.c | 38 +++++++++++++++++++++++++++-----------
1 file changed, 27 insertions(+), 11 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index d6330c26e0e10..eaa66f51c6a84 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2747,13 +2747,37 @@ static void tcp_mtup_probe_success(struct sock *sk)
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMTUPSUCCESS);
}
+/* Sometimes we deduce that packets have been dropped due to reasons other than
+ * congestion, like path MTU reductions or failed client TFO attempts. In these
+ * cases we call this function to retransmit as many packets as cwnd allows,
+ * without reducing cwnd. Given that retransmits will set retrans_stamp to a
+ * non-zero value (and may do so in a later calling context due to TSQ), we
+ * also enter CA_Loss so that we track when all retransmitted packets are ACKed
+ * and clear retrans_stamp when that happens (to ensure later recurring RTOs
+ * are using the correct retrans_stamp and don't declare ETIMEDOUT
+ * prematurely).
+ */
+static void tcp_non_congestion_loss_retransmit(struct sock *sk)
+{
+ const struct inet_connection_sock *icsk = inet_csk(sk);
+ struct tcp_sock *tp = tcp_sk(sk);
+
+ if (icsk->icsk_ca_state != TCP_CA_Loss) {
+ tp->high_seq = tp->snd_nxt;
+ tp->snd_ssthresh = tcp_current_ssthresh(sk);
+ tp->prior_ssthresh = 0;
+ tp->undo_marker = 0;
+ tcp_set_ca_state(sk, TCP_CA_Loss);
+ }
+ tcp_xmit_retransmit_queue(sk);
+}
+
/* Do a simple retransmit without using the backoff mechanisms in
* tcp_timer. This is used for path mtu discovery.
* The socket is already locked here.
*/
void tcp_simple_retransmit(struct sock *sk)
{
- const struct inet_connection_sock *icsk = inet_csk(sk);
struct tcp_sock *tp = tcp_sk(sk);
struct sk_buff *skb;
int mss;
@@ -2793,14 +2817,7 @@ void tcp_simple_retransmit(struct sock *sk)
* in network, but units changed and effective
* cwnd/ssthresh really reduced now.
*/
- if (icsk->icsk_ca_state != TCP_CA_Loss) {
- tp->high_seq = tp->snd_nxt;
- tp->snd_ssthresh = tcp_current_ssthresh(sk);
- tp->prior_ssthresh = 0;
- tp->undo_marker = 0;
- tcp_set_ca_state(sk, TCP_CA_Loss);
- }
- tcp_xmit_retransmit_queue(sk);
+ tcp_non_congestion_loss_retransmit(sk);
}
EXPORT_SYMBOL(tcp_simple_retransmit);
@@ -6103,8 +6120,7 @@ static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack,
tp->fastopen_client_fail = TFO_DATA_NOT_ACKED;
skb_rbtree_walk_from(data)
tcp_mark_skb_lost(sk, data);
- tcp_xmit_retransmit_queue(sk);
- tp->retrans_stamp = 0;
+ tcp_non_congestion_loss_retransmit(sk);
NET_INC_STATS(sock_net(sk),
LINUX_MIB_TCPFASTOPENACTIVEFAIL);
return true;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 281/356] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 280/356] tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 282/356] tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() Greg Kroah-Hartman
` (82 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Torvalds, Pablo Neira Ayuso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 7931d32955e09d0a11b1fe0b6aac1bfa061c005c ]
register store validation for NFT_DATA_VALUE is conditional, however,
the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This
only requires a new helper function to infer the register type from the
set datatype so this conditional check can be removed. Otherwise,
pointer to chain object can be leaked through the registers.
Fixes: 96518518cc41 ("netfilter: add nftables")
Reported-by: Linus Torvalds <torvalds@linuxfoundation.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables.h | 5 +++++
net/netfilter/nf_tables_api.c | 8 ++++----
net/netfilter/nft_lookup.c | 3 ++-
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 1e6e4af4df0ae..3ff6b3362800b 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -567,6 +567,11 @@ static inline void *nft_set_priv(const struct nft_set *set)
return (void *)set->data;
}
+static inline enum nft_data_types nft_set_datatype(const struct nft_set *set)
+{
+ return set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
+}
+
static inline bool nft_set_gc_is_pending(const struct nft_set *s)
{
return refcount_read(&s->refs) != 1;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 3999b89793fce..506dc5c4cdccb 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5328,8 +5328,7 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
- set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
- set->dlen) < 0)
+ nft_set_datatype(set), set->dlen) < 0)
goto nla_put_failure;
if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
@@ -10249,6 +10248,9 @@ static int nft_validate_register_store(const struct nft_ctx *ctx,
return 0;
default:
+ if (type != NFT_DATA_VALUE)
+ return -EINVAL;
+
if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
return -EINVAL;
if (len == 0)
@@ -10257,8 +10259,6 @@ static int nft_validate_register_store(const struct nft_ctx *ctx,
sizeof_field(struct nft_regs, data))
return -ERANGE;
- if (data != NULL && type != NFT_DATA_VALUE)
- return -EINVAL;
return 0;
}
}
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index 9d18c5428d53c..b9df27c2718be 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -136,7 +136,8 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
return -EINVAL;
err = nft_parse_register_store(ctx, tb[NFTA_LOOKUP_DREG],
- &priv->dreg, NULL, set->dtype,
+ &priv->dreg, NULL,
+ nft_set_datatype(set),
set->dlen);
if (err < 0)
return err;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 282/356] tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 281/356] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 283/356] bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro() Greg Kroah-Hartman
` (81 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, netdev, Yunseong Kim, Yeoreum Yun,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yunseong Kim <yskelg@gmail.com>
[ Upstream commit bab4923132feb3e439ae45962979c5d9d5c7c1f1 ]
In the TRACE_EVENT(qdisc_reset) NULL dereference occurred from
qdisc->dev_queue->dev <NULL> ->name
This situation simulated from bunch of veths and Bluetooth disconnection
and reconnection.
During qdisc initialization, qdisc was being set to noop_queue.
In veth_init_queue, the initial tx_num was reduced back to one,
causing the qdisc reset to be called with noop, which led to the kernel
panic.
I've attached the GitHub gist link that C converted syz-execprogram
source code and 3 log of reproduced vmcore-dmesg.
https://gist.github.com/yskelg/cc64562873ce249cdd0d5a358b77d740
Yeoreum and I use two fuzzing tool simultaneously.
One process with syz-executor : https://github.com/google/syzkaller
$ ./syz-execprog -executor=./syz-executor -repeat=1 -sandbox=setuid \
-enable=none -collide=false log1
The other process with perf fuzzer:
https://github.com/deater/perf_event_tests/tree/master/fuzzer
$ perf_event_tests/fuzzer/perf_fuzzer
I think this will happen on the kernel version.
Linux kernel version +v6.7.10, +v6.8, +v6.9 and it could happen in v6.10.
This occurred from 51270d573a8d. I think this patch is absolutely
necessary. Previously, It was showing not intended string value of name.
I've reproduced 3 time from my fedora 40 Debug Kernel with any other module
or patched.
version: 6.10.0-0.rc2.20240608gitdc772f8237f9.29.fc41.aarch64+debug
[ 5287.164555] veth0_vlan: left promiscuous mode
[ 5287.164929] veth1_macvtap: left promiscuous mode
[ 5287.164950] veth0_macvtap: left promiscuous mode
[ 5287.164983] veth1_vlan: left promiscuous mode
[ 5287.165008] veth0_vlan: left promiscuous mode
[ 5287.165450] veth1_macvtap: left promiscuous mode
[ 5287.165472] veth0_macvtap: left promiscuous mode
[ 5287.165502] veth1_vlan: left promiscuous mode
…
[ 5297.598240] bridge0: port 2(bridge_slave_1) entered blocking state
[ 5297.598262] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 5297.598296] bridge0: port 1(bridge_slave_0) entered blocking state
[ 5297.598313] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 5297.616090] 8021q: adding VLAN 0 to HW filter on device bond0
[ 5297.620405] bridge0: port 1(bridge_slave_0) entered disabled state
[ 5297.620730] bridge0: port 2(bridge_slave_1) entered disabled state
[ 5297.627247] 8021q: adding VLAN 0 to HW filter on device team0
[ 5297.629636] bridge0: port 1(bridge_slave_0) entered blocking state
…
[ 5298.002798] bridge_slave_0: left promiscuous mode
[ 5298.002869] bridge0: port 1(bridge_slave_0) entered disabled state
[ 5298.309444] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 5298.315206] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 5298.320207] bond0 (unregistering): Released all slaves
[ 5298.354296] hsr_slave_0: left promiscuous mode
[ 5298.360750] hsr_slave_1: left promiscuous mode
[ 5298.374889] veth1_macvtap: left promiscuous mode
[ 5298.374931] veth0_macvtap: left promiscuous mode
[ 5298.374988] veth1_vlan: left promiscuous mode
[ 5298.375024] veth0_vlan: left promiscuous mode
[ 5299.109741] team0 (unregistering): Port device team_slave_1 removed
[ 5299.185870] team0 (unregistering): Port device team_slave_0 removed
…
[ 5300.155443] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 5300.155724] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 5300.155988] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
….
[ 5301.075531] team0: Port device team_slave_1 added
[ 5301.085515] bridge0: port 1(bridge_slave_0) entered blocking state
[ 5301.085531] bridge0: port 1(bridge_slave_0) entered disabled state
[ 5301.085588] bridge_slave_0: entered allmulticast mode
[ 5301.085800] bridge_slave_0: entered promiscuous mode
[ 5301.095617] bridge0: port 1(bridge_slave_0) entered blocking state
[ 5301.095633] bridge0: port 1(bridge_slave_0) entered disabled state
…
[ 5301.149734] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 5301.173234] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 5301.180517] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 5301.193481] hsr_slave_0: entered promiscuous mode
[ 5301.204425] hsr_slave_1: entered promiscuous mode
[ 5301.210172] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 5301.210185] Cannot create hsr debugfs directory
[ 5301.224061] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 5301.246901] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 5301.255934] team0: Port device team_slave_0 added
[ 5301.256480] team0: Port device team_slave_1 added
[ 5301.256948] team0: Port device team_slave_0 added
…
[ 5301.435928] hsr_slave_0: entered promiscuous mode
[ 5301.446029] hsr_slave_1: entered promiscuous mode
[ 5301.455872] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 5301.455884] Cannot create hsr debugfs directory
[ 5301.502664] hsr_slave_0: entered promiscuous mode
[ 5301.513675] hsr_slave_1: entered promiscuous mode
[ 5301.526155] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 5301.526164] Cannot create hsr debugfs directory
[ 5301.563662] hsr_slave_0: entered promiscuous mode
[ 5301.576129] hsr_slave_1: entered promiscuous mode
[ 5301.580259] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 5301.580270] Cannot create hsr debugfs directory
[ 5301.590269] 8021q: adding VLAN 0 to HW filter on device bond0
[ 5301.595872] KASAN: null-ptr-deref in range [0x0000000000000130-0x0000000000000137]
[ 5301.595877] Mem abort info:
[ 5301.595881] ESR = 0x0000000096000006
[ 5301.595885] EC = 0x25: DABT (current EL), IL = 32 bits
[ 5301.595889] SET = 0, FnV = 0
[ 5301.595893] EA = 0, S1PTW = 0
[ 5301.595896] FSC = 0x06: level 2 translation fault
[ 5301.595900] Data abort info:
[ 5301.595903] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[ 5301.595907] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 5301.595911] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 5301.595915] [dfff800000000026] address between user and kernel address ranges
[ 5301.595971] Internal error: Oops: 0000000096000006 [#1] SMP
…
[ 5301.596076] CPU: 2 PID: 102769 Comm:
syz-executor.3 Kdump: loaded Tainted:
G W ------- --- 6.10.0-0.rc2.20240608gitdc772f8237f9.29.fc41.aarch64+debug #1
[ 5301.596080] Hardware name: VMware, Inc. VMware20,1/VBSA,
BIOS VMW201.00V.21805430.BA64.2305221830 05/22/2023
[ 5301.596082] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 5301.596085] pc : strnlen+0x40/0x88
[ 5301.596114] lr : trace_event_get_offsets_qdisc_reset+0x6c/0x2b0
[ 5301.596124] sp : ffff8000beef6b40
[ 5301.596126] x29: ffff8000beef6b40 x28: dfff800000000000 x27: 0000000000000001
[ 5301.596131] x26: 6de1800082c62bd0 x25: 1ffff000110aa9e0 x24: ffff800088554f00
[ 5301.596136] x23: ffff800088554ec0 x22: 0000000000000130 x21: 0000000000000140
[ 5301.596140] x20: dfff800000000000 x19: ffff8000beef6c60 x18: ffff7000115106d8
[ 5301.596143] x17: ffff800121bad000 x16: ffff800080020000 x15: 0000000000000006
[ 5301.596147] x14: 0000000000000002 x13: ffff0001f3ed8d14 x12: ffff700017ddeda5
[ 5301.596151] x11: 1ffff00017ddeda4 x10: ffff700017ddeda4 x9 : ffff800082cc5eec
[ 5301.596155] x8 : 0000000000000004 x7 : 00000000f1f1f1f1 x6 : 00000000f2f2f200
[ 5301.596158] x5 : 00000000f3f3f3f3 x4 : ffff700017dded80 x3 : 00000000f204f1f1
[ 5301.596162] x2 : 0000000000000026 x1 : 0000000000000000 x0 : 0000000000000130
[ 5301.596166] Call trace:
[ 5301.596175] strnlen+0x40/0x88
[ 5301.596179] trace_event_get_offsets_qdisc_reset+0x6c/0x2b0
[ 5301.596182] perf_trace_qdisc_reset+0xb0/0x538
[ 5301.596184] __traceiter_qdisc_reset+0x68/0xc0
[ 5301.596188] qdisc_reset+0x43c/0x5e8
[ 5301.596190] netif_set_real_num_tx_queues+0x288/0x770
[ 5301.596194] veth_init_queues+0xfc/0x130 [veth]
[ 5301.596198] veth_newlink+0x45c/0x850 [veth]
[ 5301.596202] rtnl_newlink_create+0x2c8/0x798
[ 5301.596205] __rtnl_newlink+0x92c/0xb60
[ 5301.596208] rtnl_newlink+0xd8/0x130
[ 5301.596211] rtnetlink_rcv_msg+0x2e0/0x890
[ 5301.596214] netlink_rcv_skb+0x1c4/0x380
[ 5301.596225] rtnetlink_rcv+0x20/0x38
[ 5301.596227] netlink_unicast+0x3c8/0x640
[ 5301.596231] netlink_sendmsg+0x658/0xa60
[ 5301.596234] __sock_sendmsg+0xd0/0x180
[ 5301.596243] __sys_sendto+0x1c0/0x280
[ 5301.596246] __arm64_sys_sendto+0xc8/0x150
[ 5301.596249] invoke_syscall+0xdc/0x268
[ 5301.596256] el0_svc_common.constprop.0+0x16c/0x240
[ 5301.596259] do_el0_svc+0x48/0x68
[ 5301.596261] el0_svc+0x50/0x188
[ 5301.596265] el0t_64_sync_handler+0x120/0x130
[ 5301.596268] el0t_64_sync+0x194/0x198
[ 5301.596272] Code: eb15001f 54000120 d343fc02 12000801 (38f46842)
[ 5301.596285] SMP: stopping secondary CPUs
[ 5301.597053] Starting crashdump kernel...
[ 5301.597057] Bye!
After applying our patch, I didn't find any kernel panic errors.
We've found a simple reproducer
# echo 1 > /sys/kernel/debug/tracing/events/qdisc/qdisc_reset/enable
# ip link add veth0 type veth peer name veth1
Error: Unknown device type.
However, without our patch applied, I tested upstream 6.10.0-rc3 kernel
using the qdisc_reset event and the ip command on my qemu virtual machine.
This 2 commands makes always kernel panic.
Linux version: 6.10.0-rc3
[ 0.000000] Linux version 6.10.0-rc3-00164-g44ef20baed8e-dirty
(paran@fedora) (gcc (GCC) 14.1.1 20240522 (Red Hat 14.1.1-4), GNU ld
version 2.41-34.fc40) #20 SMP PREEMPT Sat Jun 15 16:51:25 KST 2024
Kernel panic message:
[ 615.236484] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 615.237250] Dumping ftrace buffer:
[ 615.237679] (ftrace buffer empty)
[ 615.238097] Modules linked in: veth crct10dif_ce virtio_gpu
virtio_dma_buf drm_shmem_helper drm_kms_helper zynqmp_fpga xilinx_can
xilinx_spi xilinx_selectmap xilinx_core xilinx_pr_decoupler versal_fpga
uvcvideo uvc videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videodev
videobuf2_common mc usbnet deflate zstd ubifs ubi rcar_canfd rcar_can
omap_mailbox ntb_msi_test ntb_hw_epf lattice_sysconfig_spi
lattice_sysconfig ice40_spi gpio_xilinx dwmac_altr_socfpga mdio_regmap
stmmac_platform stmmac pcs_xpcs dfl_fme_region dfl_fme_mgr dfl_fme_br
dfl_afu dfl fpga_region fpga_bridge can can_dev br_netfilter bridge stp
llc atl1c ath11k_pci mhi ath11k_ahb ath11k qmi_helpers ath10k_sdio
ath10k_pci ath10k_core ath mac80211 libarc4 cfg80211 drm fuse backlight ipv6
Jun 22 02:36:5[3 6k152.62-4sm98k4-0k]v kCePUr:n e1l :P IUDn:a b4le6
8t oC ohmma: nidpl eN oketr nteali nptaedg i6n.g1 0re.0q-urecs3t- 0at0
1v6i4r-tgu4a4le fa2d0dbraeeds0se-dir tyd f#f2f08
615.252376] Hardware name: linux,dummy-virt (DT)
[ 615.253220] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS
BTYPE=--)
[ 615.254433] pc : strnlen+0x6c/0xe0
[ 615.255096] lr : trace_event_get_offsets_qdisc_reset+0x94/0x3d0
[ 615.256088] sp : ffff800080b269a0
[ 615.256615] x29: ffff800080b269a0 x28: ffffc070f3f98500 x27:
0000000000000001
[ 615.257831] x26: 0000000000000010 x25: ffffc070f3f98540 x24:
ffffc070f619cf60
[ 615.259020] x23: 0000000000000128 x22: 0000000000000138 x21:
dfff800000000000
[ 615.260241] x20: ffffc070f631ad00 x19: 0000000000000128 x18:
ffffc070f448b800
[ 615.261454] x17: 0000000000000000 x16: 0000000000000001 x15:
ffffc070f4ba2a90
[ 615.262635] x14: ffff700010164d73 x13: 1ffff80e1e8d5eb3 x12:
1ffff00010164d72
[ 615.263877] x11: ffff700010164d72 x10: dfff800000000000 x9 :
ffffc070e85d6184
[ 615.265047] x8 : ffffc070e4402070 x7 : 000000000000f1f1 x6 :
000000001504a6d3
[ 615.266336] x5 : ffff28ca21122140 x4 : ffffc070f5043ea8 x3 :
0000000000000000
[ 615.267528] x2 : 0000000000000025 x1 : 0000000000000000 x0 :
0000000000000000
[ 615.268747] Call trace:
[ 615.269180] strnlen+0x6c/0xe0
[ 615.269767] trace_event_get_offsets_qdisc_reset+0x94/0x3d0
[ 615.270716] trace_event_raw_event_qdisc_reset+0xe8/0x4e8
[ 615.271667] __traceiter_qdisc_reset+0xa0/0x140
[ 615.272499] qdisc_reset+0x554/0x848
[ 615.273134] netif_set_real_num_tx_queues+0x360/0x9a8
[ 615.274050] veth_init_queues+0x110/0x220 [veth]
[ 615.275110] veth_newlink+0x538/0xa50 [veth]
[ 615.276172] __rtnl_newlink+0x11e4/0x1bc8
[ 615.276944] rtnl_newlink+0xac/0x120
[ 615.277657] rtnetlink_rcv_msg+0x4e4/0x1370
[ 615.278409] netlink_rcv_skb+0x25c/0x4f0
[ 615.279122] rtnetlink_rcv+0x48/0x70
[ 615.279769] netlink_unicast+0x5a8/0x7b8
[ 615.280462] netlink_sendmsg+0xa70/0x1190
Yeoreum and I don't know if the patch we wrote will fix the underlying
cause, but we think that priority is to prevent kernel panic happening.
So, we're sending this patch.
Fixes: 51270d573a8d ("tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string")
Link: https://lore.kernel.org/lkml/20240229143432.273b4871@gandalf.local.home/t/
Cc: netdev@vger.kernel.org
Tested-by: Yunseong Kim <yskelg@gmail.com>
Signed-off-by: Yunseong Kim <yskelg@gmail.com>
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Link: https://lore.kernel.org/r/20240624173320.24945-4-yskelg@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/qdisc.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/trace/events/qdisc.h b/include/trace/events/qdisc.h
index 5180da19d837f..fc77362386a5b 100644
--- a/include/trace/events/qdisc.h
+++ b/include/trace/events/qdisc.h
@@ -81,7 +81,7 @@ TRACE_EVENT(qdisc_reset,
TP_ARGS(q),
TP_STRUCT__entry(
- __string( dev, qdisc_dev(q)->name )
+ __string( dev, qdisc_dev(q) ? qdisc_dev(q)->name : "(null)" )
__string( kind, q->ops->id )
__field( u32, parent )
__field( u32, handle )
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 283/356] bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 282/356] tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 284/356] drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep Greg Kroah-Hartman
` (80 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy,
linux-hardening@vger.kernel.org, Kees Cook, Alexei Starovoitov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ]
set_memory_ro() can fail, leaving memory unprotected.
Check its return and take it into account as an error.
Link: https://github.com/KSPP/linux/issues/7
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: linux-hardening@vger.kernel.org <linux-hardening@vger.kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/filter.h | 5 +++--
kernel/bpf/core.c | 4 +++-
kernel/bpf/verifier.c | 8 ++++++--
3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index af0103bebb7bf..9cb3558683393 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -875,14 +875,15 @@ bpf_ctx_narrow_access_offset(u32 off, u32 size, u32 size_default)
#define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0]))
-static inline void bpf_prog_lock_ro(struct bpf_prog *fp)
+static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp)
{
#ifndef CONFIG_BPF_JIT_ALWAYS_ON
if (!fp->jited) {
set_vm_flush_reset_perms(fp);
- set_memory_ro((unsigned long)fp, fp->pages);
+ return set_memory_ro((unsigned long)fp, fp->pages);
}
#endif
+ return 0;
}
static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 36c2896ee45f4..f36f7b71dc07b 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -1940,7 +1940,9 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
}
finalize:
- bpf_prog_lock_ro(fp);
+ *err = bpf_prog_lock_ro(fp);
+ if (*err)
+ return fp;
/* The tail call compatibility check can only be done at
* this late stage as we need to determine, if we deal
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 07ca1157f97cf..b9f63c4b8598c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -12812,10 +12812,14 @@ static int jit_subprogs(struct bpf_verifier_env *env)
* bpf_prog_load will add the kallsyms for the main program.
*/
for (i = 1; i < env->subprog_cnt; i++) {
- bpf_prog_lock_ro(func[i]);
- bpf_prog_kallsyms_add(func[i]);
+ err = bpf_prog_lock_ro(func[i]);
+ if (err)
+ goto out_free;
}
+ for (i = 1; i < env->subprog_cnt; i++)
+ bpf_prog_kallsyms_add(func[i]);
+
/* Last step: make now unused interpreter insns from main
* prog consistent for later dump requests, so they can
* later look the same as if they were interpreted only.
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 284/356] drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 283/356] bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro() Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 285/356] vduse: validate block features only with block devices Greg Kroah-Hartman
` (79 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Neil Armstrong,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
[ Upstream commit ee7860cd8b5763017f8dc785c2851fecb7a0c565 ]
The ilitek-ili9881c controls the reset GPIO using the non-sleeping
gpiod_set_value() function. This complains loudly when the GPIO
controller needs to sleep. As the caller can sleep, use
gpiod_set_value_cansleep() to fix the issue.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20240317154839.21260-1-laurent.pinchart@ideasonboard.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240317154839.21260-1-laurent.pinchart@ideasonboard.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
index 534dd7414d428..917cb322bab1a 100644
--- a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
+++ b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
@@ -506,10 +506,10 @@ static int ili9881c_prepare(struct drm_panel *panel)
msleep(5);
/* And reset it */
- gpiod_set_value(ctx->reset, 1);
+ gpiod_set_value_cansleep(ctx->reset, 1);
msleep(20);
- gpiod_set_value(ctx->reset, 0);
+ gpiod_set_value_cansleep(ctx->reset, 0);
msleep(20);
for (i = 0; i < ctx->desc->init_length; i++) {
@@ -564,7 +564,7 @@ static int ili9881c_unprepare(struct drm_panel *panel)
mipi_dsi_dcs_enter_sleep_mode(ctx->dsi);
regulator_disable(ctx->power);
- gpiod_set_value(ctx->reset, 1);
+ gpiod_set_value_cansleep(ctx->reset, 1);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 285/356] vduse: validate block features only with block devices
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 284/356] drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 286/356] vduse: Temporarily fail if control queue feature requested Greg Kroah-Hartman
` (78 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Wang, Xie Yongji,
Eugenio Pérez, Maxime Coquelin, Michael S. Tsirkin,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Coquelin <maxime.coquelin@redhat.com>
[ Upstream commit a115b5716fc9a64652aa9cb332070087178ffafa ]
This patch is preliminary work to enable network device
type support to VDUSE.
As VIRTIO_BLK_F_CONFIG_WCE shares the same value as
VIRTIO_NET_F_HOST_TSO4, we need to restrict its check
to Virtio-blk device type.
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Message-Id: <20240109111025.1320976-2-maxime.coquelin@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index 564864f039d20..898ef597338a2 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -1227,13 +1227,14 @@ static bool device_is_allowed(u32 device_id)
return false;
}
-static bool features_is_valid(u64 features)
+static bool features_is_valid(struct vduse_dev_config *config)
{
- if (!(features & (1ULL << VIRTIO_F_ACCESS_PLATFORM)))
+ if (!(config->features & BIT_ULL(VIRTIO_F_ACCESS_PLATFORM)))
return false;
/* Now we only support read-only configuration space */
- if (features & (1ULL << VIRTIO_BLK_F_CONFIG_WCE))
+ if ((config->device_id == VIRTIO_ID_BLOCK) &&
+ (config->features & BIT_ULL(VIRTIO_BLK_F_CONFIG_WCE)))
return false;
return true;
@@ -1260,7 +1261,7 @@ static bool vduse_validate_config(struct vduse_dev_config *config)
if (!device_is_allowed(config->device_id))
return false;
- if (!features_is_valid(config->features))
+ if (!features_is_valid(config))
return false;
return true;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 286/356] vduse: Temporarily fail if control queue feature requested
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 285/356] vduse: validate block features only with block devices Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 287/356] x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup Greg Kroah-Hartman
` (77 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Coquelin, Michael S. Tsirkin,
Eugenio Pérez, Xie Yongji, Jason Wang, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Coquelin <maxime.coquelin@redhat.com>
[ Upstream commit 56e71885b0349241c07631a7b979b61e81afab6a ]
Virtio-net driver control queue implementation is not safe
when used with VDUSE. If the VDUSE application does not
reply to control queue messages, it currently ends up
hanging the kernel thread sending this command.
Some work is on-going to make the control queue
implementation robust with VDUSE. Until it is completed,
let's fail features check if control-queue feature is
requested.
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Message-Id: <20240109111025.1320976-3-maxime.coquelin@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vdpa/vdpa_user/vduse_dev.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index 898ef597338a2..4684d4756b427 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -8,6 +8,7 @@
*
*/
+#include "linux/virtio_net.h"
#include <linux/init.h>
#include <linux/module.h>
#include <linux/cdev.h>
@@ -26,6 +27,7 @@
#include <uapi/linux/virtio_config.h>
#include <uapi/linux/virtio_ids.h>
#include <uapi/linux/virtio_blk.h>
+#include <uapi/linux/virtio_ring.h>
#include <linux/mod_devicetable.h>
#include "iova_domain.h"
@@ -1236,6 +1238,9 @@ static bool features_is_valid(struct vduse_dev_config *config)
if ((config->device_id == VIRTIO_ID_BLOCK) &&
(config->features & BIT_ULL(VIRTIO_BLK_F_CONFIG_WCE)))
return false;
+ else if ((config->device_id == VIRTIO_ID_NET) &&
+ (config->features & BIT_ULL(VIRTIO_NET_F_CTRL_VQ)))
+ return false;
return true;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 287/356] x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 286/356] vduse: Temporarily fail if control queue feature requested Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 288/356] mtd: partitions: redboot: Added conversion of operands to a larger type Greg Kroah-Hartman
` (76 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uros Bizjak, Ingo Molnar,
Andy Lutomirski, H. Peter Anvin, Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uros Bizjak <ubizjak@gmail.com>
[ Upstream commit 5d31174f3c8c465d9dbe88f6b9d1fe5716f44981 ]
The assembly snippet in restore_fpregs_from_fpstate() that implements
X86_BUG_FXSAVE_LEAK fixup loads the value from a random variable,
preferably the one that is already in the L1 cache.
However, the access to fpinit_state via *fpstate pointer is not
implemented correctly. The "m" asm constraint requires dereferenced
pointer variable, otherwise the compiler just reloads the value
via temporary stack slot. The current asm code reflects this:
mov %rdi,(%rsp)
...
fildl (%rsp)
With dereferenced pointer variable, the code does what the
comment above the asm snippet says:
fildl (%rdi)
Also, remove the pointless %P operand modifier. The modifier is
ineffective on non-symbolic references - it was used to prevent
%rip-relative addresses in .altinstr sections, but FILDL in the
.text section can use %rip-relative addresses without problems.
Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/20240315081849.5187-1-ubizjak@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/fpu/core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
index 3ad1bf5de7373..157008d99f951 100644
--- a/arch/x86/kernel/fpu/core.c
+++ b/arch/x86/kernel/fpu/core.c
@@ -121,8 +121,8 @@ void __restore_fpregs_from_fpstate(union fpregs_state *fpstate, u64 mask)
asm volatile(
"fnclex\n\t"
"emms\n\t"
- "fildl %P[addr]" /* set F?P to defined value */
- : : [addr] "m" (fpstate));
+ "fildl %[addr]" /* set F?P to defined value */
+ : : [addr] "m" (*fpstate));
}
if (use_xsave()) {
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 288/356] mtd: partitions: redboot: Added conversion of operands to a larger type
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 287/356] x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 289/356] bpf: Add a check for struct bpf_fib_lookup size Greg Kroah-Hartman
` (75 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis Arefev, Miquel Raynal,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
[ Upstream commit 1162bc2f8f5de7da23d18aa4b7fbd4e93c369c50 ]
The value of an arithmetic expression directory * master->erasesize is
subject to overflow due to a failure to cast operands to a larger data
type before perfroming arithmetic
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20240315093758.20790-1-arefev@swemel.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/parsers/redboot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/parsers/redboot.c b/drivers/mtd/parsers/redboot.c
index a16b42a885816..3b55b676ca6b9 100644
--- a/drivers/mtd/parsers/redboot.c
+++ b/drivers/mtd/parsers/redboot.c
@@ -102,7 +102,7 @@ static int parse_redboot_partitions(struct mtd_info *master,
offset -= master->erasesize;
}
} else {
- offset = directory * master->erasesize;
+ offset = (unsigned long) directory * master->erasesize;
while (mtd_block_isbad(master, offset)) {
offset += master->erasesize;
if (offset == master->size)
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 289/356] bpf: Add a check for struct bpf_fib_lookup size
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 288/356] mtd: partitions: redboot: Added conversion of operands to a larger type Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 290/356] RDMA/restrack: Fix potential invalid address access Greg Kroah-Hartman
` (74 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Ahern, Anton Protopopov,
Daniel Borkmann, Alexei Starovoitov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Protopopov <aspsk@isovalent.com>
[ Upstream commit 59b418c7063d30e0a3e1f592d47df096db83185c ]
The struct bpf_fib_lookup should not grow outside of its 64 bytes.
Add a static assert to validate this.
Suggested-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20240326101742.17421-4-aspsk@isovalent.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 47eb1bd47aa6e..a873c8fd51b67 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -79,6 +79,9 @@
#include <net/tls.h>
#include <net/xdp.h>
+/* Keep the struct bpf_fib_lookup small so that it fits into a cacheline */
+static_assert(sizeof(struct bpf_fib_lookup) == 64, "struct bpf_fib_lookup size check");
+
static const struct bpf_func_proto *
bpf_sk_base_func_proto(enum bpf_func_id func_id);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 290/356] RDMA/restrack: Fix potential invalid address access
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 289/356] bpf: Add a check for struct bpf_fib_lookup size Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 291/356] net/iucv: Avoid explicit cpumask var allocation on stack Greg Kroah-Hartman
` (73 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenchao Hao, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenchao Hao <haowenchao2@huawei.com>
[ Upstream commit ca537a34775c103f7b14d7bbd976403f1d1525d8 ]
struct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME
in ib_create_cq(), while if the module exited but forgot del this
rdma_restrack_entry, it would cause a invalid address access in
rdma_restrack_clean() when print the owner of this rdma_restrack_entry.
These code is used to help find one forgotten PD release in one of the
ULPs. But it is not needed anymore, so delete them.
Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
Link: https://lore.kernel.org/r/20240318092320.1215235-1-haowenchao2@huawei.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/restrack.c | 51 +-----------------------------
1 file changed, 1 insertion(+), 50 deletions(-)
diff --git a/drivers/infiniband/core/restrack.c b/drivers/infiniband/core/restrack.c
index 01a499a8b88db..438ed35881752 100644
--- a/drivers/infiniband/core/restrack.c
+++ b/drivers/infiniband/core/restrack.c
@@ -37,22 +37,6 @@ int rdma_restrack_init(struct ib_device *dev)
return 0;
}
-static const char *type2str(enum rdma_restrack_type type)
-{
- static const char * const names[RDMA_RESTRACK_MAX] = {
- [RDMA_RESTRACK_PD] = "PD",
- [RDMA_RESTRACK_CQ] = "CQ",
- [RDMA_RESTRACK_QP] = "QP",
- [RDMA_RESTRACK_CM_ID] = "CM_ID",
- [RDMA_RESTRACK_MR] = "MR",
- [RDMA_RESTRACK_CTX] = "CTX",
- [RDMA_RESTRACK_COUNTER] = "COUNTER",
- [RDMA_RESTRACK_SRQ] = "SRQ",
- };
-
- return names[type];
-};
-
/**
* rdma_restrack_clean() - clean resource tracking
* @dev: IB device
@@ -60,47 +44,14 @@ static const char *type2str(enum rdma_restrack_type type)
void rdma_restrack_clean(struct ib_device *dev)
{
struct rdma_restrack_root *rt = dev->res;
- struct rdma_restrack_entry *e;
- char buf[TASK_COMM_LEN];
- bool found = false;
- const char *owner;
int i;
for (i = 0 ; i < RDMA_RESTRACK_MAX; i++) {
struct xarray *xa = &dev->res[i].xa;
- if (!xa_empty(xa)) {
- unsigned long index;
-
- if (!found) {
- pr_err("restrack: %s", CUT_HERE);
- dev_err(&dev->dev, "BUG: RESTRACK detected leak of resources\n");
- }
- xa_for_each(xa, index, e) {
- if (rdma_is_kernel_res(e)) {
- owner = e->kern_name;
- } else {
- /*
- * There is no need to call get_task_struct here,
- * because we can be here only if there are more
- * get_task_struct() call than put_task_struct().
- */
- get_task_comm(buf, e->task);
- owner = buf;
- }
-
- pr_err("restrack: %s %s object allocated by %s is not freed\n",
- rdma_is_kernel_res(e) ? "Kernel" :
- "User",
- type2str(e->type), owner);
- }
- found = true;
- }
+ WARN_ON(!xa_empty(xa));
xa_destroy(xa);
}
- if (found)
- pr_err("restrack: %s", CUT_HERE);
-
kfree(rt);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 291/356] net/iucv: Avoid explicit cpumask var allocation on stack
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 290/356] RDMA/restrack: Fix potential invalid address access Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 292/356] net/dpaa2: " Greg Kroah-Hartman
` (72 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dawei Li, Alexandra Winter,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Li <dawei.li@shingroup.cn>
[ Upstream commit be4e1304419c99a164b4c0e101c7c2a756b635b9 ]
For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask
variable on stack is not recommended since it can cause potential stack
overflow.
Instead, kernel code should always use *cpumask_var API(s) to allocate
cpumask var in config-neutral way, leaving allocation strategy to
CONFIG_CPUMASK_OFFSTACK.
Use *cpumask_var API(s) to address it.
Signed-off-by: Dawei Li <dawei.li@shingroup.cn>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Link: https://lore.kernel.org/r/20240331053441.1276826-2-dawei.li@shingroup.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/iucv/iucv.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
index 68edefed79f16..30fc78236050a 100644
--- a/net/iucv/iucv.c
+++ b/net/iucv/iucv.c
@@ -519,7 +519,7 @@ static void iucv_setmask_mp(void)
*/
static void iucv_setmask_up(void)
{
- cpumask_t cpumask;
+ static cpumask_t cpumask;
int cpu;
/* Disable all cpu but the first in cpu_irq_cpumask. */
@@ -627,23 +627,33 @@ static int iucv_cpu_online(unsigned int cpu)
static int iucv_cpu_down_prep(unsigned int cpu)
{
- cpumask_t cpumask;
+ cpumask_var_t cpumask;
+ int ret = 0;
if (!iucv_path_table)
return 0;
- cpumask_copy(&cpumask, &iucv_buffer_cpumask);
- cpumask_clear_cpu(cpu, &cpumask);
- if (cpumask_empty(&cpumask))
+ if (!alloc_cpumask_var(&cpumask, GFP_KERNEL))
+ return -ENOMEM;
+
+ cpumask_copy(cpumask, &iucv_buffer_cpumask);
+ cpumask_clear_cpu(cpu, cpumask);
+ if (cpumask_empty(cpumask)) {
/* Can't offline last IUCV enabled cpu. */
- return -EINVAL;
+ ret = -EINVAL;
+ goto __free_cpumask;
+ }
iucv_retrieve_cpu(NULL);
if (!cpumask_empty(&iucv_irq_cpumask))
- return 0;
+ goto __free_cpumask;
+
smp_call_function_single(cpumask_first(&iucv_buffer_cpumask),
iucv_allow_cpu, NULL, 1);
- return 0;
+
+__free_cpumask:
+ free_cpumask_var(cpumask);
+ return ret;
}
/**
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 292/356] net/dpaa2: Avoid explicit cpumask var allocation on stack
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 291/356] net/iucv: Avoid explicit cpumask var allocation on stack Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 293/356] crypto: ecdh - explicitly zeroize private_key Greg Kroah-Hartman
` (71 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dawei Li, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Li <dawei.li@shingroup.cn>
[ Upstream commit d33fe1714a44ff540629b149d8fab4ac6967585c ]
For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask
variable on stack is not recommended since it can cause potential stack
overflow.
Instead, kernel code should always use *cpumask_var API(s) to allocate
cpumask var in config-neutral way, leaving allocation strategy to
CONFIG_CPUMASK_OFFSTACK.
Use *cpumask_var API(s) to address it.
Signed-off-by: Dawei Li <dawei.li@shingroup.cn>
Link: https://lore.kernel.org/r/20240331053441.1276826-3-dawei.li@shingroup.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
index 78040a09313ef..fa1b1b7dd8a06 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
@@ -2468,11 +2468,14 @@ static int dpaa2_eth_xdp_xmit(struct net_device *net_dev, int n,
static int update_xps(struct dpaa2_eth_priv *priv)
{
struct net_device *net_dev = priv->net_dev;
- struct cpumask xps_mask;
- struct dpaa2_eth_fq *fq;
int i, num_queues, netdev_queues;
+ struct dpaa2_eth_fq *fq;
+ cpumask_var_t xps_mask;
int err = 0;
+ if (!alloc_cpumask_var(&xps_mask, GFP_KERNEL))
+ return -ENOMEM;
+
num_queues = dpaa2_eth_queue_count(priv);
netdev_queues = (net_dev->num_tc ? : 1) * num_queues;
@@ -2482,16 +2485,17 @@ static int update_xps(struct dpaa2_eth_priv *priv)
for (i = 0; i < netdev_queues; i++) {
fq = &priv->fq[i % num_queues];
- cpumask_clear(&xps_mask);
- cpumask_set_cpu(fq->target_cpu, &xps_mask);
+ cpumask_clear(xps_mask);
+ cpumask_set_cpu(fq->target_cpu, xps_mask);
- err = netif_set_xps_queue(net_dev, &xps_mask, i);
+ err = netif_set_xps_queue(net_dev, xps_mask, i);
if (err) {
netdev_warn_once(net_dev, "Error setting XPS queue\n");
break;
}
}
+ free_cpumask_var(xps_mask);
return err;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 293/356] crypto: ecdh - explicitly zeroize private_key
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 292/356] net/dpaa2: " Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 294/356] ALSA: emux: improve patch ioctl data validation Greg Kroah-Hartman
` (70 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joachim Vandersmissen, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joachim Vandersmissen <git@jvdsn.com>
[ Upstream commit 73e5984e540a76a2ee1868b91590c922da8c24c9 ]
private_key is overwritten with the key parameter passed in by the
caller (if present), or alternatively a newly generated private key.
However, it is possible that the caller provides a key (or the newly
generated key) which is shorter than the previous key. In that
scenario, some key material from the previous key would not be
overwritten. The easiest solution is to explicitly zeroize the entire
private_key array first.
Note that this patch slightly changes the behavior of this function:
previously, if the ecc_gen_privkey failed, the old private_key would
remain. Now, the private_key is always zeroized. This behavior is
consistent with the case where params.key is set and ecc_is_key_valid
fails.
Signed-off-by: Joachim Vandersmissen <git@jvdsn.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/ecdh.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/ecdh.c b/crypto/ecdh.c
index c6f61c2211dc7..865e76e5a51c4 100644
--- a/crypto/ecdh.c
+++ b/crypto/ecdh.c
@@ -33,6 +33,8 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
params.key_size > sizeof(u64) * ctx->ndigits)
return -EINVAL;
+ memset(ctx->private_key, 0, sizeof(ctx->private_key));
+
if (!params.key || !params.key_size)
return ecc_gen_privkey(ctx->curve_id, ctx->ndigits,
ctx->private_key);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 294/356] ALSA: emux: improve patch ioctl data validation
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 293/356] crypto: ecdh - explicitly zeroize private_key Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 295/356] media: dvbdev: Initialize sbuf Greg Kroah-Hartman
` (69 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oswald Buddenhagen, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
[ Upstream commit 89b32ccb12ae67e630c6453d778ec30a592a212f ]
In load_data(), make the validation of and skipping over the main info
block match that in load_guspatch().
In load_guspatch(), add checking that the specified patch length matches
the actually supplied data, like load_data() already did.
Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
Message-ID: <20240406064830.1029573-8-oswald.buddenhagen@gmx.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/synth/emux/soundfont.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/sound/synth/emux/soundfont.c b/sound/synth/emux/soundfont.c
index 16f00097cb95a..eed47e4830248 100644
--- a/sound/synth/emux/soundfont.c
+++ b/sound/synth/emux/soundfont.c
@@ -701,7 +701,6 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
struct snd_soundfont *sf;
struct soundfont_sample_info sample_info;
struct snd_sf_sample *sp;
- long off;
/* patch must be opened */
sf = sflist->currsf;
@@ -711,12 +710,16 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
if (is_special_type(sf->type))
return -EINVAL;
+ if (count < (long)sizeof(sample_info)) {
+ return -EINVAL;
+ }
if (copy_from_user(&sample_info, data, sizeof(sample_info)))
return -EFAULT;
+ data += sizeof(sample_info);
+ count -= sizeof(sample_info);
- off = sizeof(sample_info);
-
- if (sample_info.size != (count-off)/2)
+ // SoundFont uses S16LE samples.
+ if (sample_info.size * 2 != count)
return -EINVAL;
/* Check for dup */
@@ -744,7 +747,7 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
int rc;
rc = sflist->callback.sample_new
(sflist->callback.private_data, sp, sflist->memhdr,
- data + off, count - off);
+ data, count);
if (rc < 0) {
sf_sample_delete(sflist, sf, sp);
return rc;
@@ -957,10 +960,12 @@ load_guspatch(struct snd_sf_list *sflist, const char __user *data,
}
if (copy_from_user(&patch, data, sizeof(patch)))
return -EFAULT;
-
count -= sizeof(patch);
data += sizeof(patch);
+ if ((patch.len << (patch.mode & WAVE_16_BITS ? 1 : 0)) != count)
+ return -EINVAL;
+
sf = newsf(sflist, SNDRV_SFNT_PAT_TYPE_GUS|SNDRV_SFNT_PAT_SHARED, NULL);
if (sf == NULL)
return -ENOMEM;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 295/356] media: dvbdev: Initialize sbuf
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 294/356] ALSA: emux: improve patch ioctl data validation Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 296/356] soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message Greg Kroah-Hartman
` (68 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Hans Verkuil,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
[ Upstream commit 17d1316de0d7dc1bdc5d6e3ad4efd30a9bf1a381 ]
Because the size passed to copy_from_user() cannot be known beforehand,
it needs to be checked during runtime with check_object_size. That makes
gcc believe that the content of sbuf can be used before init.
Fix:
./include/linux/thread_info.h:215:17: warning: ‘sbuf’ may be used uninitialized [-Wmaybe-uninitialized]
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-core/dvbdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
index 23a0c209744dc..661588fc64f6a 100644
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -974,7 +974,7 @@ int dvb_usercopy(struct file *file,
int (*func)(struct file *file,
unsigned int cmd, void *arg))
{
- char sbuf[128];
+ char sbuf[128] = {};
void *mbuf = NULL;
void *parg = NULL;
int err = -EINVAL;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 296/356] soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 295/356] media: dvbdev: Initialize sbuf Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 297/356] drm/radeon/radeon_display: Decrease the size of allocated memory Greg Kroah-Hartman
` (67 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Davis, Nishanth Menon,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Davis <afd@ti.com>
[ Upstream commit ddbf3204f600a4d1f153498f618369fca352ae00 ]
mbox_send_message() sends a u32 bit message, not a pointer to a message.
We only convert to a pointer type as a generic type. If we want to send
a dummy message of 0, then simply send 0 (NULL).
Signed-off-by: Andrew Davis <afd@ti.com>
Link: https://lore.kernel.org/r/20240325165507.30323-1-afd@ti.com
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/ti/wkup_m3_ipc.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/soc/ti/wkup_m3_ipc.c b/drivers/soc/ti/wkup_m3_ipc.c
index 8b3ff44fd9010..967c40059a431 100644
--- a/drivers/soc/ti/wkup_m3_ipc.c
+++ b/drivers/soc/ti/wkup_m3_ipc.c
@@ -14,7 +14,6 @@
#include <linux/irq.h>
#include <linux/module.h>
#include <linux/of.h>
-#include <linux/omap-mailbox.h>
#include <linux/platform_device.h>
#include <linux/remoteproc.h>
#include <linux/suspend.h>
@@ -151,7 +150,6 @@ static irqreturn_t wkup_m3_txev_handler(int irq, void *ipc_data)
static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc)
{
struct device *dev = m3_ipc->dev;
- mbox_msg_t dummy_msg = 0;
int ret;
if (!m3_ipc->mbox) {
@@ -167,7 +165,7 @@ static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc)
* the RX callback to avoid multiple interrupts being received
* by the CM3.
*/
- ret = mbox_send_message(m3_ipc->mbox, &dummy_msg);
+ ret = mbox_send_message(m3_ipc->mbox, NULL);
if (ret < 0) {
dev_err(dev, "%s: mbox_send_message() failed: %d\n",
__func__, ret);
@@ -189,7 +187,6 @@ static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc)
static int wkup_m3_ping_noirq(struct wkup_m3_ipc *m3_ipc)
{
struct device *dev = m3_ipc->dev;
- mbox_msg_t dummy_msg = 0;
int ret;
if (!m3_ipc->mbox) {
@@ -198,7 +195,7 @@ static int wkup_m3_ping_noirq(struct wkup_m3_ipc *m3_ipc)
return -EIO;
}
- ret = mbox_send_message(m3_ipc->mbox, &dummy_msg);
+ ret = mbox_send_message(m3_ipc->mbox, NULL);
if (ret < 0) {
dev_err(dev, "%s: mbox_send_message() failed: %d\n",
__func__, ret);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 297/356] drm/radeon/radeon_display: Decrease the size of allocated memory
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 296/356] soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 298/356] nvme: fixup comment for nvme RDMA Provider Type Greg Kroah-Hartman
` (66 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Erick Archer,
Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erick Archer <erick.archer@outlook.com>
[ Upstream commit ae6a233092747e9652eb793d92f79d0820e01c6a ]
This is an effort to get rid of all multiplications from allocation
functions in order to prevent integer overflows [1] [2].
In this case, the memory allocated to store RADEONFB_CONN_LIMIT pointers
to "drm_connector" structures can be avoided. This is because this
memory area is never accessed.
Also, in the kzalloc function, it is preferred to use sizeof(*pointer)
instead of sizeof(type) due to the type of the variable can change and
one needs not change the former (unlike the latter).
At the same time take advantage to remove the "#if 0" block, the code
where the removed memory area was accessed, and the RADEONFB_CONN_LIMIT
constant due to now is never used.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
Link: https://github.com/KSPP/linux/issues/160 [2]
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Erick Archer <erick.archer@outlook.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/radeon/radeon.h | 1 -
drivers/gpu/drm/radeon/radeon_display.c | 8 +-------
2 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon.h b/drivers/gpu/drm/radeon/radeon.h
index 895776c421d4d..71037061a317b 100644
--- a/drivers/gpu/drm/radeon/radeon.h
+++ b/drivers/gpu/drm/radeon/radeon.h
@@ -132,7 +132,6 @@ extern int radeon_cik_support;
/* RADEON_IB_POOL_SIZE must be a power of 2 */
#define RADEON_IB_POOL_SIZE 16
#define RADEON_DEBUGFS_MAX_COMPONENTS 32
-#define RADEONFB_CONN_LIMIT 4
#define RADEON_BIOS_NUM_SCRATCH 8
/* internal ring indices */
diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
index 6337fad441df3..05c88e41663ee 100644
--- a/drivers/gpu/drm/radeon/radeon_display.c
+++ b/drivers/gpu/drm/radeon/radeon_display.c
@@ -677,7 +677,7 @@ static void radeon_crtc_init(struct drm_device *dev, int index)
struct radeon_device *rdev = dev->dev_private;
struct radeon_crtc *radeon_crtc;
- radeon_crtc = kzalloc(sizeof(struct radeon_crtc) + (RADEONFB_CONN_LIMIT * sizeof(struct drm_connector *)), GFP_KERNEL);
+ radeon_crtc = kzalloc(sizeof(*radeon_crtc), GFP_KERNEL);
if (radeon_crtc == NULL)
return;
@@ -703,12 +703,6 @@ static void radeon_crtc_init(struct drm_device *dev, int index)
dev->mode_config.cursor_width = radeon_crtc->max_cursor_width;
dev->mode_config.cursor_height = radeon_crtc->max_cursor_height;
-#if 0
- radeon_crtc->mode_set.crtc = &radeon_crtc->base;
- radeon_crtc->mode_set.connectors = (struct drm_connector **)(radeon_crtc + 1);
- radeon_crtc->mode_set.num_connectors = 0;
-#endif
-
if (rdev->is_atom_bios && (ASIC_IS_AVIVO(rdev) || radeon_r4xx_atom))
radeon_atombios_init_crtc(dev, radeon_crtc);
else
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 298/356] nvme: fixup comment for nvme RDMA Provider Type
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 297/356] drm/radeon/radeon_display: Decrease the size of allocated memory Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 299/356] drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA Greg Kroah-Hartman
` (65 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Christoph Hellwig,
Keith Busch, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hannes Reinecke <hare@suse.de>
[ Upstream commit f80a55fa90fa76d01e3fffaa5d0413e522ab9a00 ]
PRTYPE is the provider type, not the QP service type.
Fixes: eb793e2c9286 ("nvme.h: add NVMe over Fabrics definitions")
Signed-off-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/nvme.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/nvme.h b/include/linux/nvme.h
index 461ee0ee59fe4..537cc5b7e0500 100644
--- a/include/linux/nvme.h
+++ b/include/linux/nvme.h
@@ -71,8 +71,8 @@ enum {
NVMF_RDMA_QPTYPE_DATAGRAM = 2, /* Reliable Datagram */
};
-/* RDMA QP Service Type codes for Discovery Log Page entry TSAS
- * RDMA_QPTYPE field
+/* RDMA Provider Type codes for Discovery Log Page entry TSAS
+ * RDMA_PRTYPE field
*/
enum {
NVMF_RDMA_PRTYPE_NOT_SPECIFIED = 1, /* No Provider Specified */
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 299/356] drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 298/356] nvme: fixup comment for nvme RDMA Provider Type Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 300/356] gpio: davinci: Validate the obtained number of IRQs Greg Kroah-Hartman
` (64 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Ying, Neil Armstrong,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liu Ying <victor.liu@nxp.com>
[ Upstream commit 37ce99b77762256ec9fda58d58fd613230151456 ]
KOE TX26D202VM0BWA panel spec indicates the DE signal is active high in
timing chart, so add DISPLAY_FLAGS_DE_HIGH flag in display timing flags.
This aligns display_timing with panel_desc.
Fixes: 8a07052440c2 ("drm/panel: simple: Add support for KOE TX26D202VM0BWA panel")
Signed-off-by: Liu Ying <victor.liu@nxp.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20240624015612.341983-1-victor.liu@nxp.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240624015612.341983-1-victor.liu@nxp.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-simple.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
index 0dc4d891fedc2..26c99ffe787cd 100644
--- a/drivers/gpu/drm/panel/panel-simple.c
+++ b/drivers/gpu/drm/panel/panel-simple.c
@@ -2873,6 +2873,7 @@ static const struct display_timing koe_tx26d202vm0bwa_timing = {
.vfront_porch = { 3, 5, 10 },
.vback_porch = { 2, 5, 10 },
.vsync_len = { 5, 5, 5 },
+ .flags = DISPLAY_FLAGS_DE_HIGH,
};
static const struct panel_desc koe_tx26d202vm0bwa = {
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 300/356] gpio: davinci: Validate the obtained number of IRQs
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 299/356] drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 301/356] gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) Greg Kroah-Hartman
` (63 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Mishin,
Bartosz Golaszewski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandr Mishin <amishin@t-argos.ru>
[ Upstream commit 7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164 ]
Value of pdata->gpio_unbanked is taken from Device Tree. In case of broken
DT due to any error this value can be any. Without this value validation
there can be out of chips->irqs array boundaries access in
davinci_gpio_probe().
Validate the obtained nirq value so that it won't exceed the maximum
number of IRQs per bank.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: eb3744a2dd01 ("gpio: davinci: Do not assume continuous IRQ numbering")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
Link: https://lore.kernel.org/r/20240618144344.16943-1-amishin@t-argos.ru
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-davinci.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpio/gpio-davinci.c b/drivers/gpio/gpio-davinci.c
index 0214244e9f01f..d691e2ed88a08 100644
--- a/drivers/gpio/gpio-davinci.c
+++ b/drivers/gpio/gpio-davinci.c
@@ -227,6 +227,11 @@ static int davinci_gpio_probe(struct platform_device *pdev)
else
nirq = DIV_ROUND_UP(ngpio, 16);
+ if (nirq > MAX_INT_PER_BANK) {
+ dev_err(dev, "Too many IRQs!\n");
+ return -EINVAL;
+ }
+
chips = devm_kzalloc(dev, sizeof(*chips), GFP_KERNEL);
if (!chips)
return -ENOMEM;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 301/356] gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 300/356] gpio: davinci: Validate the obtained number of IRQs Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 302/356] x86: stop playing stack games in profile_pc() Greg Kroah-Hartman
` (62 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kent Gibson, Bartosz Golaszewski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kent Gibson <warthog618@gmail.com>
[ Upstream commit 9919cce62f68e6ab68dc2a975b5dc670f8ca7d40 ]
linehandle_set_config() behaves badly when direction is not set.
The configuration validation is borrowed from linehandle_create(), where,
to verify the intent of the user, the direction must be set to in order
to effect a change to the electrical configuration of a line. But, when
applied to reconfiguration, that validation does not allow for the unset
direction case, making it possible to clear flags set previously without
specifying the line direction.
Adding to the inconsistency, those changes are not immediately applied by
linehandle_set_config(), but will take effect when the line value is next
get or set.
For example, by requesting a configuration with no flags set, an output
line with GPIOHANDLE_REQUEST_ACTIVE_LOW and GPIOHANDLE_REQUEST_OPEN_DRAIN
requested could have those flags cleared, inverting the sense of the line
and changing the line drive to push-pull on the next line value set.
Ensure the intent of the user by disallowing configurations which do not
have direction set, returning an error to userspace to indicate that the
configuration is invalid.
And, for clarity, use lflags, a local copy of gcnf.flags, throughout when
dealing with the requested flags, rather than a mixture of both.
Fixes: e588bb1eae31 ("gpio: add new SET_CONFIG ioctl() to gpio chardev")
Signed-off-by: Kent Gibson <warthog618@gmail.com>
Link: https://lore.kernel.org/r/20240626052925.174272-2-warthog618@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-cdev.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index 1db991cb2efce..c2f9d95d1086f 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -127,6 +127,10 @@ struct linehandle_state {
GPIOHANDLE_REQUEST_OPEN_DRAIN | \
GPIOHANDLE_REQUEST_OPEN_SOURCE)
+#define GPIOHANDLE_REQUEST_DIRECTION_FLAGS \
+ (GPIOHANDLE_REQUEST_INPUT | \
+ GPIOHANDLE_REQUEST_OUTPUT)
+
static int linehandle_validate_flags(u32 flags)
{
/* Return an error if an unknown flag is set */
@@ -207,21 +211,21 @@ static long linehandle_set_config(struct linehandle_state *lh,
if (ret)
return ret;
+ /* Lines must be reconfigured explicitly as input or output. */
+ if (!(lflags & GPIOHANDLE_REQUEST_DIRECTION_FLAGS))
+ return -EINVAL;
+
for (i = 0; i < lh->num_descs; i++) {
desc = lh->descs[i];
- linehandle_flags_to_desc_flags(gcnf.flags, &desc->flags);
+ linehandle_flags_to_desc_flags(lflags, &desc->flags);
- /*
- * Lines have to be requested explicitly for input
- * or output, else the line will be treated "as is".
- */
if (lflags & GPIOHANDLE_REQUEST_OUTPUT) {
int val = !!gcnf.default_values[i];
ret = gpiod_direction_output(desc, val);
if (ret)
return ret;
- } else if (lflags & GPIOHANDLE_REQUEST_INPUT) {
+ } else {
ret = gpiod_direction_input(desc);
if (ret)
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 302/356] x86: stop playing stack games in profile_pc()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 301/356] gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 303/356] parisc: use generic sys_fanotify_mark implementation Greg Kroah-Hartman
` (61 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds <torvalds@linux-foundation.org>
[ Upstream commit 093d9603b60093a9aaae942db56107f6432a5dca ]
The 'profile_pc()' function is used for timer-based profiling, which
isn't really all that relevant any more to begin with, but it also ends
up making assumptions based on the stack layout that aren't necessarily
valid.
Basically, the code tries to account the time spent in spinlocks to the
caller rather than the spinlock, and while I support that as a concept,
it's not worth the code complexity or the KASAN warnings when no serious
profiling is done using timers anyway these days.
And the code really does depend on stack layout that is only true in the
simplest of cases. We've lost the comment at some point (I think when
the 32-bit and 64-bit code was unified), but it used to say:
Assume the lock function has either no stack frame or a copy
of eflags from PUSHF.
which explains why it just blindly loads a word or two straight off the
stack pointer and then takes a minimal look at the values to just check
if they might be eflags or the return pc:
Eflags always has bits 22 and up cleared unlike kernel addresses
but that basic stack layout assumption assumes that there isn't any lock
debugging etc going on that would complicate the code and cause a stack
frame.
It causes KASAN unhappiness reported for years by syzkaller [1] and
others [2].
With no real practical reason for this any more, just remove the code.
Just for historical interest, here's some background commits relating to
this code from 2006:
0cb91a229364 ("i386: Account spinlocks to the caller during profiling for !FP kernels")
31679f38d886 ("Simplify profile_pc on x86-64")
and a code unification from 2009:
ef4512882dbe ("x86: time_32/64.c unify profile_pc")
but the basics of this thing actually goes back to before the git tree.
Link: https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3 [1]
Link: https://lore.kernel.org/all/CAK55_s7Xyq=nh97=K=G1sxueOFrJDAvPOJAL4TPTCAYvmxO9_A@mail.gmail.com/ [2]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/time.c | 20 +-------------------
1 file changed, 1 insertion(+), 19 deletions(-)
diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c
index e42faa792c079..52e1f3f0b361c 100644
--- a/arch/x86/kernel/time.c
+++ b/arch/x86/kernel/time.c
@@ -27,25 +27,7 @@
unsigned long profile_pc(struct pt_regs *regs)
{
- unsigned long pc = instruction_pointer(regs);
-
- if (!user_mode(regs) && in_lock_functions(pc)) {
-#ifdef CONFIG_FRAME_POINTER
- return *(unsigned long *)(regs->bp + sizeof(long));
-#else
- unsigned long *sp = (unsigned long *)regs->sp;
- /*
- * Return address is either directly at stack pointer
- * or above a saved flags. Eflags has bits 22-31 zero,
- * kernel addresses don't.
- */
- if (sp[0] >> 22)
- return sp[0];
- if (sp[1] >> 22)
- return sp[1];
-#endif
- }
- return pc;
+ return instruction_pointer(regs);
}
EXPORT_SYMBOL(profile_pc);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 303/356] parisc: use generic sys_fanotify_mark implementation
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 302/356] x86: stop playing stack games in profile_pc() Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 304/356] ocfs2: fix DIO failure due to insufficient transaction credits Greg Kroah-Hartman
` (60 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adhemerval Zanella, Helge Deller,
Arnd Bergmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 403f17a330732a666ae793f3b15bc75bb5540524 ]
The sys_fanotify_mark() syscall on parisc uses the reverse word order
for the two halves of the 64-bit argument compared to all syscalls on
all 32-bit architectures. As far as I can tell, the problem is that
the function arguments on parisc are sorted backwards (26, 25, 24, 23,
...) compared to everyone else, so the calling conventions of using an
even/odd register pair in native word order result in the lower word
coming first in function arguments, matching the expected behavior
on little-endian architectures. The system call conventions however
ended up matching what the other 32-bit architectures do.
A glibc cleanup in 2020 changed the userspace behavior in a way that
handles all architectures consistently, but this inadvertently broke
parisc32 by changing to the same method as everyone else.
The change made it into glibc-2.35 and subsequently into debian 12
(bookworm), which is the latest stable release. This means we
need to choose between reverting the glibc change or changing the
kernel to match it again, but either hange will leave some systems
broken.
Pick the option that is more likely to help current and future
users and change the kernel to match current glibc. This also
means the behavior is now consistent across architectures, but
it breaks running new kernels with old glibc builds before 2.35.
Link: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=d150181d73d9
Link: https://git.kernel.org/pub/scm/linux/kernel/git/history/history.git/commit/arch/parisc/kernel/sys_parisc.c?h=57b1dfbd5b4a39d
Cc: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Tested-by: Helge Deller <deller@gmx.de>
Acked-by: Helge Deller <deller@gmx.de>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
I found this through code inspection, please double-check to make
sure I got the bug and the fix right.
The alternative is to fix this by reverting glibc back to the
unusual behavior.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/parisc/Kconfig | 1 +
arch/parisc/kernel/sys_parisc32.c | 9 ---------
arch/parisc/kernel/syscalls/syscall.tbl | 2 +-
3 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
index 117b0f882750a..6ac0c4b98e281 100644
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -12,6 +12,7 @@ config PARISC
select ARCH_HAS_STRICT_MODULE_RWX
select ARCH_HAS_UBSAN_SANITIZE_ALL
select ARCH_NO_SG_CHAIN
+ select ARCH_SPLIT_ARG64 if !64BIT
select ARCH_SUPPORTS_HUGETLBFS if PA20
select ARCH_SUPPORTS_MEMORY_FAILURE
select DMA_OPS
diff --git a/arch/parisc/kernel/sys_parisc32.c b/arch/parisc/kernel/sys_parisc32.c
index 2a12a547b447b..826c8e51b5853 100644
--- a/arch/parisc/kernel/sys_parisc32.c
+++ b/arch/parisc/kernel/sys_parisc32.c
@@ -23,12 +23,3 @@ asmlinkage long sys32_unimplemented(int r26, int r25, int r24, int r23,
current->comm, current->pid, r20);
return -ENOSYS;
}
-
-asmlinkage long sys32_fanotify_mark(compat_int_t fanotify_fd, compat_uint_t flags,
- compat_uint_t mask0, compat_uint_t mask1, compat_int_t dfd,
- const char __user * pathname)
-{
- return sys_fanotify_mark(fanotify_fd, flags,
- ((__u64)mask1 << 32) | mask0,
- dfd, pathname);
-}
diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl
index 3e7ded09e00a5..5774509ea4a3b 100644
--- a/arch/parisc/kernel/syscalls/syscall.tbl
+++ b/arch/parisc/kernel/syscalls/syscall.tbl
@@ -364,7 +364,7 @@
320 common accept4 sys_accept4
321 common prlimit64 sys_prlimit64
322 common fanotify_init sys_fanotify_init
-323 common fanotify_mark sys_fanotify_mark sys32_fanotify_mark
+323 common fanotify_mark sys_fanotify_mark compat_sys_fanotify_mark
324 32 clock_adjtime sys_clock_adjtime32
324 64 clock_adjtime sys_clock_adjtime
325 common name_to_handle_at sys_name_to_handle_at
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 304/356] ocfs2: fix DIO failure due to insufficient transaction credits
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 303/356] parisc: use generic sys_fanotify_mark implementation Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 305/356] mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos Greg Kroah-Hartman
` (59 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Joseph Qi, Heming Zhao,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Gang He,
Jun Piao, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit be346c1a6eeb49d8fda827d2a9522124c2f72f36 upstream.
The code in ocfs2_dio_end_io_write() estimates number of necessary
transaction credits using ocfs2_calc_extend_credits(). This however does
not take into account that the IO could be arbitrarily large and can
contain arbitrary number of extents.
Extent tree manipulations do often extend the current transaction but not
in all of the cases. For example if we have only single block extents in
the tree, ocfs2_mark_extent_written() will end up calling
ocfs2_replace_extent_rec() all the time and we will never extend the
current transaction and eventually exhaust all the transaction credits if
the IO contains many single block extents. Once that happens a
WARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in
jbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to
this error. This was actually triggered by one of our customers on a
heavily fragmented OCFS2 filesystem.
To fix the issue make sure the transaction always has enough credits for
one extent insert before each call of ocfs2_mark_extent_written().
Heming Zhao said:
------
PANIC: "Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error"
PID: xxx TASK: xxxx CPU: 5 COMMAND: "SubmitThread-CA"
#0 machine_kexec at ffffffff8c069932
#1 __crash_kexec at ffffffff8c1338fa
#2 panic at ffffffff8c1d69b9
#3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]
#4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]
#5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]
#6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]
#7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]
#8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]
#9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]
#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]
#11 dio_complete at ffffffff8c2b9fa7
#12 do_blockdev_direct_IO at ffffffff8c2bc09f
#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]
#14 generic_file_direct_write at ffffffff8c1dcf14
#15 __generic_file_write_iter at ffffffff8c1dd07b
#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]
#17 aio_write at ffffffff8c2cc72e
#18 kmem_cache_alloc at ffffffff8c248dde
#19 do_io_submit at ffffffff8c2ccada
#20 do_syscall_64 at ffffffff8c004984
#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba
Link: https://lkml.kernel.org/r/20240617095543.6971-1-jack@suse.cz
Link: https://lkml.kernel.org/r/20240614145243.8837-1-jack@suse.cz
Fixes: c15471f79506 ("ocfs2: fix sparse file & data ordering issue in direct io")
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/aops.c | 5 +++++
fs/ocfs2/journal.c | 17 +++++++++++++++++
fs/ocfs2/journal.h | 2 ++
fs/ocfs2/ocfs2_trace.h | 2 ++
4 files changed, 26 insertions(+)
--- a/fs/ocfs2/aops.c
+++ b/fs/ocfs2/aops.c
@@ -2370,6 +2370,11 @@ static int ocfs2_dio_end_io_write(struct
}
list_for_each_entry(ue, &dwc->dw_zero_list, ue_node) {
+ ret = ocfs2_assure_trans_credits(handle, credits);
+ if (ret < 0) {
+ mlog_errno(ret);
+ break;
+ }
ret = ocfs2_mark_extent_written(inode, &et, handle,
ue->ue_cpos, 1,
ue->ue_phys,
--- a/fs/ocfs2/journal.c
+++ b/fs/ocfs2/journal.c
@@ -448,6 +448,23 @@ bail:
}
/*
+ * Make sure handle has at least 'nblocks' credits available. If it does not
+ * have that many credits available, we will try to extend the handle to have
+ * enough credits. If that fails, we will restart transaction to have enough
+ * credits. Similar notes regarding data consistency and locking implications
+ * as for ocfs2_extend_trans() apply here.
+ */
+int ocfs2_assure_trans_credits(handle_t *handle, int nblocks)
+{
+ int old_nblks = jbd2_handle_buffer_credits(handle);
+
+ trace_ocfs2_assure_trans_credits(old_nblks);
+ if (old_nblks >= nblocks)
+ return 0;
+ return ocfs2_extend_trans(handle, nblocks - old_nblks);
+}
+
+/*
* If we have fewer than thresh credits, extend by OCFS2_MAX_TRANS_DATA.
* If that fails, restart the transaction & regain write access for the
* buffer head which is used for metadata modifications.
--- a/fs/ocfs2/journal.h
+++ b/fs/ocfs2/journal.h
@@ -242,6 +242,8 @@ handle_t *ocfs2_start_trans(struct
int ocfs2_commit_trans(struct ocfs2_super *osb,
handle_t *handle);
int ocfs2_extend_trans(handle_t *handle, int nblocks);
+int ocfs2_assure_trans_credits(handle_t *handle,
+ int nblocks);
int ocfs2_allocate_extend_trans(handle_t *handle,
int thresh);
--- a/fs/ocfs2/ocfs2_trace.h
+++ b/fs/ocfs2/ocfs2_trace.h
@@ -2578,6 +2578,8 @@ DEFINE_OCFS2_ULL_UINT_EVENT(ocfs2_commit
DEFINE_OCFS2_INT_INT_EVENT(ocfs2_extend_trans);
+DEFINE_OCFS2_INT_EVENT(ocfs2_assure_trans_credits);
+
DEFINE_OCFS2_INT_EVENT(ocfs2_extend_trans_restart);
DEFINE_OCFS2_INT_INT_EVENT(ocfs2_allocate_extend_trans);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 305/356] mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 304/356] ocfs2: fix DIO failure due to insufficient transaction credits Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 306/356] mmc: sdhci: Do not invert write-protect twice Greg Kroah-Hartman
` (58 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Adrian Hunter,
Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
commit ebc4fc34eae8ddfbef49f2bdaced1bf4167ef80d upstream.
jmicron_pmos() and sdhci_pci_probe() use pci_{read,write}_config_byte()
that return PCIBIOS_* codes. The return code is then returned as is by
jmicron_probe() and sdhci_pci_probe(). Similarly, the return code is
also returned as is from jmicron_resume(). Both probe and resume
functions should return normal errnos.
Convert PCIBIOS_* returns code using pcibios_err_to_errno() into normal
errno before returning them the fix these issues.
Fixes: 7582041ff3d4 ("mmc: sdhci-pci: fix simple_return.cocci warnings")
Fixes: 45211e215984 ("sdhci: toggle JMicron PMOS setting")
Cc: stable@vger.kernel.org
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20240527132443.14038-1-ilpo.jarvinen@linux.intel.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-pci-core.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/drivers/mmc/host/sdhci-pci-core.c
+++ b/drivers/mmc/host/sdhci-pci-core.c
@@ -1399,7 +1399,7 @@ static int jmicron_pmos(struct sdhci_pci
ret = pci_read_config_byte(chip->pdev, 0xAE, &scratch);
if (ret)
- return ret;
+ goto fail;
/*
* Turn PMOS on [bit 0], set over current detection to 2.4 V
@@ -1410,7 +1410,10 @@ static int jmicron_pmos(struct sdhci_pci
else
scratch &= ~0x47;
- return pci_write_config_byte(chip->pdev, 0xAE, scratch);
+ ret = pci_write_config_byte(chip->pdev, 0xAE, scratch);
+
+fail:
+ return pcibios_err_to_errno(ret);
}
static int jmicron_probe(struct sdhci_pci_chip *chip)
@@ -2327,7 +2330,7 @@ static int sdhci_pci_probe(struct pci_de
ret = pci_read_config_byte(pdev, PCI_SLOT_INFO, &slots);
if (ret)
- return ret;
+ return pcibios_err_to_errno(ret);
slots = PCI_SLOT_INFO_SLOTS(slots) + 1;
dev_dbg(&pdev->dev, "found %d slot(s)\n", slots);
@@ -2336,7 +2339,7 @@ static int sdhci_pci_probe(struct pci_de
ret = pci_read_config_byte(pdev, PCI_SLOT_INFO, &first_bar);
if (ret)
- return ret;
+ return pcibios_err_to_errno(ret);
first_bar &= PCI_SLOT_INFO_FIRST_BAR_MASK;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 306/356] mmc: sdhci: Do not invert write-protect twice
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 305/356] mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 307/356] mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() Greg Kroah-Hartman
` (57 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit fbd64f902b93fe9658b855b9892ae59ef6ea22b9 upstream.
mmc_of_parse() reads device property "wp-inverted" and sets
MMC_CAP2_RO_ACTIVE_HIGH if it is true. MMC_CAP2_RO_ACTIVE_HIGH is used
to invert a write-protect (AKA read-only) GPIO value.
sdhci_get_property() also reads "wp-inverted" and sets
SDHCI_QUIRK_INVERTED_WRITE_PROTECT which is used to invert the
write-protect value as well but also acts upon a value read out from the
SDHCI_PRESENT_STATE register.
Many drivers call both mmc_of_parse() and sdhci_get_property(),
so that both MMC_CAP2_RO_ACTIVE_HIGH and
SDHCI_QUIRK_INVERTED_WRITE_PROTECT will be set if the controller has
device property "wp-inverted".
Amend the logic in sdhci_check_ro() to allow for that possibility,
so that the write-protect value is not inverted twice.
Also do not invert the value if it is a negative error value. Note that
callers treat an error the same as not-write-protected, so the result is
functionally the same in that case.
Also do not invert the value if sdhci host operation ->get_ro() is used.
None of the users of that callback set SDHCI_QUIRK_INVERTED_WRITE_PROTECT
directly or indirectly, but two do call mmc_gpio_get_ro(), so leave it to
them to deal with that if they ever set SDHCI_QUIRK_INVERTED_WRITE_PROTECT
in the future.
Fixes: 6d5cd068ee59 ("mmc: sdhci: use WP GPIO in sdhci_check_ro()")
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240614080051.4005-2-adrian.hunter@intel.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -2487,26 +2487,34 @@ static int sdhci_get_cd(struct mmc_host
static int sdhci_check_ro(struct sdhci_host *host)
{
+ bool allow_invert = false;
unsigned long flags;
int is_readonly;
spin_lock_irqsave(&host->lock, flags);
- if (host->flags & SDHCI_DEVICE_DEAD)
+ if (host->flags & SDHCI_DEVICE_DEAD) {
is_readonly = 0;
- else if (host->ops->get_ro)
+ } else if (host->ops->get_ro) {
is_readonly = host->ops->get_ro(host);
- else if (mmc_can_gpio_ro(host->mmc))
+ } else if (mmc_can_gpio_ro(host->mmc)) {
is_readonly = mmc_gpio_get_ro(host->mmc);
- else
+ /* Do not invert twice */
+ allow_invert = !(host->mmc->caps2 & MMC_CAP2_RO_ACTIVE_HIGH);
+ } else {
is_readonly = !(sdhci_readl(host, SDHCI_PRESENT_STATE)
& SDHCI_WRITE_PROTECT);
+ allow_invert = true;
+ }
spin_unlock_irqrestore(&host->lock, flags);
- /* This quirk needs to be replaced by a callback-function later */
- return host->quirks & SDHCI_QUIRK_INVERTED_WRITE_PROTECT ?
- !is_readonly : is_readonly;
+ if (is_readonly >= 0 &&
+ allow_invert &&
+ (host->quirks & SDHCI_QUIRK_INVERTED_WRITE_PROTECT))
+ is_readonly = !is_readonly;
+
+ return is_readonly;
}
#define SAMPLE_COUNT 5
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 307/356] mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 306/356] mmc: sdhci: Do not invert write-protect twice Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 308/356] i2c: testunit: dont erase registers after STOP Greg Kroah-Hartman
` (56 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit ab069ce125965a5e282f7b53b86aee76ab32975c upstream.
sdhci_check_ro() can call mmc_gpio_get_ro() while holding the sdhci
host->lock spinlock. That would be a problem if the GPIO access done by
mmc_gpio_get_ro() needed to sleep.
However, host->lock is not needed anyway. The mmc core ensures that host
operations do not race with each other, and asynchronous callbacks like the
interrupt handler, software timeouts, completion work etc, cannot affect
sdhci_check_ro().
So remove the locking.
Fixes: 6d5cd068ee59 ("mmc: sdhci: use WP GPIO in sdhci_check_ro()")
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240614080051.4005-3-adrian.hunter@intel.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci.c | 5 -----
1 file changed, 5 deletions(-)
--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -2488,11 +2488,8 @@ static int sdhci_get_cd(struct mmc_host
static int sdhci_check_ro(struct sdhci_host *host)
{
bool allow_invert = false;
- unsigned long flags;
int is_readonly;
- spin_lock_irqsave(&host->lock, flags);
-
if (host->flags & SDHCI_DEVICE_DEAD) {
is_readonly = 0;
} else if (host->ops->get_ro) {
@@ -2507,8 +2504,6 @@ static int sdhci_check_ro(struct sdhci_h
allow_invert = true;
}
- spin_unlock_irqrestore(&host->lock, flags);
-
if (is_readonly >= 0 &&
allow_invert &&
(host->quirks & SDHCI_QUIRK_INVERTED_WRITE_PROTECT))
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 308/356] i2c: testunit: dont erase registers after STOP
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 307/356] mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 309/356] i2c: testunit: discard write requests while old command is running Greg Kroah-Hartman
` (55 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Andi Shyti,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit c422b6a630240f706063e0ecbb894aa8491b1fa1 ]
STOP fallsthrough to WRITE_REQUESTED but this became problematic when
clearing the testunit registers was added to the latter. Actually, there
is no reason to clear the testunit state after STOP. Doing it when a new
WRITE_REQUESTED arrives is enough. So, no need to fallthrough, at all.
Fixes: b39ab96aa894 ("i2c: testunit: add support for block process calls")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-slave-testunit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i2c/i2c-slave-testunit.c b/drivers/i2c/i2c-slave-testunit.c
index 56dae08dfd489..1beae30c418b8 100644
--- a/drivers/i2c/i2c-slave-testunit.c
+++ b/drivers/i2c/i2c-slave-testunit.c
@@ -118,7 +118,7 @@ static int i2c_slave_testunit_slave_cb(struct i2c_client *client,
queue_delayed_work(system_long_wq, &tu->worker,
msecs_to_jiffies(10 * tu->regs[TU_REG_DELAY]));
}
- fallthrough;
+ break;
case I2C_SLAVE_WRITE_REQUESTED:
memset(tu->regs, 0, TU_NUM_REGS);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 309/356] i2c: testunit: discard write requests while old command is running
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 308/356] i2c: testunit: dont erase registers after STOP Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 310/356] iio: adc: ad7266: Fix variable checking bug Greg Kroah-Hartman
` (54 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Andi Shyti,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit c116deafd1a5cc1e9739099eb32114e90623209c ]
When clearing registers on new write requests was added, the protection
for currently running commands was missed leading to concurrent access
to the testunit registers. Check the flag beforehand.
Fixes: b39ab96aa894 ("i2c: testunit: add support for block process calls")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-slave-testunit.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/i2c/i2c-slave-testunit.c b/drivers/i2c/i2c-slave-testunit.c
index 1beae30c418b8..cd0d87b089fec 100644
--- a/drivers/i2c/i2c-slave-testunit.c
+++ b/drivers/i2c/i2c-slave-testunit.c
@@ -121,6 +121,9 @@ static int i2c_slave_testunit_slave_cb(struct i2c_client *client,
break;
case I2C_SLAVE_WRITE_REQUESTED:
+ if (test_bit(TU_FLAG_IN_PROCESS, &tu->flags))
+ return -EBUSY;
+
memset(tu->regs, 0, TU_NUM_REGS);
tu->reg_idx = 0;
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 310/356] iio: adc: ad7266: Fix variable checking bug
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 309/356] i2c: testunit: discard write requests while old command is running Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 311/356] iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF Greg Kroah-Hartman
` (53 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fernando Yang, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Yang <hagisf@usp.br>
commit a2b86132955268b2a1703082fbc2d4832fc001b8 upstream.
The ret variable was not checked after iio_device_release_direct_mode(),
which could possibly cause errors
Fixes: c70df20e3159 ("iio: adc: ad7266: claim direct mode during sensor read")
Signed-off-by: Fernando Yang <hagisf@usp.br>
Link: https://lore.kernel.org/r/20240603180757.8560-1-hagisf@usp.br
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad7266.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iio/adc/ad7266.c
+++ b/drivers/iio/adc/ad7266.c
@@ -157,6 +157,8 @@ static int ad7266_read_raw(struct iio_de
ret = ad7266_read_single(st, val, chan->address);
iio_device_release_direct_mode(indio_dev);
+ if (ret < 0)
+ return ret;
*val = (*val >> 2) & 0xfff;
if (chan->scan_type.sign == 's')
*val = sign_extend32(*val, 11);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 311/356] iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 310/356] iio: adc: ad7266: Fix variable checking bug Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 312/356] iio: chemical: bme680: Fix pressure value output Greg Kroah-Hartman
` (52 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Sverdlin, Sean Nyekjaer,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
commit a821d7111e3f7c8869961b606714a299bfe20014 upstream.
Provide missing symbols to the module:
ERROR: modpost: iio_push_to_buffers [drivers/iio/accel/fxls8962af-core.ko] undefined!
ERROR: modpost: devm_iio_kfifo_buffer_setup_ext [drivers/iio/accel/fxls8962af-core.ko] undefined!
Cc: stable@vger.kernel.org
Fixes: 79e3a5bdd9ef ("iio: accel: fxls8962af: add hw buffered sampling")
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Reviewed-by: Sean Nyekjaer <sean@geanix.com>
Link: https://lore.kernel.org/r/20240605203810.2908980-2-alexander.sverdlin@siemens.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/accel/Kconfig | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iio/accel/Kconfig
+++ b/drivers/iio/accel/Kconfig
@@ -235,6 +235,8 @@ config DMARD10
config FXLS8962AF
tristate
depends on I2C || !I2C # cannot be built-in for modular I2C
+ select IIO_BUFFER
+ select IIO_KFIFO_BUF
config FXLS8962AF_I2C
tristate "NXP FXLS8962AF/FXLS8964AF Accelerometer I2C Driver"
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 312/356] iio: chemical: bme680: Fix pressure value output
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 311/356] iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 313/356] iio: chemical: bme680: Fix calibration data variable Greg Kroah-Hartman
` (51 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vasileios Amoiridis, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasileios Amoiridis <vassilisamir@gmail.com>
commit ae1f7b93b52095be6776d0f34957b4f35dda44d9 upstream.
The IIO standard units are measured in kPa while the driver
is using hPa.
Apart from checking the userspace value itself, it is mentioned also
in the Bosch API [1] that the pressure value is in Pascal.
[1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x_defs.h#L742
Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Link: https://lore.kernel.org/r/20240606212313.207550-2-vassilisamir@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/bme680_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/bme680_core.c
+++ b/drivers/iio/chemical/bme680_core.c
@@ -678,7 +678,7 @@ static int bme680_read_press(struct bme6
}
*val = bme680_compensate_press(data, adc_press);
- *val2 = 100;
+ *val2 = 1000;
return IIO_VAL_FRACTIONAL;
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 313/356] iio: chemical: bme680: Fix calibration data variable
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 312/356] iio: chemical: bme680: Fix pressure value output Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 314/356] iio: chemical: bme680: Fix overflows in compensate() functions Greg Kroah-Hartman
` (50 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vasileios Amoiridis, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasileios Amoiridis <vassilisamir@gmail.com>
commit b47c0fee73a810c4503c4a94ea34858a1d865bba upstream.
According to the BME68x Sensor API [1], the h6 calibration
data variable should be an unsigned integer of size 8.
[1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x_defs.h#L789
Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Link: https://lore.kernel.org/r/20240606212313.207550-3-vassilisamir@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/bme680_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/bme680_core.c
+++ b/drivers/iio/chemical/bme680_core.c
@@ -38,7 +38,7 @@ struct bme680_calib {
s8 par_h3;
s8 par_h4;
s8 par_h5;
- s8 par_h6;
+ u8 par_h6;
s8 par_h7;
s8 par_gh1;
s16 par_gh2;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 314/356] iio: chemical: bme680: Fix overflows in compensate() functions
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 313/356] iio: chemical: bme680: Fix calibration data variable Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 315/356] iio: chemical: bme680: Fix sensor data read operation Greg Kroah-Hartman
` (49 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vasileios Amoiridis, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasileios Amoiridis <vassilisamir@gmail.com>
commit fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8 upstream.
There are cases in the compensate functions of the driver that
there could be overflows of variables due to bit shifting ops.
These implications were initially discussed here [1] and they
were mentioned in log message of Commit 1b3bd8592780 ("iio:
chemical: Add support for Bosch BME680 sensor").
[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/
Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Link: https://lore.kernel.org/r/20240606212313.207550-4-vassilisamir@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/bme680_core.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/iio/chemical/bme680_core.c
+++ b/drivers/iio/chemical/bme680_core.c
@@ -342,10 +342,10 @@ static s16 bme680_compensate_temp(struct
if (!calib->par_t2)
bme680_read_calib(data, calib);
- var1 = (adc_temp >> 3) - (calib->par_t1 << 1);
+ var1 = (adc_temp >> 3) - ((s32)calib->par_t1 << 1);
var2 = (var1 * calib->par_t2) >> 11;
var3 = ((var1 >> 1) * (var1 >> 1)) >> 12;
- var3 = (var3 * (calib->par_t3 << 4)) >> 14;
+ var3 = (var3 * ((s32)calib->par_t3 << 4)) >> 14;
data->t_fine = var2 + var3;
calc_temp = (data->t_fine * 5 + 128) >> 8;
@@ -368,9 +368,9 @@ static u32 bme680_compensate_press(struc
var1 = (data->t_fine >> 1) - 64000;
var2 = ((((var1 >> 2) * (var1 >> 2)) >> 11) * calib->par_p6) >> 2;
var2 = var2 + (var1 * calib->par_p5 << 1);
- var2 = (var2 >> 2) + (calib->par_p4 << 16);
+ var2 = (var2 >> 2) + ((s32)calib->par_p4 << 16);
var1 = (((((var1 >> 2) * (var1 >> 2)) >> 13) *
- (calib->par_p3 << 5)) >> 3) +
+ ((s32)calib->par_p3 << 5)) >> 3) +
((calib->par_p2 * var1) >> 1);
var1 = var1 >> 18;
var1 = ((32768 + var1) * calib->par_p1) >> 15;
@@ -388,7 +388,7 @@ static u32 bme680_compensate_press(struc
var3 = ((press_comp >> 8) * (press_comp >> 8) *
(press_comp >> 8) * calib->par_p10) >> 17;
- press_comp += (var1 + var2 + var3 + (calib->par_p7 << 7)) >> 4;
+ press_comp += (var1 + var2 + var3 + ((s32)calib->par_p7 << 7)) >> 4;
return press_comp;
}
@@ -414,7 +414,7 @@ static u32 bme680_compensate_humid(struc
(((temp_scaled * ((temp_scaled * calib->par_h5) / 100))
>> 6) / 100) + (1 << 14))) >> 10;
var3 = var1 * var2;
- var4 = calib->par_h6 << 7;
+ var4 = (s32)calib->par_h6 << 7;
var4 = (var4 + ((temp_scaled * calib->par_h7) / 100)) >> 4;
var5 = ((var3 >> 14) * (var3 >> 14)) >> 10;
var6 = (var4 * var5) >> 1;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 315/356] iio: chemical: bme680: Fix sensor data read operation
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 314/356] iio: chemical: bme680: Fix overflows in compensate() functions Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 316/356] net: usb: ax88179_178a: improve link status logs Greg Kroah-Hartman
` (48 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vasileios Amoiridis, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasileios Amoiridis <vassilisamir@gmail.com>
commit 4241665e6ea063a9c1d734de790121a71db763fc upstream.
A read operation is happening as follows:
a) Set sensor to forced mode
b) Sensor measures values and update data registers and sleeps again
c) Read data registers
In the current implementation the read operation happens immediately
after the sensor is set to forced mode so the sensor does not have
the time to update properly the registers. This leads to the following
2 problems:
1) The first ever value which is read by the register is always wrong
2) Every read operation, puts the register into forced mode and reads
the data that were calculated in the previous conversion.
This behaviour was tested in 2 ways:
1) The internal meas_status_0 register was read before and after every
read operation in order to verify that the data were ready even before
the register was set to forced mode and also to check that after the
forced mode was set the new data were not yet ready.
2) Physically changing the temperature and measuring the temperature
This commit adds the waiting time in between the set of the forced mode
and the read of the data. The function is taken from the Bosch BME68x
Sensor API [1].
[1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L490
Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Link: https://lore.kernel.org/r/20240606212313.207550-5-vassilisamir@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/bme680.h | 2 +
drivers/iio/chemical/bme680_core.c | 46 +++++++++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)
--- a/drivers/iio/chemical/bme680.h
+++ b/drivers/iio/chemical/bme680.h
@@ -54,7 +54,9 @@
#define BME680_NB_CONV_MASK GENMASK(3, 0)
#define BME680_REG_MEAS_STAT_0 0x1D
+#define BME680_NEW_DATA_BIT BIT(7)
#define BME680_GAS_MEAS_BIT BIT(6)
+#define BME680_MEAS_BIT BIT(5)
/* Calibration Parameters */
#define BME680_T2_LSB_REG 0x8A
--- a/drivers/iio/chemical/bme680_core.c
+++ b/drivers/iio/chemical/bme680_core.c
@@ -10,6 +10,7 @@
*/
#include <linux/acpi.h>
#include <linux/bitfield.h>
+#include <linux/delay.h>
#include <linux/device.h>
#include <linux/module.h>
#include <linux/log2.h>
@@ -532,6 +533,43 @@ static u8 bme680_oversampling_to_reg(u8
return ilog2(val) + 1;
}
+/*
+ * Taken from Bosch BME680 API:
+ * https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L490
+ */
+static int bme680_wait_for_eoc(struct bme680_data *data)
+{
+ struct device *dev = regmap_get_device(data->regmap);
+ unsigned int check;
+ int ret;
+ /*
+ * (Sum of oversampling ratios * time per oversampling) +
+ * TPH measurement + gas measurement + wait transition from forced mode
+ * + heater duration
+ */
+ int wait_eoc_us = ((data->oversampling_temp + data->oversampling_press +
+ data->oversampling_humid) * 1936) + (477 * 4) +
+ (477 * 5) + 1000 + (data->heater_dur * 1000);
+
+ usleep_range(wait_eoc_us, wait_eoc_us + 100);
+
+ ret = regmap_read(data->regmap, BME680_REG_MEAS_STAT_0, &check);
+ if (ret) {
+ dev_err(dev, "failed to read measurement status register.\n");
+ return ret;
+ }
+ if (check & BME680_MEAS_BIT) {
+ dev_err(dev, "Device measurement cycle incomplete.\n");
+ return -EBUSY;
+ }
+ if (!(check & BME680_NEW_DATA_BIT)) {
+ dev_err(dev, "No new data available from the device.\n");
+ return -ENODATA;
+ }
+
+ return 0;
+}
+
static int bme680_chip_config(struct bme680_data *data)
{
struct device *dev = regmap_get_device(data->regmap);
@@ -622,6 +660,10 @@ static int bme680_read_temp(struct bme68
if (ret < 0)
return ret;
+ ret = bme680_wait_for_eoc(data);
+ if (ret)
+ return ret;
+
ret = regmap_bulk_read(data->regmap, BME680_REG_TEMP_MSB,
&tmp, 3);
if (ret < 0) {
@@ -738,6 +780,10 @@ static int bme680_read_gas(struct bme680
if (ret < 0)
return ret;
+ ret = bme680_wait_for_eoc(data);
+ if (ret)
+ return ret;
+
ret = regmap_read(data->regmap, BME680_REG_MEAS_STAT_0, &check);
if (check & BME680_GAS_MEAS_BIT) {
dev_err(dev, "gas measurement incomplete\n");
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 316/356] net: usb: ax88179_178a: improve link status logs
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 315/356] iio: chemical: bme680: Fix sensor data read operation Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 317/356] usb: gadget: printer: SS+ support Greg Kroah-Hartman
` (47 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jose Ignacio Tornos Martinez,
Simon Horman, David S. Miller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
commit 058722ee350c0bdd664e467156feb2bf5d9cc271 upstream.
Avoid spurious link status logs that may ultimately be wrong; for example,
if the link is set to down with the cable plugged, then the cable is
unplugged and after this the link is set to up, the last new log that is
appearing is incorrectly telling that the link is up.
In order to avoid errors, show link status logs after link_reset
processing, and in order to avoid spurious as much as possible, only show
the link loss when some link status change is detected.
cc: stable@vger.kernel.org
Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/ax88179_178a.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/net/usb/ax88179_178a.c
+++ b/drivers/net/usb/ax88179_178a.c
@@ -326,7 +326,8 @@ static void ax88179_status(struct usbnet
if (netif_carrier_ok(dev->net) != link) {
usbnet_link_change(dev, link, 1);
- netdev_info(dev->net, "ax88179 - Link status is: %d\n", link);
+ if (!link)
+ netdev_info(dev->net, "ax88179 - Link status is: 0\n");
}
}
@@ -1558,6 +1559,7 @@ static int ax88179_link_reset(struct usb
GMII_PHY_PHYSR, 2, &tmp16);
if (!(tmp16 & GMII_PHY_PHYSR_LINK)) {
+ netdev_info(dev->net, "ax88179 - Link status is: 0\n");
return 0;
} else if (GMII_PHY_PHYSR_GIGA == (tmp16 & GMII_PHY_PHYSR_SMASK)) {
mode |= AX_MEDIUM_GIGAMODE | AX_MEDIUM_EN_125MHZ;
@@ -1595,6 +1597,8 @@ static int ax88179_link_reset(struct usb
netif_carrier_on(dev->net);
+ netdev_info(dev->net, "ax88179 - Link status is: 1\n");
+
return 0;
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 317/356] usb: gadget: printer: SS+ support
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 316/356] net: usb: ax88179_178a: improve link status logs Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 318/356] usb: gadget: printer: fix races against disable Greg Kroah-Hartman
` (46 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit fd80731e5e9d1402cb2f85022a6abf9b1982ec5f upstream.
We need to treat super speed plus as super speed, not the default,
which is full speed.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20240620093800.28901-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_printer.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/gadget/function/f_printer.c
+++ b/drivers/usb/gadget/function/f_printer.c
@@ -210,6 +210,7 @@ static inline struct usb_endpoint_descri
struct usb_endpoint_descriptor *ss)
{
switch (gadget->speed) {
+ case USB_SPEED_SUPER_PLUS:
case USB_SPEED_SUPER:
return ss;
case USB_SPEED_HIGH:
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 318/356] usb: gadget: printer: fix races against disable
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 317/356] usb: gadget: printer: SS+ support Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 319/356] usb: musb: da8xx: fix a resource leak in probe() Greg Kroah-Hartman
` (45 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit e587a7633dfee8987a999cf253f7c52a8e09276c upstream.
printer_read() and printer_write() guard against the race
against disable() by checking the dev->interface flag,
which in turn is guarded by a spinlock.
These functions, however, drop the lock on multiple occasions.
This means that the test has to be redone after reacquiring
the lock and before doing IO.
Add the tests.
This also addresses CVE-2024-25741
Fixes: 7f2ca14d2f9b9 ("usb: gadget: function: printer: Interface is disabled and returns error")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20240620114039.5767-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_printer.c | 39 +++++++++++++++++++++++---------
1 file changed, 29 insertions(+), 10 deletions(-)
--- a/drivers/usb/gadget/function/f_printer.c
+++ b/drivers/usb/gadget/function/f_printer.c
@@ -448,11 +448,8 @@ printer_read(struct file *fd, char __use
mutex_lock(&dev->lock_printer_io);
spin_lock_irqsave(&dev->lock, flags);
- if (dev->interface < 0) {
- spin_unlock_irqrestore(&dev->lock, flags);
- mutex_unlock(&dev->lock_printer_io);
- return -ENODEV;
- }
+ if (dev->interface < 0)
+ goto out_disabled;
/* We will use this flag later to check if a printer reset happened
* after we turn interrupts back on.
@@ -460,6 +457,9 @@ printer_read(struct file *fd, char __use
dev->reset_printer = 0;
setup_rx_reqs(dev);
+ /* this dropped the lock - need to retest */
+ if (dev->interface < 0)
+ goto out_disabled;
bytes_copied = 0;
current_rx_req = dev->current_rx_req;
@@ -493,6 +493,8 @@ printer_read(struct file *fd, char __use
wait_event_interruptible(dev->rx_wait,
(likely(!list_empty(&dev->rx_buffers))));
spin_lock_irqsave(&dev->lock, flags);
+ if (dev->interface < 0)
+ goto out_disabled;
}
/* We have data to return then copy it to the caller's buffer.*/
@@ -536,6 +538,9 @@ printer_read(struct file *fd, char __use
return -EAGAIN;
}
+ if (dev->interface < 0)
+ goto out_disabled;
+
/* If we not returning all the data left in this RX request
* buffer then adjust the amount of data left in the buffer.
* Othewise if we are done with this RX request buffer then
@@ -565,6 +570,11 @@ printer_read(struct file *fd, char __use
return bytes_copied;
else
return -EAGAIN;
+
+out_disabled:
+ spin_unlock_irqrestore(&dev->lock, flags);
+ mutex_unlock(&dev->lock_printer_io);
+ return -ENODEV;
}
static ssize_t
@@ -585,11 +595,8 @@ printer_write(struct file *fd, const cha
mutex_lock(&dev->lock_printer_io);
spin_lock_irqsave(&dev->lock, flags);
- if (dev->interface < 0) {
- spin_unlock_irqrestore(&dev->lock, flags);
- mutex_unlock(&dev->lock_printer_io);
- return -ENODEV;
- }
+ if (dev->interface < 0)
+ goto out_disabled;
/* Check if a printer reset happens while we have interrupts on */
dev->reset_printer = 0;
@@ -612,6 +619,8 @@ printer_write(struct file *fd, const cha
wait_event_interruptible(dev->tx_wait,
(likely(!list_empty(&dev->tx_reqs))));
spin_lock_irqsave(&dev->lock, flags);
+ if (dev->interface < 0)
+ goto out_disabled;
}
while (likely(!list_empty(&dev->tx_reqs)) && len) {
@@ -661,6 +670,9 @@ printer_write(struct file *fd, const cha
return -EAGAIN;
}
+ if (dev->interface < 0)
+ goto out_disabled;
+
list_add(&req->list, &dev->tx_reqs_active);
/* here, we unlock, and only unlock, to avoid deadlock. */
@@ -673,6 +685,8 @@ printer_write(struct file *fd, const cha
mutex_unlock(&dev->lock_printer_io);
return -EAGAIN;
}
+ if (dev->interface < 0)
+ goto out_disabled;
}
spin_unlock_irqrestore(&dev->lock, flags);
@@ -684,6 +698,11 @@ printer_write(struct file *fd, const cha
return bytes_copied;
else
return -EAGAIN;
+
+out_disabled:
+ spin_unlock_irqrestore(&dev->lock, flags);
+ mutex_unlock(&dev->lock_printer_io);
+ return -ENODEV;
}
static int
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 319/356] usb: musb: da8xx: fix a resource leak in probe()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 318/356] usb: gadget: printer: fix races against disable Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 320/356] usb: atm: cxacru: fix endpoint checking in cxacru_bind() Greg Kroah-Hartman
` (44 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dan Carpenter
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit de644a4a86be04ed8a43ef8267d0f7d021941c5e upstream.
Call usb_phy_generic_unregister() if of_platform_populate() fails.
Fixes: d6299b6efbf6 ("usb: musb: Add support of CPPI 4.1 DMA controller to DA8xx")
Cc: stable <stable@kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/69af1b1d-d3f4-492b-bcea-359ca5949f30@moroto.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/musb/da8xx.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/usb/musb/da8xx.c
+++ b/drivers/usb/musb/da8xx.c
@@ -556,7 +556,7 @@ static int da8xx_probe(struct platform_d
ret = of_platform_populate(pdev->dev.of_node, NULL,
da8xx_auxdata_lookup, &pdev->dev);
if (ret)
- return ret;
+ goto err_unregister_phy;
memset(musb_resources, 0x00, sizeof(*musb_resources) *
ARRAY_SIZE(musb_resources));
@@ -582,9 +582,13 @@ static int da8xx_probe(struct platform_d
ret = PTR_ERR_OR_ZERO(glue->musb);
if (ret) {
dev_err(&pdev->dev, "failed to register musb device: %d\n", ret);
- usb_phy_generic_unregister(glue->usb_phy);
+ goto err_unregister_phy;
}
+ return 0;
+
+err_unregister_phy:
+ usb_phy_generic_unregister(glue->usb_phy);
return ret;
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 320/356] usb: atm: cxacru: fix endpoint checking in cxacru_bind()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 319/356] usb: musb: da8xx: fix a resource leak in probe() Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 321/356] usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock Greg Kroah-Hartman
` (43 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Nikita Zhandarovich,
syzbot+00c18ee8497dd3be6ade
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 upstream.
Syzbot is still reporting quite an old issue [1] that occurs due to
incomplete checking of present usb endpoints. As such, wrong
endpoints types may be used at urb sumbitting stage which in turn
triggers a warning in usb_submit_urb().
Fix the issue by verifying that required endpoint types are present
for both in and out endpoints, taking into account cmd endpoint type.
Unfortunately, this patch has not been tested on real hardware.
[1] Syzbot report:
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
...
Call Trace:
cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649
cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760
cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209
usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055
cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363
usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:517 [inline]
really_probe+0x23c/0xcd0 drivers/base/dd.c:595
__driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
__device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
__device_attach+0x228/0x4a0 drivers/base/dd.c:965
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
device_add+0xc2f/0x2180 drivers/base/core.c:3354
usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170
usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
Reported-and-tested-by: syzbot+00c18ee8497dd3be6ade@syzkaller.appspotmail.com
Fixes: 902ffc3c707c ("USB: cxacru: Use a bulk/int URB to access the command endpoint")
Cc: stable <stable@kernel.org>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://lore.kernel.org/r/20240609131546.3932-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/atm/cxacru.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/usb/atm/cxacru.c
+++ b/drivers/usb/atm/cxacru.c
@@ -1131,6 +1131,7 @@ static int cxacru_bind(struct usbatm_dat
struct cxacru_data *instance;
struct usb_device *usb_dev = interface_to_usbdev(intf);
struct usb_host_endpoint *cmd_ep = usb_dev->ep_in[CXACRU_EP_CMD];
+ struct usb_endpoint_descriptor *in, *out;
int ret;
/* instance init */
@@ -1176,6 +1177,19 @@ static int cxacru_bind(struct usbatm_dat
ret = -ENODEV;
goto fail;
}
+
+ if (usb_endpoint_xfer_int(&cmd_ep->desc))
+ ret = usb_find_common_endpoints(intf->cur_altsetting,
+ NULL, NULL, &in, &out);
+ else
+ ret = usb_find_common_endpoints(intf->cur_altsetting,
+ &in, &out, NULL, NULL);
+
+ if (ret) {
+ usb_err(usbatm_instance, "cxacru_bind: interface has incorrect endpoints\n");
+ ret = -ENODEV;
+ goto fail;
+ }
if ((cmd_ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK)
== USB_ENDPOINT_XFER_INT) {
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 321/356] usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 320/356] usb: atm: cxacru: fix endpoint checking in cxacru_bind() Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 322/356] serial: 8250_omap: Implementation of Errata i2310 Greg Kroah-Hartman
` (42 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Yang, Meng Li, Thinh Nguyen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Meng Li <Meng.Li@windriver.com>
commit 7838de15bb700c2898a7d741db9b1f3cbc86c136 upstream.
When config CONFIG_USB_DWC3_DUAL_ROLE is selected, and trigger system
to enter suspend status with below command:
echo mem > /sys/power/state
There will be a deadlock issue occurring. Detailed invoking path as
below:
dwc3_suspend_common()
spin_lock_irqsave(&dwc->lock, flags); <-- 1st
dwc3_gadget_suspend(dwc);
dwc3_gadget_soft_disconnect(dwc);
spin_lock_irqsave(&dwc->lock, flags); <-- 2nd
This issue is exposed by commit c7ebd8149ee5 ("usb: dwc3: gadget: Fix
NULL pointer dereference in dwc3_gadget_suspend") that removes the code
of checking whether dwc->gadget_driver is NULL or not. It causes the
following code is executed and deadlock occurs when trying to get the
spinlock. In fact, the root cause is the commit 5265397f9442("usb: dwc3:
Remove DWC3 locking during gadget suspend/resume") that forgot to remove
the lock of otg mode. So, remove the redundant lock of otg mode during
gadget suspend/resume.
Fixes: 5265397f9442 ("usb: dwc3: Remove DWC3 locking during gadget suspend/resume")
Cc: Xu Yang <xu.yang_2@nxp.com>
Cc: stable@vger.kernel.org
Signed-off-by: Meng Li <Meng.Li@windriver.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20240618031918.2585799-1-Meng.Li@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/core.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -1752,7 +1752,6 @@ assert_reset:
static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg)
{
- unsigned long flags;
u32 reg;
switch (dwc->current_dr_role) {
@@ -1790,9 +1789,7 @@ static int dwc3_suspend_common(struct dw
break;
if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) {
- spin_lock_irqsave(&dwc->lock, flags);
dwc3_gadget_suspend(dwc);
- spin_unlock_irqrestore(&dwc->lock, flags);
synchronize_irq(dwc->irq_gadget);
}
@@ -1809,7 +1806,6 @@ static int dwc3_suspend_common(struct dw
static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg)
{
- unsigned long flags;
int ret;
u32 reg;
@@ -1858,9 +1854,7 @@ static int dwc3_resume_common(struct dwc
if (dwc->current_otg_role == DWC3_OTG_ROLE_HOST) {
dwc3_otg_host_init(dwc);
} else if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) {
- spin_lock_irqsave(&dwc->lock, flags);
dwc3_gadget_resume(dwc);
- spin_unlock_irqrestore(&dwc->lock, flags);
}
break;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 322/356] serial: 8250_omap: Implementation of Errata i2310
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 321/356] usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 323/356] serial: imx: set receiver level before starting uart Greg Kroah-Hartman
` (41 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Udit Kumar
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Udit Kumar <u-kumar1@ti.com>
commit 9d141c1e615795eeb93cd35501ad144ee997a826 upstream.
As per Errata i2310[0], Erroneous timeout can be triggered,
if this Erroneous interrupt is not cleared then it may leads
to storm of interrupts, therefore apply Errata i2310 solution.
[0] https://www.ti.com/lit/pdf/sprz536 page 23
Fixes: b67e830d38fa ("serial: 8250: 8250_omap: Fix possible interrupt storm on K3 SoCs")
Cc: stable@vger.kernel.org
Signed-off-by: Udit Kumar <u-kumar1@ti.com>
Link: https://lore.kernel.org/r/20240619105903.165434-1-u-kumar1@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_omap.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
--- a/drivers/tty/serial/8250/8250_omap.c
+++ b/drivers/tty/serial/8250/8250_omap.c
@@ -159,6 +159,10 @@ static u32 uart_read(struct omap8250_pri
return readl(priv->membase + (reg << OMAP_UART_REGSHIFT));
}
+/* Timeout low and High */
+#define UART_OMAP_TO_L 0x26
+#define UART_OMAP_TO_H 0x27
+
/*
* Called on runtime PM resume path from omap8250_restore_regs(), and
* omap8250_set_mctrl().
@@ -642,13 +646,24 @@ static irqreturn_t omap8250_irq(int irq,
/*
* On K3 SoCs, it is observed that RX TIMEOUT is signalled after
- * FIFO has been drained, in which case a dummy read of RX FIFO
- * is required to clear RX TIMEOUT condition.
+ * FIFO has been drained or erroneously.
+ * So apply solution of Errata i2310 as mentioned in
+ * https://www.ti.com/lit/pdf/sprz536
*/
if (priv->habit & UART_RX_TIMEOUT_QUIRK &&
- (iir & UART_IIR_RX_TIMEOUT) == UART_IIR_RX_TIMEOUT &&
- serial_port_in(port, UART_OMAP_RX_LVL) == 0) {
- serial_port_in(port, UART_RX);
+ (iir & UART_IIR_RX_TIMEOUT) == UART_IIR_RX_TIMEOUT) {
+ unsigned char efr2, timeout_h, timeout_l;
+
+ efr2 = serial_in(up, UART_OMAP_EFR2);
+ timeout_h = serial_in(up, UART_OMAP_TO_H);
+ timeout_l = serial_in(up, UART_OMAP_TO_L);
+ serial_out(up, UART_OMAP_TO_H, 0xFF);
+ serial_out(up, UART_OMAP_TO_L, 0xFF);
+ serial_out(up, UART_OMAP_EFR2, UART_OMAP_EFR2_TIMEOUT_BEHAVE);
+ serial_in(up, UART_IIR);
+ serial_out(up, UART_OMAP_EFR2, efr2);
+ serial_out(up, UART_OMAP_TO_H, timeout_h);
+ serial_out(up, UART_OMAP_TO_L, timeout_l);
}
/* Stop processing interrupts on input overrun */
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 323/356] serial: imx: set receiver level before starting uart
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 322/356] serial: 8250_omap: Implementation of Errata i2310 Greg Kroah-Hartman
@ 2024-07-03 10:40 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 324/356] tty: mcf: MCF54418 has 10 UARTS Greg Kroah-Hartman
` (40 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Stefan Eichenberger
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
commit a81dbd0463eca317eee44985a66aa6cc2ce5c101 upstream.
Set the receiver level to something > 0 before calling imx_uart_start_rx
in rs485_config. This is necessary to avoid an interrupt storm that
might prevent the system from booting. This was seen on an i.MX7 device
when the rs485-rts-active-low property was active in the device tree.
Fixes: 6d215f83e5fc ("serial: imx: warn user when using unsupported configuration")
Cc: stable <stable@kernel.org>
Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
Link: https://lore.kernel.org/r/20240621153829.183780-1-eichest@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/imx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/tty/serial/imx.c
+++ b/drivers/tty/serial/imx.c
@@ -1972,8 +1972,10 @@ static int imx_uart_rs485_config(struct
/* Make sure Rx is enabled in case Tx is active with Rx disabled */
if (!(rs485conf->flags & SER_RS485_ENABLED) ||
- rs485conf->flags & SER_RS485_RX_DURING_TX)
+ rs485conf->flags & SER_RS485_RX_DURING_TX) {
+ imx_uart_setup_ufcr(sport, TXTL_DEFAULT, RXTL_DEFAULT);
imx_uart_start_rx(port);
+ }
port->rs485 = *rs485conf;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 324/356] tty: mcf: MCF54418 has 10 UARTS
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2024-07-03 10:40 ` [PATCH 5.15 323/356] serial: imx: set receiver level before starting uart Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 325/356] net: can: j1939: Initialize unused data in j1939_send_one() Greg Kroah-Hartman
` (39 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jean-Michel Hautbois, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Michel Hautbois <jeanmichel.hautbois@yoseli.org>
commit 7c92a8bd53f24d50c8cf4aba53bb75505b382fed upstream.
Most of the colfires have up to 5 UARTs but MCF54418 has up-to 10 !
Change the maximum value authorized.
Signed-off-by: Jean-Michel Hautbois <jeanmichel.hautbois@yoseli.org>
Cc: stable <stable@kernel.org>
Fixes: 2545cf6e94b4 ("m68knommu: allow 4 coldfire serial ports")
Link: https://lore.kernel.org/r/20240620-upstream-uart-v1-1-a9d0d95fb19e@yoseli.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/mcf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/mcf.c
+++ b/drivers/tty/serial/mcf.c
@@ -477,7 +477,7 @@ static const struct uart_ops mcf_uart_op
.verify_port = mcf_verify_port,
};
-static struct mcf_uart mcf_ports[4];
+static struct mcf_uart mcf_ports[10];
#define MCF_MAXPORTS ARRAY_SIZE(mcf_ports)
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 325/356] net: can: j1939: Initialize unused data in j1939_send_one()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 324/356] tty: mcf: MCF54418 has 10 UARTS Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 326/356] net: can: j1939: recover socket queue on CAN bus error during BAM transmission Greg Kroah-Hartman
` (38 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Shigeru Yoshida,
Marc Kleine-Budde, syzbot+5681e40d297b30f5b513
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shigeru Yoshida <syoshida@redhat.com>
commit b7cdf1dd5d2a2d8200efd98d1893684db48fe134 upstream.
syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()
creates full frame including unused data, but it doesn't initialize
it. This causes the kernel-infoleak issue. Fix this by initializing
unused data.
[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copy_to_user_iter lib/iov_iter.c:24 [inline]
iterate_ubuf include/linux/iov_iter.h:29 [inline]
iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
iterate_and_advance include/linux/iov_iter.h:271 [inline]
_copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
copy_to_iter include/linux/uio.h:196 [inline]
memcpy_to_msg include/linux/skbuff.h:4113 [inline]
raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0x2c4/0x340 net/socket.c:1068
____sys_recvmsg+0x18a/0x620 net/socket.c:2803
___sys_recvmsg+0x223/0x840 net/socket.c:2845
do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939
__sys_recvmmsg net/socket.c:3018 [inline]
__do_sys_recvmmsg net/socket.c:3041 [inline]
__se_sys_recvmmsg net/socket.c:3034 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034
x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1313 [inline]
alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
sock_alloc_send_skb include/net/sock.h:1842 [inline]
j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]
j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]
j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:745
____sys_sendmsg+0x877/0xb60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Bytes 12-15 of 16 are uninitialized
Memory access of size 16 starts at ffff888120969690
Data copied to user address 00000000200017c0
CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Reported-and-tested-by: syzbot+5681e40d297b30f5b513@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5681e40d297b30f5b513
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Link: https://lore.kernel.org/all/20240517035953.2617090-1-syoshida@redhat.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/main.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
--- a/net/can/j1939/main.c
+++ b/net/can/j1939/main.c
@@ -30,10 +30,6 @@ MODULE_ALIAS("can-proto-" __stringify(CA
/* CAN_HDR: #bytes before can_frame data part */
#define J1939_CAN_HDR (offsetof(struct can_frame, data))
-/* CAN_FTR: #bytes beyond data part */
-#define J1939_CAN_FTR (sizeof(struct can_frame) - J1939_CAN_HDR - \
- sizeof(((struct can_frame *)0)->data))
-
/* lowest layer */
static void j1939_can_recv(struct sk_buff *iskb, void *data)
{
@@ -338,7 +334,7 @@ int j1939_send_one(struct j1939_priv *pr
memset(cf, 0, J1939_CAN_HDR);
/* make it a full can frame again */
- skb_put(skb, J1939_CAN_FTR + (8 - dlc));
+ skb_put_zero(skb, 8 - dlc);
canid = CAN_EFF_FLAG |
(skcb->priority << 26) |
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 326/356] net: can: j1939: recover socket queue on CAN bus error during BAM transmission
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 325/356] net: can: j1939: Initialize unused data in j1939_send_one() Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 327/356] net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new Greg Kroah-Hartman
` (37 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Hölzl, Oleksij Rempel,
Marc Kleine-Budde
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit 9ad1da14ab3bf23087ae45fe399d84a109ddb81a upstream.
Addresses an issue where a CAN bus error during a BAM transmission
could stall the socket queue, preventing further transmissions even
after the bus error is resolved. The fix activates the next queued
session after the error recovery, allowing communication to continue.
Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
Cc: stable@vger.kernel.org
Reported-by: Alexander Hölzl <alexander.hoelzl@gmx.net>
Tested-by: Alexander Hölzl <alexander.hoelzl@gmx.net>
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/all/20240528070648.1947203-1-o.rempel@pengutronix.de
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/transport.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1681,6 +1681,8 @@ static int j1939_xtp_rx_rts_session_acti
j1939_session_timers_cancel(session);
j1939_session_cancel(session, J1939_XTP_ABORT_BUSY);
+ if (session->transmission)
+ j1939_session_deactivate_activate_next(session);
return -EBUSY;
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 327/356] net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 326/356] net: can: j1939: recover socket queue on CAN bus error during BAM transmission Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 328/356] cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked() Greg Kroah-Hartman
` (36 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+daa36413a5cedf799ae4,
Oleksij Rempel, Marc Kleine-Budde
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb upstream.
This patch enhances error handling in scenarios with RTS (Request to
Send) messages arriving closely. It replaces the less informative WARN_ON_ONCE
backtraces with a new error handling method. This provides clearer error
messages and allows for the early termination of problematic sessions.
Previously, sessions were only released at the end of j1939_xtp_rx_rts().
Potentially this could be reproduced with something like:
testj1939 -r vcan0:0x80 &
while true; do
# send first RTS
cansend vcan0 18EC8090#1014000303002301;
# send second RTS
cansend vcan0 18EC8090#1014000303002301;
# send abort
cansend vcan0 18EC8090#ff00000000002301;
done
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Reported-by: syzbot+daa36413a5cedf799ae4@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/all/20231117124959.961171-1-o.rempel@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/transport.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1593,8 +1593,8 @@ j1939_session *j1939_xtp_rx_rts_session_
struct j1939_sk_buff_cb skcb = *j1939_skb_to_cb(skb);
struct j1939_session *session;
const u8 *dat;
+ int len, ret;
pgn_t pgn;
- int len;
netdev_dbg(priv->ndev, "%s\n", __func__);
@@ -1653,7 +1653,22 @@ j1939_session *j1939_xtp_rx_rts_session_
session->tskey = priv->rx_tskey++;
j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_RTS);
- WARN_ON_ONCE(j1939_session_activate(session));
+ ret = j1939_session_activate(session);
+ if (ret) {
+ /* Entering this scope indicates an issue with the J1939 bus.
+ * Possible scenarios include:
+ * - A time lapse occurred, and a new session was initiated
+ * due to another packet being sent correctly. This could
+ * have been caused by too long interrupt, debugger, or being
+ * out-scheduled by another task.
+ * - The bus is receiving numerous erroneous packets, either
+ * from a malfunctioning device or during a test scenario.
+ */
+ netdev_alert(priv->ndev, "%s: 0x%p: concurrent session with same addr (%02x %02x) is already active.\n",
+ __func__, session, skcb.addr.sa, skcb.addr.da);
+ j1939_session_put(session);
+ return NULL;
+ }
return session;
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 328/356] cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 327/356] net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 329/356] kbuild: Install dtb files as 0644 in Makefile.dtbinst Greg Kroah-Hartman
` (35 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuntao Wang, Thomas Gleixner
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuntao Wang <ytcoode@gmail.com>
commit 932d8476399f622aa0767a4a0a9e78e5341dc0e1 upstream.
Commit 4205e4786d0b ("cpu/hotplug: Provide dynamic range for prepare
stage") added a dynamic range for the prepare states, but did not handle
the assignment of the dynstate variable in __cpuhp_setup_state_cpuslocked().
This causes the corresponding startup callback not to be invoked when
calling __cpuhp_setup_state_cpuslocked() with the CPUHP_BP_PREPARE_DYN
parameter, even though it should be.
Currently, the users of __cpuhp_setup_state_cpuslocked(), for one reason or
another, have not triggered this bug.
Fixes: 4205e4786d0b ("cpu/hotplug: Provide dynamic range for prepare stage")
Signed-off-by: Yuntao Wang <ytcoode@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240515134554.427071-1-ytcoode@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/cpu.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -2058,7 +2058,7 @@ EXPORT_SYMBOL_GPL(__cpuhp_state_add_inst
* The caller needs to hold cpus read locked while calling this function.
* Return:
* On success:
- * Positive state number if @state is CPUHP_AP_ONLINE_DYN;
+ * Positive state number if @state is CPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_DYN;
* 0 for all other states
* On failure: proper (negative) error code
*/
@@ -2081,7 +2081,7 @@ int __cpuhp_setup_state_cpuslocked(enum
ret = cpuhp_store_callbacks(state, name, startup, teardown,
multi_instance);
- dynstate = state == CPUHP_AP_ONLINE_DYN;
+ dynstate = state == CPUHP_AP_ONLINE_DYN || state == CPUHP_BP_PREPARE_DYN;
if (ret > 0 && dynstate) {
state = ret;
ret = 0;
@@ -2112,8 +2112,8 @@ int __cpuhp_setup_state_cpuslocked(enum
out:
mutex_unlock(&cpuhp_state_mutex);
/*
- * If the requested state is CPUHP_AP_ONLINE_DYN, return the
- * dynamically allocated state in case of success.
+ * If the requested state is CPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_DYN,
+ * return the dynamically allocated state in case of success.
*/
if (!ret && dynstate)
return state;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 329/356] kbuild: Install dtb files as 0644 in Makefile.dtbinst
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 328/356] cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked() Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 330/356] sh: rework sync_file_range ABI Greg Kroah-Hartman
` (34 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Diederik de Haas, Dragan Simic,
Nicolas Schier, Masahiro Yamada
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dragan Simic <dsimic@manjaro.org>
commit 9cc5f3bf63aa98bd7cc7ce8a8599077fde13283e upstream.
The compiled dtb files aren't executable, so install them with 0644 as their
permission mode, instead of defaulting to 0755 for the permission mode and
installing them with the executable bits set.
Some Linux distributions, including Debian, [1][2][3] already include fixes
in their kernel package build recipes to change the dtb file permissions to
0644 in their kernel packages. These changes, when additionally propagated
into the long-term kernel versions, will allow such distributions to remove
their downstream fixes.
[1] https://salsa.debian.org/kernel-team/linux/-/merge_requests/642
[2] https://salsa.debian.org/kernel-team/linux/-/merge_requests/749
[3] https://salsa.debian.org/kernel-team/linux/-/blob/debian/6.8.12-1/debian/rules.real#L193
Cc: Diederik de Haas <didi.debian@cknow.org>
Cc: <stable@vger.kernel.org>
Fixes: aefd80307a05 ("kbuild: refactor Makefile.dtbinst more")
Signed-off-by: Dragan Simic <dsimic@manjaro.org>
Reviewed-by: Nicolas Schier <nicolas@fjasle.eu>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/Makefile.dtbinst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/scripts/Makefile.dtbinst
+++ b/scripts/Makefile.dtbinst
@@ -24,7 +24,7 @@ __dtbs_install: $(dtbs) $(subdirs)
@:
quiet_cmd_dtb_install = INSTALL $@
- cmd_dtb_install = install -D $< $@
+ cmd_dtb_install = install -D -m 0644 $< $@
$(dst)/%.dtb: $(obj)/%.dtb
$(call cmd,dtb_install)
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 330/356] sh: rework sync_file_range ABI
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 329/356] kbuild: Install dtb files as 0644 in Makefile.dtbinst Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 331/356] csky, hexagon: fix broken sys_sync_file_range Greg Kroah-Hartman
` (33 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Paul Adrian Glaubitz,
Arnd Bergmann
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 30766f1105d6d2459c3b9fe34a3e52b637a72950 upstream.
The unusual function calling conventions on SuperH ended up causing
sync_file_range to have the wrong argument order, with the 'flags'
argument getting sorted before 'nbytes' by the compiler.
In userspace, I found that musl, glibc, uclibc and strace all expect the
normal calling conventions with 'nbytes' last, so changing the kernel
to match them should make all of those work.
In order to be able to also fix libc implementations to work with existing
kernels, they need to be able to tell which ABI is used. An easy way
to do this is to add yet another system call using the sync_file_range2
ABI that works the same on all architectures.
Old user binaries can now work on new kernels, and new binaries can
try the new sync_file_range2() to work with new kernels or fall back
to the old sync_file_range() version if that doesn't exist.
Cc: stable@vger.kernel.org
Fixes: 75c92acdd5b1 ("sh: Wire up new syscalls.")
Acked-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/sh/kernel/sys_sh32.c | 11 +++++++++++
arch/sh/kernel/syscalls/syscall.tbl | 3 ++-
2 files changed, 13 insertions(+), 1 deletion(-)
--- a/arch/sh/kernel/sys_sh32.c
+++ b/arch/sh/kernel/sys_sh32.c
@@ -59,3 +59,14 @@ asmlinkage int sys_fadvise64_64_wrapper(
(u64)len0 << 32 | len1, advice);
#endif
}
+
+/*
+ * swap the arguments the way that libc wants them instead of
+ * moving flags ahead of the 64-bit nbytes argument
+ */
+SYSCALL_DEFINE6(sh_sync_file_range6, int, fd, SC_ARG64(offset),
+ SC_ARG64(nbytes), unsigned int, flags)
+{
+ return ksys_sync_file_range(fd, SC_VAL64(loff_t, offset),
+ SC_VAL64(loff_t, nbytes), flags);
+}
--- a/arch/sh/kernel/syscalls/syscall.tbl
+++ b/arch/sh/kernel/syscalls/syscall.tbl
@@ -321,7 +321,7 @@
311 common set_robust_list sys_set_robust_list
312 common get_robust_list sys_get_robust_list
313 common splice sys_splice
-314 common sync_file_range sys_sync_file_range
+314 common sync_file_range sys_sh_sync_file_range6
315 common tee sys_tee
316 common vmsplice sys_vmsplice
317 common move_pages sys_move_pages
@@ -395,6 +395,7 @@
385 common pkey_alloc sys_pkey_alloc
386 common pkey_free sys_pkey_free
387 common rseq sys_rseq
+388 common sync_file_range2 sys_sync_file_range2
# room for arch specific syscalls
393 common semget sys_semget
394 common semctl sys_semctl
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 331/356] csky, hexagon: fix broken sys_sync_file_range
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 330/356] sh: rework sync_file_range ABI Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 332/356] hexagon: fix fadvise64_64 calling conventions Greg Kroah-Hartman
` (32 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guo Ren, Arnd Bergmann
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 3339b99ef6fe38dac43b534cba3a8a0e29fb2eff upstream.
Both of these architectures require u64 function arguments to be
passed in even/odd pairs of registers or stack slots, which in case of
sync_file_range would result in a seven-argument system call that is
not currently possible. The system call is therefore incompatible with
all existing binaries.
While it would be possible to implement support for seven arguments
like on mips, it seems better to use a six-argument version, either
with the normal argument order but misaligned as on most architectures
or with the reordered sync_file_range2() calling conventions as on
arm and powerpc.
Cc: stable@vger.kernel.org
Acked-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/csky/include/uapi/asm/unistd.h | 1 +
arch/hexagon/include/uapi/asm/unistd.h | 1 +
2 files changed, 2 insertions(+)
--- a/arch/csky/include/uapi/asm/unistd.h
+++ b/arch/csky/include/uapi/asm/unistd.h
@@ -6,6 +6,7 @@
#define __ARCH_WANT_SYS_CLONE3
#define __ARCH_WANT_SET_GET_RLIMIT
#define __ARCH_WANT_TIME32_SYSCALLS
+#define __ARCH_WANT_SYNC_FILE_RANGE2
#include <asm-generic/unistd.h>
#define __NR_set_thread_area (__NR_arch_specific_syscall + 0)
--- a/arch/hexagon/include/uapi/asm/unistd.h
+++ b/arch/hexagon/include/uapi/asm/unistd.h
@@ -36,5 +36,6 @@
#define __ARCH_WANT_SYS_VFORK
#define __ARCH_WANT_SYS_FORK
#define __ARCH_WANT_TIME32_SYSCALLS
+#define __ARCH_WANT_SYNC_FILE_RANGE2
#include <asm-generic/unistd.h>
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 332/356] hexagon: fix fadvise64_64 calling conventions
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 331/356] csky, hexagon: fix broken sys_sync_file_range Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 333/356] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes Greg Kroah-Hartman
` (31 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arnd Bergmann
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 896842284c6ccba25ec9d78b7b6e62cdd507c083 upstream.
fadvise64_64() has two 64-bit arguments at the wrong alignment
for hexagon, which turns them into a 7-argument syscall that is
not supported by Linux.
The downstream musl port for hexagon actually asks for a 6-argument
version the same way we do it on arm, csky, powerpc, so make the
kernel do it the same way to avoid having to change both.
Link: https://github.com/quic/musl/blob/hexagon/arch/hexagon/syscall_arch.h#L78
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/hexagon/include/asm/syscalls.h | 6 ++++++
arch/hexagon/kernel/syscalltab.c | 7 +++++++
2 files changed, 13 insertions(+)
create mode 100644 arch/hexagon/include/asm/syscalls.h
--- /dev/null
+++ b/arch/hexagon/include/asm/syscalls.h
@@ -0,0 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+#include <asm-generic/syscalls.h>
+
+asmlinkage long sys_hexagon_fadvise64_64(int fd, int advice,
+ u32 a2, u32 a3, u32 a4, u32 a5);
--- a/arch/hexagon/kernel/syscalltab.c
+++ b/arch/hexagon/kernel/syscalltab.c
@@ -14,6 +14,13 @@
#undef __SYSCALL
#define __SYSCALL(nr, call) [nr] = (call),
+SYSCALL_DEFINE6(hexagon_fadvise64_64, int, fd, int, advice,
+ SC_ARG64(offset), SC_ARG64(len))
+{
+ return ksys_fadvise64_64(fd, SC_VAL64(loff_t, offset), SC_VAL64(loff_t, len), advice);
+}
+#define sys_fadvise64_64 sys_hexagon_fadvise64_64
+
void *sys_call_table[__NR_syscalls] = {
#include <asm/unistd.h>
};
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 333/356] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 332/356] hexagon: fix fadvise64_64 calling conventions Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 334/356] drm/amdgpu: avoid using null object of framebuffer Greg Kroah-Hartman
` (30 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Lyude Paul
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 66edf3fb331b6c55439b10f9862987b0916b3726 upstream.
In nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is
assigned to mode, which will lead to a possible NULL pointer dereference
on failure of drm_mode_duplicate(). Add a check to avoid npd.
Cc: stable@vger.kernel.org
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240625081828.2620794-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
+++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
@@ -208,6 +208,8 @@ static int nv17_tv_get_ld_modes(struct d
struct drm_display_mode *mode;
mode = drm_mode_duplicate(encoder->dev, tv_mode);
+ if (!mode)
+ continue;
mode->clock = tv_norm->tv_enc_mode.vrefresh *
mode->htotal / 1000 *
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 334/356] drm/amdgpu: avoid using null object of framebuffer
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 333/356] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 335/356] drm/i915/gt: Fix potential UAF by revoke of fence registers Greg Kroah-Hartman
` (29 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fusheng Huang, Julia Zhang,
Huang Rui, Alex Deucher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julia Zhang <julia.zhang@amd.com>
commit bcfa48ff785bd121316592b131ff6531e3e696bb upstream.
Instead of using state->fb->obj[0] directly, get object from framebuffer
by calling drm_gem_fb_get_obj() and return error code when object is
null to avoid using null object of framebuffer.
Reported-by: Fusheng Huang <fusheng.huang@ecarxgroup.com>
Signed-off-by: Julia Zhang <Julia.Zhang@amd.com>
Reviewed-by: Huang Rui <ray.huang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c
@@ -2,6 +2,7 @@
#include <drm/drm_atomic_helper.h>
#include <drm/drm_simple_kms_helper.h>
+#include <drm/drm_gem_framebuffer_helper.h>
#include <drm/drm_vblank.h>
#include "amdgpu.h"
@@ -315,7 +316,13 @@ static int amdgpu_vkms_prepare_fb(struct
return 0;
}
afb = to_amdgpu_framebuffer(new_state->fb);
- obj = new_state->fb->obj[0];
+
+ obj = drm_gem_fb_get_obj(new_state->fb, 0);
+ if (!obj) {
+ DRM_ERROR("Failed to get obj from framebuffer\n");
+ return -EINVAL;
+ }
+
rbo = gem_to_amdgpu_bo(obj);
adev = amdgpu_ttm_adev(rbo->tbo.bdev);
INIT_LIST_HEAD(&list);
@@ -364,12 +371,19 @@ static void amdgpu_vkms_cleanup_fb(struc
struct drm_plane_state *old_state)
{
struct amdgpu_bo *rbo;
+ struct drm_gem_object *obj;
int r;
if (!old_state->fb)
return;
- rbo = gem_to_amdgpu_bo(old_state->fb->obj[0]);
+ obj = drm_gem_fb_get_obj(old_state->fb, 0);
+ if (!obj) {
+ DRM_ERROR("Failed to get obj from framebuffer\n");
+ return;
+ }
+
+ rbo = gem_to_amdgpu_bo(obj);
r = amdgpu_bo_reserve(rbo, false);
if (unlikely(r)) {
DRM_ERROR("failed to reserve rbo before unpin\n");
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 335/356] drm/i915/gt: Fix potential UAF by revoke of fence registers
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 334/356] drm/amdgpu: avoid using null object of framebuffer Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 336/356] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes Greg Kroah-Hartman
` (28 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Janusz Krzysztofik, Andi Shyti,
Jani Nikula
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
commit 996c3412a06578e9d779a16b9e79ace18125ab50 upstream.
CI has been sporadically reporting the following issue triggered by
igt@i915_selftest@live@hangcheck on ADL-P and similar machines:
<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence
...
<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled
<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled
<3> [414.070354] Unable to pin Y-tiled fence; err:-4
<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))
...
<4>[ 609.603992] ------------[ cut here ]------------
<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!
<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1
<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]
<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]
...
<4>[ 609.604271] Call Trace:
<4>[ 609.604273] <TASK>
...
<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]
<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]
<4>[ 609.604977] force_unbind+0x24/0xa0 [i915]
<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]
<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]
<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]
<4>[ 609.605440] process_scheduled_works+0x351/0x690
...
In the past, there were similar failures reported by CI from other IGT
tests, observed on other platforms.
Before commit 63baf4f3d587 ("drm/i915/gt: Only wait for GPU activity
before unbinding a GGTT fence"), i915_vma_revoke_fence() was waiting for
idleness of vma->active via fence_update(). That commit introduced
vma->fence->active in order for the fence_update() to be able to wait
selectively on that one instead of vma->active since only idleness of
fence registers was needed. But then, another commit 0d86ee35097a
("drm/i915/gt: Make fence revocation unequivocal") replaced the call to
fence_update() in i915_vma_revoke_fence() with only fence_write(), and
also added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.
No justification was provided on why we might then expect idleness of
vma->fence->active without first waiting on it.
The issue can be potentially caused by a race among revocation of fence
registers on one side and sequential execution of signal callbacks invoked
on completion of a request that was using them on the other, still
processed in parallel to revocation of those fence registers. Fix it by
waiting for idleness of vma->fence->active in i915_vma_revoke_fence().
Fixes: 0d86ee35097a ("drm/i915/gt: Make fence revocation unequivocal")
Closes: https://gitlab.freedesktop.org/drm/intel/issues/10021
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Cc: stable@vger.kernel.org # v5.8+
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240603195446.297690-2-janusz.krzysztofik@linux.intel.com
(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c
+++ b/drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c
@@ -291,6 +291,7 @@ void i915_vma_revoke_fence(struct i915_v
return;
GEM_BUG_ON(fence->vma != vma);
+ i915_active_wait(&fence->active);
GEM_BUG_ON(!i915_active_is_idle(&fence->active));
GEM_BUG_ON(atomic_read(&fence->pin_count));
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 336/356] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 335/356] drm/i915/gt: Fix potential UAF by revoke of fence registers Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 337/356] batman-adv: Dont accept TT entries for out-of-spec VIDs Greg Kroah-Hartman
` (27 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Lyude Paul
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 6d411c8ccc0137a612e0044489030a194ff5c843 upstream.
In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is
assigned to mode, which will lead to a possible NULL pointer dereference
on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().
Add a check to avoid null pointer dereference.
Cc: stable@vger.kernel.org
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240625081029.2619437-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
+++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
@@ -259,6 +259,8 @@ static int nv17_tv_get_hd_modes(struct d
if (modes[i].hdisplay == output_mode->hdisplay &&
modes[i].vdisplay == output_mode->vdisplay) {
mode = drm_mode_duplicate(encoder->dev, output_mode);
+ if (!mode)
+ continue;
mode->type |= DRM_MODE_TYPE_PREFERRED;
} else {
@@ -266,6 +268,8 @@ static int nv17_tv_get_hd_modes(struct d
modes[i].vdisplay, 60, false,
(output_mode->flags &
DRM_MODE_FLAG_INTERLACE), false);
+ if (!mode)
+ continue;
}
/* CVT modes are sometimes unsuitable... */
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 337/356] batman-adv: Dont accept TT entries for out-of-spec VIDs
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 336/356] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 338/356] ata: ahci: Clean up sysfs file on error Greg Kroah-Hartman
` (26 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Lüssing, Sven Eckelmann,
Simon Wunderlich
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 537a350d14321c8cca5efbf0a33a404fec3a9f9e upstream.
The internal handling of VLAN IDs in batman-adv is only specified for
following encodings:
* VLAN is used
- bit 15 is 1
- bit 11 - bit 0 is the VLAN ID (0-4095)
- remaining bits are 0
* No VLAN is used
- bit 15 is 0
- remaining bits are 0
batman-adv was only preparing new translation table entries (based on its
soft interface information) using this encoding format. But the receive
path was never checking if entries in the roam or TT TVLVs were also
following this encoding.
It was therefore possible to create more than the expected maximum of 4096
+ 1 entries in the originator VLAN list. Simply by setting the "remaining
bits" to "random" values in corresponding TVLV.
Cc: stable@vger.kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/originator.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -11,6 +11,7 @@
#include <linux/errno.h>
#include <linux/etherdevice.h>
#include <linux/gfp.h>
+#include <linux/if_vlan.h>
#include <linux/jiffies.h>
#include <linux/kernel.h>
#include <linux/kref.h>
@@ -132,6 +133,29 @@ batadv_orig_node_vlan_get(struct batadv_
}
/**
+ * batadv_vlan_id_valid() - check if vlan id is in valid batman-adv encoding
+ * @vid: the VLAN identifier
+ *
+ * Return: true when either no vlan is set or if VLAN is in correct range,
+ * false otherwise
+ */
+static bool batadv_vlan_id_valid(unsigned short vid)
+{
+ unsigned short non_vlan = vid & ~(BATADV_VLAN_HAS_TAG | VLAN_VID_MASK);
+
+ if (vid == 0)
+ return true;
+
+ if (!(vid & BATADV_VLAN_HAS_TAG))
+ return false;
+
+ if (non_vlan)
+ return false;
+
+ return true;
+}
+
+/**
* batadv_orig_node_vlan_new() - search and possibly create an orig_node_vlan
* object
* @orig_node: the originator serving the VLAN
@@ -149,6 +173,9 @@ batadv_orig_node_vlan_new(struct batadv_
{
struct batadv_orig_node_vlan *vlan;
+ if (!batadv_vlan_id_valid(vid))
+ return NULL;
+
spin_lock_bh(&orig_node->vlan_list_lock);
/* first look if an object for this vid already exists */
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 338/356] ata: ahci: Clean up sysfs file on error
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 337/356] batman-adv: Dont accept TT entries for out-of-spec VIDs Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 339/356] ata: libata-core: Fix double free " Greg Kroah-Hartman
` (25 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Hannes Reinecke,
Niklas Cassel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
commit eeb25a09c5e0805d92e4ebd12c4b0ad0df1b0295 upstream.
.probe() (ahci_init_one()) calls sysfs_add_file_to_group(), however,
if probe() fails after this call, we currently never call
sysfs_remove_file_from_group().
(The sysfs_remove_file_from_group() call in .remove() (ahci_remove_one())
does not help, as .remove() is not called on .probe() error.)
Thus, if probe() fails after the sysfs_add_file_to_group() call, the next
time we insmod the module we will get:
sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:04.0/remapped_nvme'
CPU: 11 PID: 954 Comm: modprobe Not tainted 6.10.0-rc5 #43
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
sysfs_warn_dup.cold+0x17/0x23
sysfs_add_file_mode_ns+0x11a/0x130
sysfs_add_file_to_group+0x7e/0xc0
ahci_init_one+0x31f/0xd40 [ahci]
Fixes: 894fba7f434a ("ata: ahci: Add sysfs attribute to show remapped NVMe device count")
Cc: stable@vger.kernel.org
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Link: https://lore.kernel.org/r/20240629124210.181537-10-cassel@kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/ahci.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -1897,8 +1897,10 @@ static int ahci_init_one(struct pci_dev
n_ports = max(ahci_nr_ports(hpriv->cap), fls(hpriv->port_map));
host = ata_host_alloc_pinfo(&pdev->dev, ppi, n_ports);
- if (!host)
- return -ENOMEM;
+ if (!host) {
+ rc = -ENOMEM;
+ goto err_rm_sysfs_file;
+ }
host->private_data = hpriv;
if (ahci_init_msi(pdev, n_ports, hpriv) < 0) {
@@ -1951,11 +1953,11 @@ static int ahci_init_one(struct pci_dev
/* initialize adapter */
rc = ahci_configure_dma_masks(pdev, hpriv);
if (rc)
- return rc;
+ goto err_rm_sysfs_file;
rc = ahci_pci_reset_controller(host);
if (rc)
- return rc;
+ goto err_rm_sysfs_file;
ahci_pci_init_controller(host);
ahci_pci_print_info(host);
@@ -1964,10 +1966,15 @@ static int ahci_init_one(struct pci_dev
rc = ahci_host_activate(host, &ahci_sht);
if (rc)
- return rc;
+ goto err_rm_sysfs_file;
pm_runtime_put_noidle(&pdev->dev);
return 0;
+
+err_rm_sysfs_file:
+ sysfs_remove_file_from_group(&pdev->dev.kobj,
+ &dev_attr_remapped_nvme.attr, NULL);
+ return rc;
}
static void ahci_shutdown_one(struct pci_dev *pdev)
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 339/356] ata: libata-core: Fix double free on error
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 338/356] ata: ahci: Clean up sysfs file on error Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 340/356] ftruncate: pass a signed offset Greg Kroah-Hartman
` (24 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Hannes Reinecke,
Niklas Cassel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
commit ab9e0c529eb7cafebdd31fe1644524e80a48b05d upstream.
If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump
to the err_out label, which will call devres_release_group().
devres_release_group() will trigger a call to ata_host_release().
ata_host_release() calls kfree(host), so executing the kfree(host) in
ata_host_alloc() will lead to a double free:
kernel BUG at mm/slub.c:553!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:kfree+0x2cf/0x2f0
Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da
RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246
RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320
RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0
RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780
R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006
FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die_body.cold+0x19/0x27
? die+0x2e/0x50
? do_trap+0xca/0x110
? do_error_trap+0x6a/0x90
? kfree+0x2cf/0x2f0
? exc_invalid_op+0x50/0x70
? kfree+0x2cf/0x2f0
? asm_exc_invalid_op+0x1a/0x20
? ata_host_alloc+0xf5/0x120 [libata]
? ata_host_alloc+0xf5/0x120 [libata]
? kfree+0x2cf/0x2f0
ata_host_alloc+0xf5/0x120 [libata]
ata_host_alloc_pinfo+0x14/0xa0 [libata]
ahci_init_one+0x6c9/0xd20 [ahci]
Ensure that we will not call kfree(host) twice, by performing the kfree()
only if the devres_open_group() call failed.
Fixes: dafd6c496381 ("libata: ensure host is free'd on error exit paths")
Cc: stable@vger.kernel.org
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Link: https://lore.kernel.org/r/20240629124210.181537-9-cassel@kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-core.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -5445,8 +5445,10 @@ struct ata_host *ata_host_alloc(struct d
if (!host)
return NULL;
- if (!devres_open_group(dev, NULL, GFP_KERNEL))
- goto err_free;
+ if (!devres_open_group(dev, NULL, GFP_KERNEL)) {
+ kfree(host);
+ return NULL;
+ }
dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
if (!dr)
@@ -5478,8 +5480,6 @@ struct ata_host *ata_host_alloc(struct d
err_out:
devres_release_group(dev, NULL);
- err_free:
- kfree(host);
return NULL;
}
EXPORT_SYMBOL_GPL(ata_host_alloc);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 340/356] ftruncate: pass a signed offset
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 339/356] ata: libata-core: Fix double free " Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 341/356] syscalls: fix compat_sys_io_pgetevents_time64 usage Greg Kroah-Hartman
` (23 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner, Arnd Bergmann
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 4b8e88e563b5f666446d002ad0dc1e6e8e7102b0 upstream.
The old ftruncate() syscall, using the 32-bit off_t misses a sign
extension when called in compat mode on 64-bit architectures. As a
result, passing a negative length accidentally succeeds in truncating
to file size between 2GiB and 4GiB.
Changing the type of the compat syscall to the signed compat_off_t
changes the behavior so it instead returns -EINVAL.
The native entry point, the truncate() syscall and the corresponding
loff_t based variants are all correct already and do not suffer
from this mistake.
Fixes: 3f6d078d4acc ("fix compat truncate/ftruncate")
Reviewed-by: Christian Brauner <brauner@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/open.c | 4 ++--
include/linux/compat.h | 2 +-
include/linux/syscalls.h | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
--- a/fs/open.c
+++ b/fs/open.c
@@ -199,13 +199,13 @@ out:
return error;
}
-SYSCALL_DEFINE2(ftruncate, unsigned int, fd, unsigned long, length)
+SYSCALL_DEFINE2(ftruncate, unsigned int, fd, off_t, length)
{
return do_sys_ftruncate(fd, length, 1);
}
#ifdef CONFIG_COMPAT
-COMPAT_SYSCALL_DEFINE2(ftruncate, unsigned int, fd, compat_ulong_t, length)
+COMPAT_SYSCALL_DEFINE2(ftruncate, unsigned int, fd, compat_off_t, length)
{
return do_sys_ftruncate(fd, length, 1);
}
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -590,7 +590,7 @@ asmlinkage long compat_sys_fstatfs(unsig
asmlinkage long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz,
struct compat_statfs64 __user *buf);
asmlinkage long compat_sys_truncate(const char __user *, compat_off_t);
-asmlinkage long compat_sys_ftruncate(unsigned int, compat_ulong_t);
+asmlinkage long compat_sys_ftruncate(unsigned int, compat_off_t);
/* No generic prototype for truncate64, ftruncate64, fallocate */
asmlinkage long compat_sys_openat(int dfd, const char __user *filename,
int flags, umode_t mode);
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -453,7 +453,7 @@ asmlinkage long sys_fstatfs(unsigned int
asmlinkage long sys_fstatfs64(unsigned int fd, size_t sz,
struct statfs64 __user *buf);
asmlinkage long sys_truncate(const char __user *path, long length);
-asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length);
+asmlinkage long sys_ftruncate(unsigned int fd, off_t length);
#if BITS_PER_LONG == 32
asmlinkage long sys_truncate64(const char __user *path, loff_t length);
asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 341/356] syscalls: fix compat_sys_io_pgetevents_time64 usage
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 340/356] ftruncate: pass a signed offset Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 342/356] syscalls: fix sys_fanotify_mark prototype Greg Kroah-Hartman
` (22 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Heiko Carstens
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit d3882564a77c21eb746ba5364f3fa89b88de3d61 upstream.
Using sys_io_pgetevents() as the entry point for compat mode tasks
works almost correctly, but misses the sign extension for the min_nr
and nr arguments.
This was addressed on parisc by switching to
compat_sys_io_pgetevents_time64() in commit 6431e92fc827 ("parisc:
io_pgetevents_time64() needs compat syscall in 32-bit compat mode"),
as well as by using more sophisticated system call wrappers on x86 and
s390. However, arm64, mips, powerpc, sparc and riscv still have the
same bug.
Change all of them over to use compat_sys_io_pgetevents_time64()
like parisc already does. This was clearly the intention when the
function was originally added, but it got hooked up incorrectly in
the tables.
Cc: stable@vger.kernel.org
Fixes: 48166e6ea47d ("y2038: add 64-bit time_t syscalls to all 32-bit architectures")
Acked-by: Heiko Carstens <hca@linux.ibm.com> # s390
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/unistd32.h | 2 +-
arch/mips/kernel/syscalls/syscall_n32.tbl | 2 +-
arch/mips/kernel/syscalls/syscall_o32.tbl | 2 +-
arch/powerpc/kernel/syscalls/syscall.tbl | 2 +-
arch/s390/kernel/syscalls/syscall.tbl | 2 +-
arch/sparc/kernel/syscalls/syscall.tbl | 2 +-
arch/x86/entry/syscalls/syscall_32.tbl | 2 +-
include/uapi/asm-generic/unistd.h | 2 +-
kernel/sys_ni.c | 2 +-
9 files changed, 9 insertions(+), 9 deletions(-)
--- a/arch/arm64/include/asm/unistd32.h
+++ b/arch/arm64/include/asm/unistd32.h
@@ -840,7 +840,7 @@ __SYSCALL(__NR_pselect6_time64, compat_s
#define __NR_ppoll_time64 414
__SYSCALL(__NR_ppoll_time64, compat_sys_ppoll_time64)
#define __NR_io_pgetevents_time64 416
-__SYSCALL(__NR_io_pgetevents_time64, sys_io_pgetevents)
+__SYSCALL(__NR_io_pgetevents_time64, compat_sys_io_pgetevents_time64)
#define __NR_recvmmsg_time64 417
__SYSCALL(__NR_recvmmsg_time64, compat_sys_recvmmsg_time64)
#define __NR_mq_timedsend_time64 418
--- a/arch/mips/kernel/syscalls/syscall_n32.tbl
+++ b/arch/mips/kernel/syscalls/syscall_n32.tbl
@@ -354,7 +354,7 @@
412 n32 utimensat_time64 sys_utimensat
413 n32 pselect6_time64 compat_sys_pselect6_time64
414 n32 ppoll_time64 compat_sys_ppoll_time64
-416 n32 io_pgetevents_time64 sys_io_pgetevents
+416 n32 io_pgetevents_time64 compat_sys_io_pgetevents_time64
417 n32 recvmmsg_time64 compat_sys_recvmmsg_time64
418 n32 mq_timedsend_time64 sys_mq_timedsend
419 n32 mq_timedreceive_time64 sys_mq_timedreceive
--- a/arch/mips/kernel/syscalls/syscall_o32.tbl
+++ b/arch/mips/kernel/syscalls/syscall_o32.tbl
@@ -403,7 +403,7 @@
412 o32 utimensat_time64 sys_utimensat sys_utimensat
413 o32 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64
414 o32 ppoll_time64 sys_ppoll compat_sys_ppoll_time64
-416 o32 io_pgetevents_time64 sys_io_pgetevents sys_io_pgetevents
+416 o32 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64
417 o32 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64
418 o32 mq_timedsend_time64 sys_mq_timedsend sys_mq_timedsend
419 o32 mq_timedreceive_time64 sys_mq_timedreceive sys_mq_timedreceive
--- a/arch/powerpc/kernel/syscalls/syscall.tbl
+++ b/arch/powerpc/kernel/syscalls/syscall.tbl
@@ -495,7 +495,7 @@
412 32 utimensat_time64 sys_utimensat sys_utimensat
413 32 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64
414 32 ppoll_time64 sys_ppoll compat_sys_ppoll_time64
-416 32 io_pgetevents_time64 sys_io_pgetevents sys_io_pgetevents
+416 32 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64
417 32 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64
418 32 mq_timedsend_time64 sys_mq_timedsend sys_mq_timedsend
419 32 mq_timedreceive_time64 sys_mq_timedreceive sys_mq_timedreceive
--- a/arch/s390/kernel/syscalls/syscall.tbl
+++ b/arch/s390/kernel/syscalls/syscall.tbl
@@ -418,7 +418,7 @@
412 32 utimensat_time64 - sys_utimensat
413 32 pselect6_time64 - compat_sys_pselect6_time64
414 32 ppoll_time64 - compat_sys_ppoll_time64
-416 32 io_pgetevents_time64 - sys_io_pgetevents
+416 32 io_pgetevents_time64 - compat_sys_io_pgetevents_time64
417 32 recvmmsg_time64 - compat_sys_recvmmsg_time64
418 32 mq_timedsend_time64 - sys_mq_timedsend
419 32 mq_timedreceive_time64 - sys_mq_timedreceive
--- a/arch/sparc/kernel/syscalls/syscall.tbl
+++ b/arch/sparc/kernel/syscalls/syscall.tbl
@@ -461,7 +461,7 @@
412 32 utimensat_time64 sys_utimensat sys_utimensat
413 32 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64
414 32 ppoll_time64 sys_ppoll compat_sys_ppoll_time64
-416 32 io_pgetevents_time64 sys_io_pgetevents sys_io_pgetevents
+416 32 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64
417 32 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64
418 32 mq_timedsend_time64 sys_mq_timedsend sys_mq_timedsend
419 32 mq_timedreceive_time64 sys_mq_timedreceive sys_mq_timedreceive
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -420,7 +420,7 @@
412 i386 utimensat_time64 sys_utimensat
413 i386 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64
414 i386 ppoll_time64 sys_ppoll compat_sys_ppoll_time64
-416 i386 io_pgetevents_time64 sys_io_pgetevents
+416 i386 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64
417 i386 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64
418 i386 mq_timedsend_time64 sys_mq_timedsend
419 i386 mq_timedreceive_time64 sys_mq_timedreceive
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -805,7 +805,7 @@ __SC_COMP(__NR_pselect6_time64, sys_psel
#define __NR_ppoll_time64 414
__SC_COMP(__NR_ppoll_time64, sys_ppoll, compat_sys_ppoll_time64)
#define __NR_io_pgetevents_time64 416
-__SYSCALL(__NR_io_pgetevents_time64, sys_io_pgetevents)
+__SC_COMP(__NR_io_pgetevents_time64, sys_io_pgetevents, compat_sys_io_pgetevents_time64)
#define __NR_recvmmsg_time64 417
__SC_COMP(__NR_recvmmsg_time64, sys_recvmmsg, compat_sys_recvmmsg_time64)
#define __NR_mq_timedsend_time64 418
--- a/kernel/sys_ni.c
+++ b/kernel/sys_ni.c
@@ -46,8 +46,8 @@ COND_SYSCALL(io_getevents_time32);
COND_SYSCALL(io_getevents);
COND_SYSCALL(io_pgetevents_time32);
COND_SYSCALL(io_pgetevents);
-COND_SYSCALL_COMPAT(io_pgetevents_time32);
COND_SYSCALL_COMPAT(io_pgetevents);
+COND_SYSCALL_COMPAT(io_pgetevents_time64);
COND_SYSCALL(io_uring_setup);
COND_SYSCALL(io_uring_enter);
COND_SYSCALL(io_uring_register);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 342/356] syscalls: fix sys_fanotify_mark prototype
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 341/356] syscalls: fix compat_sys_io_pgetevents_time64 usage Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 343/356] pwm: stm32: Refuse too small period requests Greg Kroah-Hartman
` (21 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Geert Uytterhoeven,
kernel test robot, Arnd Bergmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 63e2f40c9e3187641afacde4153f54b3ee4dbc8c ]
My earlier fix missed an incorrect function prototype that shows up on
native 32-bit builds:
In file included from fs/notify/fanotify/fanotify_user.c:14:
include/linux/syscalls.h:248:25: error: conflicting types for 'sys_fanotify_mark'; have 'long int(int, unsigned int, u32, u32, int, const char *)' {aka 'long int(int, unsigned int, unsigned int, unsigned int, int, const char *)'}
1924 | SYSCALL32_DEFINE6(fanotify_mark,
| ^~~~~~~~~~~~~~~~~
include/linux/syscalls.h:862:17: note: previous declaration of 'sys_fanotify_mark' with type 'long int(int, unsigned int, u64, int, const char *)' {aka 'long int(int, unsigned int, long long unsigned int, int, const char *)'}
On x86 and powerpc, the prototype is also wrong but hidden in an #ifdef,
so it never caused problems.
Add another alternative declaration that matches the conditional function
definition.
Fixes: 403f17a33073 ("parisc: use generic sys_fanotify_mark implementation")
Cc: stable@vger.kernel.org
Reported-by: Guenter Roeck <linux@roeck-us.net>
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/syscalls.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index fed3d440b6548..b8037a46ff41d 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -959,9 +959,15 @@ asmlinkage long sys_prlimit64(pid_t pid, unsigned int resource,
const struct rlimit64 __user *new_rlim,
struct rlimit64 __user *old_rlim);
asmlinkage long sys_fanotify_init(unsigned int flags, unsigned int event_f_flags);
+#if defined(CONFIG_ARCH_SPLIT_ARG64)
+asmlinkage long sys_fanotify_mark(int fanotify_fd, unsigned int flags,
+ unsigned int mask_1, unsigned int mask_2,
+ int dfd, const char __user * pathname);
+#else
asmlinkage long sys_fanotify_mark(int fanotify_fd, unsigned int flags,
u64 mask, int fd,
const char __user *pathname);
+#endif
asmlinkage long sys_name_to_handle_at(int dfd, const char __user *name,
struct file_handle __user *handle,
int __user *mnt_id, int flag);
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 343/356] pwm: stm32: Refuse too small period requests
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 342/356] syscalls: fix sys_fanotify_mark prototype Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 344/356] nfs: Leave pages in the pagecache if readpage failed Greg Kroah-Hartman
` (20 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trevor Gamblin,
Uwe Kleine-König, Uwe Kleine-König
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
commit c45fcf46ca2368dafe7e5c513a711a6f0f974308 upstream.
If period_ns is small, prd might well become 0. Catch that case because
otherwise with
regmap_write(priv->regmap, TIM_ARR, prd - 1);
a few lines down quite a big period is configured.
Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm")
Cc: stable@vger.kernel.org
Reviewed-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/b86f62f099983646f97eeb6bfc0117bb2d0c340d.1718979150.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/pwm-stm32.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/pwm/pwm-stm32.c
+++ b/drivers/pwm/pwm-stm32.c
@@ -340,6 +340,9 @@ static int stm32_pwm_config(struct stm32
prd = div;
+ if (!prd)
+ return -EINVAL;
+
if (prescaler > MAX_TIM_PSC)
return -EINVAL;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 344/356] nfs: Leave pages in the pagecache if readpage failed
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 343/356] pwm: stm32: Refuse too small period requests Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 345/356] ipv6: annotate some data-races around sk->sk_prot Greg Kroah-Hartman
` (19 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Kuniyuki Iwashima
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
commit 0b768a9610c6de9811c6d33900bebfb665192ee1 upstream.
The pagecache handles readpage failing by itself; it doesn't want
filesystems to remove pages from under it.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/read.c | 4 ----
1 file changed, 4 deletions(-)
--- a/fs/nfs/read.c
+++ b/fs/nfs/read.c
@@ -120,12 +120,8 @@ static void nfs_readpage_release(struct
if (nfs_error_is_fatal_on_server(error) && error != -ETIMEDOUT)
SetPageError(page);
if (nfs_page_group_sync_on_bit(req, PG_UNLOCKPAGE)) {
- struct address_space *mapping = page_file_mapping(page);
-
if (PageUptodate(page))
nfs_readpage_to_fscache(inode, page, 0);
- else if (!PageError(page) && !PagePrivate(page))
- generic_error_remove_page(mapping, page);
unlock_page(page);
}
nfs_release_request(req);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 345/356] ipv6: annotate some data-races around sk->sk_prot
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 344/356] nfs: Leave pages in the pagecache if readpage failed Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 346/356] ipv6: Fix data races " Greg Kroah-Hartman
` (18 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
David S. Miller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 086d49058cd8471046ae9927524708820f5fd1c7 upstream.
IPv6 has this hack changing sk->sk_prot when an IPv6 socket
is 'converted' to an IPv4 one with IPV6_ADDRFORM option.
This operation is only performed for TCP and UDP, knowing
their 'struct proto' for the two network families are populated
in the same way, and can not disappear while a reader
might use and dereference sk->sk_prot.
If we think about it all reads of sk->sk_prot while
either socket lock or RTNL is not acquired should be using READ_ONCE().
Also note that other layers like MPTCP, XFRM, CHELSIO_TLS also
write over sk->sk_prot.
BUG: KCSAN: data-race in inet6_recvmsg / ipv6_setsockopt
write to 0xffff8881386f7aa8 of 8 bytes by task 26932 on cpu 0:
do_ipv6_setsockopt net/ipv6/ipv6_sockglue.c:492 [inline]
ipv6_setsockopt+0x3758/0x3910 net/ipv6/ipv6_sockglue.c:1019
udpv6_setsockopt+0x85/0x90 net/ipv6/udp.c:1649
sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3489
__sys_setsockopt+0x209/0x2a0 net/socket.c:2180
__do_sys_setsockopt net/socket.c:2191 [inline]
__se_sys_setsockopt net/socket.c:2188 [inline]
__x64_sys_setsockopt+0x62/0x70 net/socket.c:2188
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffff8881386f7aa8 of 8 bytes by task 26911 on cpu 1:
inet6_recvmsg+0x7a/0x210 net/ipv6/af_inet6.c:659
____sys_recvmsg+0x16c/0x320
___sys_recvmsg net/socket.c:2674 [inline]
do_recvmmsg+0x3f5/0xae0 net/socket.c:2768
__sys_recvmmsg net/socket.c:2847 [inline]
__do_sys_recvmmsg net/socket.c:2870 [inline]
__se_sys_recvmmsg net/socket.c:2863 [inline]
__x64_sys_recvmmsg+0xde/0x160 net/socket.c:2863
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0xffffffff85e0e980 -> 0xffffffff85e01580
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 26911 Comm: syz-executor.3 Not tainted 5.17.0-rc2-syzkaller-00316-g0457e5153e0e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/af_inet6.c | 24 ++++++++++++++++++------
net/ipv6/ipv6_sockglue.c | 6 ++++--
2 files changed, 22 insertions(+), 8 deletions(-)
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -452,11 +452,14 @@ int inet6_bind(struct socket *sock, stru
{
struct sock *sk = sock->sk;
u32 flags = BIND_WITH_LOCK;
+ const struct proto *prot;
int err = 0;
+ /* IPV6_ADDRFORM can change sk->sk_prot under us. */
+ prot = READ_ONCE(sk->sk_prot);
/* If the socket has its own bind function then use it. */
- if (sk->sk_prot->bind)
- return sk->sk_prot->bind(sk, uaddr, addr_len);
+ if (prot->bind)
+ return prot->bind(sk, uaddr, addr_len);
if (addr_len < SIN6_LEN_RFC2133)
return -EINVAL;
@@ -572,6 +575,7 @@ int inet6_ioctl(struct socket *sock, uns
void __user *argp = (void __user *)arg;
struct sock *sk = sock->sk;
struct net *net = sock_net(sk);
+ const struct proto *prot;
switch (cmd) {
case SIOCADDRT:
@@ -589,9 +593,11 @@ int inet6_ioctl(struct socket *sock, uns
case SIOCSIFDSTADDR:
return addrconf_set_dstaddr(net, argp);
default:
- if (!sk->sk_prot->ioctl)
+ /* IPV6_ADDRFORM can change sk->sk_prot under us. */
+ prot = READ_ONCE(sk->sk_prot);
+ if (!prot->ioctl)
return -ENOIOCTLCMD;
- return sk->sk_prot->ioctl(sk, cmd, arg);
+ return prot->ioctl(sk, cmd, arg);
}
/*NOTREACHED*/
return 0;
@@ -653,11 +659,14 @@ INDIRECT_CALLABLE_DECLARE(int udpv6_send
int inet6_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
{
struct sock *sk = sock->sk;
+ const struct proto *prot;
if (unlikely(inet_send_prepare(sk)))
return -EAGAIN;
- return INDIRECT_CALL_2(sk->sk_prot->sendmsg, tcp_sendmsg, udpv6_sendmsg,
+ /* IPV6_ADDRFORM can change sk->sk_prot under us. */
+ prot = READ_ONCE(sk->sk_prot);
+ return INDIRECT_CALL_2(prot->sendmsg, tcp_sendmsg, udpv6_sendmsg,
sk, msg, size);
}
@@ -667,13 +676,16 @@ int inet6_recvmsg(struct socket *sock, s
int flags)
{
struct sock *sk = sock->sk;
+ const struct proto *prot;
int addr_len = 0;
int err;
if (likely(!(flags & MSG_ERRQUEUE)))
sock_rps_record_flow(sk);
- err = INDIRECT_CALL_2(sk->sk_prot->recvmsg, tcp_recvmsg, udpv6_recvmsg,
+ /* IPV6_ADDRFORM can change sk->sk_prot under us. */
+ prot = READ_ONCE(sk->sk_prot);
+ err = INDIRECT_CALL_2(prot->recvmsg, tcp_recvmsg, udpv6_recvmsg,
sk, msg, size, flags & MSG_DONTWAIT,
flags & ~MSG_DONTWAIT, &addr_len);
if (err >= 0)
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -475,7 +475,8 @@ static int do_ipv6_setsockopt(struct soc
sock_prot_inuse_add(net, sk->sk_prot, -1);
sock_prot_inuse_add(net, &tcp_prot, 1);
- sk->sk_prot = &tcp_prot;
+ /* Paired with READ_ONCE(sk->sk_prot) in net/ipv6/af_inet6.c */
+ WRITE_ONCE(sk->sk_prot, &tcp_prot);
icsk->icsk_af_ops = &ipv4_specific;
sk->sk_socket->ops = &inet_stream_ops;
sk->sk_family = PF_INET;
@@ -489,7 +490,8 @@ static int do_ipv6_setsockopt(struct soc
sock_prot_inuse_add(net, sk->sk_prot, -1);
sock_prot_inuse_add(net, prot, 1);
- sk->sk_prot = prot;
+ /* Paired with READ_ONCE(sk->sk_prot) in net/ipv6/af_inet6.c */
+ WRITE_ONCE(sk->sk_prot, prot);
sk->sk_socket->ops = &inet_dgram_ops;
sk->sk_family = PF_INET;
}
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 346/356] ipv6: Fix data races around sk->sk_prot.
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 345/356] ipv6: annotate some data-races around sk->sk_prot Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 347/356] tcp: Fix data races around icsk->icsk_af_ops Greg Kroah-Hartman
` (17 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
commit 364f997b5cfe1db0d63a390fe7c801fa2b3115f6 upstream.
Commit 086d49058cd8 ("ipv6: annotate some data-races around sk->sk_prot")
fixed some data-races around sk->sk_prot but it was not enough.
Some functions in inet6_(stream|dgram)_ops still access sk->sk_prot
without lock_sock() or rtnl_lock(), so they need READ_ONCE() to avoid
load tearing.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/sock.c | 6 ++++--
net/ipv4/af_inet.c | 23 ++++++++++++++++-------
net/ipv6/ipv6_sockglue.c | 4 ++--
3 files changed, 22 insertions(+), 11 deletions(-)
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3413,7 +3413,8 @@ int sock_common_getsockopt(struct socket
{
struct sock *sk = sock->sk;
- return sk->sk_prot->getsockopt(sk, level, optname, optval, optlen);
+ /* IPV6_ADDRFORM can change sk->sk_prot under us. */
+ return READ_ONCE(sk->sk_prot)->getsockopt(sk, level, optname, optval, optlen);
}
EXPORT_SYMBOL(sock_common_getsockopt);
@@ -3440,7 +3441,8 @@ int sock_common_setsockopt(struct socket
{
struct sock *sk = sock->sk;
- return sk->sk_prot->setsockopt(sk, level, optname, optval, optlen);
+ /* IPV6_ADDRFORM can change sk->sk_prot under us. */
+ return READ_ONCE(sk->sk_prot)->setsockopt(sk, level, optname, optval, optlen);
}
EXPORT_SYMBOL(sock_common_setsockopt);
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -565,22 +565,27 @@ int inet_dgram_connect(struct socket *so
int addr_len, int flags)
{
struct sock *sk = sock->sk;
+ const struct proto *prot;
int err;
if (addr_len < sizeof(uaddr->sa_family))
return -EINVAL;
+
+ /* IPV6_ADDRFORM can change sk->sk_prot under us. */
+ prot = READ_ONCE(sk->sk_prot);
+
if (uaddr->sa_family == AF_UNSPEC)
- return sk->sk_prot->disconnect(sk, flags);
+ return prot->disconnect(sk, flags);
if (BPF_CGROUP_PRE_CONNECT_ENABLED(sk)) {
- err = sk->sk_prot->pre_connect(sk, uaddr, addr_len);
+ err = prot->pre_connect(sk, uaddr, addr_len);
if (err)
return err;
}
if (data_race(!inet_sk(sk)->inet_num) && inet_autobind(sk))
return -EAGAIN;
- return sk->sk_prot->connect(sk, uaddr, addr_len);
+ return prot->connect(sk, uaddr, addr_len);
}
EXPORT_SYMBOL(inet_dgram_connect);
@@ -743,10 +748,11 @@ EXPORT_SYMBOL(inet_stream_connect);
int inet_accept(struct socket *sock, struct socket *newsock, int flags,
bool kern)
{
- struct sock *sk1 = sock->sk;
+ struct sock *sk1 = sock->sk, *sk2;
int err = -EINVAL;
- struct sock *sk2 = sk1->sk_prot->accept(sk1, flags, &err, kern);
+ /* IPV6_ADDRFORM can change sk->sk_prot under us. */
+ sk2 = READ_ONCE(sk1->sk_prot)->accept(sk1, flags, &err, kern);
if (!sk2)
goto do_err;
@@ -834,12 +840,15 @@ ssize_t inet_sendpage(struct socket *soc
size_t size, int flags)
{
struct sock *sk = sock->sk;
+ const struct proto *prot;
if (unlikely(inet_send_prepare(sk)))
return -EAGAIN;
- if (sk->sk_prot->sendpage)
- return sk->sk_prot->sendpage(sk, page, offset, size, flags);
+ /* IPV6_ADDRFORM can change sk->sk_prot under us. */
+ prot = READ_ONCE(sk->sk_prot);
+ if (prot->sendpage)
+ return prot->sendpage(sk, page, offset, size, flags);
return sock_no_sendpage(sock, page, offset, size, flags);
}
EXPORT_SYMBOL(inet_sendpage);
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -475,7 +475,7 @@ static int do_ipv6_setsockopt(struct soc
sock_prot_inuse_add(net, sk->sk_prot, -1);
sock_prot_inuse_add(net, &tcp_prot, 1);
- /* Paired with READ_ONCE(sk->sk_prot) in net/ipv6/af_inet6.c */
+ /* Paired with READ_ONCE(sk->sk_prot) in inet6_stream_ops */
WRITE_ONCE(sk->sk_prot, &tcp_prot);
icsk->icsk_af_ops = &ipv4_specific;
sk->sk_socket->ops = &inet_stream_ops;
@@ -490,7 +490,7 @@ static int do_ipv6_setsockopt(struct soc
sock_prot_inuse_add(net, sk->sk_prot, -1);
sock_prot_inuse_add(net, prot, 1);
- /* Paired with READ_ONCE(sk->sk_prot) in net/ipv6/af_inet6.c */
+ /* Paired with READ_ONCE(sk->sk_prot) in inet6_dgram_ops */
WRITE_ONCE(sk->sk_prot, prot);
sk->sk_socket->ops = &inet_dgram_ops;
sk->sk_family = PF_INET;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 347/356] tcp: Fix data races around icsk->icsk_af_ops.
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 346/356] ipv6: Fix data races " Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 348/356] drivers: fix typo in firmware/efi/memmap.c Greg Kroah-Hartman
` (16 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
Kuniyuki Iwashima, Jakub Kicinski, Kazunori Kobayashi
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
commit f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57 upstream.
setsockopt(IPV6_ADDRFORM) and tcp_v6_connect() change icsk->icsk_af_ops
under lock_sock(), but tcp_(get|set)sockopt() read it locklessly. To
avoid load/store tearing, we need to add READ_ONCE() and WRITE_ONCE()
for the reads and writes.
Thanks to Eric Dumazet for providing the syzbot report:
BUG: KCSAN: data-race in tcp_setsockopt / tcp_v6_connect
write to 0xffff88813c624518 of 8 bytes by task 23936 on cpu 0:
tcp_v6_connect+0x5b3/0xce0 net/ipv6/tcp_ipv6.c:240
__inet_stream_connect+0x159/0x6d0 net/ipv4/af_inet.c:660
inet_stream_connect+0x44/0x70 net/ipv4/af_inet.c:724
__sys_connect_file net/socket.c:1976 [inline]
__sys_connect+0x197/0x1b0 net/socket.c:1993
__do_sys_connect net/socket.c:2003 [inline]
__se_sys_connect net/socket.c:2000 [inline]
__x64_sys_connect+0x3d/0x50 net/socket.c:2000
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read to 0xffff88813c624518 of 8 bytes by task 23937 on cpu 1:
tcp_setsockopt+0x147/0x1c80 net/ipv4/tcp.c:3789
sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3585
__sys_setsockopt+0x212/0x2b0 net/socket.c:2252
__do_sys_setsockopt net/socket.c:2263 [inline]
__se_sys_setsockopt net/socket.c:2260 [inline]
__x64_sys_setsockopt+0x62/0x70 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0xffffffff8539af68 -> 0xffffffff8539aff8
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 23937 Comm: syz-executor.5 Not tainted
6.0.0-rc4-syzkaller-00331-g4ed9c1e971b1-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 08/26/2022
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Kazunori Kobayashi <kazunori.kobayashi@miraclelinux.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp.c | 10 ++++++----
net/ipv6/ipv6_sockglue.c | 3 ++-
net/ipv6/tcp_ipv6.c | 6 ++++--
3 files changed, 12 insertions(+), 7 deletions(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3708,8 +3708,9 @@ int tcp_setsockopt(struct sock *sk, int
const struct inet_connection_sock *icsk = inet_csk(sk);
if (level != SOL_TCP)
- return icsk->icsk_af_ops->setsockopt(sk, level, optname,
- optval, optlen);
+ /* Paired with WRITE_ONCE() in do_ipv6_setsockopt() and tcp_v6_connect() */
+ return READ_ONCE(icsk->icsk_af_ops)->setsockopt(sk, level, optname,
+ optval, optlen);
return do_tcp_setsockopt(sk, level, optname, optval, optlen);
}
EXPORT_SYMBOL(tcp_setsockopt);
@@ -4307,8 +4308,9 @@ int tcp_getsockopt(struct sock *sk, int
struct inet_connection_sock *icsk = inet_csk(sk);
if (level != SOL_TCP)
- return icsk->icsk_af_ops->getsockopt(sk, level, optname,
- optval, optlen);
+ /* Paired with WRITE_ONCE() in do_ipv6_setsockopt() and tcp_v6_connect() */
+ return READ_ONCE(icsk->icsk_af_ops)->getsockopt(sk, level, optname,
+ optval, optlen);
return do_tcp_getsockopt(sk, level, optname, optval, optlen);
}
EXPORT_SYMBOL(tcp_getsockopt);
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -477,7 +477,8 @@ static int do_ipv6_setsockopt(struct soc
/* Paired with READ_ONCE(sk->sk_prot) in inet6_stream_ops */
WRITE_ONCE(sk->sk_prot, &tcp_prot);
- icsk->icsk_af_ops = &ipv4_specific;
+ /* Paired with READ_ONCE() in tcp_(get|set)sockopt() */
+ WRITE_ONCE(icsk->icsk_af_ops, &ipv4_specific);
sk->sk_socket->ops = &inet_stream_ops;
sk->sk_family = PF_INET;
tcp_sync_mss(sk, icsk->icsk_pmtu_cookie);
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -237,7 +237,8 @@ static int tcp_v6_connect(struct sock *s
sin.sin_port = usin->sin6_port;
sin.sin_addr.s_addr = usin->sin6_addr.s6_addr32[3];
- icsk->icsk_af_ops = &ipv6_mapped;
+ /* Paired with READ_ONCE() in tcp_(get|set)sockopt() */
+ WRITE_ONCE(icsk->icsk_af_ops, &ipv6_mapped);
if (sk_is_mptcp(sk))
mptcpv6_handle_mapped(sk, true);
sk->sk_backlog_rcv = tcp_v4_do_rcv;
@@ -249,7 +250,8 @@ static int tcp_v6_connect(struct sock *s
if (err) {
icsk->icsk_ext_hdr_len = exthdrlen;
- icsk->icsk_af_ops = &ipv6_specific;
+ /* Paired with READ_ONCE() in tcp_(get|set)sockopt() */
+ WRITE_ONCE(icsk->icsk_af_ops, &ipv6_specific);
if (sk_is_mptcp(sk))
mptcpv6_handle_mapped(sk, false);
sk->sk_backlog_rcv = tcp_v6_do_rcv;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 348/356] drivers: fix typo in firmware/efi/memmap.c
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 347/356] tcp: Fix data races around icsk->icsk_af_ops Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 349/356] efi: Correct comment on efi_memmap_alloc Greg Kroah-Hartman
` (15 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zheng Zhi Yuan, Ard Biesheuvel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Zhi Yuan <kevinjone25@g.ncu.edu.tw>
[ Commit 1df4d1724baafa55e9803414ebcdf1ca702bc958 upstream ]
This patch fixes the spelling error in firmware/efi/memmap.c, changing
it to the correct word.
Signed-off-by: Zheng Zhi Yuan <kevinjone25@g.ncu.edu.tw>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/memmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/firmware/efi/memmap.c
+++ b/drivers/firmware/efi/memmap.c
@@ -245,7 +245,7 @@ int __init efi_memmap_install(struct efi
* @range: Address range (start, end) to split around
*
* Returns the number of additional EFI memmap entries required to
- * accomodate @range.
+ * accommodate @range.
*/
int __init efi_memmap_split_count(efi_memory_desc_t *md, struct range *range)
{
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 349/356] efi: Correct comment on efi_memmap_alloc
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 348/356] drivers: fix typo in firmware/efi/memmap.c Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 350/356] efi: memmap: Move manipulation routines into x86 arch tree Greg Kroah-Hartman
` (14 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Zixian, Ard Biesheuvel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liu Zixian <liuzixian4@huawei.com>
[ Commit db01ea882bf601252dad57242655da17fd9ad2f5 upstream ]
Returning zero means success now.
Signed-off-by: Liu Zixian <liuzixian4@huawei.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/memmap.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/firmware/efi/memmap.c
+++ b/drivers/firmware/efi/memmap.c
@@ -59,8 +59,7 @@ static void __init efi_memmap_free(void)
* Depending on whether mm_init() has already been invoked or not,
* either memblock or "normal" page allocation is used.
*
- * Returns the physical address of the allocated memory map on
- * success, zero on failure.
+ * Returns zero on success, a negative error code on failure.
*/
int __init efi_memmap_alloc(unsigned int num_entries,
struct efi_memory_map_data *data)
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 350/356] efi: memmap: Move manipulation routines into x86 arch tree
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 349/356] efi: Correct comment on efi_memmap_alloc Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 351/356] efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures Greg Kroah-Hartman
` (13 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
[ Commit fdc6d38d64a20c542b1867ebeb8dd03b98829336 upstream ]
The EFI memory map is a description of the memory layout as provided by
the firmware, and only x86 manipulates it in various different ways for
its own memory bookkeeping. So let's move the memmap routines that are
only used by x86 into the x86 arch tree.
[ardb: s/memblock_phys_free/memblock_free for linux-5.15.y backport]
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/efi.h | 12 ++
arch/x86/platform/efi/Makefile | 3
arch/x86/platform/efi/memmap.c | 236 ++++++++++++++++++++++++++++++++++++++++
drivers/firmware/efi/memmap.c | 240 +----------------------------------------
include/linux/efi.h | 10 -
5 files changed, 261 insertions(+), 240 deletions(-)
create mode 100644 arch/x86/platform/efi/memmap.c
--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -386,6 +386,18 @@ static inline void efi_fake_memmap_early
}
#endif
+extern int __init efi_memmap_alloc(unsigned int num_entries,
+ struct efi_memory_map_data *data);
+extern void __efi_memmap_free(u64 phys, unsigned long size,
+ unsigned long flags);
+#define __efi_memmap_free __efi_memmap_free
+
+extern int __init efi_memmap_install(struct efi_memory_map_data *data);
+extern int __init efi_memmap_split_count(efi_memory_desc_t *md,
+ struct range *range);
+extern void __init efi_memmap_insert(struct efi_memory_map *old_memmap,
+ void *buf, struct efi_mem_range *mem);
+
#define arch_ima_efi_boot_mode \
({ extern struct boot_params boot_params; boot_params.secure_boot; })
--- a/arch/x86/platform/efi/Makefile
+++ b/arch/x86/platform/efi/Makefile
@@ -3,5 +3,6 @@ OBJECT_FILES_NON_STANDARD_efi_thunk_$(BI
KASAN_SANITIZE := n
GCOV_PROFILE := n
-obj-$(CONFIG_EFI) += quirks.o efi.o efi_$(BITS).o efi_stub_$(BITS).o
+obj-$(CONFIG_EFI) += memmap.o quirks.o efi.o efi_$(BITS).o \
+ efi_stub_$(BITS).o
obj-$(CONFIG_EFI_MIXED) += efi_thunk_$(BITS).o
--- /dev/null
+++ b/arch/x86/platform/efi/memmap.c
@@ -0,0 +1,236 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Common EFI memory map functions.
+ */
+
+#define pr_fmt(fmt) "efi: " fmt
+
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <linux/efi.h>
+#include <linux/io.h>
+#include <asm/early_ioremap.h>
+#include <asm/efi.h>
+#include <linux/memblock.h>
+#include <linux/slab.h>
+
+static phys_addr_t __init __efi_memmap_alloc_early(unsigned long size)
+{
+ return memblock_phys_alloc(size, SMP_CACHE_BYTES);
+}
+
+static phys_addr_t __init __efi_memmap_alloc_late(unsigned long size)
+{
+ unsigned int order = get_order(size);
+ struct page *p = alloc_pages(GFP_KERNEL, order);
+
+ if (!p)
+ return 0;
+
+ return PFN_PHYS(page_to_pfn(p));
+}
+
+void __init __efi_memmap_free(u64 phys, unsigned long size, unsigned long flags)
+{
+ if (flags & EFI_MEMMAP_MEMBLOCK) {
+ if (slab_is_available())
+ memblock_free_late(phys, size);
+ else
+ memblock_free(phys, size);
+ } else if (flags & EFI_MEMMAP_SLAB) {
+ struct page *p = pfn_to_page(PHYS_PFN(phys));
+ unsigned int order = get_order(size);
+
+ free_pages((unsigned long) page_address(p), order);
+ }
+}
+
+/**
+ * efi_memmap_alloc - Allocate memory for the EFI memory map
+ * @num_entries: Number of entries in the allocated map.
+ * @data: efi memmap installation parameters
+ *
+ * Depending on whether mm_init() has already been invoked or not,
+ * either memblock or "normal" page allocation is used.
+ *
+ * Returns zero on success, a negative error code on failure.
+ */
+int __init efi_memmap_alloc(unsigned int num_entries,
+ struct efi_memory_map_data *data)
+{
+ /* Expect allocation parameters are zero initialized */
+ WARN_ON(data->phys_map || data->size);
+
+ data->size = num_entries * efi.memmap.desc_size;
+ data->desc_version = efi.memmap.desc_version;
+ data->desc_size = efi.memmap.desc_size;
+ data->flags &= ~(EFI_MEMMAP_SLAB | EFI_MEMMAP_MEMBLOCK);
+ data->flags |= efi.memmap.flags & EFI_MEMMAP_LATE;
+
+ if (slab_is_available()) {
+ data->flags |= EFI_MEMMAP_SLAB;
+ data->phys_map = __efi_memmap_alloc_late(data->size);
+ } else {
+ data->flags |= EFI_MEMMAP_MEMBLOCK;
+ data->phys_map = __efi_memmap_alloc_early(data->size);
+ }
+
+ if (!data->phys_map)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * efi_memmap_install - Install a new EFI memory map in efi.memmap
+ * @ctx: map allocation parameters (address, size, flags)
+ *
+ * Unlike efi_memmap_init_*(), this function does not allow the caller
+ * to switch from early to late mappings. It simply uses the existing
+ * mapping function and installs the new memmap.
+ *
+ * Returns zero on success, a negative error code on failure.
+ */
+int __init efi_memmap_install(struct efi_memory_map_data *data)
+{
+ efi_memmap_unmap();
+
+ return __efi_memmap_init(data);
+}
+
+/**
+ * efi_memmap_split_count - Count number of additional EFI memmap entries
+ * @md: EFI memory descriptor to split
+ * @range: Address range (start, end) to split around
+ *
+ * Returns the number of additional EFI memmap entries required to
+ * accommodate @range.
+ */
+int __init efi_memmap_split_count(efi_memory_desc_t *md, struct range *range)
+{
+ u64 m_start, m_end;
+ u64 start, end;
+ int count = 0;
+
+ start = md->phys_addr;
+ end = start + (md->num_pages << EFI_PAGE_SHIFT) - 1;
+
+ /* modifying range */
+ m_start = range->start;
+ m_end = range->end;
+
+ if (m_start <= start) {
+ /* split into 2 parts */
+ if (start < m_end && m_end < end)
+ count++;
+ }
+
+ if (start < m_start && m_start < end) {
+ /* split into 3 parts */
+ if (m_end < end)
+ count += 2;
+ /* split into 2 parts */
+ if (end <= m_end)
+ count++;
+ }
+
+ return count;
+}
+
+/**
+ * efi_memmap_insert - Insert a memory region in an EFI memmap
+ * @old_memmap: The existing EFI memory map structure
+ * @buf: Address of buffer to store new map
+ * @mem: Memory map entry to insert
+ *
+ * It is suggested that you call efi_memmap_split_count() first
+ * to see how large @buf needs to be.
+ */
+void __init efi_memmap_insert(struct efi_memory_map *old_memmap, void *buf,
+ struct efi_mem_range *mem)
+{
+ u64 m_start, m_end, m_attr;
+ efi_memory_desc_t *md;
+ u64 start, end;
+ void *old, *new;
+
+ /* modifying range */
+ m_start = mem->range.start;
+ m_end = mem->range.end;
+ m_attr = mem->attribute;
+
+ /*
+ * The EFI memory map deals with regions in EFI_PAGE_SIZE
+ * units. Ensure that the region described by 'mem' is aligned
+ * correctly.
+ */
+ if (!IS_ALIGNED(m_start, EFI_PAGE_SIZE) ||
+ !IS_ALIGNED(m_end + 1, EFI_PAGE_SIZE)) {
+ WARN_ON(1);
+ return;
+ }
+
+ for (old = old_memmap->map, new = buf;
+ old < old_memmap->map_end;
+ old += old_memmap->desc_size, new += old_memmap->desc_size) {
+
+ /* copy original EFI memory descriptor */
+ memcpy(new, old, old_memmap->desc_size);
+ md = new;
+ start = md->phys_addr;
+ end = md->phys_addr + (md->num_pages << EFI_PAGE_SHIFT) - 1;
+
+ if (m_start <= start && end <= m_end)
+ md->attribute |= m_attr;
+
+ if (m_start <= start &&
+ (start < m_end && m_end < end)) {
+ /* first part */
+ md->attribute |= m_attr;
+ md->num_pages = (m_end - md->phys_addr + 1) >>
+ EFI_PAGE_SHIFT;
+ /* latter part */
+ new += old_memmap->desc_size;
+ memcpy(new, old, old_memmap->desc_size);
+ md = new;
+ md->phys_addr = m_end + 1;
+ md->num_pages = (end - md->phys_addr + 1) >>
+ EFI_PAGE_SHIFT;
+ }
+
+ if ((start < m_start && m_start < end) && m_end < end) {
+ /* first part */
+ md->num_pages = (m_start - md->phys_addr) >>
+ EFI_PAGE_SHIFT;
+ /* middle part */
+ new += old_memmap->desc_size;
+ memcpy(new, old, old_memmap->desc_size);
+ md = new;
+ md->attribute |= m_attr;
+ md->phys_addr = m_start;
+ md->num_pages = (m_end - m_start + 1) >>
+ EFI_PAGE_SHIFT;
+ /* last part */
+ new += old_memmap->desc_size;
+ memcpy(new, old, old_memmap->desc_size);
+ md = new;
+ md->phys_addr = m_end + 1;
+ md->num_pages = (end - m_end) >>
+ EFI_PAGE_SHIFT;
+ }
+
+ if ((start < m_start && m_start < end) &&
+ (end <= m_end)) {
+ /* first part */
+ md->num_pages = (m_start - md->phys_addr) >>
+ EFI_PAGE_SHIFT;
+ /* latter part */
+ new += old_memmap->desc_size;
+ memcpy(new, old, old_memmap->desc_size);
+ md = new;
+ md->phys_addr = m_start;
+ md->num_pages = (end - md->phys_addr + 1) >>
+ EFI_PAGE_SHIFT;
+ md->attribute |= m_attr;
+ }
+ }
+}
--- a/drivers/firmware/efi/memmap.c
+++ b/drivers/firmware/efi/memmap.c
@@ -9,82 +9,15 @@
#include <linux/kernel.h>
#include <linux/efi.h>
#include <linux/io.h>
-#include <asm/early_ioremap.h>
#include <linux/memblock.h>
#include <linux/slab.h>
-static phys_addr_t __init __efi_memmap_alloc_early(unsigned long size)
-{
- return memblock_phys_alloc(size, SMP_CACHE_BYTES);
-}
-
-static phys_addr_t __init __efi_memmap_alloc_late(unsigned long size)
-{
- unsigned int order = get_order(size);
- struct page *p = alloc_pages(GFP_KERNEL, order);
-
- if (!p)
- return 0;
-
- return PFN_PHYS(page_to_pfn(p));
-}
-
-void __init __efi_memmap_free(u64 phys, unsigned long size, unsigned long flags)
-{
- if (flags & EFI_MEMMAP_MEMBLOCK) {
- if (slab_is_available())
- memblock_free_late(phys, size);
- else
- memblock_free(phys, size);
- } else if (flags & EFI_MEMMAP_SLAB) {
- struct page *p = pfn_to_page(PHYS_PFN(phys));
- unsigned int order = get_order(size);
-
- free_pages((unsigned long) page_address(p), order);
- }
-}
-
-static void __init efi_memmap_free(void)
-{
- __efi_memmap_free(efi.memmap.phys_map,
- efi.memmap.desc_size * efi.memmap.nr_map,
- efi.memmap.flags);
-}
-
-/**
- * efi_memmap_alloc - Allocate memory for the EFI memory map
- * @num_entries: Number of entries in the allocated map.
- * @data: efi memmap installation parameters
- *
- * Depending on whether mm_init() has already been invoked or not,
- * either memblock or "normal" page allocation is used.
- *
- * Returns zero on success, a negative error code on failure.
- */
-int __init efi_memmap_alloc(unsigned int num_entries,
- struct efi_memory_map_data *data)
-{
- /* Expect allocation parameters are zero initialized */
- WARN_ON(data->phys_map || data->size);
-
- data->size = num_entries * efi.memmap.desc_size;
- data->desc_version = efi.memmap.desc_version;
- data->desc_size = efi.memmap.desc_size;
- data->flags &= ~(EFI_MEMMAP_SLAB | EFI_MEMMAP_MEMBLOCK);
- data->flags |= efi.memmap.flags & EFI_MEMMAP_LATE;
-
- if (slab_is_available()) {
- data->flags |= EFI_MEMMAP_SLAB;
- data->phys_map = __efi_memmap_alloc_late(data->size);
- } else {
- data->flags |= EFI_MEMMAP_MEMBLOCK;
- data->phys_map = __efi_memmap_alloc_early(data->size);
- }
+#include <asm/early_ioremap.h>
+#include <asm/efi.h>
- if (!data->phys_map)
- return -ENOMEM;
- return 0;
-}
+#ifndef __efi_memmap_free
+#define __efi_memmap_free(phys, size, flags) do { } while (0)
+#endif
/**
* __efi_memmap_init - Common code for mapping the EFI memory map
@@ -101,7 +34,7 @@ int __init efi_memmap_alloc(unsigned int
*
* Returns zero on success, a negative error code on failure.
*/
-static int __init __efi_memmap_init(struct efi_memory_map_data *data)
+int __init __efi_memmap_init(struct efi_memory_map_data *data)
{
struct efi_memory_map map;
phys_addr_t phys_map;
@@ -121,8 +54,10 @@ static int __init __efi_memmap_init(stru
return -ENOMEM;
}
- /* NOP if data->flags & (EFI_MEMMAP_MEMBLOCK | EFI_MEMMAP_SLAB) == 0 */
- efi_memmap_free();
+ if (efi.memmap.flags & (EFI_MEMMAP_MEMBLOCK | EFI_MEMMAP_SLAB))
+ __efi_memmap_free(efi.memmap.phys_map,
+ efi.memmap.desc_size * efi.memmap.nr_map,
+ efi.memmap.flags);
map.phys_map = data->phys_map;
map.nr_map = data->size / data->desc_size;
@@ -220,158 +155,3 @@ int __init efi_memmap_init_late(phys_add
return __efi_memmap_init(&data);
}
-
-/**
- * efi_memmap_install - Install a new EFI memory map in efi.memmap
- * @ctx: map allocation parameters (address, size, flags)
- *
- * Unlike efi_memmap_init_*(), this function does not allow the caller
- * to switch from early to late mappings. It simply uses the existing
- * mapping function and installs the new memmap.
- *
- * Returns zero on success, a negative error code on failure.
- */
-int __init efi_memmap_install(struct efi_memory_map_data *data)
-{
- efi_memmap_unmap();
-
- return __efi_memmap_init(data);
-}
-
-/**
- * efi_memmap_split_count - Count number of additional EFI memmap entries
- * @md: EFI memory descriptor to split
- * @range: Address range (start, end) to split around
- *
- * Returns the number of additional EFI memmap entries required to
- * accommodate @range.
- */
-int __init efi_memmap_split_count(efi_memory_desc_t *md, struct range *range)
-{
- u64 m_start, m_end;
- u64 start, end;
- int count = 0;
-
- start = md->phys_addr;
- end = start + (md->num_pages << EFI_PAGE_SHIFT) - 1;
-
- /* modifying range */
- m_start = range->start;
- m_end = range->end;
-
- if (m_start <= start) {
- /* split into 2 parts */
- if (start < m_end && m_end < end)
- count++;
- }
-
- if (start < m_start && m_start < end) {
- /* split into 3 parts */
- if (m_end < end)
- count += 2;
- /* split into 2 parts */
- if (end <= m_end)
- count++;
- }
-
- return count;
-}
-
-/**
- * efi_memmap_insert - Insert a memory region in an EFI memmap
- * @old_memmap: The existing EFI memory map structure
- * @buf: Address of buffer to store new map
- * @mem: Memory map entry to insert
- *
- * It is suggested that you call efi_memmap_split_count() first
- * to see how large @buf needs to be.
- */
-void __init efi_memmap_insert(struct efi_memory_map *old_memmap, void *buf,
- struct efi_mem_range *mem)
-{
- u64 m_start, m_end, m_attr;
- efi_memory_desc_t *md;
- u64 start, end;
- void *old, *new;
-
- /* modifying range */
- m_start = mem->range.start;
- m_end = mem->range.end;
- m_attr = mem->attribute;
-
- /*
- * The EFI memory map deals with regions in EFI_PAGE_SIZE
- * units. Ensure that the region described by 'mem' is aligned
- * correctly.
- */
- if (!IS_ALIGNED(m_start, EFI_PAGE_SIZE) ||
- !IS_ALIGNED(m_end + 1, EFI_PAGE_SIZE)) {
- WARN_ON(1);
- return;
- }
-
- for (old = old_memmap->map, new = buf;
- old < old_memmap->map_end;
- old += old_memmap->desc_size, new += old_memmap->desc_size) {
-
- /* copy original EFI memory descriptor */
- memcpy(new, old, old_memmap->desc_size);
- md = new;
- start = md->phys_addr;
- end = md->phys_addr + (md->num_pages << EFI_PAGE_SHIFT) - 1;
-
- if (m_start <= start && end <= m_end)
- md->attribute |= m_attr;
-
- if (m_start <= start &&
- (start < m_end && m_end < end)) {
- /* first part */
- md->attribute |= m_attr;
- md->num_pages = (m_end - md->phys_addr + 1) >>
- EFI_PAGE_SHIFT;
- /* latter part */
- new += old_memmap->desc_size;
- memcpy(new, old, old_memmap->desc_size);
- md = new;
- md->phys_addr = m_end + 1;
- md->num_pages = (end - md->phys_addr + 1) >>
- EFI_PAGE_SHIFT;
- }
-
- if ((start < m_start && m_start < end) && m_end < end) {
- /* first part */
- md->num_pages = (m_start - md->phys_addr) >>
- EFI_PAGE_SHIFT;
- /* middle part */
- new += old_memmap->desc_size;
- memcpy(new, old, old_memmap->desc_size);
- md = new;
- md->attribute |= m_attr;
- md->phys_addr = m_start;
- md->num_pages = (m_end - m_start + 1) >>
- EFI_PAGE_SHIFT;
- /* last part */
- new += old_memmap->desc_size;
- memcpy(new, old, old_memmap->desc_size);
- md = new;
- md->phys_addr = m_end + 1;
- md->num_pages = (end - m_end) >>
- EFI_PAGE_SHIFT;
- }
-
- if ((start < m_start && m_start < end) &&
- (end <= m_end)) {
- /* first part */
- md->num_pages = (m_start - md->phys_addr) >>
- EFI_PAGE_SHIFT;
- /* latter part */
- new += old_memmap->desc_size;
- memcpy(new, old, old_memmap->desc_size);
- md = new;
- md->phys_addr = m_start;
- md->num_pages = (end - md->phys_addr + 1) >>
- EFI_PAGE_SHIFT;
- md->attribute |= m_attr;
- }
- }
-}
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -627,18 +627,10 @@ static inline efi_status_t efi_query_var
#endif
extern void __iomem *efi_lookup_mapped_addr(u64 phys_addr);
-extern int __init efi_memmap_alloc(unsigned int num_entries,
- struct efi_memory_map_data *data);
-extern void __efi_memmap_free(u64 phys, unsigned long size,
- unsigned long flags);
+extern int __init __efi_memmap_init(struct efi_memory_map_data *data);
extern int __init efi_memmap_init_early(struct efi_memory_map_data *data);
extern int __init efi_memmap_init_late(phys_addr_t addr, unsigned long size);
extern void __init efi_memmap_unmap(void);
-extern int __init efi_memmap_install(struct efi_memory_map_data *data);
-extern int __init efi_memmap_split_count(efi_memory_desc_t *md,
- struct range *range);
-extern void __init efi_memmap_insert(struct efi_memory_map *old_memmap,
- void *buf, struct efi_mem_range *mem);
#ifdef CONFIG_EFI_ESRT
extern void __init efi_esrt_init(void);
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 351/356] efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 350/356] efi: memmap: Move manipulation routines into x86 arch tree Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 352/356] efi/x86: Free EFI memory map only when installing a new one Greg Kroah-Hartman
` (12 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
[ Commit d85e3e34940788578eeffd94e8b7e1d28e7278e9 upstream ]
Currently, the EFI_PARAVIRT flag is only used by Xen dom0 boot on x86,
even though other architectures also support pseudo-EFI boot, where the
core kernel is invoked directly and provided with a set of data tables
that resemble the ones constructed by the EFI stub, which never actually
runs in that case.
Let's fix this inconsistency, and always set this flag when booting dom0
via the EFI boot path. Note that Xen on x86 does not provide the EFI
memory map in this case, whereas other architectures do, so move the
associated EFI_PARAVIRT check into the x86 platform code.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/platform/efi/efi.c | 8 +++++---
arch/x86/platform/efi/memmap.c | 3 +++
drivers/firmware/efi/fdtparams.c | 4 ++++
drivers/firmware/efi/memmap.c | 3 ---
4 files changed, 12 insertions(+), 6 deletions(-)
--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -234,9 +234,11 @@ int __init efi_memblock_x86_reserve_rang
data.desc_size = e->efi_memdesc_size;
data.desc_version = e->efi_memdesc_version;
- rv = efi_memmap_init_early(&data);
- if (rv)
- return rv;
+ if (!efi_enabled(EFI_PARAVIRT)) {
+ rv = efi_memmap_init_early(&data);
+ if (rv)
+ return rv;
+ }
if (add_efi_memmap || do_efi_soft_reserve())
do_add_efi_memmap();
--- a/arch/x86/platform/efi/memmap.c
+++ b/arch/x86/platform/efi/memmap.c
@@ -94,6 +94,9 @@ int __init efi_memmap_install(struct efi
{
efi_memmap_unmap();
+ if (efi_enabled(EFI_PARAVIRT))
+ return 0;
+
return __efi_memmap_init(data);
}
--- a/drivers/firmware/efi/fdtparams.c
+++ b/drivers/firmware/efi/fdtparams.c
@@ -30,11 +30,13 @@ static __initconst const char name[][22]
static __initconst const struct {
const char path[17];
+ u8 paravirt;
const char params[PARAMCOUNT][26];
} dt_params[] = {
{
#ifdef CONFIG_XEN // <-------17------>
.path = "/hypervisor/uefi",
+ .paravirt = 1,
.params = {
[SYSTAB] = "xen,uefi-system-table",
[MMBASE] = "xen,uefi-mmap-start",
@@ -121,6 +123,8 @@ u64 __init efi_get_fdt_params(struct efi
pr_err("Can't find property '%s' in DT!\n", pname);
return 0;
}
+ if (dt_params[i].paravirt)
+ set_bit(EFI_PARAVIRT, &efi.flags);
return systab;
}
notfound:
--- a/drivers/firmware/efi/memmap.c
+++ b/drivers/firmware/efi/memmap.c
@@ -39,9 +39,6 @@ int __init __efi_memmap_init(struct efi_
struct efi_memory_map map;
phys_addr_t phys_map;
- if (efi_enabled(EFI_PARAVIRT))
- return 0;
-
phys_map = data->phys_map;
if (data->flags & EFI_MEMMAP_LATE)
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 352/356] efi/x86: Free EFI memory map only when installing a new one.
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 351/356] efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 353/356] KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption Greg Kroah-Hartman
` (11 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ashish Kalra, Ard Biesheuvel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
[ Commit 75dde792d6f6c2d0af50278bd374bf0c512fe196 upstream ]
The logic in __efi_memmap_init() is shared between two different
execution flows:
- mapping the EFI memory map early or late into the kernel VA space, so
that its entries can be accessed;
- the x86 specific cloning of the EFI memory map in order to insert new
entries that are created as a result of making a memory reservation
via a call to efi_mem_reserve().
In the former case, the underlying memory containing the kernel's view
of the EFI memory map (which may be heavily modified by the kernel
itself on x86) is not modified at all, and the only thing that changes
is the virtual mapping of this memory, which is different between early
and late boot.
In the latter case, an entirely new allocation is created that carries a
new, updated version of the kernel's view of the EFI memory map. When
installing this new version, the old version will no longer be
referenced, and if the memory was allocated by the kernel, it will leak
unless it gets freed.
The logic that implements this freeing currently lives on the code path
that is shared between these two use cases, but it should only apply to
the latter. So move it to the correct spot.
While at it, drop the dummy definition for non-x86 architectures, as
that is no longer needed.
Cc: <stable@vger.kernel.org>
Fixes: f0ef6523475f ("efi: Fix efi_memmap_alloc() leaks")
Tested-by: Ashish Kalra <Ashish.Kalra@amd.com>
Link: https://lore.kernel.org/all/36ad5079-4326-45ed-85f6-928ff76483d3@amd.com
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/efi.h | 1 -
arch/x86/platform/efi/memmap.c | 12 +++++++++++-
drivers/firmware/efi/memmap.c | 9 ---------
3 files changed, 11 insertions(+), 11 deletions(-)
--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -390,7 +390,6 @@ extern int __init efi_memmap_alloc(unsig
struct efi_memory_map_data *data);
extern void __efi_memmap_free(u64 phys, unsigned long size,
unsigned long flags);
-#define __efi_memmap_free __efi_memmap_free
extern int __init efi_memmap_install(struct efi_memory_map_data *data);
extern int __init efi_memmap_split_count(efi_memory_desc_t *md,
--- a/arch/x86/platform/efi/memmap.c
+++ b/arch/x86/platform/efi/memmap.c
@@ -92,12 +92,22 @@ int __init efi_memmap_alloc(unsigned int
*/
int __init efi_memmap_install(struct efi_memory_map_data *data)
{
+ unsigned long size = efi.memmap.desc_size * efi.memmap.nr_map;
+ unsigned long flags = efi.memmap.flags;
+ u64 phys = efi.memmap.phys_map;
+ int ret;
+
efi_memmap_unmap();
if (efi_enabled(EFI_PARAVIRT))
return 0;
- return __efi_memmap_init(data);
+ ret = __efi_memmap_init(data);
+ if (ret)
+ return ret;
+
+ __efi_memmap_free(phys, size, flags);
+ return 0;
}
/**
--- a/drivers/firmware/efi/memmap.c
+++ b/drivers/firmware/efi/memmap.c
@@ -15,10 +15,6 @@
#include <asm/early_ioremap.h>
#include <asm/efi.h>
-#ifndef __efi_memmap_free
-#define __efi_memmap_free(phys, size, flags) do { } while (0)
-#endif
-
/**
* __efi_memmap_init - Common code for mapping the EFI memory map
* @data: EFI memory map data
@@ -51,11 +47,6 @@ int __init __efi_memmap_init(struct efi_
return -ENOMEM;
}
- if (efi.memmap.flags & (EFI_MEMMAP_MEMBLOCK | EFI_MEMMAP_SLAB))
- __efi_memmap_free(efi.memmap.phys_map,
- efi.memmap.desc_size * efi.memmap.nr_map,
- efi.memmap.flags);
-
map.phys_map = data->phys_map;
map.nr_map = data->size / data->desc_size;
map.map_end = map.map + data->size;
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 353/356] KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 352/356] efi/x86: Free EFI memory map only when installing a new one Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 354/356] ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node Greg Kroah-Hartman
` (10 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Chen, Zenghui Yu, Marc Zyngier,
Oliver Upton, James Gowans
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit b321c31c9b7b309dcde5e8854b741c8e6a9a05f0 upstream.
Xiang reports that VMs occasionally fail to boot on GICv4.1 systems when
running a preemptible kernel, as it is possible that a vCPU is blocked
without requesting a doorbell interrupt.
The issue is that any preemption that occurs between vgic_v4_put() and
schedule() on the block path will mark the vPE as nonresident and *not*
request a doorbell irq. This occurs because when the vcpu thread is
resumed on its way to block, vcpu_load() will make the vPE resident
again. Once the vcpu actually blocks, we don't request a doorbell
anymore, and the vcpu won't be woken up on interrupt delivery.
Fix it by tracking that we're entering WFI, and key the doorbell
request on that flag. This allows us not to make the vPE resident
when going through a preempt/schedule cycle, meaning we don't lose
any state.
Cc: stable@vger.kernel.org
Fixes: 8e01d9a396e6 ("KVM: arm64: vgic-v4: Move the GICv4 residency flow to be driven by vcpu_load/put")
Reported-by: Xiang Chen <chenxiang66@hisilicon.com>
Suggested-by: Zenghui Yu <yuzenghui@huawei.com>
Tested-by: Xiang Chen <chenxiang66@hisilicon.com>
Co-developed-by: Oliver Upton <oliver.upton@linux.dev>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Acked-by: Zenghui Yu <yuzenghui@huawei.com>
Link: https://lore.kernel.org/r/20230713070657.3873244-1-maz@kernel.org
Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
[ modified to wrangle the vCPU flags directly instead of going through
the flag helper macros as they have not yet been introduced. Also doing
the flag wranging in the kvm_arch_vcpu_{un}blocking() hooks as the
introduction of kvm_vcpu_wfi has not yet happened. See:
6109c5a6ab7f ("KVM: arm64: Move vGIC v4 handling for WFI out arch callback hook") ]
Signed-off-by: James Gowans <jgowans@amazon.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/kvm_host.h | 1 +
arch/arm64/kvm/arm.c | 6 ++++--
arch/arm64/kvm/vgic/vgic-v3.c | 2 +-
arch/arm64/kvm/vgic/vgic-v4.c | 8 ++++++--
include/kvm/arm_vgic.h | 2 +-
5 files changed, 13 insertions(+), 6 deletions(-)
--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -419,6 +419,7 @@ struct kvm_vcpu_arch {
#define KVM_ARM64_EXCEPT_MASK (7 << 9) /* Target EL/MODE */
#define KVM_ARM64_DEBUG_STATE_SAVE_SPE (1 << 12) /* Save SPE context if active */
#define KVM_ARM64_DEBUG_STATE_SAVE_TRBE (1 << 13) /* Save TRBE context if active */
+#define KVM_ARM64_VCPU_IN_WFI (1 << 14) /* WFI instruction trapped */
#define KVM_GUESTDBG_VALID_MASK (KVM_GUESTDBG_ENABLE | \
KVM_GUESTDBG_USE_SW_BP | \
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -379,13 +379,15 @@ void kvm_arch_vcpu_blocking(struct kvm_v
*/
preempt_disable();
kvm_vgic_vmcr_sync(vcpu);
- vgic_v4_put(vcpu, true);
+ vcpu->arch.flags |= KVM_ARM64_VCPU_IN_WFI;
+ vgic_v4_put(vcpu);
preempt_enable();
}
void kvm_arch_vcpu_unblocking(struct kvm_vcpu *vcpu)
{
preempt_disable();
+ vcpu->arch.flags &= ~KVM_ARM64_VCPU_IN_WFI;
vgic_v4_load(vcpu);
preempt_enable();
}
@@ -696,7 +698,7 @@ static void check_vcpu_requests(struct k
if (kvm_check_request(KVM_REQ_RELOAD_GICv4, vcpu)) {
/* The distributor enable bits were changed */
preempt_disable();
- vgic_v4_put(vcpu, false);
+ vgic_v4_put(vcpu);
vgic_v4_load(vcpu);
preempt_enable();
}
--- a/arch/arm64/kvm/vgic/vgic-v3.c
+++ b/arch/arm64/kvm/vgic/vgic-v3.c
@@ -715,7 +715,7 @@ void vgic_v3_put(struct kvm_vcpu *vcpu)
{
struct vgic_v3_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v3;
- WARN_ON(vgic_v4_put(vcpu, false));
+ WARN_ON(vgic_v4_put(vcpu));
vgic_v3_vmcr_sync(vcpu);
--- a/arch/arm64/kvm/vgic/vgic-v4.c
+++ b/arch/arm64/kvm/vgic/vgic-v4.c
@@ -333,14 +333,15 @@ void vgic_v4_teardown(struct kvm *kvm)
its_vm->vpes = NULL;
}
-int vgic_v4_put(struct kvm_vcpu *vcpu, bool need_db)
+int vgic_v4_put(struct kvm_vcpu *vcpu)
{
struct its_vpe *vpe = &vcpu->arch.vgic_cpu.vgic_v3.its_vpe;
if (!vgic_supports_direct_msis(vcpu->kvm) || !vpe->resident)
return 0;
- return its_make_vpe_non_resident(vpe, need_db);
+ return its_make_vpe_non_resident(vpe,
+ vcpu->arch.flags & KVM_ARM64_VCPU_IN_WFI);
}
int vgic_v4_load(struct kvm_vcpu *vcpu)
@@ -351,6 +352,9 @@ int vgic_v4_load(struct kvm_vcpu *vcpu)
if (!vgic_supports_direct_msis(vcpu->kvm) || vpe->resident)
return 0;
+ if (vcpu->arch.flags & KVM_ARM64_VCPU_IN_WFI)
+ return 0;
+
/*
* Before making the VPE resident, make sure the redistributor
* corresponding to our current CPU expects us here. See the
--- a/include/kvm/arm_vgic.h
+++ b/include/kvm/arm_vgic.h
@@ -423,6 +423,6 @@ int kvm_vgic_v4_unset_forwarding(struct
int vgic_v4_load(struct kvm_vcpu *vcpu);
void vgic_v4_commit(struct kvm_vcpu *vcpu);
-int vgic_v4_put(struct kvm_vcpu *vcpu, bool need_db);
+int vgic_v4_put(struct kvm_vcpu *vcpu);
#endif /* __KVM_ARM_VGIC_H */
^ permalink raw reply [flat|nested] 372+ messages in thread
* [PATCH 5.15 354/356] ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 353/356] KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 355/356] arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E Greg Kroah-Hartman
` (9 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Jonker, Heiko Stuebner,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Jonker <jbx6244@gmail.com>
[ Upstream commit cca46f811d0000c1522a5e18ea48c27a15e45c05 ]
'#sound-dai-cells' is required to properly interpret
the list of DAI specified in the 'sound-dai' property,
so add them to the 'hdmi' node for 'rk3066a.dtsi'.
Fixes: fadc78062477 ("ARM: dts: rockchip: add rk3066 hdmi nodes")
Signed-off-by: Johan Jonker <jbx6244@gmail.com>
Link: https://lore.kernel.org/r/8b229dcc-94e4-4bbc-9efc-9d5ddd694532@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/rk3066a.dtsi | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/boot/dts/rk3066a.dtsi b/arch/arm/boot/dts/rk3066a.dtsi
index ae4055428c5e1..85b5c506662eb 100644
--- a/arch/arm/boot/dts/rk3066a.dtsi
+++ b/arch/arm/boot/dts/rk3066a.dtsi
@@ -124,6 +124,7 @@
pinctrl-0 = <&hdmii2c_xfer>, <&hdmi_hpd>;
power-domains = <&power RK3066_PD_VIO>;
rockchip,grf = <&grf>;
+ #sound-dai-cells = <0>;
status = "disabled";
ports {
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 355/356] arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 354/356] ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 356/356] arm64: dts: rockchip: Add sound-dai-cells for RK3368 Greg Kroah-Hartman
` (8 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, FUKAUMI Naoki, Heiko Stuebner,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: FUKAUMI Naoki <naoki@radxa.com>
[ Upstream commit 02afd3d5b9fa4ffed284c0f7e7bec609097804fc ]
use GPIO0_A2 as interrupt pin for PMIC. GPIO2_A6 was used for
pre-production board.
Fixes: b918e81f2145 ("arm64: dts: rockchip: rk3328: Add Radxa ROCK Pi E")
Signed-off-by: FUKAUMI Naoki <naoki@radxa.com>
Link: https://lore.kernel.org/r/20240619050047.1217-1-naoki@radxa.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts b/arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts
index 018a3a5075c72..d9905a08c6ce8 100644
--- a/arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts
@@ -186,8 +186,8 @@
rk805: pmic@18 {
compatible = "rockchip,rk805";
reg = <0x18>;
- interrupt-parent = <&gpio2>;
- interrupts = <6 IRQ_TYPE_LEVEL_LOW>;
+ interrupt-parent = <&gpio0>;
+ interrupts = <2 IRQ_TYPE_LEVEL_LOW>;
#clock-cells = <1>;
clock-output-names = "xin32k", "rk805-clkout2";
gpio-controller;
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* [PATCH 5.15 356/356] arm64: dts: rockchip: Add sound-dai-cells for RK3368
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 355/356] arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E Greg Kroah-Hartman
@ 2024-07-03 10:41 ` Greg Kroah-Hartman
2024-07-03 13:27 ` [PATCH 5.15 000/356] 5.15.162-rc1 review Jon Hunter
` (7 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 10:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Bee, Heiko Stuebner,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Bee <knaerzche@gmail.com>
[ Upstream commit 8d7ec44aa5d1eb94a30319074762a1740440cdc8 ]
Add the missing #sound-dai-cells for RK3368's I2S and S/PDIF controllers.
Fixes: f7d89dfe1e31 ("arm64: dts: rockchip: add i2s nodes support for RK3368 SoCs")
Fixes: 0328d68ea76d ("arm64: dts: rockchip: add rk3368 spdif node")
Signed-off-by: Alex Bee <knaerzche@gmail.com>
Link: https://lore.kernel.org/r/20240623090116.670607-4-knaerzche@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3368.dtsi | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm64/boot/dts/rockchip/rk3368.dtsi b/arch/arm64/boot/dts/rockchip/rk3368.dtsi
index 4c64fbefb4834..ad58930d5ccec 100644
--- a/arch/arm64/boot/dts/rockchip/rk3368.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3368.dtsi
@@ -678,6 +678,7 @@
dma-names = "tx";
pinctrl-names = "default";
pinctrl-0 = <&spdif_tx>;
+ #sound-dai-cells = <0>;
status = "disabled";
};
@@ -689,6 +690,7 @@
clocks = <&cru SCLK_I2S_2CH>, <&cru HCLK_I2S_2CH>;
dmas = <&dmac_bus 6>, <&dmac_bus 7>;
dma-names = "tx", "rx";
+ #sound-dai-cells = <0>;
status = "disabled";
};
@@ -702,6 +704,7 @@
dma-names = "tx", "rx";
pinctrl-names = "default";
pinctrl-0 = <&i2s_8ch_bus>;
+ #sound-dai-cells = <0>;
status = "disabled";
};
--
2.43.0
^ permalink raw reply related [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 067/356] selftests/mm: log a consistent test name for check_compaction
2024-07-03 10:36 ` [PATCH 5.15 067/356] selftests/mm: log a consistent test name for check_compaction Greg Kroah-Hartman
@ 2024-07-03 12:02 ` Mark Brown
2024-07-03 12:52 ` Greg Kroah-Hartman
0 siblings, 1 reply; 372+ messages in thread
From: Mark Brown @ 2024-07-03 12:02 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Muhammad Usama Anjum, Ryan Roberts, Shuah Khan,
Andrew Morton, Sasha Levin
[-- Attachment #1: Type: text/plain, Size: 918 bytes --]
On Wed, Jul 03, 2024 at 12:36:43PM +0200, Greg Kroah-Hartman wrote:
> Every test result report in the compaction test prints a distinct log
> messae, and some of the reports print a name that varies at runtime. This
> causes problems for automation since a lot of automation software uses the
> printed string as the name of the test, if the name varies from run to run
> and from pass to fail then the automation software can't identify that a
> test changed result or that the same tests are being run.
>
> Refactor the logging to use a consistent name when printing the result of
> the test, printing the existing messages as diagnostic information instead
> so they are still available for people trying to interpret the results.
I'm not convinced that this is a good stable candidate, it will change
the output people are seeing in their test environment which might be an
undesirable change.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 067/356] selftests/mm: log a consistent test name for check_compaction
2024-07-03 12:02 ` Mark Brown
@ 2024-07-03 12:52 ` Greg Kroah-Hartman
2024-07-03 13:36 ` Mark Brown
0 siblings, 1 reply; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-03 12:52 UTC (permalink / raw)
To: Mark Brown
Cc: stable, patches, Muhammad Usama Anjum, Ryan Roberts, Shuah Khan,
Andrew Morton, Sasha Levin
On Wed, Jul 03, 2024 at 01:02:18PM +0100, Mark Brown wrote:
> On Wed, Jul 03, 2024 at 12:36:43PM +0200, Greg Kroah-Hartman wrote:
>
> > Every test result report in the compaction test prints a distinct log
> > messae, and some of the reports print a name that varies at runtime. This
> > causes problems for automation since a lot of automation software uses the
> > printed string as the name of the test, if the name varies from run to run
> > and from pass to fail then the automation software can't identify that a
> > test changed result or that the same tests are being run.
> >
> > Refactor the logging to use a consistent name when printing the result of
> > the test, printing the existing messages as diagnostic information instead
> > so they are still available for people trying to interpret the results.
>
> I'm not convinced that this is a good stable candidate, it will change
> the output people are seeing in their test environment which might be an
> undesirable change.
Did it change the output in a breaking way in the other stable trees and
normal releases that happened with this commit in it?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 255/356] x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node()
2024-07-03 10:39 ` [PATCH 5.15 255/356] x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node() Greg Kroah-Hartman
@ 2024-07-03 12:53 ` Mike Rapoport
2024-07-04 7:20 ` Greg Kroah-Hartman
0 siblings, 1 reply; 372+ messages in thread
From: Mike Rapoport @ 2024-07-03 12:53 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Narasimhan V, Jan Beulich, Borislav Petkov (AMD),
Paul E. McKenney, Sasha Levin
On Wed, Jul 03, 2024 at 12:39:51PM +0200, Greg Kroah-Hartman wrote:
> 5.15-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Jan Beulich <jbeulich@suse.com>
>
> [ Upstream commit 3ac36aa7307363b7247ccb6f6a804e11496b2b36 ]
>
> memblock_set_node() warns about using MAX_NUMNODES, see
>
> e0eec24e2e19 ("memblock: make memblock_set_node() also warn about use of MAX_NUMNODES")
>
> for details.
This commit was a fix for e0eec24e2e19, it's not needed for kernels before 6.8.
> Reported-by: Narasimhan V <Narasimhan.V@amd.com>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> Cc: stable@vger.kernel.org
> [bp: commit message]
> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
> Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org>
> Tested-by: Paul E. McKenney <paulmck@kernel.org>
> Link: https://lore.kernel.org/r/20240603141005.23261-1-bp@kernel.org
> Link: https://lore.kernel.org/r/abadb736-a239-49e4-ab42-ace7acdd4278@suse.com
> Signed-off-by: Mike Rapoport (IBM) <rppt@kernel.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> arch/x86/mm/numa.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
> index 1a1c0c242f272..d074a1b4f976c 100644
> --- a/arch/x86/mm/numa.c
> +++ b/arch/x86/mm/numa.c
> @@ -522,7 +522,7 @@ static void __init numa_clear_kernel_node_hotplug(void)
> for_each_reserved_mem_region(mb_region) {
> int nid = memblock_get_region_node(mb_region);
>
> - if (nid != MAX_NUMNODES)
> + if (nid != NUMA_NO_NODE)
> node_set(nid, reserved_nodemask);
> }
>
> @@ -642,9 +642,9 @@ static int __init numa_init(int (*init_func)(void))
> nodes_clear(node_online_map);
> memset(&numa_meminfo, 0, sizeof(numa_meminfo));
> WARN_ON(memblock_set_node(0, ULLONG_MAX, &memblock.memory,
> - MAX_NUMNODES));
> + NUMA_NO_NODE));
> WARN_ON(memblock_set_node(0, ULLONG_MAX, &memblock.reserved,
> - MAX_NUMNODES));
> + NUMA_NO_NODE));
> /* In case that parsing SRAT failed. */
> WARN_ON(memblock_clear_hotplug(0, ULLONG_MAX));
> numa_reset_distance();
> --
> 2.43.0
>
>
>
--
Sincerely yours,
Mike.
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 000/356] 5.15.162-rc1 review
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2024-07-03 10:41 ` [PATCH 5.15 356/356] arm64: dts: rockchip: Add sound-dai-cells for RK3368 Greg Kroah-Hartman
@ 2024-07-03 13:27 ` Jon Hunter
2024-07-03 17:17 ` Harshit Mogalapalli
` (6 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Jon Hunter @ 2024-07-03 13:27 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie,
linux-tegra, stable
On Wed, 03 Jul 2024 12:35:36 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.162 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Jul 2024 10:28:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.162-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v5.15:
10 builds: 10 pass, 0 fail
26 boots: 26 pass, 0 fail
102 tests: 102 pass, 0 fail
Linux version: 5.15.162-rc1-gba1631e1a5cc
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra194-p3509-0000+p3668-0000,
tegra20-ventana, tegra210-p2371-2180,
tegra210-p3450-0000, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 067/356] selftests/mm: log a consistent test name for check_compaction
2024-07-03 12:52 ` Greg Kroah-Hartman
@ 2024-07-03 13:36 ` Mark Brown
2024-07-04 9:15 ` Greg Kroah-Hartman
0 siblings, 1 reply; 372+ messages in thread
From: Mark Brown @ 2024-07-03 13:36 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Muhammad Usama Anjum, Ryan Roberts, Shuah Khan,
Andrew Morton, Sasha Levin
[-- Attachment #1: Type: text/plain, Size: 1191 bytes --]
On Wed, Jul 03, 2024 at 02:52:14PM +0200, Greg Kroah-Hartman wrote:
> On Wed, Jul 03, 2024 at 01:02:18PM +0100, Mark Brown wrote:
> > On Wed, Jul 03, 2024 at 12:36:43PM +0200, Greg Kroah-Hartman wrote:
> > > Refactor the logging to use a consistent name when printing the result of
> > > the test, printing the existing messages as diagnostic information instead
> > > so they are still available for people trying to interpret the results.
> > I'm not convinced that this is a good stable candidate, it will change
> > the output people are seeing in their test environment which might be an
> > undesirable change.
> Did it change the output in a breaking way in the other stable trees and
> normal releases that happened with this commit in it?
Yes, it'd affect other releases - I didn't notice it going into other
stables (I tend to review the AUTOSEL stuff a lot more carefully than
things you send out since you normally only pick things that are Cc
stable but AUTOSEL has some wild stuff). The output tended to be stable
for a given test setup so it's likely that if you're just looking for
the same test results in a stable release you'd see these tests getting
renamed on you.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 000/356] 5.15.162-rc1 review
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2024-07-03 13:27 ` [PATCH 5.15 000/356] 5.15.162-rc1 review Jon Hunter
@ 2024-07-03 17:17 ` Harshit Mogalapalli
2024-07-03 17:50 ` Mark Brown
` (5 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Harshit Mogalapalli @ 2024-07-03 17:17 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie, Vegard Nossum, Darren Kenny
On 03/07/24 16:05, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.162 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Jul 2024 10:28:09 +0000.
> Anything received after that time might be too late.
>
Hi Greg,
No problems seen on x86_64 and aarch64 with our testing.
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Thanks,
Harshit
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.162-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 000/356] 5.15.162-rc1 review
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2024-07-03 17:17 ` Harshit Mogalapalli
@ 2024-07-03 17:50 ` Mark Brown
2024-07-03 18:08 ` Kelsey Steele
` (4 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Mark Brown @ 2024-07-03 17:50 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml
[-- Attachment #1: Type: text/plain, Size: 347 bytes --]
On Wed, Jul 03, 2024 at 12:35:36PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.162 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 000/356] 5.15.162-rc1 review
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2024-07-03 17:50 ` Mark Brown
@ 2024-07-03 18:08 ` Kelsey Steele
2024-07-03 23:00 ` Shuah Khan
` (3 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Kelsey Steele @ 2024-07-03 18:08 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
On Wed, Jul 03, 2024 at 12:35:36PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.162 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Jul 2024 10:28:09 +0000.
> Anything received after that time might be too late.
>
No regressions found on WSL (x86 and arm64).
Built, booted, and reviewed dmesg.
Thank you. :)
Tested-by: Kelsey Steele <kelseysteele@linux.microsoft.com>
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 000/356] 5.15.162-rc1 review
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2024-07-03 18:08 ` Kelsey Steele
@ 2024-07-03 23:00 ` Shuah Khan
2024-07-04 13:27 ` Naresh Kamboju
` (2 subsequent siblings)
363 siblings, 0 replies; 372+ messages in thread
From: Shuah Khan @ 2024-07-03 23:00 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie, Shuah Khan
On 7/3/24 04:35, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.162 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Jul 2024 10:28:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.162-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 255/356] x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node()
2024-07-03 12:53 ` Mike Rapoport
@ 2024-07-04 7:20 ` Greg Kroah-Hartman
0 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-04 7:20 UTC (permalink / raw)
To: Mike Rapoport
Cc: stable, patches, Narasimhan V, Jan Beulich, Borislav Petkov (AMD),
Paul E. McKenney, Sasha Levin
On Wed, Jul 03, 2024 at 03:53:18PM +0300, Mike Rapoport wrote:
> On Wed, Jul 03, 2024 at 12:39:51PM +0200, Greg Kroah-Hartman wrote:
> > 5.15-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Jan Beulich <jbeulich@suse.com>
> >
> > [ Upstream commit 3ac36aa7307363b7247ccb6f6a804e11496b2b36 ]
> >
> > memblock_set_node() warns about using MAX_NUMNODES, see
> >
> > e0eec24e2e19 ("memblock: make memblock_set_node() also warn about use of MAX_NUMNODES")
> >
> > for details.
>
> This commit was a fix for e0eec24e2e19, it's not needed for kernels before 6.8.
Thanks for the review, now dropped from all queues.
greg k-h
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 067/356] selftests/mm: log a consistent test name for check_compaction
2024-07-03 13:36 ` Mark Brown
@ 2024-07-04 9:15 ` Greg Kroah-Hartman
2024-07-04 9:19 ` Greg Kroah-Hartman
0 siblings, 1 reply; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-04 9:15 UTC (permalink / raw)
To: Mark Brown
Cc: stable, patches, Muhammad Usama Anjum, Ryan Roberts, Shuah Khan,
Andrew Morton, Sasha Levin
On Wed, Jul 03, 2024 at 02:36:56PM +0100, Mark Brown wrote:
> On Wed, Jul 03, 2024 at 02:52:14PM +0200, Greg Kroah-Hartman wrote:
> > On Wed, Jul 03, 2024 at 01:02:18PM +0100, Mark Brown wrote:
> > > On Wed, Jul 03, 2024 at 12:36:43PM +0200, Greg Kroah-Hartman wrote:
>
> > > > Refactor the logging to use a consistent name when printing the result of
> > > > the test, printing the existing messages as diagnostic information instead
> > > > so they are still available for people trying to interpret the results.
>
> > > I'm not convinced that this is a good stable candidate, it will change
> > > the output people are seeing in their test environment which might be an
> > > undesirable change.
>
> > Did it change the output in a breaking way in the other stable trees and
> > normal releases that happened with this commit in it?
>
> Yes, it'd affect other releases - I didn't notice it going into other
> stables (I tend to review the AUTOSEL stuff a lot more carefully than
> things you send out since you normally only pick things that are Cc
> stable but AUTOSEL has some wild stuff). The output tended to be stable
> for a given test setup so it's likely that if you're just looking for
> the same test results in a stable release you'd see these tests getting
> renamed on you.
This is here as a dependency of another change, let me see if I can
remove it and get the dependant patch still working...
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 067/356] selftests/mm: log a consistent test name for check_compaction
2024-07-04 9:15 ` Greg Kroah-Hartman
@ 2024-07-04 9:19 ` Greg Kroah-Hartman
0 siblings, 0 replies; 372+ messages in thread
From: Greg Kroah-Hartman @ 2024-07-04 9:19 UTC (permalink / raw)
To: Mark Brown
Cc: stable, patches, Muhammad Usama Anjum, Ryan Roberts, Shuah Khan,
Andrew Morton, Sasha Levin
On Thu, Jul 04, 2024 at 11:15:34AM +0200, Greg Kroah-Hartman wrote:
> On Wed, Jul 03, 2024 at 02:36:56PM +0100, Mark Brown wrote:
> > On Wed, Jul 03, 2024 at 02:52:14PM +0200, Greg Kroah-Hartman wrote:
> > > On Wed, Jul 03, 2024 at 01:02:18PM +0100, Mark Brown wrote:
> > > > On Wed, Jul 03, 2024 at 12:36:43PM +0200, Greg Kroah-Hartman wrote:
> >
> > > > > Refactor the logging to use a consistent name when printing the result of
> > > > > the test, printing the existing messages as diagnostic information instead
> > > > > so they are still available for people trying to interpret the results.
> >
> > > > I'm not convinced that this is a good stable candidate, it will change
> > > > the output people are seeing in their test environment which might be an
> > > > undesirable change.
> >
> > > Did it change the output in a breaking way in the other stable trees and
> > > normal releases that happened with this commit in it?
> >
> > Yes, it'd affect other releases - I didn't notice it going into other
> > stables (I tend to review the AUTOSEL stuff a lot more carefully than
> > things you send out since you normally only pick things that are Cc
> > stable but AUTOSEL has some wild stuff). The output tended to be stable
> > for a given test setup so it's likely that if you're just looking for
> > the same test results in a stable release you'd see these tests getting
> > renamed on you.
>
> This is here as a dependency of another change, let me see if I can
> remove it and get the dependant patch still working...
Got it working, now dropped, thanks.
greg k-h
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 000/356] 5.15.162-rc1 review
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2024-07-03 23:00 ` Shuah Khan
@ 2024-07-04 13:27 ` Naresh Kamboju
2024-07-04 14:43 ` Florian Fainelli
2024-07-05 5:50 ` Ron Economos
363 siblings, 0 replies; 372+ messages in thread
From: Naresh Kamboju @ 2024-07-04 13:27 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
On Wed, 3 Jul 2024 at 16:44, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.15.162 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Jul 2024 10:28:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.162-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build
* kernel: 5.15.162-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: ba1631e1a5ccf4fa69f692369f3f80f200b2678b
* git describe: v5.15.161-357-gba1631e1a5cc
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.15.y/build/v5.15.161-357-gba1631e1a5cc
## Test Regressions (compared to v5.15.161)
## Metric Regressions (compared to v5.15.161)
## Test Fixes (compared to v5.15.161)
## Metric Fixes (compared to v5.15.161)
## Test result summary
total: 132177, pass: 108849, fail: 2842, skip: 20352, xfail: 134
## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 102 total, 102 passed, 0 failed
* arm64: 29 total, 29 passed, 0 failed
* i386: 23 total, 23 passed, 0 failed
* mips: 22 total, 22 passed, 0 failed
* parisc: 3 total, 3 passed, 0 failed
* powerpc: 24 total, 24 passed, 0 failed
* riscv: 8 total, 8 passed, 0 failed
* s390: 9 total, 9 passed, 0 failed
* sh: 10 total, 10 passed, 0 failed
* sparc: 6 total, 6 passed, 0 failed
* x86_64: 25 total, 25 passed, 0 failed
## Test suites summary
* boot
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-efivarfs
* kselftest-exec
* kselftest-filesystems
* kselftest-filesystems-binderfs
* kselftest-filesystems-epoll
* kselftest-firmware
* kselftest-fpu
* kselftest-ftrace
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-kcmp
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-mincore
* kselftest-mqueue
* kselftest-net
* kselftest-net-mptcp
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-tc-testing
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-watchdog
* kselftest-x86
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-smoketest
* ltp-syscalls
* ltp-tracing
* perf
* rcutorture
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 000/356] 5.15.162-rc1 review
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2024-07-04 13:27 ` Naresh Kamboju
@ 2024-07-04 14:43 ` Florian Fainelli
2024-07-05 5:50 ` Ron Economos
363 siblings, 0 replies; 372+ messages in thread
From: Florian Fainelli @ 2024-07-04 14:43 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, allen.lkml, broonie
On 7/3/2024 11:35 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.162 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Jul 2024 10:28:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.162-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 372+ messages in thread
* Re: [PATCH 5.15 000/356] 5.15.162-rc1 review
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2024-07-04 14:43 ` Florian Fainelli
@ 2024-07-05 5:50 ` Ron Economos
363 siblings, 0 replies; 372+ messages in thread
From: Ron Economos @ 2024-07-05 5:50 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie
On 7/3/24 3:35 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.162 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Jul 2024 10:28:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.162-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 372+ messages in thread
end of thread, other threads:[~2024-07-05 5:50 UTC | newest]
Thread overview: 372+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-03 10:35 [PATCH 5.15 000/356] 5.15.162-rc1 review Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 001/356] wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 002/356] wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 003/356] wifi: cfg80211: Lock wiphy in cfg80211_get_station Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 004/356] wifi: cfg80211: pmsr: use correct nla_get_uX functions Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 005/356] wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 006/356] wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 007/356] wifi: iwlwifi: mvm: check n_ssids before accessing the ssids Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 008/356] wifi: iwlwifi: mvm: dont read past the mfuart notifcation Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 009/356] wifi: mac80211: correctly parse Spatial Reuse Parameter Set element Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 010/356] net/ncsi: Simplify Kconfig/dts control flow Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 011/356] net/ncsi: Fix the multi thread manner of NCSI driver Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 012/356] ipv6: sr: block BH in seg6_output_core() and seg6_input_core() Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 013/356] bpf: Set run context for rawtp test_run callback Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 014/356] octeontx2-af: Always allocate PF entries from low prioriy zone Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 015/356] net: sched: sch_multiq: fix possible OOB write in multiq_tune() Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 016/356] vxlan: Fix regression when dropping packets due to invalid src addresses Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 017/356] tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 018/356] net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 019/356] ptp: Fix error message on failed pin verification Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 020/356] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 021/356] af_unix: Annodate data-races around sk->sk_state for writers Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 022/356] af_unix: Annotate data-race of sk->sk_state in unix_inq_len() Greg Kroah-Hartman
2024-07-03 10:35 ` [PATCH 5.15 023/356] af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 024/356] net: inline sock_prot_inuse_add() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 025/356] net: drop nopreempt requirement on sock_prot_inuse_add() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 026/356] af_unix: Annotate data-race of sk->sk_state in unix_stream_connect() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 027/356] af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 028/356] af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 029/356] af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 030/356] af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 031/356] af_unix: Use unix_recvq_full_lockless() in unix_stream_connect() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 032/356] af_unix: annotate lockless accesses to sk->sk_err Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 033/356] af_unix: Use skb_queue_empty_lockless() in unix_release_sock() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 034/356] af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 035/356] af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 036/356] ipv6: fix possible race in __fib6_drop_pcpu_from() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 037/356] usb: gadget: f_fs: use io_data->status consistently Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 038/356] usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 039/356] iio: accel: mxc4005: Reset chip on probe() and resume() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 040/356] drm/amd/display: Handle Y carry-over in VCP X.Y calculation Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 041/356] drm/amd/display: Clean up some inconsistent indenting Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 042/356] drm/amd/display: drop unnecessary NULL checks in debugfs Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 043/356] drm/amd/display: Fix incorrect DSC instance for MST Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 044/356] pvpanic: Keep single style across modules Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 045/356] pvpanic: Indentation fixes here and there Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 046/356] misc/pvpanic: deduplicate common code Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 047/356] misc/pvpanic-pci: register attributes via pci_driver Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 048/356] skbuff: introduce skb_pull_data Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 049/356] Bluetooth: hci_qca: mark OF related data as maybe unused Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 050/356] Bluetooth: btqca: use le32_to_cpu for ver.soc_id Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 051/356] Bluetooth: btqca: Add WCN3988 support Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 052/356] Bluetooth: qca: use switch case for soc type behavior Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 053/356] Bluetooth: qca: add support for QCA2066 Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 054/356] Bluetooth: qca: fix info leak when fetching fw build id Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 055/356] serial: sc16is7xx: replace hardcoded divisor value with BIT() macro Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 056/356] serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 057/356] x86/ibt,ftrace: Search for __fentry__ location Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 058/356] ftrace: Fix possible use-after-free issue in ftrace_location() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 059/356] mmc: davinci_mmc: Convert to platform remove callback returning void Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 060/356] mmc: davinci: Dont strip remove function when driver is builtin Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 061/356] i2c: add fwnode APIs Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 062/356] i2c: acpi: Unbind mux adapters before delete Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 063/356] cma: factor out minimum alignment requirement Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 064/356] mm/cma: drop incorrect alignment check in cma_init_reserved_mem Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 065/356] selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 066/356] selftests/mm: conform test to TAP format output Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 067/356] selftests/mm: log a consistent test name for check_compaction Greg Kroah-Hartman
2024-07-03 12:02 ` Mark Brown
2024-07-03 12:52 ` Greg Kroah-Hartman
2024-07-03 13:36 ` Mark Brown
2024-07-04 9:15 ` Greg Kroah-Hartman
2024-07-04 9:19 ` Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 068/356] selftests/mm: compaction_test: fix bogus test success on Aarch64 Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 069/356] wifi: ath10k: fix QCOM_RPROC_COMMON dependency Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 070/356] btrfs: fix leak of qgroup extent records after transaction abort Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 071/356] nilfs2: Remove check for PageError Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 072/356] nilfs2: return the mapped address from nilfs_get_page() Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 073/356] nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 074/356] USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 075/356] usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 076/356] mei: me: release irq in mei_me_pci_resume error path Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 077/356] jfs: xattr: fix buffer overflow for invalid xattr Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 078/356] xhci: Set correct transferred length for cancelled bulk transfers Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 079/356] xhci: Apply reset resume quirk to Etron EJ188 xHCI host Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 080/356] xhci: Handle TD clearing for multiple streams case Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 081/356] xhci: Apply broken streams quirk to Etron EJ188 xHCI host Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 082/356] scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory Greg Kroah-Hartman
2024-07-03 10:36 ` [PATCH 5.15 083/356] powerpc/uaccess: Fix build errors seen with GCC 13/14 Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 084/356] Input: try trimming too long modalias strings Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 085/356] clk: sifive: Do not register clkdevs for PRCI clocks Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 086/356] SUNRPC: return proper error from gss_wrap_req_priv Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 087/356] platform/x86: dell-smbios-base: Use sysfs_emit() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 088/356] platform/x86: dell-smbios: Fix wrong token data in sysfs Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 089/356] gpio: tqmx86: fix typo in Kconfig label Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 090/356] gpio: tqmx86: store IRQ trigger type and unmask status separately Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 091/356] HID: core: remove unnecessary WARN_ON() in implement() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 092/356] iommu/amd: Introduce pci segment structure Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 093/356] iommu/amd: Fix sysfs leak in iommu init Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 094/356] iommu: Return right value in iommu_sva_bind_device() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 095/356] HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 096/356] drm/vmwgfx: 3D disabled should not effect STDU memory limits Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 097/356] net: sfp: Always call `sfp_sm_mod_remove()` on remove Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 098/356] net: hns3: fix kernel crash problem in concurrent scenario Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 099/356] net: hns3: add cond_resched() to hns3 ring buffer init process Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 100/356] liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 101/356] drm/komeda: check for error-valued pointer Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 102/356] drm/bridge/panel: Fix runtime warning on panel bridge release Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 103/356] tcp: fix race in tcp_v6_syn_recv_sock() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 104/356] net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 105/356] Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 106/356] netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 107/356] net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 108/356] net/ipv6: Fix the RT cache flush via sysctl using a previous delay Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 109/356] ionic: fix use after netif_napi_del() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 110/356] af_unix: Read with MSG_PEEK loops if the first unread byte is OOB Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 111/356] iio: adc: ad9467: fix scan type sign Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 112/356] iio: dac: ad5592r: fix temperature channel scaling value Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 113/356] iio: imu: inv_icm42600: delete unneeded update watermark call Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 114/356] drivers: core: synchronize really_probe() and dev_uevent() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 115/356] drm/exynos/vidi: fix memory leak in .get_modes() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 116/356] drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 117/356] mptcp: ensure snd_una is properly initialized on connect Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 118/356] tracing/selftests: Fix kprobe event name test for .isra. functions Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 119/356] null_blk: Print correct max open zones limit in null_init_zoned_dev() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 120/356] sock_map: avoid race between sock_map_close and sk_psock_put Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 121/356] vmci: prevent speculation leaks by sanitizing event in event_deliver() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 122/356] spmi: hisi-spmi-controller: Do not override device identifier Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 123/356] knfsd: LOOKUP can return an illegal error value Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 124/356] fs/proc: fix softlockup in __read_vmcore Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 125/356] ocfs2: use coarse time for new created files Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 126/356] ocfs2: fix races between hole punching and AIO+DIO Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 127/356] PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 128/356] dmaengine: axi-dmac: fix possible race in remove() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 129/356] intel_th: pci: Add Granite Rapids support Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 130/356] intel_th: pci: Add Granite Rapids SOC support Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 131/356] intel_th: pci: Add Sapphire " Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 132/356] intel_th: pci: Add Meteor Lake-S support Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 133/356] intel_th: pci: Add Lunar Lake support Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 134/356] nilfs2: fix potential kernel bug due to lack of writeback flag waiting Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 135/356] tick/nohz_full: Dont abuse smp_call_function_single() in tick_setup_device() Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 136/356] scsi: mpi3mr: Fix ATA NCQ priority support Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 137/356] mm/huge_memory: dont unpoison huge_zero_folio Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 138/356] serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 139/356] hugetlb_encode.h: fix undefined behaviour (34 << 26) Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 140/356] mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 141/356] mptcp: pm: update add_addr counters after connect Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 142/356] kbuild: Remove support for Clangs ThinLTO caching Greg Kroah-Hartman
2024-07-03 10:37 ` [PATCH 5.15 143/356] greybus: Fix use-after-free bug in gb_interface_release due to race condition Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 144/356] usb-storage: alauda: Check whether the media is initialized Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 145/356] i2c: at91: Fix the functionality flags of the slave-only interface Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 146/356] i2c: designware: " Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 147/356] zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 148/356] Bluetooth: qca: Fix error code in qca_read_fw_build_info() Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 149/356] Bluetooth: qca: fix info leak when fetching board id Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 150/356] padata: Disable BH when taking works lock on MT path Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 151/356] crypto: hisilicon/sec - Fix memory leak for sec resource release Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 152/356] rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 153/356] rcutorture: Make stall-tasks directly exit when rcutorture tests end Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 154/356] rcutorture: Fix invalid context warning when enable srcu barrier testing Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 155/356] block/ioctl: prefer different overflow check Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 156/356] selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 157/356] selftests/bpf: Fix flaky test btf_map_in_map/lookup_update Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 158/356] batman-adv: bypass empty buckets in batadv_purge_orig_ref() Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 159/356] wifi: ath9k: work around memset overflow warning Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 160/356] af_packet: avoid a false positive warning in packet_setsockopt() Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 161/356] drop_monitor: replace spin_lock by raw_spin_lock Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 162/356] scsi: qedi: Fix crash while reading debugfs attribute Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 163/356] kselftest: arm64: Add a null pointer check Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 164/356] netpoll: Fix race condition in netpoll_owner_active Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 165/356] HID: Add quirk for Logitech Casa touchpad Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 166/356] ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 167/356] Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 168/356] drm/amd/display: Exit idle optimizations before HDCP execution Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 169/356] drm/lima: add mask irq callback to gp and pp Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 170/356] drm/lima: mask irqs in timeout path before hard reset Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 171/356] powerpc/pseries: Enforce hcall result buffer validity and size Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 172/356] powerpc/io: Avoid clang null pointer arithmetic warnings Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 173/356] power: supply: cros_usbpd: provide ID table for avoiding fallback match Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 174/356] iommu/arm-smmu-v3: Free MSIs in case of ENOMEM Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 175/356] f2fs: remove clear SB_INLINECRYPT flag in default_options Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 176/356] usb: misc: uss720: check for incompatible versions of the Belkin F5U002 Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 177/356] Avoid hw_desc array overrun in dw-axi-dmac Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 178/356] udf: udftime: prevent overflow in udf_disk_stamp_to_time() Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 179/356] PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 180/356] MIPS: Octeon: Add PCIe link status check Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 181/356] serial: imx: Introduce timeout when waiting on transmitter empty Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 182/356] serial: exar: adding missing CTI and Exar PCI ids Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 183/356] MIPS: Routerboard 532: Fix vendor retry check code Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 184/356] mips: bmips: BCM6358: make sure CBR is correctly set Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 185/356] tracing: Build event generation tests only as modules Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 186/356] cipso: fix total option length computation Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 187/356] netrom: Fix a memory leak in nr_heartbeat_expiry() Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 188/356] ipv6: prevent possible NULL deref in fib6_nh_init() Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 189/356] ipv6: prevent possible NULL dereference in rt6_probe() Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 190/356] xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 191/356] netns: Make get_net_ns() handle zero refcount net Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 192/356] qca_spi: Make interrupt remembering atomic Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 193/356] net/sched: act_api: rely on rcu in tcf_idr_check_alloc Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 194/356] net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 195/356] tipc: force a dst refcount before doing decryption Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 196/356] net/sched: act_ct: set net pointer when creating new nf_flow_table Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 197/356] sched: act_ct: add netns into the key of tcf_ct_flow_table Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 198/356] ptp: fix integer overflow in max_vclocks_store Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 199/356] net: stmmac: No need to calculate speed divider when offload is disabled Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 200/356] virtio_net: checksum offloading handling fix Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 201/356] octeontx2-pf: Add error handling to VLAN unoffload handling Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 202/356] netfilter: ipset: Fix suspicious rcu_dereference_protected() Greg Kroah-Hartman
2024-07-03 10:38 ` [PATCH 5.15 203/356] seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 204/356] bnxt_en: Restore PTP tx_avail count in case of skb_pad() error Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 205/356] net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 206/356] regulator: core: Fix modpost error "regulator_get_regmap" undefined Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 207/356] dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 208/356] dmaengine: ioat: switch from pci_ to dma_ API Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 209/356] dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting() Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 210/356] dmaengine: ioatdma: Fix leaking on version mismatch Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 211/356] dmaengine: ioat: use PCI core macros for PCIe Capability Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 212/356] dmaengine: ioatdma: Fix error path in ioat3_dma_probe() Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 213/356] dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 214/356] dmaengine: ioatdma: Fix missing kmem_cache_destroy() Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 215/356] regulator: bd71815: fix ramp values Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 216/356] ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 217/356] RDMA/mlx5: Add check for srq max_sge attribute Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 218/356] serial: stm32: rework RX over DMA Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 219/356] net: do not leave a dangling sk pointer, when socket creation fails Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 220/356] btrfs: retry block group reclaim without infinite loop Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 221/356] KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 222/356] ALSA: hda/realtek: Limit mic boost on N14AP7 Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 223/356] drm/i915/mso: using joiner is not possible with eDP MSO Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 224/356] drm/radeon: fix UBSAN warning in kv_dpm.c Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 225/356] gcov: add support for GCC 14 Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 226/356] kcov: dont lose track of remote references during softirqs Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 227/356] tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack() Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 228/356] i2c: ocores: set IACK bit after core is enabled Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 229/356] dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 230/356] arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 231/356] drm/amd/display: revert Exit idle optimizations before HDCP execution Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 232/356] perf: script: add raw|disasm arguments to --insn-trace option Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 233/356] perf script: Show also errors for " Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 234/356] ARM: dts: samsung: smdkv310: fix keypad no-autorepeat Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 235/356] ARM: dts: samsung: exynos4412-origen: " Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 236/356] ARM: dts: samsung: smdk4412: " Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 237/356] rtlwifi: rtl8192de: Style clean-ups Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 238/356] wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 239/356] pmdomain: ti-sci: Fix duplicate PD referrals Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 240/356] bcache: fix variable length array abuse in btree_iter Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 241/356] tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 242/356] x86/cpu/vfm: Add new macros to work with (vendor/family/model) values Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 243/356] x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 244/356] ksmbd: ignore trailing slashes in share paths Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 245/356] drm/i915/gt: Only kick the signal worker if theres been an update Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 246/356] drm/i915/gt: Disarm breadcrumbs if engines are already idle Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 247/356] Revert "kheaders: substituting --sort in archive creation" Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 248/356] kheaders: explicitly define file modes for archived headers Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 249/356] riscv: mm: init: try best to use IS_ENABLED(CONFIG_64BIT) instead of #ifdef Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 250/356] riscv: fix overlap of allocated page and PTR_ERR Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 251/356] perf/core: Fix missing wakeup when waiting for context reference Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 252/356] PCI: Add PCI_ERROR_RESPONSE and related definitions Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 253/356] x86/amd_nb: Check for invalid SMN reads Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 254/356] smb: client: fix deadlock in smb2_find_smb_tcon() Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 255/356] x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node() Greg Kroah-Hartman
2024-07-03 12:53 ` Mike Rapoport
2024-07-04 7:20 ` Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 256/356] ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 257/356] ACPI: x86: Force StorageD3Enable on more products Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 258/356] gve: Add RX context Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 259/356] gve: Clear napi->skb before dev_kfree_skb_any() Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 260/356] Input: ili210x - fix ili251x_read_touch_data() return value Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 261/356] pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 262/356] pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins Greg Kroah-Hartman
2024-07-03 10:39 ` [PATCH 5.15 263/356] pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 264/356] pinctrl: rockchip: use dedicated pinctrl type for RK3328 Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 265/356] pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 266/356] cifs: fix typo in module parameter enable_gcm_256 Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 267/356] drm/amdgpu: fix UBSAN warning in kv_dpm.c Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 268/356] net: mdio: add helpers to extract clause 45 regad and devad fields Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 269/356] net: stmmac: Assign configured channel value to EXTTS event Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 270/356] ASoC: fsl-asoc-card: set priv->pdev before using it Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 271/356] net: dsa: microchip: fix initial port flush problem Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 272/356] ibmvnic: Free any outstanding tx skbs during scrq reset Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 273/356] net: phy: micrel: add Microchip KSZ 9477 to the device table Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 274/356] xdp: Remove WARN() from __xdp_reg_mem_model() Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 275/356] tcp: Use BPF timeout setting for SYN ACK RTO Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 276/356] Fix race for duplicate reqsk on identical SYN Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 277/356] sparc: fix old compat_sys_select() Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 278/356] sparc: fix compat recv/recvfrom syscalls Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 279/356] parisc: use correct " Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 280/356] tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 281/356] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 282/356] tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 283/356] bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro() Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 284/356] drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 285/356] vduse: validate block features only with block devices Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 286/356] vduse: Temporarily fail if control queue feature requested Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 287/356] x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 288/356] mtd: partitions: redboot: Added conversion of operands to a larger type Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 289/356] bpf: Add a check for struct bpf_fib_lookup size Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 290/356] RDMA/restrack: Fix potential invalid address access Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 291/356] net/iucv: Avoid explicit cpumask var allocation on stack Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 292/356] net/dpaa2: " Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 293/356] crypto: ecdh - explicitly zeroize private_key Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 294/356] ALSA: emux: improve patch ioctl data validation Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 295/356] media: dvbdev: Initialize sbuf Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 296/356] soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 297/356] drm/radeon/radeon_display: Decrease the size of allocated memory Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 298/356] nvme: fixup comment for nvme RDMA Provider Type Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 299/356] drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 300/356] gpio: davinci: Validate the obtained number of IRQs Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 301/356] gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 302/356] x86: stop playing stack games in profile_pc() Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 303/356] parisc: use generic sys_fanotify_mark implementation Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 304/356] ocfs2: fix DIO failure due to insufficient transaction credits Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 305/356] mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 306/356] mmc: sdhci: Do not invert write-protect twice Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 307/356] mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 308/356] i2c: testunit: dont erase registers after STOP Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 309/356] i2c: testunit: discard write requests while old command is running Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 310/356] iio: adc: ad7266: Fix variable checking bug Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 311/356] iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 312/356] iio: chemical: bme680: Fix pressure value output Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 313/356] iio: chemical: bme680: Fix calibration data variable Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 314/356] iio: chemical: bme680: Fix overflows in compensate() functions Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 315/356] iio: chemical: bme680: Fix sensor data read operation Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 316/356] net: usb: ax88179_178a: improve link status logs Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 317/356] usb: gadget: printer: SS+ support Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 318/356] usb: gadget: printer: fix races against disable Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 319/356] usb: musb: da8xx: fix a resource leak in probe() Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 320/356] usb: atm: cxacru: fix endpoint checking in cxacru_bind() Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 321/356] usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 322/356] serial: 8250_omap: Implementation of Errata i2310 Greg Kroah-Hartman
2024-07-03 10:40 ` [PATCH 5.15 323/356] serial: imx: set receiver level before starting uart Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 324/356] tty: mcf: MCF54418 has 10 UARTS Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 325/356] net: can: j1939: Initialize unused data in j1939_send_one() Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 326/356] net: can: j1939: recover socket queue on CAN bus error during BAM transmission Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 327/356] net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 328/356] cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked() Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 329/356] kbuild: Install dtb files as 0644 in Makefile.dtbinst Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 330/356] sh: rework sync_file_range ABI Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 331/356] csky, hexagon: fix broken sys_sync_file_range Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 332/356] hexagon: fix fadvise64_64 calling conventions Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 333/356] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 334/356] drm/amdgpu: avoid using null object of framebuffer Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 335/356] drm/i915/gt: Fix potential UAF by revoke of fence registers Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 336/356] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 337/356] batman-adv: Dont accept TT entries for out-of-spec VIDs Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 338/356] ata: ahci: Clean up sysfs file on error Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 339/356] ata: libata-core: Fix double free " Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 340/356] ftruncate: pass a signed offset Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 341/356] syscalls: fix compat_sys_io_pgetevents_time64 usage Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 342/356] syscalls: fix sys_fanotify_mark prototype Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 343/356] pwm: stm32: Refuse too small period requests Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 344/356] nfs: Leave pages in the pagecache if readpage failed Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 345/356] ipv6: annotate some data-races around sk->sk_prot Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 346/356] ipv6: Fix data races " Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 347/356] tcp: Fix data races around icsk->icsk_af_ops Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 348/356] drivers: fix typo in firmware/efi/memmap.c Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 349/356] efi: Correct comment on efi_memmap_alloc Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 350/356] efi: memmap: Move manipulation routines into x86 arch tree Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 351/356] efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 352/356] efi/x86: Free EFI memory map only when installing a new one Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 353/356] KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 354/356] ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 355/356] arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E Greg Kroah-Hartman
2024-07-03 10:41 ` [PATCH 5.15 356/356] arm64: dts: rockchip: Add sound-dai-cells for RK3368 Greg Kroah-Hartman
2024-07-03 13:27 ` [PATCH 5.15 000/356] 5.15.162-rc1 review Jon Hunter
2024-07-03 17:17 ` Harshit Mogalapalli
2024-07-03 17:50 ` Mark Brown
2024-07-03 18:08 ` Kelsey Steele
2024-07-03 23:00 ` Shuah Khan
2024-07-04 13:27 ` Naresh Kamboju
2024-07-04 14:43 ` Florian Fainelli
2024-07-05 5:50 ` Ron Economos
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).