* [PATCH 6.1 001/150] irqchip/mbigen: Fix mbigen node address layout
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 002/150] platform/x86/intel/ifs: Gen2 Scan test support Greg Kroah-Hartman
` (151 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yipeng Zou, Thomas Gleixner,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yipeng Zou <zouyipeng@huawei.com>
[ Upstream commit 6be6cba9c4371d27f78d900ccfe34bb880d9ee20 ]
The mbigen interrupt chip has its per node registers located in a
contiguous region of page sized chunks. The code maps them into virtual
address space as a contiguous region and determines the address of a node
by using the node ID as index.
mbigen chip
|-----------------|------------|--------------|
mgn_node_0 mgn_node_1 ... mgn_node_i
|--------------| |--------------| |----------------------|
[0x0000, 0x0x0FFF] [0x1000, 0x1FFF] [i*0x1000, (i+1)*0x1000 - 1]
This works correctly up to 10 nodes, but then fails because the 11th's
array slot is used for the MGN_CLEAR registers.
mbigen chip
|-----------|--------|--------|---------------|--------|
mgn_node_0 mgn_node_1 ... mgn_clear_register ... mgn_node_i
|-----------------|
[0xA000, 0xAFFF]
Skip the MGN_CLEAR register space when calculating the offset for node IDs
greater than or equal to ten.
Fixes: a6c2f87b8820 ("irqchip/mbigen: Implement the mbigen irq chip operation functions")
Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/20240730014400.1751530-1-zouyipeng@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-mbigen.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/drivers/irqchip/irq-mbigen.c b/drivers/irqchip/irq-mbigen.c
index f3faf5c997706..23117a30c6275 100644
--- a/drivers/irqchip/irq-mbigen.c
+++ b/drivers/irqchip/irq-mbigen.c
@@ -64,6 +64,20 @@ struct mbigen_device {
void __iomem *base;
};
+static inline unsigned int get_mbigen_node_offset(unsigned int nid)
+{
+ unsigned int offset = nid * MBIGEN_NODE_OFFSET;
+
+ /*
+ * To avoid touched clear register in unexpected way, we need to directly
+ * skip clear register when access to more than 10 mbigen nodes.
+ */
+ if (nid >= (REG_MBIGEN_CLEAR_OFFSET / MBIGEN_NODE_OFFSET))
+ offset += MBIGEN_NODE_OFFSET;
+
+ return offset;
+}
+
static inline unsigned int get_mbigen_vec_reg(irq_hw_number_t hwirq)
{
unsigned int nid, pin;
@@ -72,8 +86,7 @@ static inline unsigned int get_mbigen_vec_reg(irq_hw_number_t hwirq)
nid = hwirq / IRQS_PER_MBIGEN_NODE + 1;
pin = hwirq % IRQS_PER_MBIGEN_NODE;
- return pin * 4 + nid * MBIGEN_NODE_OFFSET
- + REG_MBIGEN_VEC_OFFSET;
+ return pin * 4 + get_mbigen_node_offset(nid) + REG_MBIGEN_VEC_OFFSET;
}
static inline void get_mbigen_type_reg(irq_hw_number_t hwirq,
@@ -88,8 +101,7 @@ static inline void get_mbigen_type_reg(irq_hw_number_t hwirq,
*mask = 1 << (irq_ofst % 32);
ofst = irq_ofst / 32 * 4;
- *addr = ofst + nid * MBIGEN_NODE_OFFSET
- + REG_MBIGEN_TYPE_OFFSET;
+ *addr = ofst + get_mbigen_node_offset(nid) + REG_MBIGEN_TYPE_OFFSET;
}
static inline void get_mbigen_clear_reg(irq_hw_number_t hwirq,
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 002/150] platform/x86/intel/ifs: Gen2 Scan test support
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 001/150] irqchip/mbigen: Fix mbigen node address layout Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 003/150] platform/x86/intel/ifs: Initialize union ifs_status to zero Greg Kroah-Hartman
` (150 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jithu Joseph, Tony Luck,
Ilpo Järvinen, Pengfei Xu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jithu Joseph <jithu.joseph@intel.com>
[ Upstream commit 72b96ee29ed6f7670bbb180ba694816e33d361d1 ]
Width of chunk related bitfields is ACTIVATE_SCAN and SCAN_STATUS MSRs
are different in newer IFS generation compared to gen0.
Make changes to scan test flow such that MSRs are populated
appropriately based on the generation supported by hardware.
Account for the 8/16 bit MSR bitfield width differences between gen0 and
newer generations for the scan test trace event too.
Signed-off-by: Jithu Joseph <jithu.joseph@intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Link: https://lore.kernel.org/r/20231005195137.3117166-5-jithu.joseph@intel.com
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Stable-dep-of: 3114f77e9453 ("platform/x86/intel/ifs: Initialize union ifs_status to zero")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/ifs/ifs.h | 28 ++++++++++++++++++-----
drivers/platform/x86/intel/ifs/runtest.c | 29 ++++++++++++++++++------
include/trace/events/intel_ifs.h | 16 ++++++-------
3 files changed, 52 insertions(+), 21 deletions(-)
diff --git a/drivers/platform/x86/intel/ifs/ifs.h b/drivers/platform/x86/intel/ifs/ifs.h
index 73c8e91cf144d..1902a1722df1e 100644
--- a/drivers/platform/x86/intel/ifs/ifs.h
+++ b/drivers/platform/x86/intel/ifs/ifs.h
@@ -157,9 +157,17 @@ union ifs_chunks_auth_status {
union ifs_scan {
u64 data;
struct {
- u32 start :8;
- u32 stop :8;
- u32 rsvd :16;
+ union {
+ struct {
+ u8 start;
+ u8 stop;
+ u16 rsvd;
+ } gen0;
+ struct {
+ u16 start;
+ u16 stop;
+ } gen2;
+ };
u32 delay :31;
u32 sigmce :1;
};
@@ -169,9 +177,17 @@ union ifs_scan {
union ifs_status {
u64 data;
struct {
- u32 chunk_num :8;
- u32 chunk_stop_index :8;
- u32 rsvd1 :16;
+ union {
+ struct {
+ u8 chunk_num;
+ u8 chunk_stop_index;
+ u16 rsvd1;
+ } gen0;
+ struct {
+ u16 chunk_num;
+ u16 chunk_stop_index;
+ } gen2;
+ };
u32 error_code :8;
u32 rsvd2 :22;
u32 control_error :1;
diff --git a/drivers/platform/x86/intel/ifs/runtest.c b/drivers/platform/x86/intel/ifs/runtest.c
index b2ca2bb4501f6..d6bc2f0b61a34 100644
--- a/drivers/platform/x86/intel/ifs/runtest.c
+++ b/drivers/platform/x86/intel/ifs/runtest.c
@@ -169,21 +169,31 @@ static void ifs_test_core(int cpu, struct device *dev)
union ifs_status status;
unsigned long timeout;
struct ifs_data *ifsd;
+ int to_start, to_stop;
+ int status_chunk;
u64 msrvals[2];
int retries;
ifsd = ifs_get_data(dev);
- activate.rsvd = 0;
+ activate.gen0.rsvd = 0;
activate.delay = IFS_THREAD_WAIT;
activate.sigmce = 0;
- activate.start = 0;
- activate.stop = ifsd->valid_chunks - 1;
+ to_start = 0;
+ to_stop = ifsd->valid_chunks - 1;
+
+ if (ifsd->generation) {
+ activate.gen2.start = to_start;
+ activate.gen2.stop = to_stop;
+ } else {
+ activate.gen0.start = to_start;
+ activate.gen0.stop = to_stop;
+ }
timeout = jiffies + HZ / 2;
retries = MAX_IFS_RETRIES;
- while (activate.start <= activate.stop) {
+ while (to_start <= to_stop) {
if (time_after(jiffies, timeout)) {
status.error_code = IFS_SW_TIMEOUT;
break;
@@ -194,13 +204,14 @@ static void ifs_test_core(int cpu, struct device *dev)
status.data = msrvals[1];
- trace_ifs_status(cpu, activate, status);
+ trace_ifs_status(cpu, to_start, to_stop, status.data);
/* Some cases can be retried, give up for others */
if (!can_restart(status))
break;
- if (status.chunk_num == activate.start) {
+ status_chunk = ifsd->generation ? status.gen2.chunk_num : status.gen0.chunk_num;
+ if (status_chunk == to_start) {
/* Check for forward progress */
if (--retries == 0) {
if (status.error_code == IFS_NO_ERROR)
@@ -209,7 +220,11 @@ static void ifs_test_core(int cpu, struct device *dev)
}
} else {
retries = MAX_IFS_RETRIES;
- activate.start = status.chunk_num;
+ if (ifsd->generation)
+ activate.gen2.start = status_chunk;
+ else
+ activate.gen0.start = status_chunk;
+ to_start = status_chunk;
}
}
diff --git a/include/trace/events/intel_ifs.h b/include/trace/events/intel_ifs.h
index d7353024016cc..af0af3f1d9b7c 100644
--- a/include/trace/events/intel_ifs.h
+++ b/include/trace/events/intel_ifs.h
@@ -10,25 +10,25 @@
TRACE_EVENT(ifs_status,
- TP_PROTO(int cpu, union ifs_scan activate, union ifs_status status),
+ TP_PROTO(int cpu, int start, int stop, u64 status),
- TP_ARGS(cpu, activate, status),
+ TP_ARGS(cpu, start, stop, status),
TP_STRUCT__entry(
__field( u64, status )
__field( int, cpu )
- __field( u8, start )
- __field( u8, stop )
+ __field( u16, start )
+ __field( u16, stop )
),
TP_fast_assign(
__entry->cpu = cpu;
- __entry->start = activate.start;
- __entry->stop = activate.stop;
- __entry->status = status.data;
+ __entry->start = start;
+ __entry->stop = stop;
+ __entry->status = status;
),
- TP_printk("cpu: %d, start: %.2x, stop: %.2x, status: %llx",
+ TP_printk("cpu: %d, start: %.4x, stop: %.4x, status: %.16llx",
__entry->cpu,
__entry->start,
__entry->stop,
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 003/150] platform/x86/intel/ifs: Initialize union ifs_status to zero
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 001/150] irqchip/mbigen: Fix mbigen node address layout Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 002/150] platform/x86/intel/ifs: Gen2 Scan test support Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 004/150] jump_label: Fix the fix, brown paper bags galore Greg Kroah-Hartman
` (149 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Jithu Joseph,
Ashok Raj, Kuppuswamy Sathyanarayanan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
[ Upstream commit 3114f77e9453daa292ec0906f313a715c69b5943 ]
If the IFS scan test exits prematurely due to a timeout before
completing a single run, the union ifs_status remains uninitialized,
leading to incorrect test status reporting. To prevent this, always
initialize the union ifs_status to zero.
Fixes: 2b40e654b73a ("platform/x86/intel/ifs: Add scan test support")
Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Reviewed-by: Jithu Joseph <jithu.joseph@intel.com>
Reviewed-by: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Link: https://lore.kernel.org/r/20240730155930.1754744-1-sathyanarayanan.kuppuswamy@linux.intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/ifs/runtest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/ifs/runtest.c b/drivers/platform/x86/intel/ifs/runtest.c
index d6bc2f0b61a34..aeb6a3b7a8fd9 100644
--- a/drivers/platform/x86/intel/ifs/runtest.c
+++ b/drivers/platform/x86/intel/ifs/runtest.c
@@ -165,8 +165,8 @@ static int doscan(void *data)
*/
static void ifs_test_core(int cpu, struct device *dev)
{
+ union ifs_status status = {};
union ifs_scan activate;
- union ifs_status status;
unsigned long timeout;
struct ifs_data *ifsd;
int to_start, to_stop;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 004/150] jump_label: Fix the fix, brown paper bags galore
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 003/150] platform/x86/intel/ifs: Initialize union ifs_status to zero Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 005/150] x86/mm: Fix pti_clone_pgtable() alignment assumption Greg Kroah-Hartman
` (148 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong,
Peter Zijlstra (Intel), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 224fa3552029a3d14bec7acf72ded8171d551b88 ]
Per the example of:
!atomic_cmpxchg(&key->enabled, 0, 1)
the inverse was written as:
atomic_cmpxchg(&key->enabled, 1, 0)
except of course, that while !old is only true for old == 0, old is
true for everything except old == 0.
Fix it to read:
atomic_cmpxchg(&key->enabled, 1, 0) == 1
such that only the 1->0 transition returns true and goes on to disable
the keys.
Fixes: 83ab38ef0a0b ("jump_label: Fix concurrency issues in static_key_slow_dec()")
Reported-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Darrick J. Wong <djwong@kernel.org>
Link: https://lkml.kernel.org/r/20240731105557.GY33588@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/jump_label.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/jump_label.c b/kernel/jump_label.c
index eec802175ccc6..1ed269b2c4035 100644
--- a/kernel/jump_label.c
+++ b/kernel/jump_label.c
@@ -231,7 +231,7 @@ void static_key_disable_cpuslocked(struct static_key *key)
}
jump_label_lock();
- if (atomic_cmpxchg(&key->enabled, 1, 0))
+ if (atomic_cmpxchg(&key->enabled, 1, 0) == 1)
jump_label_update(key);
jump_label_unlock();
}
@@ -284,7 +284,7 @@ static void __static_key_slow_dec_cpuslocked(struct static_key *key)
return;
guard(mutex)(&jump_label_mutex);
- if (atomic_cmpxchg(&key->enabled, 1, 0))
+ if (atomic_cmpxchg(&key->enabled, 1, 0) == 1)
jump_label_update(key);
else
WARN_ON_ONCE(!static_key_slow_try_dec(key));
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 005/150] x86/mm: Fix pti_clone_pgtable() alignment assumption
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 004/150] jump_label: Fix the fix, brown paper bags galore Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 006/150] x86/mm: Fix pti_clone_entry_text() for i386 Greg Kroah-Hartman
` (147 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Thomas Gleixner,
Peter Zijlstra (Intel), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 41e71dbb0e0a0fe214545fe64af031303a08524c ]
Guenter reported dodgy crashes on an i386-nosmp build using GCC-11
that had the form of endless traps until entry stack exhaust and then
#DF from the stack guard.
It turned out that pti_clone_pgtable() had alignment assumptions on
the start address, notably it hard assumes start is PMD aligned. This
is true on x86_64, but very much not true on i386.
These assumptions can cause the end condition to malfunction, leading
to a 'short' clone. Guess what happens when the user mapping has a
short copy of the entry text?
Use the correct increment form for addr to avoid alignment
assumptions.
Fixes: 16a3fe634f6a ("x86/mm/pti: Clone kernel-image on PTE level for 32 bit")
Reported-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20240731163105.GG33588@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/mm/pti.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
index 78414c6d1b5ed..2c4037174ed22 100644
--- a/arch/x86/mm/pti.c
+++ b/arch/x86/mm/pti.c
@@ -374,14 +374,14 @@ pti_clone_pgtable(unsigned long start, unsigned long end,
*/
*target_pmd = *pmd;
- addr += PMD_SIZE;
+ addr = round_up(addr + 1, PMD_SIZE);
} else if (level == PTI_CLONE_PTE) {
/* Walk the page-table down to the pte level */
pte = pte_offset_kernel(pmd, addr);
if (pte_none(*pte)) {
- addr += PAGE_SIZE;
+ addr = round_up(addr + 1, PAGE_SIZE);
continue;
}
@@ -401,7 +401,7 @@ pti_clone_pgtable(unsigned long start, unsigned long end,
/* Clone the PTE */
*target_pte = *pte;
- addr += PAGE_SIZE;
+ addr = round_up(addr + 1, PAGE_SIZE);
} else {
BUG();
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 006/150] x86/mm: Fix pti_clone_entry_text() for i386
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 005/150] x86/mm: Fix pti_clone_pgtable() alignment assumption Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 007/150] sctp: Fix null-ptr-deref in reuseport_add_sock() Greg Kroah-Hartman
` (146 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 3db03fb4995ef85fc41e86262ead7b4852f4bcf0 ]
While x86_64 has PMD aligned text sections, i386 does not have this
luxery. Notably ALIGN_ENTRY_TEXT_END is empty and _etext has PAGE
alignment.
This means that text on i386 can be page granular at the tail end,
which in turn means that the PTI text clones should consistently
account for this.
Make pti_clone_entry_text() consistent with pti_clone_kernel_text().
Fixes: 16a3fe634f6a ("x86/mm/pti: Clone kernel-image on PTE level for 32 bit")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/mm/pti.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
index 2c4037174ed22..7b804c34c0201 100644
--- a/arch/x86/mm/pti.c
+++ b/arch/x86/mm/pti.c
@@ -496,7 +496,7 @@ static void pti_clone_entry_text(void)
{
pti_clone_pgtable((unsigned long) __entry_text_start,
(unsigned long) __entry_text_end,
- PTI_CLONE_PMD);
+ PTI_LEVEL_KERNEL_IMAGE);
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 007/150] sctp: Fix null-ptr-deref in reuseport_add_sock().
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 006/150] x86/mm: Fix pti_clone_entry_text() for i386 Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 008/150] net: usb: qmi_wwan: fix memory leak for not ip packets Greg Kroah-Hartman
` (145 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e6979a5d2f10ecb700e4,
Kuniyuki Iwashima, Xin Long, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 9ab0faa7f9ffe31296dbb9bbe6f76c72c14eea18 ]
syzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in
reuseport_add_sock(). [0]
The repro first creates a listener with SO_REUSEPORT. Then, it creates
another listener on the same port and concurrently closes the first
listener.
The second listen() calls reuseport_add_sock() with the first listener as
sk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently,
but the close() does clear it by reuseport_detach_sock().
The problem is SCTP does not properly synchronise reuseport_alloc(),
reuseport_add_sock(), and reuseport_detach_sock().
The caller of reuseport_alloc() and reuseport_{add,detach}_sock() must
provide synchronisation for sockets that are classified into the same
reuseport group.
Otherwise, such sockets form multiple identical reuseport groups, and
all groups except one would be silently dead.
1. Two sockets call listen() concurrently
2. No socket in the same group found in sctp_ep_hashtable[]
3. Two sockets call reuseport_alloc() and form two reuseport groups
4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives
incoming packets
Also, the reported null-ptr-deref could occur.
TCP/UDP guarantees that would not happen by holding the hash bucket lock.
Let's apply the locking strategy to __sctp_hash_endpoint() and
__sctp_unhash_endpoint().
[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350
Code: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14
RSP: 0018:ffffc9000b947c98 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012
RBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385
R10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__sctp_hash_endpoint net/sctp/input.c:762 [inline]
sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790
sctp_listen_start net/sctp/socket.c:8570 [inline]
sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625
__sys_listen_socket net/socket.c:1883 [inline]
__sys_listen+0x1b7/0x230 net/socket.c:1894
__do_sys_listen net/socket.c:1902 [inline]
__se_sys_listen net/socket.c:1900 [inline]
__x64_sys_listen+0x5a/0x70 net/socket.c:1900
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f24e46039b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032
RAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9
RDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004
RBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0
R10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c
R13: 00007f24e465a5dc R14: 0020000000000001 R15: 00007ffcced5f7d8
</TASK>
Modules linked in:
Fixes: 6ba845740267 ("sctp: process sk_reuseport in sctp_get_port_local")
Reported-by: syzbot+e6979a5d2f10ecb700e4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e6979a5d2f10ecb700e4
Tested-by: syzbot+e6979a5d2f10ecb700e4@syzkaller.appspotmail.com
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20240731234624.94055-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/input.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 4f43afa8678f9..4ee9374dcfb92 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -748,15 +748,19 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep)
struct sock *sk = ep->base.sk;
struct net *net = sock_net(sk);
struct sctp_hashbucket *head;
+ int err = 0;
ep->hashent = sctp_ep_hashfn(net, ep->base.bind_addr.port);
head = &sctp_ep_hashtable[ep->hashent];
+ write_lock(&head->lock);
if (sk->sk_reuseport) {
bool any = sctp_is_ep_boundall(sk);
struct sctp_endpoint *ep2;
struct list_head *list;
- int cnt = 0, err = 1;
+ int cnt = 0;
+
+ err = 1;
list_for_each(list, &ep->base.bind_addr.address_list)
cnt++;
@@ -774,24 +778,24 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep)
if (!err) {
err = reuseport_add_sock(sk, sk2, any);
if (err)
- return err;
+ goto out;
break;
} else if (err < 0) {
- return err;
+ goto out;
}
}
if (err) {
err = reuseport_alloc(sk, any);
if (err)
- return err;
+ goto out;
}
}
- write_lock(&head->lock);
hlist_add_head(&ep->node, &head->chain);
+out:
write_unlock(&head->lock);
- return 0;
+ return err;
}
/* Add an endpoint to the hash. Local BH-safe. */
@@ -816,10 +820,9 @@ static void __sctp_unhash_endpoint(struct sctp_endpoint *ep)
head = &sctp_ep_hashtable[ep->hashent];
+ write_lock(&head->lock);
if (rcu_access_pointer(sk->sk_reuseport_cb))
reuseport_detach_sock(sk);
-
- write_lock(&head->lock);
hlist_del_init(&ep->node);
write_unlock(&head->lock);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 008/150] net: usb: qmi_wwan: fix memory leak for not ip packets
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 007/150] sctp: Fix null-ptr-deref in reuseport_add_sock() Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 009/150] net: bridge: mcast: wait for previous gc cycles when removing port Greg Kroah-Hartman
` (144 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniele Palmas, Bjørn Mork,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniele Palmas <dnlplm@gmail.com>
[ Upstream commit 7ab107544b777c3bd7feb9fe447367d8edd5b202 ]
Free the unused skb when not ip packets arrive.
Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Acked-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 46e0e1f1c20e0..ee0ea3d0f50ee 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -200,6 +200,7 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
break;
default:
/* not ip - do not know what to do */
+ kfree_skb(skbn);
goto skip;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 009/150] net: bridge: mcast: wait for previous gc cycles when removing port
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 008/150] net: usb: qmi_wwan: fix memory leak for not ip packets Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 010/150] net: linkwatch: use system_unbound_wq Greg Kroah-Hartman
` (143 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+263426984509be19c9a0,
Nikolay Aleksandrov, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Aleksandrov <razor@blackwall.org>
[ Upstream commit 92c4ee25208d0f35dafc3213cdf355fbe449e078 ]
syzbot hit a use-after-free[1] which is caused because the bridge doesn't
make sure that all previous garbage has been collected when removing a
port. What happens is:
CPU 1 CPU 2
start gc cycle remove port
acquire gc lock first
wait for lock
call br_multicasg_gc() directly
acquire lock now but free port
the port can be freed
while grp timers still
running
Make sure all previous gc cycles have finished by using flush_work before
freeing the port.
[1]
BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699
CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1843 [inline]
__run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
__run_timer_base kernel/time/timer.c:2428 [inline]
__run_timer_base kernel/time/timer.c:2421 [inline]
run_timer_base+0x111/0x190 kernel/time/timer.c:2437
Reported-by: syzbot+263426984509be19c9a0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=263426984509be19c9a0
Fixes: e12cec65b554 ("net: bridge: mcast: destroy all entries via gc")
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20240802080730.3206303-1-razor@blackwall.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_multicast.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 9765f9f9bf7ff..3cd2b648408d6 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1890,16 +1890,14 @@ void br_multicast_del_port(struct net_bridge_port *port)
{
struct net_bridge *br = port->br;
struct net_bridge_port_group *pg;
- HLIST_HEAD(deleted_head);
struct hlist_node *n;
/* Take care of the remaining groups, only perm ones should be left */
spin_lock_bh(&br->multicast_lock);
hlist_for_each_entry_safe(pg, n, &port->mglist, mglist)
br_multicast_find_del_pg(br, pg);
- hlist_move_list(&br->mcast_gc_list, &deleted_head);
spin_unlock_bh(&br->multicast_lock);
- br_multicast_gc(&deleted_head);
+ flush_work(&br->mcast_gc_work);
br_multicast_port_ctx_deinit(&port->multicast_ctx);
free_percpu(port->mcast_stats);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 010/150] net: linkwatch: use system_unbound_wq
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 009/150] net: bridge: mcast: wait for previous gc cycles when removing port Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 011/150] Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() Greg Kroah-Hartman
` (142 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 3e7917c0cdad835a5121520fc5686d954b7a61ab ]
linkwatch_event() grabs possibly very contended RTNL mutex.
system_wq is not suitable for such work.
Inspired by many noisy syzbot reports.
3 locks held by kworker/0:7/5266:
#0: ffff888015480948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3206 [inline]
#0: ffff888015480948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3312
#1: ffffc90003f6fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3207 [inline]
, at: process_scheduled_works+0x945/0x1830 kernel/workqueue.c:3312
#2: ffffffff8fa6f208 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:276
Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20240805085821.1616528-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/link_watch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/link_watch.c b/net/core/link_watch.c
index 13513efcfbfe8..cdabced98b116 100644
--- a/net/core/link_watch.c
+++ b/net/core/link_watch.c
@@ -139,9 +139,9 @@ static void linkwatch_schedule_work(int urgent)
* override the existing timer.
*/
if (test_bit(LW_URGENT, &linkwatch_flags))
- mod_delayed_work(system_wq, &linkwatch_work, 0);
+ mod_delayed_work(system_unbound_wq, &linkwatch_work, 0);
else
- schedule_delayed_work(&linkwatch_work, delay);
+ queue_delayed_work(system_unbound_wq, &linkwatch_work, delay);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 011/150] Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 010/150] net: linkwatch: use system_unbound_wq Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 012/150] Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor Greg Kroah-Hartman
` (141 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+45ac74737e866894acb0,
Dmitry Antipov, Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit c531e63871c0b50c8c4e62c048535a08886fba3e ]
Add missing call to 'l2cap_chan_unlock()' on receive error handling
path in 'l2cap_conless_channel()'.
Fixes: a24cce144b98 ("Bluetooth: Fix reference counting of global L2CAP channels")
Reported-by: syzbot+45ac74737e866894acb0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=45ac74737e866894acb0
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 98dabbbe42938..209c6d458d336 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7811,6 +7811,7 @@ static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
bt_cb(skb)->l2cap.psm = psm;
if (!chan->ops->recv(chan, skb)) {
+ l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
return;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 012/150] Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 011/150] Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 013/150] net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register() Greg Kroah-Hartman
` (140 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anton Khirnov,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Khirnov <anton@khirnov.net>
[ Upstream commit b5431dc2803ac159d6d4645ae237d15c3cb252db ]
This restores behaviour (including the comment) from now-removed
hci_request.c, and also matches existing code for active scanning.
Without this, the duplicates filter is always active when passive
scanning, which makes it impossible to work with devices that send
nontrivial dynamic data in their advertisement reports.
Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY")
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sync.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 320fc1e6dff2a..3d6a22812b498 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -2880,6 +2880,20 @@ static int hci_passive_scan_sync(struct hci_dev *hdev)
} else if (hci_is_adv_monitoring(hdev)) {
window = hdev->le_scan_window_adv_monitor;
interval = hdev->le_scan_int_adv_monitor;
+
+ /* Disable duplicates filter when scanning for advertisement
+ * monitor for the following reasons.
+ *
+ * For HW pattern filtering (ex. MSFT), Realtek and Qualcomm
+ * controllers ignore RSSI_Sampling_Period when the duplicates
+ * filter is enabled.
+ *
+ * For SW pattern filtering, when we're not doing interleaved
+ * scanning, it is necessary to disable duplicates filter,
+ * otherwise hosts can only receive one advertisement and it's
+ * impossible to know if a peer is still in range.
+ */
+ filter_dups = LE_SCAN_FILTER_DUP_DISABLE;
} else {
window = hdev->le_scan_window;
interval = hdev->le_scan_interval;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 013/150] net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 012/150] Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 014/150] l2tp: fix lockdep splat Greg Kroah-Hartman
` (139 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Hattori, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit e3862093ee93fcfbdadcb7957f5f8974fffa806a ]
bcm_sf2_mdio_register() calls of_phy_find_device() and then
phy_device_remove() in a loop to remove existing PHY devices.
of_phy_find_device() eventually calls bus_find_device(), which calls
get_device() on the returned struct device * to increment the refcount.
The current implementation does not decrement the refcount, which causes
memory leak.
This commit adds the missing phy_device_free() call to decrement the
refcount via put_device() to balance the refcount.
Fixes: 771089c2a485 ("net: dsa: bcm_sf2: Ensure that MDIO diversion is used")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20240806011327.3817861-1-joe@pf.is.s.u-tokyo.ac.jp
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/bcm_sf2.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
index cd1f240c90f39..257df16768750 100644
--- a/drivers/net/dsa/bcm_sf2.c
+++ b/drivers/net/dsa/bcm_sf2.c
@@ -678,8 +678,10 @@ static int bcm_sf2_mdio_register(struct dsa_switch *ds)
of_remove_property(child, prop);
phydev = of_phy_find_device(child);
- if (phydev)
+ if (phydev) {
phy_device_remove(phydev);
+ phy_device_free(phydev);
+ }
}
err = mdiobus_register(priv->slave_mii_bus);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 014/150] l2tp: fix lockdep splat
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 013/150] net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register() Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 015/150] net: fec: Stop PPS on driver remove Greg Kroah-Hartman
` (138 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet,
syzbot+6acef9e0a4d1f46c83d4, gnault, cong.wang, James Chapman,
Tom Parkin, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Chapman <jchapman@katalix.com>
[ Upstream commit 86a41ea9fd79ddb6145cb8ebf5aeafceabca6f7d ]
When l2tp tunnels use a socket provided by userspace, we can hit
lockdep splats like the below when data is transmitted through another
(unrelated) userspace socket which then gets routed over l2tp.
This issue was previously discussed here:
https://lore.kernel.org/netdev/87sfialu2n.fsf@cloudflare.com/
The solution is to have lockdep treat socket locks of l2tp tunnel
sockets separately than those of standard INET sockets. To do so, use
a different lockdep subclass where lock nesting is possible.
============================================
WARNING: possible recursive locking detected
6.10.0+ #34 Not tainted
--------------------------------------------
iperf3/771 is trying to acquire lock:
ffff8881027601d8 (slock-AF_INET/1){+.-.}-{2:2}, at: l2tp_xmit_skb+0x243/0x9d0
but task is already holding lock:
ffff888102650d98 (slock-AF_INET/1){+.-.}-{2:2}, at: tcp_v4_rcv+0x1848/0x1e10
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(slock-AF_INET/1);
lock(slock-AF_INET/1);
*** DEADLOCK ***
May be due to missing lock nesting notation
10 locks held by iperf3/771:
#0: ffff888102650258 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x1a/0x40
#1: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: __ip_queue_xmit+0x4b/0xbc0
#2: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x17a/0x1130
#3: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: process_backlog+0x28b/0x9f0
#4: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: ip_local_deliver_finish+0xf9/0x260
#5: ffff888102650d98 (slock-AF_INET/1){+.-.}-{2:2}, at: tcp_v4_rcv+0x1848/0x1e10
#6: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: __ip_queue_xmit+0x4b/0xbc0
#7: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x17a/0x1130
#8: ffffffff822ac1e0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0xcc/0x1450
#9: ffff888101f33258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_queue_xmit+0x513/0x1450
stack backtrace:
CPU: 2 UID: 0 PID: 771 Comm: iperf3 Not tainted 6.10.0+ #34
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x69/0xa0
dump_stack+0xc/0x20
__lock_acquire+0x135d/0x2600
? srso_alias_return_thunk+0x5/0xfbef5
lock_acquire+0xc4/0x2a0
? l2tp_xmit_skb+0x243/0x9d0
? __skb_checksum+0xa3/0x540
_raw_spin_lock_nested+0x35/0x50
? l2tp_xmit_skb+0x243/0x9d0
l2tp_xmit_skb+0x243/0x9d0
l2tp_eth_dev_xmit+0x3c/0xc0
dev_hard_start_xmit+0x11e/0x420
sch_direct_xmit+0xc3/0x640
__dev_queue_xmit+0x61c/0x1450
? ip_finish_output2+0xf4c/0x1130
ip_finish_output2+0x6b6/0x1130
? srso_alias_return_thunk+0x5/0xfbef5
? __ip_finish_output+0x217/0x380
? srso_alias_return_thunk+0x5/0xfbef5
__ip_finish_output+0x217/0x380
ip_output+0x99/0x120
__ip_queue_xmit+0xae4/0xbc0
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? tcp_options_write.constprop.0+0xcb/0x3e0
ip_queue_xmit+0x34/0x40
__tcp_transmit_skb+0x1625/0x1890
__tcp_send_ack+0x1b8/0x340
tcp_send_ack+0x23/0x30
__tcp_ack_snd_check+0xa8/0x530
? srso_alias_return_thunk+0x5/0xfbef5
tcp_rcv_established+0x412/0xd70
tcp_v4_do_rcv+0x299/0x420
tcp_v4_rcv+0x1991/0x1e10
ip_protocol_deliver_rcu+0x50/0x220
ip_local_deliver_finish+0x158/0x260
ip_local_deliver+0xc8/0xe0
ip_rcv+0xe5/0x1d0
? __pfx_ip_rcv+0x10/0x10
__netif_receive_skb_one_core+0xce/0xe0
? process_backlog+0x28b/0x9f0
__netif_receive_skb+0x34/0xd0
? process_backlog+0x28b/0x9f0
process_backlog+0x2cb/0x9f0
__napi_poll.constprop.0+0x61/0x280
net_rx_action+0x332/0x670
? srso_alias_return_thunk+0x5/0xfbef5
? find_held_lock+0x2b/0x80
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
handle_softirqs+0xda/0x480
? __dev_queue_xmit+0xa2c/0x1450
do_softirq+0xa1/0xd0
</IRQ>
<TASK>
__local_bh_enable_ip+0xc8/0xe0
? __dev_queue_xmit+0xa2c/0x1450
__dev_queue_xmit+0xa48/0x1450
? ip_finish_output2+0xf4c/0x1130
ip_finish_output2+0x6b6/0x1130
? srso_alias_return_thunk+0x5/0xfbef5
? __ip_finish_output+0x217/0x380
? srso_alias_return_thunk+0x5/0xfbef5
__ip_finish_output+0x217/0x380
ip_output+0x99/0x120
__ip_queue_xmit+0xae4/0xbc0
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? tcp_options_write.constprop.0+0xcb/0x3e0
ip_queue_xmit+0x34/0x40
__tcp_transmit_skb+0x1625/0x1890
tcp_write_xmit+0x766/0x2fb0
? __entry_text_end+0x102ba9/0x102bad
? srso_alias_return_thunk+0x5/0xfbef5
? __might_fault+0x74/0xc0
? srso_alias_return_thunk+0x5/0xfbef5
__tcp_push_pending_frames+0x56/0x190
tcp_push+0x117/0x310
tcp_sendmsg_locked+0x14c1/0x1740
tcp_sendmsg+0x28/0x40
inet_sendmsg+0x5d/0x90
sock_write_iter+0x242/0x2b0
vfs_write+0x68d/0x800
? __pfx_sock_write_iter+0x10/0x10
ksys_write+0xc8/0xf0
__x64_sys_write+0x3d/0x50
x64_sys_call+0xfaf/0x1f50
do_syscall_64+0x6d/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f4d143af992
Code: c3 8b 07 85 c0 75 24 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> e9 01 cc ff ff 41 54 b8 02 00 00 0
RSP: 002b:00007ffd65032058 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f4d143af992
RDX: 0000000000000025 RSI: 00007f4d143f3bcc RDI: 0000000000000005
RBP: 00007f4d143f2b28 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4d143f3bcc
R13: 0000000000000005 R14: 0000000000000000 R15: 00007ffd650323f0
</TASK>
Fixes: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()")
Suggested-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+6acef9e0a4d1f46c83d4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6acef9e0a4d1f46c83d4
CC: gnault@redhat.com
CC: cong.wang@bytedance.com
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: Tom Parkin <tparkin@katalix.com>
Link: https://patch.msgid.link/20240806160626.1248317-1-jchapman@katalix.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/l2tp/l2tp_core.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 8d21ff25f1602..70da78ab95202 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -88,6 +88,11 @@
/* Default trace flags */
#define L2TP_DEFAULT_DEBUG_FLAGS 0
+#define L2TP_DEPTH_NESTING 2
+#if L2TP_DEPTH_NESTING == SINGLE_DEPTH_NESTING
+#error "L2TP requires its own lockdep subclass"
+#endif
+
/* Private data stored for received packets in the skb.
*/
struct l2tp_skb_cb {
@@ -1041,7 +1046,13 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns
IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | IPSKB_REROUTED);
nf_reset_ct(skb);
- bh_lock_sock_nested(sk);
+ /* L2TP uses its own lockdep subclass to avoid lockdep splats caused by
+ * nested socket calls on the same lockdep socket class. This can
+ * happen when data from a user socket is routed over l2tp, which uses
+ * another userspace socket.
+ */
+ spin_lock_nested(&sk->sk_lock.slock, L2TP_DEPTH_NESTING);
+
if (sock_owned_by_user(sk)) {
kfree_skb(skb);
ret = NET_XMIT_DROP;
@@ -1093,7 +1104,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns
ret = l2tp_xmit_queue(tunnel, skb, &inet->cork.fl);
out_unlock:
- bh_unlock_sock(sk);
+ spin_unlock(&sk->sk_lock.slock);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 015/150] net: fec: Stop PPS on driver remove
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 014/150] l2tp: fix lockdep splat Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 016/150] rcutorture: Fix rcu_torture_fwd_cb_cr() data race Greg Kroah-Hartman
` (137 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabio Estevam, =20Bence?=,
Andrew Lunn, Frank Li, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Csókás, Bence <csokas.bence@prolan.hu>
[ Upstream commit 8fee6d5ad5fa18c270eedb2a2cdf58dbadefb94b ]
PPS was not stopped in `fec_ptp_stop()`, called when
the adapter was removed. Consequentially, you couldn't
safely reload the driver with the PPS signal on.
Fixes: 32cba57ba74b ("net: fec: introduce fec_ptp_stop and use in probe fail path")
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Link: https://lore.kernel.org/netdev/CAOMZO5BzcZR8PwKKwBssQq_wAGzVgf1ffwe_nhpQJjviTdxy-w@mail.gmail.com/T/#m01dcb810bfc451a492140f6797ca77443d0cb79f
Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20240807080956.2556602-1-csokas.bence@prolan.hu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec_ptp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
index e0393dc159fc7..37d83ff5b30be 100644
--- a/drivers/net/ethernet/freescale/fec_ptp.c
+++ b/drivers/net/ethernet/freescale/fec_ptp.c
@@ -635,6 +635,9 @@ void fec_ptp_stop(struct platform_device *pdev)
struct net_device *ndev = platform_get_drvdata(pdev);
struct fec_enet_private *fep = netdev_priv(ndev);
+ if (fep->pps_enable)
+ fec_ptp_enable_pps(fep, 0);
+
cancel_delayed_work_sync(&fep->time_keep);
if (fep->ptp_clock)
ptp_clock_unregister(fep->ptp_clock);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 016/150] rcutorture: Fix rcu_torture_fwd_cb_cr() data race
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 015/150] net: fec: Stop PPS on driver remove Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 017/150] md: do not delete safemode_timer in mddev_suspend Greg Kroah-Hartman
` (136 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul E. McKenney, Marco Elver,
Andrey Konovalov, kasan-dev, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
[ Upstream commit 6040072f4774a575fa67b912efe7722874be337b ]
On powerpc systems, spinlock acquisition does not order prior stores
against later loads. This means that this statement:
rfcp->rfc_next = NULL;
Can be reordered to follow this statement:
WRITE_ONCE(*rfcpp, rfcp);
Which is then a data race with rcu_torture_fwd_prog_cr(), specifically,
this statement:
rfcpn = READ_ONCE(rfcp->rfc_next)
KCSAN located this data race, which represents a real failure on powerpc.
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Acked-by: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: <kasan-dev@googlegroups.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/rcutorture.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index 8c45df910763a..c14517912cfaa 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -2547,7 +2547,7 @@ static void rcu_torture_fwd_cb_cr(struct rcu_head *rhp)
spin_lock_irqsave(&rfp->rcu_fwd_lock, flags);
rfcpp = rfp->rcu_fwd_cb_tail;
rfp->rcu_fwd_cb_tail = &rfcp->rfc_next;
- WRITE_ONCE(*rfcpp, rfcp);
+ smp_store_release(rfcpp, rfcp);
WRITE_ONCE(rfp->n_launders_cb, rfp->n_launders_cb + 1);
i = ((jiffies - rfp->rcu_fwd_startat) / (HZ / FWD_CBS_HIST_DIV));
if (i >= ARRAY_SIZE(rfp->n_launders_hist))
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 017/150] md: do not delete safemode_timer in mddev_suspend
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 016/150] rcutorture: Fix rcu_torture_fwd_cb_cr() data race Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 018/150] md/raid5: avoid BUG_ON() while continue reshape after reassembling Greg Kroah-Hartman
` (135 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Nan, Yu Kuai, Song Liu,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Nan <linan122@huawei.com>
[ Upstream commit a8768a134518e406d41799a3594aeb74e0889cf7 ]
The deletion of safemode_timer in mddev_suspend() is redundant and
potentially harmful now. If timer is about to be woken up but gets
deleted, 'in_sync' will remain 0 until the next write, causing array
to stay in the 'active' state instead of transitioning to 'clean'.
Commit 0d9f4f135eb6 ("MD: Add del_timer_sync to mddev_suspend (fix
nasty panic))" introduced this deletion for dm, because if timer fired
after dm is destroyed, the resource which the timer depends on might
have been freed.
However, commit 0dd84b319352 ("md: call __md_stop_writes in md_stop")
added __md_stop_writes() to md_stop(), which is called before freeing
resource. Timer is deleted in __md_stop_writes(), and the origin issue
is resolved. Therefore, delete safemode_timer can be removed safely now.
Signed-off-by: Li Nan <linan122@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20240508092053.1447930-1-linan666@huaweicloud.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 7dc1c42accccd..b87c6ef0da8ab 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -489,7 +489,6 @@ void mddev_suspend(struct mddev *mddev)
clear_bit_unlock(MD_ALLOW_SB_UPDATE, &mddev->flags);
wait_event(mddev->sb_wait, !test_bit(MD_UPDATING_SB, &mddev->flags));
- del_timer_sync(&mddev->safemode_timer);
/* restrict memory reclaim I/O during raid array is suspend */
mddev->noio_flag = memalloc_noio_save();
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 018/150] md/raid5: avoid BUG_ON() while continue reshape after reassembling
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 017/150] md: do not delete safemode_timer in mddev_suspend Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 019/150] block: change rq_integrity_vec to respect the iterator Greg Kroah-Hartman
` (134 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu Kuai, Song Liu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
[ Upstream commit 305a5170dc5cf3d395bb4c4e9239bca6d0b54b49 ]
Currently, mdadm support --revert-reshape to abort the reshape while
reassembling, as the test 07revert-grow. However, following BUG_ON()
can be triggerred by the test:
kernel BUG at drivers/md/raid5.c:6278!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
irq event stamp: 158985
CPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94
RIP: 0010:reshape_request+0x3f1/0xe60
Call Trace:
<TASK>
raid5_sync_request+0x43d/0x550
md_do_sync+0xb7a/0x2110
md_thread+0x294/0x2b0
kthread+0x147/0x1c0
ret_from_fork+0x59/0x70
ret_from_fork_asm+0x1a/0x30
</TASK>
Root cause is that --revert-reshape update the raid_disks from 5 to 4,
while reshape position is still set, and after reassembling the array,
reshape position will be read from super block, then during reshape the
checking of 'writepos' that is caculated by old reshape position will
fail.
Fix this panic the easy way first, by converting the BUG_ON() to
WARN_ON(), and stop the reshape if checkings fail.
Noted that mdadm must fix --revert-shape as well, and probably md/raid
should enhance metadata validation as well, however this means
reassemble will fail and there must be user tools to fix the wrong
metadata.
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20240611132251.1967786-13-yukuai1@huaweicloud.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/raid5.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index ed99b449d8fd4..4315dabd32023 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -6316,7 +6316,9 @@ static sector_t reshape_request(struct mddev *mddev, sector_t sector_nr, int *sk
safepos = conf->reshape_safe;
sector_div(safepos, data_disks);
if (mddev->reshape_backwards) {
- BUG_ON(writepos < reshape_sectors);
+ if (WARN_ON(writepos < reshape_sectors))
+ return MaxSector;
+
writepos -= reshape_sectors;
readpos += reshape_sectors;
safepos += reshape_sectors;
@@ -6334,14 +6336,18 @@ static sector_t reshape_request(struct mddev *mddev, sector_t sector_nr, int *sk
* to set 'stripe_addr' which is where we will write to.
*/
if (mddev->reshape_backwards) {
- BUG_ON(conf->reshape_progress == 0);
+ if (WARN_ON(conf->reshape_progress == 0))
+ return MaxSector;
+
stripe_addr = writepos;
- BUG_ON((mddev->dev_sectors &
- ~((sector_t)reshape_sectors - 1))
- - reshape_sectors - stripe_addr
- != sector_nr);
+ if (WARN_ON((mddev->dev_sectors &
+ ~((sector_t)reshape_sectors - 1)) -
+ reshape_sectors - stripe_addr != sector_nr))
+ return MaxSector;
} else {
- BUG_ON(writepos != sector_nr + reshape_sectors);
+ if (WARN_ON(writepos != sector_nr + reshape_sectors))
+ return MaxSector;
+
stripe_addr = sector_nr;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 019/150] block: change rq_integrity_vec to respect the iterator
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 018/150] md/raid5: avoid BUG_ON() while continue reshape after reassembling Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 020/150] rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation Greg Kroah-Hartman
` (133 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Anuj Gupta,
Kanchan Joshi, Christoph Hellwig, Jens Axboe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
[ Upstream commit cf546dd289e0f6d2594c25e2fb4e19ee67c6d988 ]
If we allocate a bio that is larger than NVMe maximum request size,
attach integrity metadata to it and send it to the NVMe subsystem, the
integrity metadata will be corrupted.
Splitting the bio works correctly. The function bio_split will clone the
bio, trim the iterator of the first bio and advance the iterator of the
second bio.
However, the function rq_integrity_vec has a bug - it returns the first
vector of the bio's metadata and completely disregards the metadata
iterator that was advanced when the bio was split. Thus, the second bio
uses the same metadata as the first bio and this leads to metadata
corruption.
This commit changes rq_integrity_vec, so that it calls mp_bvec_iter_bvec
instead of returning the first vector. mp_bvec_iter_bvec reads the
iterator and uses it to build a bvec for the current position in the
iterator.
The "queue_max_integrity_segments(rq->q) > 1" check was removed, because
the updated rq_integrity_vec function works correctly with multiple
segments.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Anuj Gupta <anuj20.g@samsung.com>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/49d1afaa-f934-6ed2-a678-e0d428c63a65@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 6 +++---
include/linux/blk-integrity.h | 14 +++++++-------
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 27446fa847526..6f648b58cbd4d 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -873,9 +873,9 @@ static blk_status_t nvme_map_metadata(struct nvme_dev *dev, struct request *req,
struct nvme_command *cmnd)
{
struct nvme_iod *iod = blk_mq_rq_to_pdu(req);
+ struct bio_vec bv = rq_integrity_vec(req);
- iod->meta_dma = dma_map_bvec(dev->dev, rq_integrity_vec(req),
- rq_dma_dir(req), 0);
+ iod->meta_dma = dma_map_bvec(dev->dev, &bv, rq_dma_dir(req), 0);
if (dma_mapping_error(dev->dev, iod->meta_dma))
return BLK_STS_IOERR;
cmnd->rw.metadata = cpu_to_le64(iod->meta_dma);
@@ -1016,7 +1016,7 @@ static __always_inline void nvme_pci_unmap_rq(struct request *req)
struct nvme_iod *iod = blk_mq_rq_to_pdu(req);
dma_unmap_page(dev->dev, iod->meta_dma,
- rq_integrity_vec(req)->bv_len, rq_dma_dir(req));
+ rq_integrity_vec(req).bv_len, rq_dma_dir(req));
}
if (blk_rq_nr_phys_segments(req))
diff --git a/include/linux/blk-integrity.h b/include/linux/blk-integrity.h
index 378b2459efe2d..69f73d0546118 100644
--- a/include/linux/blk-integrity.h
+++ b/include/linux/blk-integrity.h
@@ -105,14 +105,13 @@ static inline bool blk_integrity_rq(struct request *rq)
}
/*
- * Return the first bvec that contains integrity data. Only drivers that are
- * limited to a single integrity segment should use this helper.
+ * Return the current bvec that contains the integrity data. bip_iter may be
+ * advanced to iterate over the integrity data.
*/
-static inline struct bio_vec *rq_integrity_vec(struct request *rq)
+static inline struct bio_vec rq_integrity_vec(struct request *rq)
{
- if (WARN_ON_ONCE(queue_max_integrity_segments(rq->q) > 1))
- return NULL;
- return rq->bio->bi_integrity->bip_vec;
+ return mp_bvec_iter_bvec(rq->bio->bi_integrity->bip_vec,
+ rq->bio->bi_integrity->bip_iter);
}
#else /* CONFIG_BLK_DEV_INTEGRITY */
static inline int blk_rq_count_integrity_sg(struct request_queue *q,
@@ -178,7 +177,8 @@ static inline int blk_integrity_rq(struct request *rq)
static inline struct bio_vec *rq_integrity_vec(struct request *rq)
{
- return NULL;
+ /* the optimizer will remove all calls to this function */
+ return (struct bio_vec){ };
}
#endif /* CONFIG_BLK_DEV_INTEGRITY */
#endif /* _LINUX_BLK_INTEGRITY_H */
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 020/150] rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 019/150] block: change rq_integrity_vec to respect the iterator Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 021/150] clocksource/drivers/sh_cmt: Address race condition for clock events Greg Kroah-Hartman
` (132 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frederic Weisbecker,
Paul E. McKenney, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frederic Weisbecker <frederic@kernel.org>
[ Upstream commit 55d4669ef1b76823083caecfab12a8bd2ccdcf64 ]
When rcu_barrier() calls rcu_rdp_cpu_online() and observes a CPU off
rnp->qsmaskinitnext, it means that all accesses from the offline CPU
preceding the CPUHP_TEARDOWN_CPU are visible to RCU barrier, including
callbacks expiration and counter updates.
However interrupts can still fire after stop_machine() re-enables
interrupts and before rcutree_report_cpu_dead(). The related accesses
happening between CPUHP_TEARDOWN_CPU and rnp->qsmaskinitnext clearing
are _NOT_ guaranteed to be seen by rcu_barrier() without proper
ordering, especially when callbacks are invoked there to the end, making
rcutree_migrate_callback() bypass barrier_lock.
The following theoretical race example can make rcu_barrier() hang:
CPU 0 CPU 1
----- -----
//cpu_down()
smpboot_park_threads()
//ksoftirqd is parked now
<IRQ>
rcu_sched_clock_irq()
invoke_rcu_core()
do_softirq()
rcu_core()
rcu_do_batch()
// callback storm
// rcu_do_batch() returns
// before completing all
// of them
// do_softirq also returns early because of
// timeout. It defers to ksoftirqd but
// it's parked
</IRQ>
stop_machine()
take_cpu_down()
rcu_barrier()
spin_lock(barrier_lock)
// observes rcu_segcblist_n_cbs(&rdp->cblist) != 0
<IRQ>
do_softirq()
rcu_core()
rcu_do_batch()
//completes all pending callbacks
//smp_mb() implied _after_ callback number dec
</IRQ>
rcutree_report_cpu_dead()
rnp->qsmaskinitnext &= ~rdp->grpmask;
rcutree_migrate_callback()
// no callback, early return without locking
// barrier_lock
//observes !rcu_rdp_cpu_online(rdp)
rcu_barrier_entrain()
rcu_segcblist_entrain()
// Observe rcu_segcblist_n_cbs(rsclp) == 0
// because no barrier between reading
// rnp->qsmaskinitnext and rsclp->len
rcu_segcblist_add_len()
smp_mb__before_atomic()
// will now observe the 0 count and empty
// list, but too late, we enqueue regardless
WRITE_ONCE(rsclp->len, rsclp->len + v);
// ignored barrier callback
// rcu barrier stall...
This could be solved with a read memory barrier, enforcing the message
passing between rnp->qsmaskinitnext and rsclp->len, matching the full
memory barrier after rsclp->len addition in rcu_segcblist_add_len()
performed at the end of rcu_do_batch().
However the rcu_barrier() is complicated enough and probably doesn't
need too many more subtleties. CPU down is a slowpath and the
barrier_lock seldom contended. Solve the issue with unconditionally
locking the barrier_lock on rcutree_migrate_callbacks(). This makes sure
that either rcu_barrier() sees the empty queue or its entrained
callback will be migrated.
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/tree.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
index 61f9503a5fe9c..cd6144cea5a1a 100644
--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -4391,11 +4391,15 @@ void rcutree_migrate_callbacks(int cpu)
struct rcu_data *rdp = per_cpu_ptr(&rcu_data, cpu);
bool needwake;
- if (rcu_rdp_is_offloaded(rdp) ||
- rcu_segcblist_empty(&rdp->cblist))
- return; /* No callbacks to migrate. */
+ if (rcu_rdp_is_offloaded(rdp))
+ return;
raw_spin_lock_irqsave(&rcu_state.barrier_lock, flags);
+ if (rcu_segcblist_empty(&rdp->cblist)) {
+ raw_spin_unlock_irqrestore(&rcu_state.barrier_lock, flags);
+ return; /* No callbacks to migrate. */
+ }
+
WARN_ON_ONCE(rcu_rdp_cpu_online(rdp));
rcu_barrier_entrain(rdp);
my_rdp = this_cpu_ptr(&rcu_data);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 021/150] clocksource/drivers/sh_cmt: Address race condition for clock events
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 020/150] rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 022/150] ACPI: battery: create alarm sysfs attribute atomically Greg Kroah-Hartman
` (131 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Söderlund,
Daniel Lezcano, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
[ Upstream commit db19d3aa77612983a02bd223b3f273f896b243cf ]
There is a race condition in the CMT interrupt handler. In the interrupt
handler the driver sets a driver private flag, FLAG_IRQCONTEXT. This
flag is used to indicate any call to set_next_event() should not be
directly propagated to the device, but instead cached. This is done as
the interrupt handler itself reprograms the device when needed before it
completes and this avoids this operation to take place twice.
It is unclear why this design was chosen, my suspicion is to allow the
struct clock_event_device.event_handler callback, which is called while
the FLAG_IRQCONTEXT is set, can update the next event without having to
write to the device twice.
Unfortunately there is a race between when the FLAG_IRQCONTEXT flag is
set and later cleared where the interrupt handler have already started to
write the next event to the device. If set_next_event() is called in
this window the value is only cached in the driver but not written. This
leads to the board to misbehave, or worse lockup and produce a splat.
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 0-...!: (0 ticks this GP) idle=f5e0/0/0x0 softirq=519/519 fqs=0 (false positive?)
rcu: (detected by 1, t=6502 jiffies, g=-595, q=77 ncpus=2)
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.10.0-rc5-arm64-renesas-00019-g74a6f86eaf1c-dirty #20
Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : tick_check_broadcast_expired+0xc/0x40
lr : cpu_idle_poll.isra.0+0x8c/0x168
sp : ffff800081c63d70
x29: ffff800081c63d70 x28: 00000000580000c8 x27: 00000000bfee5610
x26: 0000000000000027 x25: 0000000000000000 x24: 0000000000000000
x23: ffff00007fbb9100 x22: ffff8000818f1008 x21: ffff8000800ef07c
x20: ffff800081c79ec0 x19: ffff800081c70c28 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffc2c717d8
x14: 0000000000000000 x13: ffff000009c18080 x12: ffff8000825f7fc0
x11: 0000000000000000 x10: ffff8000818f3cd4 x9 : 0000000000000028
x8 : ffff800081c79ec0 x7 : ffff800081c73000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : ffff7ffffe286000 x3 : 0000000000000000
x2 : ffff7ffffe286000 x1 : ffff800082972900 x0 : ffff8000818f1008
Call trace:
tick_check_broadcast_expired+0xc/0x40
do_idle+0x9c/0x280
cpu_startup_entry+0x34/0x40
kernel_init+0x0/0x11c
do_one_initcall+0x0/0x260
__primary_switched+0x80/0x88
rcu: rcu_preempt kthread timer wakeup didn't happen for 6501 jiffies! g-595 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402
rcu: Possible timer handling issue on cpu=0 timer-softirq=262
rcu: rcu_preempt kthread starved for 6502 jiffies! g-595 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=0
rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt state:I stack:0 pid:15 tgid:15 ppid:2 flags:0x00000008
Call trace:
__switch_to+0xbc/0x100
__schedule+0x358/0xbe0
schedule+0x48/0x148
schedule_timeout+0xc4/0x138
rcu_gp_fqs_loop+0x12c/0x764
rcu_gp_kthread+0x208/0x298
kthread+0x10c/0x110
ret_from_fork+0x10/0x20
The design have been part of the driver since it was first merged in
early 2009. It becomes increasingly harder to trigger the issue the
older kernel version one tries. It only takes a few boots on v6.10-rc5,
while hundreds of boots are needed to trigger it on v5.10.
Close the race condition by using the CMT channel lock for the two
competing sections. The channel lock was added to the driver after its
initial design.
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Link: https://lore.kernel.org/r/20240702190230.3825292-1-niklas.soderlund+renesas@ragnatech.se
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/sh_cmt.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/clocksource/sh_cmt.c b/drivers/clocksource/sh_cmt.c
index 7b952aa52c0b9..7a2b83157bf5f 100644
--- a/drivers/clocksource/sh_cmt.c
+++ b/drivers/clocksource/sh_cmt.c
@@ -529,6 +529,7 @@ static void sh_cmt_set_next(struct sh_cmt_channel *ch, unsigned long delta)
static irqreturn_t sh_cmt_interrupt(int irq, void *dev_id)
{
struct sh_cmt_channel *ch = dev_id;
+ unsigned long flags;
/* clear flags */
sh_cmt_write_cmcsr(ch, sh_cmt_read_cmcsr(ch) &
@@ -559,6 +560,8 @@ static irqreturn_t sh_cmt_interrupt(int irq, void *dev_id)
ch->flags &= ~FLAG_SKIPEVENT;
+ raw_spin_lock_irqsave(&ch->lock, flags);
+
if (ch->flags & FLAG_REPROGRAM) {
ch->flags &= ~FLAG_REPROGRAM;
sh_cmt_clock_event_program_verify(ch, 1);
@@ -571,6 +574,8 @@ static irqreturn_t sh_cmt_interrupt(int irq, void *dev_id)
ch->flags &= ~FLAG_IRQCONTEXT;
+ raw_spin_unlock_irqrestore(&ch->lock, flags);
+
return IRQ_HANDLED;
}
@@ -781,12 +786,18 @@ static int sh_cmt_clock_event_next(unsigned long delta,
struct clock_event_device *ced)
{
struct sh_cmt_channel *ch = ced_to_sh_cmt(ced);
+ unsigned long flags;
BUG_ON(!clockevent_state_oneshot(ced));
+
+ raw_spin_lock_irqsave(&ch->lock, flags);
+
if (likely(ch->flags & FLAG_IRQCONTEXT))
ch->next_match_value = delta - 1;
else
- sh_cmt_set_next(ch, delta - 1);
+ __sh_cmt_set_next(ch, delta - 1);
+
+ raw_spin_unlock_irqrestore(&ch->lock, flags);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 022/150] ACPI: battery: create alarm sysfs attribute atomically
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 021/150] clocksource/drivers/sh_cmt: Address race condition for clock events Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 023/150] ACPI: SBS: manage alarm sysfs attribute through psy core Greg Kroah-Hartman
` (130 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Rafael J. Wysocki, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit a231eed10ed5a290129fda36ad7bcc263c53ff7d ]
Let the power supply core register the attribute.
This ensures that the attribute is created before the device is
announced to userspace, avoid a race condition.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/battery.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
index 084f156bdfbc4..088740fdea355 100644
--- a/drivers/acpi/battery.c
+++ b/drivers/acpi/battery.c
@@ -667,12 +667,18 @@ static ssize_t acpi_battery_alarm_store(struct device *dev,
return count;
}
-static const struct device_attribute alarm_attr = {
+static struct device_attribute alarm_attr = {
.attr = {.name = "alarm", .mode = 0644},
.show = acpi_battery_alarm_show,
.store = acpi_battery_alarm_store,
};
+static struct attribute *acpi_battery_attrs[] = {
+ &alarm_attr.attr,
+ NULL
+};
+ATTRIBUTE_GROUPS(acpi_battery);
+
/*
* The Battery Hooking API
*
@@ -809,7 +815,10 @@ static void __exit battery_hook_exit(void)
static int sysfs_add_battery(struct acpi_battery *battery)
{
- struct power_supply_config psy_cfg = { .drv_data = battery, };
+ struct power_supply_config psy_cfg = {
+ .drv_data = battery,
+ .attr_grp = acpi_battery_groups,
+ };
bool full_cap_broken = false;
if (!ACPI_BATTERY_CAPACITY_VALID(battery->full_charge_capacity) &&
@@ -854,7 +863,7 @@ static int sysfs_add_battery(struct acpi_battery *battery)
return result;
}
battery_hook_add_battery(battery);
- return device_create_file(&battery->bat->dev, &alarm_attr);
+ return 0;
}
static void sysfs_remove_battery(struct acpi_battery *battery)
@@ -865,7 +874,6 @@ static void sysfs_remove_battery(struct acpi_battery *battery)
return;
}
battery_hook_remove_battery(battery);
- device_remove_file(&battery->bat->dev, &alarm_attr);
power_supply_unregister(battery->bat);
battery->bat = NULL;
mutex_unlock(&battery->sysfs_lock);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 023/150] ACPI: SBS: manage alarm sysfs attribute through psy core
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 022/150] ACPI: battery: create alarm sysfs attribute atomically Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 024/150] wifi: nl80211: disallow setting special AP channel widths Greg Kroah-Hartman
` (129 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Rafael J. Wysocki, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit 6bad28cfc30988a845fb3f59a99f4b8a4ce8fe95 ]
Let the power supply core register the attribute.
This ensures that the attribute is created before the device is
announced to userspace, avoiding a race condition.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/sbs.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
index e6a01a8df1b81..7c0eba1a37d87 100644
--- a/drivers/acpi/sbs.c
+++ b/drivers/acpi/sbs.c
@@ -77,7 +77,6 @@ struct acpi_battery {
u16 spec;
u8 id;
u8 present:1;
- u8 have_sysfs_alarm:1;
};
#define to_acpi_battery(x) power_supply_get_drvdata(x)
@@ -462,12 +461,18 @@ static ssize_t acpi_battery_alarm_store(struct device *dev,
return count;
}
-static const struct device_attribute alarm_attr = {
+static struct device_attribute alarm_attr = {
.attr = {.name = "alarm", .mode = 0644},
.show = acpi_battery_alarm_show,
.store = acpi_battery_alarm_store,
};
+static struct attribute *acpi_battery_attrs[] = {
+ &alarm_attr.attr,
+ NULL
+};
+ATTRIBUTE_GROUPS(acpi_battery);
+
/* --------------------------------------------------------------------------
Driver Interface
-------------------------------------------------------------------------- */
@@ -509,7 +514,10 @@ static int acpi_battery_read(struct acpi_battery *battery)
static int acpi_battery_add(struct acpi_sbs *sbs, int id)
{
struct acpi_battery *battery = &sbs->battery[id];
- struct power_supply_config psy_cfg = { .drv_data = battery, };
+ struct power_supply_config psy_cfg = {
+ .drv_data = battery,
+ .attr_grp = acpi_battery_groups,
+ };
int result;
battery->id = id;
@@ -539,10 +547,6 @@ static int acpi_battery_add(struct acpi_sbs *sbs, int id)
goto end;
}
- result = device_create_file(&battery->bat->dev, &alarm_attr);
- if (result)
- goto end;
- battery->have_sysfs_alarm = 1;
end:
pr_info("%s [%s]: Battery Slot [%s] (battery %s)\n",
ACPI_SBS_DEVICE_NAME, acpi_device_bid(sbs->device),
@@ -554,11 +558,8 @@ static void acpi_battery_remove(struct acpi_sbs *sbs, int id)
{
struct acpi_battery *battery = &sbs->battery[id];
- if (battery->bat) {
- if (battery->have_sysfs_alarm)
- device_remove_file(&battery->bat->dev, &alarm_attr);
+ if (battery->bat)
power_supply_unregister(battery->bat);
- }
}
static int acpi_charger_add(struct acpi_sbs *sbs)
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 024/150] wifi: nl80211: disallow setting special AP channel widths
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 023/150] ACPI: SBS: manage alarm sysfs attribute through psy core Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 025/150] net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink Greg Kroah-Hartman
` (128 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+bc0f5b92cc7091f45fb6,
Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 23daf1b4c91db9b26f8425cc7039cf96d22ccbfe ]
Setting the AP channel width is meant for use with the normal
20/40/... MHz channel width progression, and switching around
in S1G or narrow channels isn't supported. Disallow that.
Reported-by: syzbot+bc0f5b92cc7091f45fb6@syzkaller.appspotmail.com
Link: https://msgid.link/20240515141600.d4a9590bfe32.I19a32d60097e81b527eafe6b0924f6c5fbb2dc45@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/nl80211.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index a00df7b89ca86..603fcd921bd22 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3346,6 +3346,33 @@ static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
if (chandef.chan != cur_chan)
return -EBUSY;
+ /* only allow this for regular channel widths */
+ switch (wdev->links[link_id].ap.chandef.width) {
+ case NL80211_CHAN_WIDTH_20_NOHT:
+ case NL80211_CHAN_WIDTH_20:
+ case NL80211_CHAN_WIDTH_40:
+ case NL80211_CHAN_WIDTH_80:
+ case NL80211_CHAN_WIDTH_80P80:
+ case NL80211_CHAN_WIDTH_160:
+ case NL80211_CHAN_WIDTH_320:
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ switch (chandef.width) {
+ case NL80211_CHAN_WIDTH_20_NOHT:
+ case NL80211_CHAN_WIDTH_20:
+ case NL80211_CHAN_WIDTH_40:
+ case NL80211_CHAN_WIDTH_80:
+ case NL80211_CHAN_WIDTH_80P80:
+ case NL80211_CHAN_WIDTH_160:
+ case NL80211_CHAN_WIDTH_320:
+ break;
+ default:
+ return -EINVAL;
+ }
+
result = rdev_set_ap_chanwidth(rdev, dev, link_id,
&chandef);
if (result)
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 025/150] net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 024/150] wifi: nl80211: disallow setting special AP channel widths Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 026/150] selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT Greg Kroah-Hartman
` (127 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Tariq Toukan,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dragos Tatulea <dtatulea@nvidia.com>
[ Upstream commit fba8334721e266f92079632598e46e5f89082f30 ]
When all the strides in a WQE have been consumed, the WQE is unlinked
from the WQ linked list (mlx5_wq_ll_pop()). For SHAMPO, it is possible
to receive CQEs with 0 consumed strides for the same WQE even after the
WQE is fully consumed and unlinked. This triggers an additional unlink
for the same wqe which corrupts the linked list.
Fix this scenario by accepting 0 sized consumed strides without
unlinking the WQE again.
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://lore.kernel.org/r/20240603212219.1037656-4-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
index 56d1bd22c7c66..97d1cfec4ec03 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -2146,6 +2146,9 @@ static void mlx5e_handle_rx_cqe_mpwrq_shampo(struct mlx5e_rq *rq, struct mlx5_cq
if (likely(wi->consumed_strides < rq->mpwqe.num_strides))
return;
+ if (unlikely(!cstrides))
+ return;
+
wq = &rq->mpwqe.wq;
wqe = mlx5_wq_ll_get_wqe(wq, wqe_id);
mlx5e_free_rx_mpwqe(rq, wi, true);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 026/150] selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 025/150] net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 027/150] af_unix: Dont retry after unix_state_lock_nested() in unix_stream_connect() Greg Kroah-Hartman
` (126 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexei Starovoitov, Yonghong Song,
Daniel Borkmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonghong Song <yonghong.song@linux.dev>
[ Upstream commit 7015843afcaf68c132784c89528dfddc0005e483 ]
Alexei reported that send_signal test may fail with nested CONFIG_PARAVIRT
configs. In this particular case, the base VM is AMD with 166 cpus, and I
run selftests with regular qemu on top of that and indeed send_signal test
failed. I also tried with an Intel box with 80 cpus and there is no issue.
The main qemu command line includes:
-enable-kvm -smp 16 -cpu host
The failure log looks like:
$ ./test_progs -t send_signal
[ 48.501588] watchdog: BUG: soft lockup - CPU#9 stuck for 26s! [test_progs:2225]
[ 48.503622] Modules linked in: bpf_testmod(O)
[ 48.503622] CPU: 9 PID: 2225 Comm: test_progs Tainted: G O 6.9.0-08561-g2c1713a8f1c9-dirty #69
[ 48.507629] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
[ 48.511635] RIP: 0010:handle_softirqs+0x71/0x290
[ 48.511635] Code: [...] 10 0a 00 00 00 31 c0 65 66 89 05 d5 f4 fa 7e fb bb ff ff ff ff <49> c7 c2 cb
[ 48.518527] RSP: 0018:ffffc90000310fa0 EFLAGS: 00000246
[ 48.519579] RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 00000000000006e0
[ 48.522526] RDX: 0000000000000006 RSI: ffff88810791ae80 RDI: 0000000000000000
[ 48.523587] RBP: ffffc90000fabc88 R08: 00000005a0af4f7f R09: 0000000000000000
[ 48.525525] R10: 0000000561d2f29c R11: 0000000000006534 R12: 0000000000000280
[ 48.528525] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 48.528525] FS: 00007f2f2885cd00(0000) GS:ffff888237c40000(0000) knlGS:0000000000000000
[ 48.531600] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 48.535520] CR2: 00007f2f287059f0 CR3: 0000000106a28002 CR4: 00000000003706f0
[ 48.537538] Call Trace:
[ 48.537538] <IRQ>
[ 48.537538] ? watchdog_timer_fn+0x1cd/0x250
[ 48.539590] ? lockup_detector_update_enable+0x50/0x50
[ 48.539590] ? __hrtimer_run_queues+0xff/0x280
[ 48.542520] ? hrtimer_interrupt+0x103/0x230
[ 48.544524] ? __sysvec_apic_timer_interrupt+0x4f/0x140
[ 48.545522] ? sysvec_apic_timer_interrupt+0x3a/0x90
[ 48.547612] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 48.547612] ? handle_softirqs+0x71/0x290
[ 48.547612] irq_exit_rcu+0x63/0x80
[ 48.551585] sysvec_apic_timer_interrupt+0x75/0x90
[ 48.552521] </IRQ>
[ 48.553529] <TASK>
[ 48.553529] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 48.555609] RIP: 0010:finish_task_switch.isra.0+0x90/0x260
[ 48.556526] Code: [...] 9f 58 0a 00 00 48 85 db 0f 85 89 01 00 00 4c 89 ff e8 53 d9 bd 00 fb 66 90 <4d> 85 ed 74
[ 48.562524] RSP: 0018:ffffc90000fabd38 EFLAGS: 00000282
[ 48.563589] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83385620
[ 48.563589] RDX: ffff888237c73ae4 RSI: 0000000000000000 RDI: ffff888237c6fd00
[ 48.568521] RBP: ffffc90000fabd68 R08: 0000000000000000 R09: 0000000000000000
[ 48.569528] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8881009d0000
[ 48.573525] R13: ffff8881024e5400 R14: ffff88810791ae80 R15: ffff888237c6fd00
[ 48.575614] ? finish_task_switch.isra.0+0x8d/0x260
[ 48.576523] __schedule+0x364/0xac0
[ 48.577535] schedule+0x2e/0x110
[ 48.578555] pipe_read+0x301/0x400
[ 48.579589] ? destroy_sched_domains_rcu+0x30/0x30
[ 48.579589] vfs_read+0x2b3/0x2f0
[ 48.579589] ksys_read+0x8b/0xc0
[ 48.583590] do_syscall_64+0x3d/0xc0
[ 48.583590] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 48.586525] RIP: 0033:0x7f2f28703fa1
[ 48.587592] Code: [...] 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 80 3d c5 23 14 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0
[ 48.593534] RSP: 002b:00007ffd90f8cf88 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 48.595589] RAX: ffffffffffffffda RBX: 00007ffd90f8d5e8 RCX: 00007f2f28703fa1
[ 48.595589] RDX: 0000000000000001 RSI: 00007ffd90f8cfb0 RDI: 0000000000000006
[ 48.599592] RBP: 00007ffd90f8d2f0 R08: 0000000000000064 R09: 0000000000000000
[ 48.602527] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 48.603589] R13: 00007ffd90f8d608 R14: 00007f2f288d8000 R15: 0000000000f6bdb0
[ 48.605527] </TASK>
In the test, two processes are communicating through pipe. Further debugging
with strace found that the above splat is triggered as read() syscall could
not receive the data even if the corresponding write() syscall in another
process successfully wrote data into the pipe.
The failed subtest is "send_signal_perf". The corresponding perf event has
sample_period 1 and config PERF_COUNT_SW_CPU_CLOCK. sample_period 1 means every
overflow event will trigger a call to the BPF program. So I suspect this may
overwhelm the system. So I increased the sample_period to 100,000 and the test
passed. The sample_period 10,000 still has the test failed.
In other parts of selftest, e.g., [1], sample_freq is used instead. So I
decided to use sample_freq = 1,000 since the test can pass as well.
[1] https://lore.kernel.org/bpf/20240604070700.3032142-1-song@kernel.org/
Reported-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20240605201203.2603846-1-yonghong.song@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/prog_tests/send_signal.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/send_signal.c b/tools/testing/selftests/bpf/prog_tests/send_signal.c
index d63a20fbed339..210b806351bcf 100644
--- a/tools/testing/selftests/bpf/prog_tests/send_signal.c
+++ b/tools/testing/selftests/bpf/prog_tests/send_signal.c
@@ -152,7 +152,8 @@ static void test_send_signal_tracepoint(bool signal_thread)
static void test_send_signal_perf(bool signal_thread)
{
struct perf_event_attr attr = {
- .sample_period = 1,
+ .freq = 1,
+ .sample_freq = 1000,
.type = PERF_TYPE_SOFTWARE,
.config = PERF_COUNT_SW_CPU_CLOCK,
};
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 027/150] af_unix: Dont retry after unix_state_lock_nested() in unix_stream_connect().
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 026/150] selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 028/150] PCI: Add Edimax Vendor ID to pci_ids.h Greg Kroah-Hartman
` (125 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 1ca27e0c8c13ac50a4acf9cdf77069e2d94a547d ]
When a SOCK_(STREAM|SEQPACKET) socket connect()s to another one, we need
to lock the two sockets to check their states in unix_stream_connect().
We use unix_state_lock() for the server and unix_state_lock_nested() for
client with tricky sk->sk_state check to avoid deadlock.
The possible deadlock scenario are the following:
1) Self connect()
2) Simultaneous connect()
The former is simple, attempt to grab the same lock, and the latter is
AB-BA deadlock.
After the server's unix_state_lock(), we check the server socket's state,
and if it's not TCP_LISTEN, connect() fails with -EINVAL.
Then, we avoid the former deadlock by checking the client's state before
unix_state_lock_nested(). If its state is not TCP_LISTEN, we can make
sure that the client and the server are not identical based on the state.
Also, the latter deadlock can be avoided in the same way. Due to the
server sk->sk_state requirement, AB-BA deadlock could happen only with
TCP_LISTEN sockets. So, if the client's state is TCP_LISTEN, we can
give up the second lock to avoid the deadlock.
CPU 1 CPU 2 CPU 3
connect(A -> B) connect(B -> A) listen(A)
--- --- ---
unix_state_lock(B)
B->sk_state == TCP_LISTEN
READ_ONCE(A->sk_state) == TCP_CLOSE
^^^^^^^^^
ok, will lock A unix_state_lock(A)
.--------------' WRITE_ONCE(A->sk_state, TCP_LISTEN)
| unix_state_unlock(A)
|
| unix_state_lock(A)
| A->sk_sk_state == TCP_LISTEN
| READ_ONCE(B->sk_state) == TCP_LISTEN
v ^^^^^^^^^^
unix_state_lock_nested(A) Don't lock B !!
Currently, while checking the client's state, we also check if it's
TCP_ESTABLISHED, but this is unlikely and can be checked after we know
the state is not TCP_CLOSE.
Moreover, if it happens after the second lock, we now jump to the restart
label, but it's unlikely that the server is not found during the retry,
so the jump is mostly to revist the client state check.
Let's remove the retry logic and check the state against TCP_CLOSE first.
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 34 +++++++++-------------------------
1 file changed, 9 insertions(+), 25 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index db71f35b67b86..7d59f9a6c9046 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1461,6 +1461,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
struct unix_sock *u = unix_sk(sk), *newu, *otheru;
struct net *net = sock_net(sk);
struct sk_buff *skb = NULL;
+ unsigned char state;
long timeo;
int err;
@@ -1505,7 +1506,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
goto out;
}
- /* Latch state of peer */
unix_state_lock(other);
/* Apparently VFS overslept socket death. Retry. */
@@ -1535,37 +1535,21 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
goto restart;
}
- /* Latch our state.
-
- It is tricky place. We need to grab our state lock and cannot
- drop lock on peer. It is dangerous because deadlock is
- possible. Connect to self case and simultaneous
- attempt to connect are eliminated by checking socket
- state. other is TCP_LISTEN, if sk is TCP_LISTEN we
- check this before attempt to grab lock.
-
- Well, and we have to recheck the state after socket locked.
+ /* self connect and simultaneous connect are eliminated
+ * by rejecting TCP_LISTEN socket to avoid deadlock.
*/
- switch (READ_ONCE(sk->sk_state)) {
- case TCP_CLOSE:
- /* This is ok... continue with connect */
- break;
- case TCP_ESTABLISHED:
- /* Socket is already connected */
- err = -EISCONN;
- goto out_unlock;
- default:
- err = -EINVAL;
+ state = READ_ONCE(sk->sk_state);
+ if (unlikely(state != TCP_CLOSE)) {
+ err = state == TCP_ESTABLISHED ? -EISCONN : -EINVAL;
goto out_unlock;
}
unix_state_lock_nested(sk, U_LOCK_SECOND);
- if (sk->sk_state != TCP_CLOSE) {
+ if (unlikely(sk->sk_state != TCP_CLOSE)) {
+ err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EINVAL;
unix_state_unlock(sk);
- unix_state_unlock(other);
- sock_put(other);
- goto restart;
+ goto out_unlock;
}
err = security_unix_stream_connect(sk, other, newsk);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 028/150] PCI: Add Edimax Vendor ID to pci_ids.h
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 027/150] af_unix: Dont retry after unix_state_lock_nested() in unix_stream_connect() Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 029/150] udf: prevent integer overflow in udf_bitmap_free_blocks() Greg Kroah-Hartman
` (124 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, FUJITA Tomonori, Bjorn Helgaas,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: FUJITA Tomonori <fujita.tomonori@gmail.com>
[ Upstream commit eee5528890d54b22b46f833002355a5ee94c3bb4 ]
Add the Edimax Vendor ID (0x1432) for an ethernet driver for Tehuti
Networks TN40xx chips. This ID can be used for Realtek 8180 and Ralink
rt28xx wireless drivers.
Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20240623235507.108147-2-fujita.tomonori@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/pci_ids.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
index 2c1371320c295..f680897794fa2 100644
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -2109,6 +2109,8 @@
#define PCI_VENDOR_ID_CHELSIO 0x1425
+#define PCI_VENDOR_ID_EDIMAX 0x1432
+
#define PCI_VENDOR_ID_ADLINK 0x144a
#define PCI_VENDOR_ID_SAMSUNG 0x144d
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 029/150] udf: prevent integer overflow in udf_bitmap_free_blocks()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 028/150] PCI: Add Edimax Vendor ID to pci_ids.h Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 030/150] wifi: nl80211: dont give key data to userspace Greg Kroah-Hartman
` (123 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Roman Smirnov, Jan Kara,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roman Smirnov <r.smirnov@omp.ru>
[ Upstream commit 56e69e59751d20993f243fb7dd6991c4e522424c ]
An overflow may occur if the function is called with the last
block and an offset greater than zero. It is necessary to add
a check to avoid this.
Found by Linux Verification Center (linuxtesting.org) with Svace.
[JK: Make test cover also unalloc table freeing]
Link: https://patch.msgid.link/20240620072413.7448-1-r.smirnov@omp.ru
Suggested-by: Jan Kara <jack@suse.com>
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/balloc.c | 36 +++++++++++++-----------------------
1 file changed, 13 insertions(+), 23 deletions(-)
diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
index c4c18eeacb60c..aa73ab1b50a52 100644
--- a/fs/udf/balloc.c
+++ b/fs/udf/balloc.c
@@ -22,6 +22,7 @@
#include "udfdecl.h"
#include <linux/bitops.h>
+#include <linux/overflow.h>
#include "udf_i.h"
#include "udf_sb.h"
@@ -144,7 +145,6 @@ static void udf_bitmap_free_blocks(struct super_block *sb,
{
struct udf_sb_info *sbi = UDF_SB(sb);
struct buffer_head *bh = NULL;
- struct udf_part_map *partmap;
unsigned long block;
unsigned long block_group;
unsigned long bit;
@@ -153,19 +153,9 @@ static void udf_bitmap_free_blocks(struct super_block *sb,
unsigned long overflow;
mutex_lock(&sbi->s_alloc_mutex);
- partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
- if (bloc->logicalBlockNum + count < count ||
- (bloc->logicalBlockNum + count) > partmap->s_partition_len) {
- udf_debug("%u < %d || %u + %u > %u\n",
- bloc->logicalBlockNum, 0,
- bloc->logicalBlockNum, count,
- partmap->s_partition_len);
- goto error_return;
- }
-
+ /* We make sure this cannot overflow when mounting the filesystem */
block = bloc->logicalBlockNum + offset +
(sizeof(struct spaceBitmapDesc) << 3);
-
do {
overflow = 0;
block_group = block >> (sb->s_blocksize_bits + 3);
@@ -395,7 +385,6 @@ static void udf_table_free_blocks(struct super_block *sb,
uint32_t count)
{
struct udf_sb_info *sbi = UDF_SB(sb);
- struct udf_part_map *partmap;
uint32_t start, end;
uint32_t elen;
struct kernel_lb_addr eloc;
@@ -404,16 +393,6 @@ static void udf_table_free_blocks(struct super_block *sb,
struct udf_inode_info *iinfo;
mutex_lock(&sbi->s_alloc_mutex);
- partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
- if (bloc->logicalBlockNum + count < count ||
- (bloc->logicalBlockNum + count) > partmap->s_partition_len) {
- udf_debug("%u < %d || %u + %u > %u\n",
- bloc->logicalBlockNum, 0,
- bloc->logicalBlockNum, count,
- partmap->s_partition_len);
- goto error_return;
- }
-
iinfo = UDF_I(table);
udf_add_free_space(sb, sbi->s_partition, count);
@@ -688,6 +667,17 @@ void udf_free_blocks(struct super_block *sb, struct inode *inode,
{
uint16_t partition = bloc->partitionReferenceNum;
struct udf_part_map *map = &UDF_SB(sb)->s_partmaps[partition];
+ uint32_t blk;
+
+ if (check_add_overflow(bloc->logicalBlockNum, offset, &blk) ||
+ check_add_overflow(blk, count, &blk) ||
+ bloc->logicalBlockNum + count > map->s_partition_len) {
+ udf_debug("Invalid request to free blocks: (%d, %u), off %u, "
+ "len %u, partition len %u\n",
+ partition, bloc->logicalBlockNum, offset, count,
+ map->s_partition_len);
+ return;
+ }
if (map->s_partition_flags & UDF_PART_FLAG_UNALLOC_BITMAP) {
udf_bitmap_free_blocks(sb, map->s_uspace.s_bitmap,
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 030/150] wifi: nl80211: dont give key data to userspace
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 029/150] udf: prevent integer overflow in udf_bitmap_free_blocks() Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 031/150] can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum Greg Kroah-Hartman
` (122 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miriam Rachel Korenblit,
Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit a7e5793035792cc46a1a4b0a783655ffa897dfe9 ]
When a key is requested by userspace, there's really no need
to include the key data, the sequence counter is really what
userspace needs in this case. The fact that it's included is
just a historic quirk.
Remove the key data.
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20240627104411.b6a4f097e4ea.I7e6cc976cb9e8a80ef25a3351330f313373b4578@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/nl80211.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 603fcd921bd22..214eee6105c7f 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -4421,10 +4421,7 @@ static void get_key_callback(void *c, struct key_params *params)
struct nlattr *key;
struct get_key_cookie *cookie = c;
- if ((params->key &&
- nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
- params->key_len, params->key)) ||
- (params->seq &&
+ if ((params->seq &&
nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
params->seq_len, params->seq)) ||
(params->cipher &&
@@ -4436,10 +4433,7 @@ static void get_key_callback(void *c, struct key_params *params)
if (!key)
goto nla_put_failure;
- if ((params->key &&
- nla_put(cookie->msg, NL80211_KEY_DATA,
- params->key_len, params->key)) ||
- (params->seq &&
+ if ((params->seq &&
nla_put(cookie->msg, NL80211_KEY_SEQ,
params->seq_len, params->seq)) ||
(params->cipher &&
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 031/150] can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 030/150] wifi: nl80211: dont give key data to userspace Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 032/150] can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of mcp2518fd Greg Kroah-Hartman
` (121 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Althöfer, Thomas Kopp,
Marc Kleine-Budde, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit b8e0ddd36ce9536ad7478dd27df06c9ae92370ba ]
This is a preparatory patch to work around a problem similar to
erratum DS80000789E 6 of the mcp2518fd, the other variants of the chip
family (mcp2517fd and mcp251863) are probably also affected.
Erratum DS80000789E 6 says "reading of the FIFOCI bits in the FIFOSTA
register for an RX FIFO may be corrupted". However observation shows
that this problem is not limited to RX FIFOs but also effects the TEF
FIFO.
When handling the TEF interrupt, the driver reads the FIFO header
index from the TEF FIFO STA register of the chip.
In the bad case, the driver reads a too large head index. In the
original code, the driver always trusted the read value, which caused
old CAN transmit complete events that were already processed to be
re-processed.
Instead of reading and trusting the head index, read the head index
and calculate the number of CAN frames that were supposedly received -
replace mcp251xfd_tef_ring_update() with mcp251xfd_get_tef_len().
The mcp251xfd_handle_tefif() function reads the CAN transmit complete
events from the chip, iterates over them and pushes them into the
network stack. The original driver already contains code to detect old
CAN transmit complete events, that will be updated in the next patch.
Cc: Stefan Althöfer <Stefan.Althoefer@janztec.com>
Cc: Thomas Kopp <thomas.kopp@microchip.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/can/spi/mcp251xfd/mcp251xfd-ring.c | 2 +
drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 54 +++++++++++++------
drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 13 ++---
3 files changed, 43 insertions(+), 26 deletions(-)
diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c
index bf3f0f150199d..4d0246a0779a6 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c
@@ -475,6 +475,8 @@ int mcp251xfd_ring_alloc(struct mcp251xfd_priv *priv)
clear_bit(MCP251XFD_FLAGS_FD_MODE, priv->flags);
}
+ tx_ring->obj_num_shift_to_u8 = BITS_PER_TYPE(tx_ring->obj_num) -
+ ilog2(tx_ring->obj_num);
tx_ring->obj_size = tx_obj_size;
rem = priv->rx_obj_num;
diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
index 237617b0c125f..b33192964cf7d 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
@@ -2,7 +2,7 @@
//
// mcp251xfd - Microchip MCP251xFD Family CAN controller driver
//
-// Copyright (c) 2019, 2020, 2021 Pengutronix,
+// Copyright (c) 2019, 2020, 2021, 2023 Pengutronix,
// Marc Kleine-Budde <kernel@pengutronix.de>
//
// Based on:
@@ -16,6 +16,11 @@
#include "mcp251xfd.h"
+static inline bool mcp251xfd_tx_fifo_sta_full(u32 fifo_sta)
+{
+ return !(fifo_sta & MCP251XFD_REG_FIFOSTA_TFNRFNIF);
+}
+
static inline int
mcp251xfd_tef_tail_get_from_chip(const struct mcp251xfd_priv *priv,
u8 *tef_tail)
@@ -120,28 +125,44 @@ mcp251xfd_handle_tefif_one(struct mcp251xfd_priv *priv,
return 0;
}
-static int mcp251xfd_tef_ring_update(struct mcp251xfd_priv *priv)
+static int
+mcp251xfd_get_tef_len(struct mcp251xfd_priv *priv, u8 *len_p)
{
const struct mcp251xfd_tx_ring *tx_ring = priv->tx;
- unsigned int new_head;
- u8 chip_tx_tail;
+ const u8 shift = tx_ring->obj_num_shift_to_u8;
+ u8 chip_tx_tail, tail, len;
+ u32 fifo_sta;
int err;
- err = mcp251xfd_tx_tail_get_from_chip(priv, &chip_tx_tail);
+ err = regmap_read(priv->map_reg, MCP251XFD_REG_FIFOSTA(priv->tx->fifo_nr),
+ &fifo_sta);
if (err)
return err;
- /* chip_tx_tail, is the next TX-Object send by the HW.
- * The new TEF head must be >= the old head, ...
+ if (mcp251xfd_tx_fifo_sta_full(fifo_sta)) {
+ *len_p = tx_ring->obj_num;
+ return 0;
+ }
+
+ chip_tx_tail = FIELD_GET(MCP251XFD_REG_FIFOSTA_FIFOCI_MASK, fifo_sta);
+
+ err = mcp251xfd_check_tef_tail(priv);
+ if (err)
+ return err;
+ tail = mcp251xfd_get_tef_tail(priv);
+
+ /* First shift to full u8. The subtraction works on signed
+ * values, that keeps the difference steady around the u8
+ * overflow. The right shift acts on len, which is an u8.
*/
- new_head = round_down(priv->tef->head, tx_ring->obj_num) + chip_tx_tail;
- if (new_head <= priv->tef->head)
- new_head += tx_ring->obj_num;
+ BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(chip_tx_tail));
+ BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(tail));
+ BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(len));
- /* ... but it cannot exceed the TX head. */
- priv->tef->head = min(new_head, tx_ring->head);
+ len = (chip_tx_tail << shift) - (tail << shift);
+ *len_p = len >> shift;
- return mcp251xfd_check_tef_tail(priv);
+ return 0;
}
static inline int
@@ -182,13 +203,12 @@ int mcp251xfd_handle_tefif(struct mcp251xfd_priv *priv)
u8 tef_tail, len, l;
int err, i;
- err = mcp251xfd_tef_ring_update(priv);
+ err = mcp251xfd_get_tef_len(priv, &len);
if (err)
return err;
tef_tail = mcp251xfd_get_tef_tail(priv);
- len = mcp251xfd_get_tef_len(priv);
- l = mcp251xfd_get_tef_linear_len(priv);
+ l = mcp251xfd_get_tef_linear_len(priv, len);
err = mcp251xfd_tef_obj_read(priv, hw_tef_obj, tef_tail, l);
if (err)
return err;
@@ -223,6 +243,8 @@ int mcp251xfd_handle_tefif(struct mcp251xfd_priv *priv)
struct mcp251xfd_tx_ring *tx_ring = priv->tx;
int offset;
+ ring->head += len;
+
/* Increment the TEF FIFO tail pointer 'len' times in
* a single SPI message.
*
diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h
index b98ded7098a5a..78d12dda08a05 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h
@@ -519,6 +519,7 @@ struct mcp251xfd_tef_ring {
/* u8 obj_num equals tx_ring->obj_num */
/* u8 obj_size equals sizeof(struct mcp251xfd_hw_tef_obj) */
+ /* u8 obj_num_shift_to_u8 equals tx_ring->obj_num_shift_to_u8 */
union mcp251xfd_write_reg_buf irq_enable_buf;
struct spi_transfer irq_enable_xfer;
@@ -537,6 +538,7 @@ struct mcp251xfd_tx_ring {
u8 nr;
u8 fifo_nr;
u8 obj_num;
+ u8 obj_num_shift_to_u8;
u8 obj_size;
struct mcp251xfd_tx_obj obj[MCP251XFD_TX_OBJ_NUM_MAX];
@@ -843,17 +845,8 @@ static inline u8 mcp251xfd_get_tef_tail(const struct mcp251xfd_priv *priv)
return priv->tef->tail & (priv->tx->obj_num - 1);
}
-static inline u8 mcp251xfd_get_tef_len(const struct mcp251xfd_priv *priv)
+static inline u8 mcp251xfd_get_tef_linear_len(const struct mcp251xfd_priv *priv, u8 len)
{
- return priv->tef->head - priv->tef->tail;
-}
-
-static inline u8 mcp251xfd_get_tef_linear_len(const struct mcp251xfd_priv *priv)
-{
- u8 len;
-
- len = mcp251xfd_get_tef_len(priv);
-
return min_t(u8, len, priv->tx->obj_num - mcp251xfd_get_tef_tail(priv));
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 032/150] can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of mcp2518fd
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 031/150] can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 033/150] btrfs: fix bitmap leak when loading free space cache on duplicate entry Greg Kroah-Hartman
` (120 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Althöfer, Thomas Kopp,
Marc Kleine-Budde, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit 3a0a88fcbaf9e027ecca3fe8775be9700b4d6460 ]
This patch updates the workaround for a problem similar to erratum
DS80000789E 6 of the mcp2518fd, the other variants of the chip
family (mcp2517fd and mcp251863) are probably also affected.
Erratum DS80000789E 6 says "reading of the FIFOCI bits in the FIFOSTA
register for an RX FIFO may be corrupted". However observation shows
that this problem is not limited to RX FIFOs but also effects the TEF
FIFO.
In the bad case, the driver reads a too large head index. As the FIFO
is implemented as a ring buffer, this results in re-handling old CAN
transmit complete events.
Every transmit complete event contains with a sequence number that
equals to the sequence number of the corresponding TX request. This
way old TX complete events can be detected.
If the original driver detects a non matching sequence number, it
prints an info message and tries again later. As wrong sequence
numbers can be explained by the erratum DS80000789E 6, demote the info
message to debug level, streamline the code and update the comments.
Keep the behavior: If an old CAN TX complete event is detected, abort
the iteration and mark the number of valid CAN TX complete events as
processed in the chip by incrementing the FIFO's tail index.
Cc: Stefan Althöfer <Stefan.Althoefer@janztec.com>
Cc: Thomas Kopp <thomas.kopp@microchip.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 71 +++++++------------
1 file changed, 27 insertions(+), 44 deletions(-)
diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
index b33192964cf7d..902eb767426d1 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
@@ -60,56 +60,39 @@ static int mcp251xfd_check_tef_tail(const struct mcp251xfd_priv *priv)
return 0;
}
-static int
-mcp251xfd_handle_tefif_recover(const struct mcp251xfd_priv *priv, const u32 seq)
-{
- const struct mcp251xfd_tx_ring *tx_ring = priv->tx;
- u32 tef_sta;
- int err;
-
- err = regmap_read(priv->map_reg, MCP251XFD_REG_TEFSTA, &tef_sta);
- if (err)
- return err;
-
- if (tef_sta & MCP251XFD_REG_TEFSTA_TEFOVIF) {
- netdev_err(priv->ndev,
- "Transmit Event FIFO buffer overflow.\n");
- return -ENOBUFS;
- }
-
- netdev_info(priv->ndev,
- "Transmit Event FIFO buffer %s. (seq=0x%08x, tef_tail=0x%08x, tef_head=0x%08x, tx_head=0x%08x).\n",
- tef_sta & MCP251XFD_REG_TEFSTA_TEFFIF ?
- "full" : tef_sta & MCP251XFD_REG_TEFSTA_TEFNEIF ?
- "not empty" : "empty",
- seq, priv->tef->tail, priv->tef->head, tx_ring->head);
-
- /* The Sequence Number in the TEF doesn't match our tef_tail. */
- return -EAGAIN;
-}
-
static int
mcp251xfd_handle_tefif_one(struct mcp251xfd_priv *priv,
const struct mcp251xfd_hw_tef_obj *hw_tef_obj,
unsigned int *frame_len_ptr)
{
struct net_device_stats *stats = &priv->ndev->stats;
+ u32 seq, tef_tail_masked, tef_tail;
struct sk_buff *skb;
- u32 seq, seq_masked, tef_tail_masked, tef_tail;
- seq = FIELD_GET(MCP251XFD_OBJ_FLAGS_SEQ_MCP2518FD_MASK,
+ /* Use the MCP2517FD mask on the MCP2518FD, too. We only
+ * compare 7 bits, this is enough to detect old TEF objects.
+ */
+ seq = FIELD_GET(MCP251XFD_OBJ_FLAGS_SEQ_MCP2517FD_MASK,
hw_tef_obj->flags);
-
- /* Use the MCP2517FD mask on the MCP2518FD, too. We only
- * compare 7 bits, this should be enough to detect
- * net-yet-completed, i.e. old TEF objects.
- */
- seq_masked = seq &
- field_mask(MCP251XFD_OBJ_FLAGS_SEQ_MCP2517FD_MASK);
tef_tail_masked = priv->tef->tail &
field_mask(MCP251XFD_OBJ_FLAGS_SEQ_MCP2517FD_MASK);
- if (seq_masked != tef_tail_masked)
- return mcp251xfd_handle_tefif_recover(priv, seq);
+
+ /* According to mcp2518fd erratum DS80000789E 6. the FIFOCI
+ * bits of a FIFOSTA register, here the TX FIFO tail index
+ * might be corrupted and we might process past the TEF FIFO's
+ * head into old CAN frames.
+ *
+ * Compare the sequence number of the currently processed CAN
+ * frame with the expected sequence number. Abort with
+ * -EBADMSG if an old CAN frame is detected.
+ */
+ if (seq != tef_tail_masked) {
+ netdev_dbg(priv->ndev, "%s: chip=0x%02x ring=0x%02x\n", __func__,
+ seq, tef_tail_masked);
+ stats->tx_fifo_errors++;
+
+ return -EBADMSG;
+ }
tef_tail = mcp251xfd_get_tef_tail(priv);
skb = priv->can.echo_skb[tef_tail];
@@ -223,12 +206,12 @@ int mcp251xfd_handle_tefif(struct mcp251xfd_priv *priv)
unsigned int frame_len = 0;
err = mcp251xfd_handle_tefif_one(priv, &hw_tef_obj[i], &frame_len);
- /* -EAGAIN means the Sequence Number in the TEF
- * doesn't match our tef_tail. This can happen if we
- * read the TEF objects too early. Leave loop let the
- * interrupt handler call us again.
+ /* -EBADMSG means we're affected by mcp2518fd erratum
+ * DS80000789E 6., i.e. the Sequence Number in the TEF
+ * doesn't match our tef_tail. Don't process any
+ * further and mark processed frames as good.
*/
- if (err == -EAGAIN)
+ if (err == -EBADMSG)
goto out_netif_wake_queue;
if (err)
return err;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 033/150] btrfs: fix bitmap leak when loading free space cache on duplicate entry
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 032/150] can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of mcp2518fd Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 034/150] drm/amdgpu/pm: Fix the param type of set_power_profile_mode Greg Kroah-Hartman
` (119 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Filipe Manana,
David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 320d8dc612660da84c3b70a28658bb38069e5a9a ]
If we failed to link a free space entry because there's already a
conflicting entry for the same offset, we free the free space entry but
we don't free the associated bitmap that we had just allocated before.
Fix that by freeing the bitmap before freeing the entry.
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/free-space-cache.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
index 76d52d682b3b0..21d262da386d5 100644
--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -865,6 +865,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode,
spin_unlock(&ctl->tree_lock);
btrfs_err(fs_info,
"Duplicate entries in free space cache, dumping");
+ kmem_cache_free(btrfs_free_space_bitmap_cachep, e->bitmap);
kmem_cache_free(btrfs_free_space_cachep, e);
goto free_cache;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 034/150] drm/amdgpu/pm: Fix the param type of set_power_profile_mode
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 033/150] btrfs: fix bitmap leak when loading free space cache on duplicate entry Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 035/150] drm/amdgpu/pm: Fix the null pointer dereference for smu7 Greg Kroah-Hartman
` (118 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Jun, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Jun <Jun.Ma2@amd.com>
[ Upstream commit f683f24093dd94a831085fe0ea8e9dc4c6c1a2d1 ]
Function .set_power_profile_mode need an array as input
parameter. So define variable workload as an array to fix
the below coverity warning.
"Passing &workload to function hwmgr->hwmgr_func->set_power_profile_mode
which uses it as an array. This might corrupt or misinterpret adjacent
memory locations"
Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 8 ++++----
drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c | 8 ++++----
drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 16 ++++++++--------
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
index 179e1c593a53f..f3668911a88fd 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
@@ -928,7 +928,7 @@ static int pp_dpm_switch_power_profile(void *handle,
enum PP_SMC_POWER_PROFILE type, bool en)
{
struct pp_hwmgr *hwmgr = handle;
- long workload;
+ long workload[1];
uint32_t index;
if (!hwmgr || !hwmgr->pm_en)
@@ -946,12 +946,12 @@ static int pp_dpm_switch_power_profile(void *handle,
hwmgr->workload_mask &= ~(1 << hwmgr->workload_prority[type]);
index = fls(hwmgr->workload_mask);
index = index > 0 && index <= Workload_Policy_Max ? index - 1 : 0;
- workload = hwmgr->workload_setting[index];
+ workload[0] = hwmgr->workload_setting[index];
} else {
hwmgr->workload_mask |= (1 << hwmgr->workload_prority[type]);
index = fls(hwmgr->workload_mask);
index = index <= Workload_Policy_Max ? index - 1 : 0;
- workload = hwmgr->workload_setting[index];
+ workload[0] = hwmgr->workload_setting[index];
}
if (type == PP_SMC_POWER_PROFILE_COMPUTE &&
@@ -961,7 +961,7 @@ static int pp_dpm_switch_power_profile(void *handle,
}
if (hwmgr->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL)
- hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, &workload, 0);
+ hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, workload, 0);
return 0;
}
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
index 1d829402cd2e2..f4bd8e9357e22 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
@@ -269,7 +269,7 @@ int psm_adjust_power_state_dynamic(struct pp_hwmgr *hwmgr, bool skip_display_set
struct pp_power_state *new_ps)
{
uint32_t index;
- long workload;
+ long workload[1];
if (hwmgr->not_vf) {
if (!skip_display_settings)
@@ -294,10 +294,10 @@ int psm_adjust_power_state_dynamic(struct pp_hwmgr *hwmgr, bool skip_display_set
if (hwmgr->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL) {
index = fls(hwmgr->workload_mask);
index = index > 0 && index <= Workload_Policy_Max ? index - 1 : 0;
- workload = hwmgr->workload_setting[index];
+ workload[0] = hwmgr->workload_setting[index];
- if (hwmgr->power_profile_mode != workload && hwmgr->hwmgr_func->set_power_profile_mode)
- hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, &workload, 0);
+ if (hwmgr->power_profile_mode != workload[0] && hwmgr->hwmgr_func->set_power_profile_mode)
+ hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, workload, 0);
}
return 0;
diff --git a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
index 1d0693dad8185..91f0646eb3ee0 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
@@ -1834,7 +1834,7 @@ static int smu_adjust_power_state_dynamic(struct smu_context *smu,
{
int ret = 0;
int index = 0;
- long workload;
+ long workload[1];
struct smu_dpm_context *smu_dpm_ctx = &(smu->smu_dpm);
if (!skip_display_settings) {
@@ -1874,10 +1874,10 @@ static int smu_adjust_power_state_dynamic(struct smu_context *smu,
smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_PERF_DETERMINISM) {
index = fls(smu->workload_mask);
index = index > 0 && index <= WORKLOAD_POLICY_MAX ? index - 1 : 0;
- workload = smu->workload_setting[index];
+ workload[0] = smu->workload_setting[index];
- if (smu->power_profile_mode != workload)
- smu_bump_power_profile_mode(smu, &workload, 0);
+ if (smu->power_profile_mode != workload[0])
+ smu_bump_power_profile_mode(smu, workload, 0);
}
return ret;
@@ -1927,7 +1927,7 @@ static int smu_switch_power_profile(void *handle,
{
struct smu_context *smu = handle;
struct smu_dpm_context *smu_dpm_ctx = &(smu->smu_dpm);
- long workload;
+ long workload[1];
uint32_t index;
if (!smu->pm_enabled || !smu->adev->pm.dpm_enabled)
@@ -1940,17 +1940,17 @@ static int smu_switch_power_profile(void *handle,
smu->workload_mask &= ~(1 << smu->workload_prority[type]);
index = fls(smu->workload_mask);
index = index > 0 && index <= WORKLOAD_POLICY_MAX ? index - 1 : 0;
- workload = smu->workload_setting[index];
+ workload[0] = smu->workload_setting[index];
} else {
smu->workload_mask |= (1 << smu->workload_prority[type]);
index = fls(smu->workload_mask);
index = index <= WORKLOAD_POLICY_MAX ? index - 1 : 0;
- workload = smu->workload_setting[index];
+ workload[0] = smu->workload_setting[index];
}
if (smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL &&
smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_PERF_DETERMINISM)
- smu_bump_power_profile_mode(smu, &workload, 0);
+ smu_bump_power_profile_mode(smu, workload, 0);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 035/150] drm/amdgpu/pm: Fix the null pointer dereference for smu7
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 034/150] drm/amdgpu/pm: Fix the param type of set_power_profile_mode Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 036/150] drm/amdgpu: Fix the null pointer dereference to ras_manager Greg Kroah-Hartman
` (117 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Jun, Yang Wang, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Jun <Jun.Ma2@amd.com>
[ Upstream commit c02c1960c93eede587576625a1221205a68a904f ]
optimize the code to avoid pass a null pointer (hwmgr->backend)
to function smu7_update_edc_leakage_table.
Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 50 +++++++++----------
1 file changed, 24 insertions(+), 26 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
index 5e9410117712c..9f2f3f6a79adb 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
@@ -2970,6 +2970,7 @@ static int smu7_update_edc_leakage_table(struct pp_hwmgr *hwmgr)
static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
{
+ struct amdgpu_device *adev = hwmgr->adev;
struct smu7_hwmgr *data;
int result = 0;
@@ -3006,40 +3007,37 @@ static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
/* Initalize Dynamic State Adjustment Rule Settings */
result = phm_initializa_dynamic_state_adjustment_rule_settings(hwmgr);
- if (0 == result) {
- struct amdgpu_device *adev = hwmgr->adev;
+ if (result)
+ goto fail;
- data->is_tlu_enabled = false;
+ data->is_tlu_enabled = false;
- hwmgr->platform_descriptor.hardwareActivityPerformanceLevels =
+ hwmgr->platform_descriptor.hardwareActivityPerformanceLevels =
SMU7_MAX_HARDWARE_POWERLEVELS;
- hwmgr->platform_descriptor.hardwarePerformanceLevels = 2;
- hwmgr->platform_descriptor.minimumClocksReductionPercentage = 50;
+ hwmgr->platform_descriptor.hardwarePerformanceLevels = 2;
+ hwmgr->platform_descriptor.minimumClocksReductionPercentage = 50;
- data->pcie_gen_cap = adev->pm.pcie_gen_mask;
- if (data->pcie_gen_cap & CAIL_PCIE_LINK_SPEED_SUPPORT_GEN3)
- data->pcie_spc_cap = 20;
- else
- data->pcie_spc_cap = 16;
- data->pcie_lane_cap = adev->pm.pcie_mlw_mask;
-
- hwmgr->platform_descriptor.vbiosInterruptId = 0x20000400; /* IRQ_SOURCE1_SW_INT */
-/* The true clock step depends on the frequency, typically 4.5 or 9 MHz. Here we use 5. */
- hwmgr->platform_descriptor.clockStep.engineClock = 500;
- hwmgr->platform_descriptor.clockStep.memoryClock = 500;
- smu7_thermal_parameter_init(hwmgr);
- } else {
- /* Ignore return value in here, we are cleaning up a mess. */
- smu7_hwmgr_backend_fini(hwmgr);
- }
+ data->pcie_gen_cap = adev->pm.pcie_gen_mask;
+ if (data->pcie_gen_cap & CAIL_PCIE_LINK_SPEED_SUPPORT_GEN3)
+ data->pcie_spc_cap = 20;
+ else
+ data->pcie_spc_cap = 16;
+ data->pcie_lane_cap = adev->pm.pcie_mlw_mask;
+
+ hwmgr->platform_descriptor.vbiosInterruptId = 0x20000400; /* IRQ_SOURCE1_SW_INT */
+ /* The true clock step depends on the frequency, typically 4.5 or 9 MHz. Here we use 5. */
+ hwmgr->platform_descriptor.clockStep.engineClock = 500;
+ hwmgr->platform_descriptor.clockStep.memoryClock = 500;
+ smu7_thermal_parameter_init(hwmgr);
result = smu7_update_edc_leakage_table(hwmgr);
- if (result) {
- smu7_hwmgr_backend_fini(hwmgr);
- return result;
- }
+ if (result)
+ goto fail;
return 0;
+fail:
+ smu7_hwmgr_backend_fini(hwmgr);
+ return result;
}
static int smu7_force_dpm_highest(struct pp_hwmgr *hwmgr)
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 036/150] drm/amdgpu: Fix the null pointer dereference to ras_manager
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 035/150] drm/amdgpu/pm: Fix the null pointer dereference for smu7 Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 037/150] drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules Greg Kroah-Hartman
` (116 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Jun, Lijo Lazar, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Jun <Jun.Ma2@amd.com>
[ Upstream commit 4c11d30c95576937c6c35e6f29884761f2dddb43 ]
Check ras_manager before using it
Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index ee83d282b49a8..4b7b3278a05f1 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -1679,12 +1679,15 @@ static void amdgpu_ras_interrupt_process_handler(struct work_struct *work)
int amdgpu_ras_interrupt_dispatch(struct amdgpu_device *adev,
struct ras_dispatch_if *info)
{
- struct ras_manager *obj = amdgpu_ras_find_obj(adev, &info->head);
- struct ras_ih_data *data = &obj->ih_data;
+ struct ras_manager *obj;
+ struct ras_ih_data *data;
+ obj = amdgpu_ras_find_obj(adev, &info->head);
if (!obj)
return -EINVAL;
+ data = &obj->ih_data;
+
if (data->inuse == 0)
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 037/150] drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 036/150] drm/amdgpu: Fix the null pointer dereference to ras_manager Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:01 ` [PATCH 6.1 038/150] drm/amdgpu: Add lock around VF RLCG interface Greg Kroah-Hartman
` (115 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Wang, Ma Jun, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Jun <Jun.Ma2@amd.com>
[ Upstream commit d19fb10085a49b77578314f69fff21562f7cd054 ]
Check the pointer value to fix potential null pointer
dereference
Acked-by: Yang Wang<kevinyang.wang@amd.com>
Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 7 +++++--
.../gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c | 14 ++++++++------
.../gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 7 +++++--
3 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
index 9f2f3f6a79adb..750b7527bdf83 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
@@ -3327,8 +3327,7 @@ static int smu7_apply_state_adjust_rules(struct pp_hwmgr *hwmgr,
const struct pp_power_state *current_ps)
{
struct amdgpu_device *adev = hwmgr->adev;
- struct smu7_power_state *smu7_ps =
- cast_phw_smu7_power_state(&request_ps->hardware);
+ struct smu7_power_state *smu7_ps;
uint32_t sclk;
uint32_t mclk;
struct PP_Clocks minimum_clocks = {0};
@@ -3345,6 +3344,10 @@ static int smu7_apply_state_adjust_rules(struct pp_hwmgr *hwmgr,
uint32_t latency;
bool latency_allowed = false;
+ smu7_ps = cast_phw_smu7_power_state(&request_ps->hardware);
+ if (!smu7_ps)
+ return -EINVAL;
+
data->battery_state = (PP_StateUILabel_Battery ==
request_ps->classification.ui_label);
data->mclk_ignore_signal = false;
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c
index b015a601b385a..eb744401e0567 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c
@@ -1065,16 +1065,18 @@ static int smu8_apply_state_adjust_rules(struct pp_hwmgr *hwmgr,
struct pp_power_state *prequest_ps,
const struct pp_power_state *pcurrent_ps)
{
- struct smu8_power_state *smu8_ps =
- cast_smu8_power_state(&prequest_ps->hardware);
-
- const struct smu8_power_state *smu8_current_ps =
- cast_const_smu8_power_state(&pcurrent_ps->hardware);
-
+ struct smu8_power_state *smu8_ps;
+ const struct smu8_power_state *smu8_current_ps;
struct smu8_hwmgr *data = hwmgr->backend;
struct PP_Clocks clocks = {0, 0, 0, 0};
bool force_high;
+ smu8_ps = cast_smu8_power_state(&prequest_ps->hardware);
+ smu8_current_ps = cast_const_smu8_power_state(&pcurrent_ps->hardware);
+
+ if (!smu8_ps || !smu8_current_ps)
+ return -EINVAL;
+
smu8_ps->need_dfs_bypass = true;
data->battery_state = (PP_StateUILabel_Battery == prequest_ps->classification.ui_label);
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
index d8cd23438b762..2628f12e0eedc 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
@@ -3263,8 +3263,7 @@ static int vega10_apply_state_adjust_rules(struct pp_hwmgr *hwmgr,
const struct pp_power_state *current_ps)
{
struct amdgpu_device *adev = hwmgr->adev;
- struct vega10_power_state *vega10_ps =
- cast_phw_vega10_power_state(&request_ps->hardware);
+ struct vega10_power_state *vega10_ps;
uint32_t sclk;
uint32_t mclk;
struct PP_Clocks minimum_clocks = {0};
@@ -3282,6 +3281,10 @@ static int vega10_apply_state_adjust_rules(struct pp_hwmgr *hwmgr,
uint32_t stable_pstate_sclk = 0, stable_pstate_mclk = 0;
uint32_t latency;
+ vega10_ps = cast_phw_vega10_power_state(&request_ps->hardware);
+ if (!vega10_ps)
+ return -EINVAL;
+
data->battery_state = (PP_StateUILabel_Battery ==
request_ps->classification.ui_label);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 038/150] drm/amdgpu: Add lock around VF RLCG interface
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 037/150] drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules Greg Kroah-Hartman
@ 2024-08-12 16:01 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 039/150] drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr Greg Kroah-Hartman
` (114 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Victor Skvortsov, Zhigang Luo,
Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Skvortsov <victor.skvortsov@amd.com>
[ Upstream commit e864180ee49b4d30e640fd1e1d852b86411420c9 ]
flush_gpu_tlb may be called from another thread while
device_gpu_recover is running.
Both of these threads access registers through the VF
RLCG interface during VF Full Access. Add a lock around this interface
to prevent race conditions between these threads.
Signed-off-by: Victor Skvortsov <victor.skvortsov@amd.com>
Reviewed-by: Zhigang Luo <zhigang.luo@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 6 ++++++
drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 2 ++
3 files changed, 9 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
index d4faa489bd5fa..4d1c2eb63090f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -3631,6 +3631,7 @@ int amdgpu_device_init(struct amdgpu_device *adev,
mutex_init(&adev->grbm_idx_mutex);
mutex_init(&adev->mn_lock);
mutex_init(&adev->virt.vf_errors.lock);
+ mutex_init(&adev->virt.rlcg_reg_lock);
hash_init(adev->mn_hash);
mutex_init(&adev->psp.mutex);
mutex_init(&adev->notifier_lock);
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
index 81549f1edfe01..5ee9211c503c4 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
@@ -956,6 +956,9 @@ static u32 amdgpu_virt_rlcg_reg_rw(struct amdgpu_device *adev, u32 offset, u32 v
scratch_reg1 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg1;
scratch_reg2 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg2;
scratch_reg3 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg3;
+
+ mutex_lock(&adev->virt.rlcg_reg_lock);
+
if (reg_access_ctrl->spare_int)
spare_int = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->spare_int;
@@ -1009,6 +1012,9 @@ static u32 amdgpu_virt_rlcg_reg_rw(struct amdgpu_device *adev, u32 offset, u32 v
}
ret = readl(scratch_reg0);
+
+ mutex_unlock(&adev->virt.rlcg_reg_lock);
+
return ret;
}
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
index 2b9d806e23afb..dc6aaa4d67be7 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
@@ -260,6 +260,8 @@ struct amdgpu_virt {
/* the ucode id to signal the autoload */
uint32_t autoload_ucode_id;
+
+ struct mutex rlcg_reg_lock;
};
struct amdgpu_video_codec_info;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 039/150] drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2024-08-12 16:01 ` [PATCH 6.1 038/150] drm/amdgpu: Add lock around VF RLCG interface Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 040/150] media: amphion: Remove lock in s_ctrl callback Greg Kroah-Hartman
` (113 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bob Zhou, Tim Huang, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bob Zhou <bob.zhou@amd.com>
[ Upstream commit 50151b7f1c79a09117837eb95b76c2de76841dab ]
Check return value and conduct null pointer handling to avoid null pointer dereference.
Signed-off-by: Bob Zhou <bob.zhou@amd.com>
Reviewed-by: Tim Huang <Tim.Huang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 29 ++++++++++++++++---
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
index 2628f12e0eedc..f8333410cc3e4 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
@@ -3422,13 +3422,17 @@ static int vega10_find_dpm_states_clocks_in_dpm_table(struct pp_hwmgr *hwmgr, co
const struct vega10_power_state *vega10_ps =
cast_const_phw_vega10_power_state(states->pnew_state);
struct vega10_single_dpm_table *sclk_table = &(data->dpm_table.gfx_table);
- uint32_t sclk = vega10_ps->performance_levels
- [vega10_ps->performance_level_count - 1].gfx_clock;
struct vega10_single_dpm_table *mclk_table = &(data->dpm_table.mem_table);
- uint32_t mclk = vega10_ps->performance_levels
- [vega10_ps->performance_level_count - 1].mem_clock;
+ uint32_t sclk, mclk;
uint32_t i;
+ if (vega10_ps == NULL)
+ return -EINVAL;
+ sclk = vega10_ps->performance_levels
+ [vega10_ps->performance_level_count - 1].gfx_clock;
+ mclk = vega10_ps->performance_levels
+ [vega10_ps->performance_level_count - 1].mem_clock;
+
for (i = 0; i < sclk_table->count; i++) {
if (sclk == sclk_table->dpm_levels[i].value)
break;
@@ -3735,6 +3739,9 @@ static int vega10_generate_dpm_level_enable_mask(
cast_const_phw_vega10_power_state(states->pnew_state);
int i;
+ if (vega10_ps == NULL)
+ return -EINVAL;
+
PP_ASSERT_WITH_CODE(!vega10_trim_dpm_states(hwmgr, vega10_ps),
"Attempt to Trim DPM States Failed!",
return -1);
@@ -5002,6 +5009,8 @@ static int vega10_check_states_equal(struct pp_hwmgr *hwmgr,
vega10_psa = cast_const_phw_vega10_power_state(pstate1);
vega10_psb = cast_const_phw_vega10_power_state(pstate2);
+ if (vega10_psa == NULL || vega10_psb == NULL)
+ return -EINVAL;
/* If the two states don't even have the same number of performance levels
* they cannot be the same state.
@@ -5135,6 +5144,8 @@ static int vega10_set_sclk_od(struct pp_hwmgr *hwmgr, uint32_t value)
return -EINVAL;
vega10_ps = cast_phw_vega10_power_state(&ps->hardware);
+ if (vega10_ps == NULL)
+ return -EINVAL;
vega10_ps->performance_levels
[vega10_ps->performance_level_count - 1].gfx_clock =
@@ -5186,6 +5197,8 @@ static int vega10_set_mclk_od(struct pp_hwmgr *hwmgr, uint32_t value)
return -EINVAL;
vega10_ps = cast_phw_vega10_power_state(&ps->hardware);
+ if (vega10_ps == NULL)
+ return -EINVAL;
vega10_ps->performance_levels
[vega10_ps->performance_level_count - 1].mem_clock =
@@ -5427,6 +5440,9 @@ static void vega10_odn_update_power_state(struct pp_hwmgr *hwmgr)
return;
vega10_ps = cast_phw_vega10_power_state(&ps->hardware);
+ if (vega10_ps == NULL)
+ return;
+
max_level = vega10_ps->performance_level_count - 1;
if (vega10_ps->performance_levels[max_level].gfx_clock !=
@@ -5449,6 +5465,9 @@ static void vega10_odn_update_power_state(struct pp_hwmgr *hwmgr)
ps = (struct pp_power_state *)((unsigned long)(hwmgr->ps) + hwmgr->ps_size * (hwmgr->num_ps - 1));
vega10_ps = cast_phw_vega10_power_state(&ps->hardware);
+ if (vega10_ps == NULL)
+ return;
+
max_level = vega10_ps->performance_level_count - 1;
if (vega10_ps->performance_levels[max_level].gfx_clock !=
@@ -5639,6 +5658,8 @@ static int vega10_get_performance_level(struct pp_hwmgr *hwmgr, const struct pp_
return -EINVAL;
vega10_ps = cast_const_phw_vega10_power_state(state);
+ if (vega10_ps == NULL)
+ return -EINVAL;
i = index > vega10_ps->performance_level_count - 1 ?
vega10_ps->performance_level_count - 1 : index;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 040/150] media: amphion: Remove lock in s_ctrl callback
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 039/150] drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 041/150] drm/amd/display: Add NULL check for afb before dereferencing in amdgpu_dm_plane_handle_cursor_update Greg Kroah-Hartman
` (112 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Qian, Sebastian Fricke,
Hans Verkuil, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@nxp.com>
[ Upstream commit 065927b51eb1f042c3e026cebfd55e72ccc26093 ]
There is no need to add a lock in s_ctrl callback, it has been
synchronized by the ctrl_handler's lock, otherwise it may led to
a deadlock if the driver calls v4l2_ctrl_s_ctrl().
Signed-off-by: Ming Qian <ming.qian@nxp.com>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/amphion/vdec.c | 2 --
drivers/media/platform/amphion/venc.c | 2 --
2 files changed, 4 deletions(-)
diff --git a/drivers/media/platform/amphion/vdec.c b/drivers/media/platform/amphion/vdec.c
index dc35a87e628ec..2bfab4467b81c 100644
--- a/drivers/media/platform/amphion/vdec.c
+++ b/drivers/media/platform/amphion/vdec.c
@@ -145,7 +145,6 @@ static int vdec_op_s_ctrl(struct v4l2_ctrl *ctrl)
struct vdec_t *vdec = inst->priv;
int ret = 0;
- vpu_inst_lock(inst);
switch (ctrl->id) {
case V4L2_CID_MPEG_VIDEO_DEC_DISPLAY_DELAY_ENABLE:
vdec->params.display_delay_enable = ctrl->val;
@@ -157,7 +156,6 @@ static int vdec_op_s_ctrl(struct v4l2_ctrl *ctrl)
ret = -EINVAL;
break;
}
- vpu_inst_unlock(inst);
return ret;
}
diff --git a/drivers/media/platform/amphion/venc.c b/drivers/media/platform/amphion/venc.c
index 1df2b35c1a240..c9cfef16c5b92 100644
--- a/drivers/media/platform/amphion/venc.c
+++ b/drivers/media/platform/amphion/venc.c
@@ -528,7 +528,6 @@ static int venc_op_s_ctrl(struct v4l2_ctrl *ctrl)
struct venc_t *venc = inst->priv;
int ret = 0;
- vpu_inst_lock(inst);
switch (ctrl->id) {
case V4L2_CID_MPEG_VIDEO_H264_PROFILE:
venc->params.profile = ctrl->val;
@@ -589,7 +588,6 @@ static int venc_op_s_ctrl(struct v4l2_ctrl *ctrl)
ret = -EINVAL;
break;
}
- vpu_inst_unlock(inst);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 041/150] drm/amd/display: Add NULL check for afb before dereferencing in amdgpu_dm_plane_handle_cursor_update
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 040/150] media: amphion: Remove lock in s_ctrl callback Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 042/150] drm/amd/display: Add null checker before passing variables Greg Kroah-Hartman
` (111 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Chung, Rodrigo Siqueira,
Roman Li, Hersen Wu, Alex Hung, Aurabindo Pillai, Harry Wentland,
Srinivasan Shanmugam, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit 38e6f715b02b572f74677eb2f29d3b4bc6f1ddff ]
This commit adds a null check for the 'afb' variable in the
amdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was
assumed to be null, but was used later in the code without a null check.
This could potentially lead to a null pointer dereference.
Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Hersen Wu <hersenxs.wu@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
index cd6e99cf74a06..984a5affc5af1 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
@@ -1225,14 +1225,22 @@ void handle_cursor_update(struct drm_plane *plane,
{
struct amdgpu_device *adev = drm_to_adev(plane->dev);
struct amdgpu_framebuffer *afb = to_amdgpu_framebuffer(plane->state->fb);
- struct drm_crtc *crtc = afb ? plane->state->crtc : old_plane_state->crtc;
- struct dm_crtc_state *crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL;
- struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc);
- uint64_t address = afb ? afb->address : 0;
+ struct drm_crtc *crtc;
+ struct dm_crtc_state *crtc_state;
+ struct amdgpu_crtc *amdgpu_crtc;
+ u64 address;
struct dc_cursor_position position = {0};
struct dc_cursor_attributes attributes;
int ret;
+ if (!afb)
+ return;
+
+ crtc = plane->state->crtc ? plane->state->crtc : old_plane_state->crtc;
+ crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL;
+ amdgpu_crtc = to_amdgpu_crtc(crtc);
+ address = afb->address;
+
if (!plane->state->fb && !old_plane_state->fb)
return;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 042/150] drm/amd/display: Add null checker before passing variables
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 041/150] drm/amd/display: Add NULL check for afb before dereferencing in amdgpu_dm_plane_handle_cursor_update Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 043/150] media: uvcvideo: Ignore empty TS packets Greg Kroah-Hartman
` (110 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harry Wentland, Hamza Mahfooz,
Alex Hung, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit 8092aa3ab8f7b737a34b71f91492c676a843043a ]
Checks null pointer before passing variables to functions.
This fixes 3 NULL_RETURNS issues reported by Coverity.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Acked-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 31bae620aeffc..6189685af1fda 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -2636,7 +2636,8 @@ static int dm_suspend(void *handle)
dm->cached_dc_state = dc_copy_state(dm->dc->current_state);
- dm_gpureset_toggle_interrupts(adev, dm->cached_dc_state, false);
+ if (dm->cached_dc_state)
+ dm_gpureset_toggle_interrupts(adev, dm->cached_dc_state, false);
amdgpu_dm_commit_zero_streams(dm->dc);
@@ -6388,7 +6389,8 @@ static void create_eml_sink(struct amdgpu_dm_connector *aconnector)
aconnector->dc_sink = aconnector->dc_link->local_sink ?
aconnector->dc_link->local_sink :
aconnector->dc_em_sink;
- dc_sink_retain(aconnector->dc_sink);
+ if (aconnector->dc_sink)
+ dc_sink_retain(aconnector->dc_sink);
}
}
@@ -7121,7 +7123,8 @@ static int amdgpu_dm_connector_get_modes(struct drm_connector *connector)
drm_add_modes_noedid(connector, 640, 480);
} else {
amdgpu_dm_connector_ddc_get_modes(connector, edid);
- amdgpu_dm_connector_add_common_modes(encoder, connector);
+ if (encoder)
+ amdgpu_dm_connector_add_common_modes(encoder, connector);
amdgpu_dm_connector_add_freesync_modes(connector, edid);
}
amdgpu_dm_fbc_init(connector);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 043/150] media: uvcvideo: Ignore empty TS packets
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 042/150] drm/amd/display: Add null checker before passing variables Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 044/150] media: uvcvideo: Fix the bandwdith quirk on USB 3.x Greg Kroah-Hartman
` (109 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, HungNien Chen, Sergey Senozhatsky,
Laurent Pinchart, Ricardo Ribalda, Tomasz Figa, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
[ Upstream commit 5cd7c25f6f0576073b3d03bc4cfb1e8ca63a1195 ]
Some SunplusIT cameras took a borderline interpretation of the UVC 1.5
standard, and fill the PTS and SCR fields with invalid data if the
package does not contain data.
"STC must be captured when the first video data of a video frame is put
on the USB bus."
Some SunplusIT devices send, e.g.,
buffer: 0xa7755c00 len 000012 header:0x8c stc 00000000 sof 0000 pts 00000000
buffer: 0xa7755c00 len 000012 header:0x8c stc 00000000 sof 0000 pts 00000000
buffer: 0xa7755c00 len 000668 header:0x8c stc 73779dba sof 070c pts 7376d37a
While the UVC specification meant that the first two packets shouldn't
have had the SCR bit set in the header.
This borderline/buggy interpretation has been implemented in a variety
of devices, from directly SunplusIT and from other OEMs that rebrand
SunplusIT products. So quirking based on VID:PID will be problematic.
All the affected modules have the following extension unit:
VideoControl Interface Descriptor:
guidExtensionCode {82066163-7050-ab49-b8cc-b3855e8d221d}
But the vendor plans to use that GUID in the future and fix the bug,
this means that we should use heuristic to figure out the broken
packets.
This patch takes care of this.
lsusb of one of the affected cameras:
Bus 001 Device 003: ID 1bcf:2a01 Sunplus Innovation Technology Inc.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.01
bDeviceClass 239 Miscellaneous Device
bDeviceSubClass 2 ?
bDeviceProtocol 1 Interface Association
bMaxPacketSize0 64
idVendor 0x1bcf Sunplus Innovation Technology Inc.
idProduct 0x2a01
bcdDevice 0.02
iManufacturer 1 SunplusIT Inc
iProduct 2 HanChen Wise Camera
iSerial 3 01.00.00
bNumConfigurations 1
Tested-by: HungNien Chen <hn.chen@sunplusit.com>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Tomasz Figa <tfiga@chromium.org>
Link: https://lore.kernel.org/r/20240323-resend-hwtimestamp-v10-2-b08e590d97c7@chromium.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/uvc/uvc_video.c | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
index a5ad3ff8bdbb9..7ca0760574598 100644
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -476,6 +476,7 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf,
ktime_t time;
u16 host_sof;
u16 dev_sof;
+ u32 dev_stc;
switch (data[1] & (UVC_STREAM_PTS | UVC_STREAM_SCR)) {
case UVC_STREAM_PTS | UVC_STREAM_SCR:
@@ -522,6 +523,34 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf,
if (dev_sof == stream->clock.last_sof)
return;
+ dev_stc = get_unaligned_le32(&data[header_size - 6]);
+
+ /*
+ * STC (Source Time Clock) is the clock used by the camera. The UVC 1.5
+ * standard states that it "must be captured when the first video data
+ * of a video frame is put on the USB bus". This is generally understood
+ * as requiring devices to clear the payload header's SCR bit before
+ * the first packet containing video data.
+ *
+ * Most vendors follow that interpretation, but some (namely SunplusIT
+ * on some devices) always set the `UVC_STREAM_SCR` bit, fill the SCR
+ * field with 0's,and expect that the driver only processes the SCR if
+ * there is data in the packet.
+ *
+ * Ignore all the hardware timestamp information if we haven't received
+ * any data for this frame yet, the packet contains no data, and both
+ * STC and SOF are zero. This heuristics should be safe on compliant
+ * devices. This should be safe with compliant devices, as in the very
+ * unlikely case where a UVC 1.1 device would send timing information
+ * only before the first packet containing data, and both STC and SOF
+ * happen to be zero for a particular frame, we would only miss one
+ * clock sample from many and the clock recovery algorithm wouldn't
+ * suffer from this condition.
+ */
+ if (buf && buf->bytesused == 0 && len == header_size &&
+ dev_stc == 0 && dev_sof == 0)
+ return;
+
stream->clock.last_sof = dev_sof;
host_sof = usb_get_current_frame_number(stream->dev->udev);
@@ -560,7 +589,7 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf,
spin_lock_irqsave(&stream->clock.lock, flags);
sample = &stream->clock.samples[stream->clock.head];
- sample->dev_stc = get_unaligned_le32(&data[header_size - 6]);
+ sample->dev_stc = dev_stc;
sample->dev_sof = dev_sof;
sample->host_sof = host_sof;
sample->host_time = time;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 044/150] media: uvcvideo: Fix the bandwdith quirk on USB 3.x
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 043/150] media: uvcvideo: Ignore empty TS packets Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 045/150] media: xc2028: avoid use-after-free in load_firmware_cb() Greg Kroah-Hartman
` (108 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Pecio, Ricardo Ribalda,
Laurent Pinchart, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Pecio <michal.pecio@gmail.com>
[ Upstream commit 9e3d55fbd160b3ca376599a68b4cddfdc67d4153 ]
The bandwidth fixup quirk doesn't know that SuperSpeed exists and has
the same 8 service intervals per millisecond as High Speed, hence its
calculations are wrong.
Assume that all speeds from HS up use 8 intervals per millisecond.
No further changes are needed, updated code has been confirmed to work
with all speeds from FS to SS.
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/20240414190040.2255a0bc@foxbook
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/uvc/uvc_video.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
index 7ca0760574598..aa0a879a9c64a 100644
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -212,13 +212,13 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
* Compute a bandwidth estimation by multiplying the frame
* size by the number of video frames per second, divide the
* result by the number of USB frames (or micro-frames for
- * high-speed devices) per second and add the UVC header size
- * (assumed to be 12 bytes long).
+ * high- and super-speed devices) per second and add the UVC
+ * header size (assumed to be 12 bytes long).
*/
bandwidth = frame->wWidth * frame->wHeight / 8 * format->bpp;
bandwidth *= 10000000 / interval + 1;
bandwidth /= 1000;
- if (stream->dev->udev->speed == USB_SPEED_HIGH)
+ if (stream->dev->udev->speed >= USB_SPEED_HIGH)
bandwidth /= 8;
bandwidth += 12;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 045/150] media: xc2028: avoid use-after-free in load_firmware_cb()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 044/150] media: uvcvideo: Fix the bandwdith quirk on USB 3.x Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 046/150] ext4: fix uninitialized variable in ext4_inlinedir_to_tree Greg Kroah-Hartman
` (107 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chi Zhiling, Hans Verkuil,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chi Zhiling <chizhiling@kylinos.cn>
[ Upstream commit 68594cec291ff9523b9feb3f43fd853dcddd1f60 ]
syzkaller reported use-after-free in load_firmware_cb() [1].
The reason is because the module allocated a struct tuner in tuner_probe(),
and then the module initialization failed, the struct tuner was released.
A worker which created during module initialization accesses this struct
tuner later, it caused use-after-free.
The process is as follows:
task-6504 worker_thread
tuner_probe <= alloc dvb_frontend [2]
...
request_firmware_nowait <= create a worker
...
tuner_remove <= free dvb_frontend
...
request_firmware_work_func <= the firmware is ready
load_firmware_cb <= but now the dvb_frontend has been freed
To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is
null, report a warning and just return.
[1]:
==================================================================
BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0
Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504
Call trace:
load_firmware_cb+0x1310/0x17a0
request_firmware_work_func+0x128/0x220
process_one_work+0x770/0x1824
worker_thread+0x488/0xea0
kthread+0x300/0x430
ret_from_fork+0x10/0x20
Allocated by task 6504:
kzalloc
tuner_probe+0xb0/0x1430
i2c_device_probe+0x92c/0xaf0
really_probe+0x678/0xcd0
driver_probe_device+0x280/0x370
__device_attach_driver+0x220/0x330
bus_for_each_drv+0x134/0x1c0
__device_attach+0x1f4/0x410
device_initial_probe+0x20/0x30
bus_probe_device+0x184/0x200
device_add+0x924/0x12c0
device_register+0x24/0x30
i2c_new_device+0x4e0/0xc44
v4l2_i2c_new_subdev_board+0xbc/0x290
v4l2_i2c_new_subdev+0xc8/0x104
em28xx_v4l2_init+0x1dd0/0x3770
Freed by task 6504:
kfree+0x238/0x4e4
tuner_remove+0x144/0x1c0
i2c_device_remove+0xc8/0x290
__device_release_driver+0x314/0x5fc
device_release_driver+0x30/0x44
bus_remove_device+0x244/0x490
device_del+0x350/0x900
device_unregister+0x28/0xd0
i2c_unregister_device+0x174/0x1d0
v4l2_device_unregister+0x224/0x380
em28xx_v4l2_init+0x1d90/0x3770
The buggy address belongs to the object at ffff8000d7ca2000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 776 bytes inside of
2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)
The buggy address belongs to the page:
page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0
flags: 0x7ff800000000100(slab)
raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
[2]
Actually, it is allocated for struct tuner, and dvb_frontend is inside.
Signed-off-by: Chi Zhiling <chizhiling@kylinos.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/tuners/xc2028.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/media/tuners/xc2028.c b/drivers/media/tuners/xc2028.c
index 5a967edceca93..352b8a3679b72 100644
--- a/drivers/media/tuners/xc2028.c
+++ b/drivers/media/tuners/xc2028.c
@@ -1361,9 +1361,16 @@ static void load_firmware_cb(const struct firmware *fw,
void *context)
{
struct dvb_frontend *fe = context;
- struct xc2028_data *priv = fe->tuner_priv;
+ struct xc2028_data *priv;
int rc;
+ if (!fe) {
+ pr_warn("xc2028: No frontend in %s\n", __func__);
+ return;
+ }
+
+ priv = fe->tuner_priv;
+
tuner_dbg("request_firmware_nowait(): %s\n", fw ? "OK" : "error");
if (!fw) {
tuner_err("Could not load firmware %s.\n", priv->fname);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 046/150] ext4: fix uninitialized variable in ext4_inlinedir_to_tree
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 045/150] media: xc2028: avoid use-after-free in load_firmware_cb() Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 047/150] jbd2: avoid memleak in jbd2_journal_write_metadata_buffer Greg Kroah-Hartman
` (106 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaxi Shen, Theodore Tso,
Sasha Levin, syzbot+eaba5abe296837a640c0
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaxi Shen <shenxiaxi26@gmail.com>
[ Upstream commit 8dc9c3da79c84b13fdb135e2fb0a149a8175bffe ]
Syzbot has found an uninit-value bug in ext4_inlinedir_to_tree
This error happens because ext4_inlinedir_to_tree does not
handle the case when ext4fs_dirhash returns an error
This can be avoided by checking the return value of ext4fs_dirhash
and propagating the error,
similar to how it's done with ext4_htree_store_dirent
Signed-off-by: Xiaxi Shen <shenxiaxi26@gmail.com>
Reported-and-tested-by: syzbot+eaba5abe296837a640c0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=eaba5abe296837a640c0
Link: https://patch.msgid.link/20240501033017.220000-1-shenxiaxi26@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/inline.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 3a91be1d9bbe7..ee9d2faa5218f 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1439,7 +1439,11 @@ int ext4_inlinedir_to_tree(struct file *dir_file,
hinfo->hash = EXT4_DIRENT_HASH(de);
hinfo->minor_hash = EXT4_DIRENT_MINOR_HASH(de);
} else {
- ext4fs_dirhash(dir, de->name, de->name_len, hinfo);
+ err = ext4fs_dirhash(dir, de->name, de->name_len, hinfo);
+ if (err) {
+ ret = err;
+ goto out;
+ }
}
if ((hinfo->hash < start_hash) ||
((hinfo->hash == start_hash) &&
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 047/150] jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 046/150] ext4: fix uninitialized variable in ext4_inlinedir_to_tree Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 048/150] s390/sclp: Prevent release of buffer in I/O Greg Kroah-Hartman
` (105 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kemeng Shi, Zhang Yi, Jan Kara,
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kemeng Shi <shikemeng@huaweicloud.com>
[ Upstream commit cc102aa24638b90e04364d64e4f58a1fa91a1976 ]
The new_bh is from alloc_buffer_head, we should call free_buffer_head to
free it in error case.
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240514112438.1269037-2-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jbd2/journal.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index b136b46b63bc9..c8d59f7c47453 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -409,6 +409,7 @@ int jbd2_journal_write_metadata_buffer(transaction_t *transaction,
tmp = jbd2_alloc(bh_in->b_size, GFP_NOFS);
if (!tmp) {
brelse(new_bh);
+ free_buffer_head(new_bh);
return -ENOMEM;
}
spin_lock(&jh_in->b_state_lock);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 048/150] s390/sclp: Prevent release of buffer in I/O
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 047/150] jbd2: avoid memleak in jbd2_journal_write_metadata_buffer Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 049/150] SUNRPC: Fix a race to wake a sync task Greg Kroah-Hartman
` (104 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Peter Oberparleiter,
Alexander Gordeev, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Oberparleiter <oberpar@linux.ibm.com>
[ Upstream commit bf365071ea92b9579d5a272679b74052a5643e35 ]
When a task waiting for completion of a Store Data operation is
interrupted, an attempt is made to halt this operation. If this attempt
fails due to a hardware or firmware problem, there is a chance that the
SCLP facility might store data into buffers referenced by the original
operation at a later time.
Handle this situation by not releasing the referenced data buffers if
the halt attempt fails. For current use cases, this might result in a
leak of few pages of memory in case of a rare hardware/firmware
malfunction.
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/char/sclp_sd.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/s390/char/sclp_sd.c b/drivers/s390/char/sclp_sd.c
index f9e164be7568f..944e75beb160c 100644
--- a/drivers/s390/char/sclp_sd.c
+++ b/drivers/s390/char/sclp_sd.c
@@ -320,8 +320,14 @@ static int sclp_sd_store_data(struct sclp_sd_data *result, u8 di)
&esize);
if (rc) {
/* Cancel running request if interrupted */
- if (rc == -ERESTARTSYS)
- sclp_sd_sync(page, SD_EQ_HALT, di, 0, 0, NULL, NULL);
+ if (rc == -ERESTARTSYS) {
+ if (sclp_sd_sync(page, SD_EQ_HALT, di, 0, 0, NULL, NULL)) {
+ pr_warn("Could not stop Store Data request - leaking at least %zu bytes\n",
+ (size_t)dsize * PAGE_SIZE);
+ data = NULL;
+ asce = 0;
+ }
+ }
vfree(data);
goto out;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 049/150] SUNRPC: Fix a race to wake a sync task
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 048/150] s390/sclp: Prevent release of buffer in I/O Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 050/150] bus: mhi: host: pci_generic: add support for Telit FE990 modem Greg Kroah-Hartman
` (103 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Coddington, Jeff Layton,
Anna Schumaker, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Coddington <bcodding@redhat.com>
[ Upstream commit ed0172af5d6fc07d1b40ca82f5ca3979300369f7 ]
We've observed NFS clients with sync tasks sleeping in __rpc_execute
waiting on RPC_TASK_QUEUED that have not responded to a wake-up from
rpc_make_runnable(). I suspect this problem usually goes unnoticed,
because on a busy client the task will eventually be re-awoken by another
task completion or xprt event. However, if the state manager is draining
the slot table, a sync task missing a wake-up can result in a hung client.
We've been able to prove that the waker in rpc_make_runnable() successfully
calls wake_up_bit() (ie- there's no race to tk_runstate), but the
wake_up_bit() call fails to wake the waiter. I suspect the waker is
missing the load of the bit's wait_queue_head, so waitqueue_active() is
false. There are some very helpful comments about this problem above
wake_up_bit(), prepare_to_wait(), and waitqueue_active().
Fix this by inserting smp_mb__after_atomic() before the wake_up_bit(),
which pairs with prepare_to_wait() calling set_current_state().
Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/sched.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index 6debf4fd42d4e..cef623ea15060 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -369,8 +369,10 @@ static void rpc_make_runnable(struct workqueue_struct *wq,
if (RPC_IS_ASYNC(task)) {
INIT_WORK(&task->u.tk_work, rpc_async_schedule);
queue_work(wq, &task->u.tk_work);
- } else
+ } else {
+ smp_mb__after_atomic();
wake_up_bit(&task->tk_runstate, RPC_TASK_QUEUED);
+ }
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 050/150] bus: mhi: host: pci_generic: add support for Telit FE990 modem
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 049/150] SUNRPC: Fix a race to wake a sync task Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 051/150] Revert "bpftool: Mount bpffs when pinmaps path not under the bpffs" Greg Kroah-Hartman
` (102 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniele Palmas,
Manivannan Sadhasivam, Manivannan Sadhasivam, Fabio Porcedda
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniele Palmas <dnlplm@gmail.com>
commit 0724869ede9c169429bb622e2d28f97995a95656 upstream.
Add support for Telit FE990 that has the same configuration as FN990:
$ lspci -vv
04:00.0 Unassigned class [ff00]: Qualcomm Device 0308
Subsystem: Device 1c5d:2015
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://lore.kernel.org/r/20230804094039.365102-1-dnlplm@gmail.com
[mani: minor update to commit subject and adjusted comment]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Cc: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/host/pci_generic.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/bus/mhi/host/pci_generic.c
+++ b/drivers/bus/mhi/host/pci_generic.c
@@ -553,6 +553,9 @@ static const struct pci_device_id mhi_pc
/* Telit FN990 */
{ PCI_DEVICE_SUB(PCI_VENDOR_ID_QCOM, 0x0308, 0x1c5d, 0x2010),
.driver_data = (kernel_ulong_t) &mhi_telit_fn990_info },
+ /* Telit FE990 */
+ { PCI_DEVICE_SUB(PCI_VENDOR_ID_QCOM, 0x0308, 0x1c5d, 0x2015),
+ .driver_data = (kernel_ulong_t) &mhi_telit_fn990_info },
{ PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x0308),
.driver_data = (kernel_ulong_t) &mhi_qcom_sdx65_info },
{ PCI_DEVICE(0x1eac, 0x1001), /* EM120R-GL (sdx24) */
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 051/150] Revert "bpftool: Mount bpffs when pinmaps path not under the bpffs"
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 050/150] bus: mhi: host: pci_generic: add support for Telit FE990 modem Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 052/150] profiling: remove profile=sleep support Greg Kroah-Hartman
` (101 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salvatore Bonaccorso, Tao Chen,
Daniel Borkmann, Quentin Monnet, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit 65dd9cbafec2f6f7908cebcab0386f750fc352af which is
commit da5f8fd1f0d393d5eaaba9ad8c22d1c26bb2bf9b upstream.
It breaks the build, so should be dropped.
Reported-by: Salvatore Bonaccorso <carnil@debian.org>
Link: https://lore.kernel.org/r/ZrSe8gZ_GyFv1knq@eldamar.lan
Cc: Tao Chen <chen.dylane@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Quentin Monnet <qmo@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/bpf/bpftool/prog.c | 4 ----
1 file changed, 4 deletions(-)
--- a/tools/bpf/bpftool/prog.c
+++ b/tools/bpf/bpftool/prog.c
@@ -1707,10 +1707,6 @@ static int load_with_options(int argc, c
}
if (pinmaps) {
- err = create_and_mount_bpffs_dir(pinmaps);
- if (err)
- goto err_unpin;
-
err = bpf_object__pin_maps(obj, pinmaps);
if (err) {
p_err("failed to pin all maps");
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 052/150] profiling: remove profile=sleep support
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 051/150] Revert "bpftool: Mount bpffs when pinmaps path not under the bpffs" Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 053/150] scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES Greg Kroah-Hartman
` (100 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tetsuo Handa, Linus Torvalds
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit b88f55389ad27f05ed84af9e1026aa64dbfabc9a upstream.
The kernel sleep profile is no longer working due to a recursive locking
bug introduced by commit 42a20f86dc19 ("sched: Add wrapper for get_wchan()
to keep task blocked")
Booting with the 'profile=sleep' kernel command line option added or
executing
# echo -n sleep > /sys/kernel/profiling
after boot causes the system to lock up.
Lockdep reports
kthreadd/3 is trying to acquire lock:
ffff93ac82e08d58 (&p->pi_lock){....}-{2:2}, at: get_wchan+0x32/0x70
but task is already holding lock:
ffff93ac82e08d58 (&p->pi_lock){....}-{2:2}, at: try_to_wake_up+0x53/0x370
with the call trace being
lock_acquire+0xc8/0x2f0
get_wchan+0x32/0x70
__update_stats_enqueue_sleeper+0x151/0x430
enqueue_entity+0x4b0/0x520
enqueue_task_fair+0x92/0x6b0
ttwu_do_activate+0x73/0x140
try_to_wake_up+0x213/0x370
swake_up_locked+0x20/0x50
complete+0x2f/0x40
kthread+0xfb/0x180
However, since nobody noticed this regression for more than two years,
let's remove 'profile=sleep' support based on the assumption that nobody
needs this functionality.
Fixes: 42a20f86dc19 ("sched: Add wrapper for get_wchan() to keep task blocked")
Cc: stable@vger.kernel.org # v5.16+
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/admin-guide/kernel-parameters.txt | 4 +---
include/linux/profile.h | 1 -
kernel/profile.c | 11 +----------
kernel/sched/stats.c | 10 ----------
4 files changed, 2 insertions(+), 24 deletions(-)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4556,11 +4556,9 @@
profile= [KNL] Enable kernel profiling via /proc/profile
Format: [<profiletype>,]<number>
- Param: <profiletype>: "schedule", "sleep", or "kvm"
+ Param: <profiletype>: "schedule" or "kvm"
[defaults to kernel profiling]
Param: "schedule" - profile schedule points.
- Param: "sleep" - profile D-state sleeping (millisecs).
- Requires CONFIG_SCHEDSTATS
Param: "kvm" - profile VM exits.
Param: <number> - step/bucket size as a power of 2 for
statistical time based profiling.
--- a/include/linux/profile.h
+++ b/include/linux/profile.h
@@ -11,7 +11,6 @@
#define CPU_PROFILING 1
#define SCHED_PROFILING 2
-#define SLEEP_PROFILING 3
#define KVM_PROFILING 4
struct proc_dir_entry;
--- a/kernel/profile.c
+++ b/kernel/profile.c
@@ -57,20 +57,11 @@ static DEFINE_MUTEX(profile_flip_mutex);
int profile_setup(char *str)
{
static const char schedstr[] = "schedule";
- static const char sleepstr[] = "sleep";
static const char kvmstr[] = "kvm";
const char *select = NULL;
int par;
- if (!strncmp(str, sleepstr, strlen(sleepstr))) {
-#ifdef CONFIG_SCHEDSTATS
- force_schedstat_enabled();
- prof_on = SLEEP_PROFILING;
- select = sleepstr;
-#else
- pr_warn("kernel sleep profiling requires CONFIG_SCHEDSTATS\n");
-#endif /* CONFIG_SCHEDSTATS */
- } else if (!strncmp(str, schedstr, strlen(schedstr))) {
+ if (!strncmp(str, schedstr, strlen(schedstr))) {
prof_on = SCHED_PROFILING;
select = schedstr;
} else if (!strncmp(str, kvmstr, strlen(kvmstr))) {
--- a/kernel/sched/stats.c
+++ b/kernel/sched/stats.c
@@ -92,16 +92,6 @@ void __update_stats_enqueue_sleeper(stru
trace_sched_stat_blocked(p, delta);
- /*
- * Blocking time is in units of nanosecs, so shift by
- * 20 to get a milliseconds-range estimation of the
- * amount of time that the task spent sleeping:
- */
- if (unlikely(prof_on == SLEEP_PROFILING)) {
- profile_hits(SLEEP_PROFILING,
- (void *)get_wchan(p),
- delta >> 20);
- }
account_scheduler_latency(p, delta >> 10, 0);
}
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 053/150] scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 052/150] profiling: remove profile=sleep support Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 054/150] irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to raw_spinlock_t Greg Kroah-Hartman
` (99 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Christoph Hellwig,
Johannes Thumshirn, Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit 82dbb57ac8d06dfe8227ba9ab11a49de2b475ae5 upstream.
Some firmware versions of the 9600 series SAS HBA byte-swap the REPORT
ZONES command reply buffer from ATA-ZAC devices by directly accessing the
buffer in the host memory. This does not respect the default command DMA
direction and causes IOMMU page faults on architectures with an IOMMU
enforcing write-only mappings for DMA_FROM_DEVICE DMA driection (e.g. AMD
hosts).
scsi 18:0:0:0: Direct-Access-ZBC ATA WDC WSH722020AL W870 PQ: 0 ANSI: 6
scsi 18:0:0:0: SATA: handle(0x0027), sas_addr(0x300062b2083e7c40), phy(0), device_name(0x5000cca29dc35e11)
scsi 18:0:0:0: enclosure logical id (0x300062b208097c40), slot(0)
scsi 18:0:0:0: enclosure level(0x0000), connector name( C0.0)
scsi 18:0:0:0: atapi(n), ncq(y), asyn_notify(n), smart(y), fua(y), sw_preserve(y)
scsi 18:0:0:0: qdepth(32), tagged(1), scsi_level(7), cmd_que(1)
sd 18:0:0:0: Attached scsi generic sg2 type 20
sd 18:0:0:0: [sdc] Host-managed zoned block device
mpt3sas 0000:41:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0021 address=0xfff9b200 flags=0x0050]
mpt3sas 0000:41:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0021 address=0xfff9b300 flags=0x0050]
mpt3sas_cm0: mpt3sas_ctl_pre_reset_handler: Releasing the trace buffer due to adapter reset.
mpt3sas_cm0 fault info from func: mpt3sas_base_make_ioc_ready
mpt3sas_cm0: fault_state(0x2666)!
mpt3sas_cm0: sending diag reset !!
mpt3sas_cm0: diag reset: SUCCESS
sd 18:0:0:0: [sdc] REPORT ZONES start lba 0 failed
sd 18:0:0:0: [sdc] REPORT ZONES: Result: hostbyte=DID_RESET driverbyte=DRIVER_OK
sd 18:0:0:0: [sdc] 0 4096-byte logical blocks: (0 B/0 B)
Avoid such issue by always mapping the buffer of REPORT ZONES commands
using DMA_BIDIRECTIONAL (read+write IOMMU mapping). This is done by
introducing the helper function _base_scsi_dma_map() and using this helper
in _base_build_sg_scmd() and _base_build_sg_scmd_ieee() instead of calling
directly scsi_dma_map().
Fixes: 471ef9d4e498 ("mpt3sas: Build MPI SGL LIST on GEN2 HBAs and IEEE SGL LIST on GEN3 HBAs")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20240719073913.179559-3-dlemoal@kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpt3sas/mpt3sas_base.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -2672,6 +2672,22 @@ _base_build_zero_len_sge_ieee(struct MPT
_base_add_sg_single_ieee(paddr, sgl_flags, 0, 0, -1);
}
+static inline int _base_scsi_dma_map(struct scsi_cmnd *cmd)
+{
+ /*
+ * Some firmware versions byte-swap the REPORT ZONES command reply from
+ * ATA-ZAC devices by directly accessing in the host buffer. This does
+ * not respect the default command DMA direction and causes IOMMU page
+ * faults on some architectures with an IOMMU enforcing write mappings
+ * (e.g. AMD hosts). Avoid such issue by making the report zones buffer
+ * mapping bi-directional.
+ */
+ if (cmd->cmnd[0] == ZBC_IN && cmd->cmnd[1] == ZI_REPORT_ZONES)
+ cmd->sc_data_direction = DMA_BIDIRECTIONAL;
+
+ return scsi_dma_map(cmd);
+}
+
/**
* _base_build_sg_scmd - main sg creation routine
* pcie_device is unused here!
@@ -2718,7 +2734,7 @@ _base_build_sg_scmd(struct MPT3SAS_ADAPT
sgl_flags = sgl_flags << MPI2_SGE_FLAGS_SHIFT;
sg_scmd = scsi_sglist(scmd);
- sges_left = scsi_dma_map(scmd);
+ sges_left = _base_scsi_dma_map(scmd);
if (sges_left < 0)
return -ENOMEM;
@@ -2862,7 +2878,7 @@ _base_build_sg_scmd_ieee(struct MPT3SAS_
}
sg_scmd = scsi_sglist(scmd);
- sges_left = scsi_dma_map(scmd);
+ sges_left = _base_scsi_dma_map(scmd);
if (sges_left < 0)
return -ENOMEM;
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 054/150] irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to raw_spinlock_t
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 053/150] scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 055/150] irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq() Greg Kroah-Hartman
` (98 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arseniy Krasnov, Thomas Gleixner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arseniy Krasnov <avkrasnov@salutedevices.com>
commit f872d4af79fe8c71ae291ce8875b477e1669a6c7 upstream.
This lock is acquired under irq_desc::lock with interrupts disabled.
When PREEMPT_RT is enabled, 'spinlock_t' becomes preemptible, which results
in invalid lock acquire context;
[ BUG: Invalid wait context ]
swapper/0/1 is trying to lock:
ffff0000008fed30 (&ctl->lock){....}-{3:3}, at: meson_gpio_irq_update_bits0
other info that might help us debug this:
context-{5:5}
3 locks held by swapper/0/1:
#0: ffff0000003cd0f8 (&dev->mutex){....}-{4:4}, at: __driver_attach+0x90c
#1: ffff000004714650 (&desc->request_mutex){+.+.}-{4:4}, at: __setup_irq0
#2: ffff0000047144c8 (&irq_desc_lock_class){-.-.}-{2:2}, at: __setup_irq0
stack backtrace:
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.9-sdkernel #1
Call trace:
_raw_spin_lock_irqsave+0x60/0x88
meson_gpio_irq_update_bits+0x34/0x70
meson8_gpio_irq_set_type+0x78/0xc4
meson_gpio_irq_set_type+0x30/0x60
__irq_set_trigger+0x60/0x180
__setup_irq+0x30c/0x6e0
request_threaded_irq+0xec/0x1a4
Fixes: 215f4cc0fb20 ("irqchip/meson: Add support for gpio interrupt controller")
Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20240729131850.3015508-1-avkrasnov@salutedevices.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-meson-gpio.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/irqchip/irq-meson-gpio.c
+++ b/drivers/irqchip/irq-meson-gpio.c
@@ -168,7 +168,7 @@ struct meson_gpio_irq_controller {
void __iomem *base;
u32 channel_irqs[MAX_NUM_CHANNEL];
DECLARE_BITMAP(channel_map, MAX_NUM_CHANNEL);
- spinlock_t lock;
+ raw_spinlock_t lock;
};
static void meson_gpio_irq_update_bits(struct meson_gpio_irq_controller *ctl,
@@ -177,14 +177,14 @@ static void meson_gpio_irq_update_bits(s
unsigned long flags;
u32 tmp;
- spin_lock_irqsave(&ctl->lock, flags);
+ raw_spin_lock_irqsave(&ctl->lock, flags);
tmp = readl_relaxed(ctl->base + reg);
tmp &= ~mask;
tmp |= val;
writel_relaxed(tmp, ctl->base + reg);
- spin_unlock_irqrestore(&ctl->lock, flags);
+ raw_spin_unlock_irqrestore(&ctl->lock, flags);
}
static void meson_gpio_irq_init_dummy(struct meson_gpio_irq_controller *ctl)
@@ -234,12 +234,12 @@ meson_gpio_irq_request_channel(struct me
unsigned long flags;
unsigned int idx;
- spin_lock_irqsave(&ctl->lock, flags);
+ raw_spin_lock_irqsave(&ctl->lock, flags);
/* Find a free channel */
idx = find_first_zero_bit(ctl->channel_map, ctl->params->nr_channels);
if (idx >= ctl->params->nr_channels) {
- spin_unlock_irqrestore(&ctl->lock, flags);
+ raw_spin_unlock_irqrestore(&ctl->lock, flags);
pr_err("No channel available\n");
return -ENOSPC;
}
@@ -247,7 +247,7 @@ meson_gpio_irq_request_channel(struct me
/* Mark the channel as used */
set_bit(idx, ctl->channel_map);
- spin_unlock_irqrestore(&ctl->lock, flags);
+ raw_spin_unlock_irqrestore(&ctl->lock, flags);
/*
* Setup the mux of the channel to route the signal of the pad
@@ -557,7 +557,7 @@ static int meson_gpio_irq_of_init(struct
if (!ctl)
return -ENOMEM;
- spin_lock_init(&ctl->lock);
+ raw_spin_lock_init(&ctl->lock);
ctl->base = of_iomap(node, 0);
if (!ctl->base) {
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 055/150] irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 054/150] irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to raw_spinlock_t Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 056/150] sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime Greg Kroah-Hartman
` (97 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miao Wang, Huacai Chen,
Thomas Gleixner, Jiaxun Yang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 81a91abab1307d7725fa4620952c0767beae7753 upstream.
lpic_gsi_to_irq() should return a valid Linux interrupt number if
acpi_register_gsi() succeeds, and return 0 otherwise. But lpic_gsi_to_irq()
converts a negative return value of acpi_register_gsi() to a positive value
silently.
Convert the return value explicitly.
Fixes: e8bba72b396c ("irqchip / ACPI: Introduce ACPI_IRQ_MODEL_LPIC for LoongArch")
Reported-by: Miao Wang <shankerwangmiao@gmail.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20240723064508.35560-1-chenhuacai@loongson.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-loongarch-cpu.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/irqchip/irq-loongarch-cpu.c b/drivers/irqchip/irq-loongarch-cpu.c
index 9d8f2c406043..b35903a06902 100644
--- a/drivers/irqchip/irq-loongarch-cpu.c
+++ b/drivers/irqchip/irq-loongarch-cpu.c
@@ -18,11 +18,13 @@ struct fwnode_handle *cpuintc_handle;
static u32 lpic_gsi_to_irq(u32 gsi)
{
+ int irq = 0;
+
/* Only pch irqdomain transferring is required for LoongArch. */
if (gsi >= GSI_MIN_PCH_IRQ && gsi <= GSI_MAX_PCH_IRQ)
- return acpi_register_gsi(NULL, gsi, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_HIGH);
+ irq = acpi_register_gsi(NULL, gsi, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_HIGH);
- return 0;
+ return (irq > 0) ? irq : 0;
}
static struct fwnode_handle *lpic_get_gsi_domain_id(u32 gsi)
--
2.46.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 056/150] sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 055/150] irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq() Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 057/150] ext4: fix wrong unit use in ext4_mb_find_by_goal Greg Kroah-Hartman
` (96 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zheng Zucheng,
Peter Zijlstra (Intel)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Zucheng <zhengzucheng@huawei.com>
commit 77baa5bafcbe1b2a15ef9c37232c21279c95481c upstream.
In extreme test scenarios:
the 14th field utime in /proc/xx/stat is greater than sum_exec_runtime,
utime = 18446744073709518790 ns, rtime = 135989749728000 ns
In cputime_adjust() process, stime is greater than rtime due to
mul_u64_u64_div_u64() precision problem.
before call mul_u64_u64_div_u64(),
stime = 175136586720000, rtime = 135989749728000, utime = 1416780000.
after call mul_u64_u64_div_u64(),
stime = 135989949653530
unsigned reversion occurs because rtime is less than stime.
utime = rtime - stime = 135989749728000 - 135989949653530
= -199925530
= (u64)18446744073709518790
Trigger condition:
1). User task run in kernel mode most of time
2). ARM64 architecture
3). TICK_CPU_ACCOUNTING=y
CONFIG_VIRT_CPU_ACCOUNTING_NATIVE is not set
Fix mul_u64_u64_div_u64() conversion precision by reset stime to rtime
Fixes: 3dc167ba5729 ("sched/cputime: Improve cputime_adjust()")
Signed-off-by: Zheng Zucheng <zhengzucheng@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20240726023235.217771-1-zhengzucheng@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/cputime.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/kernel/sched/cputime.c
+++ b/kernel/sched/cputime.c
@@ -591,6 +591,12 @@ void cputime_adjust(struct task_cputime
}
stime = mul_u64_u64_div_u64(stime, rtime, stime + utime);
+ /*
+ * Because mul_u64_u64_div_u64() can approximate on some
+ * achitectures; enforce the constraint that: a*b/(b+c) <= a.
+ */
+ if (unlikely(stime > rtime))
+ stime = rtime;
update:
/*
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 057/150] ext4: fix wrong unit use in ext4_mb_find_by_goal
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 056/150] sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 058/150] arm64: Add Neoverse-V2 part Greg Kroah-Hartman
` (95 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kemeng Shi, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kemeng Shi <shikemeng@huaweicloud.com>
[ Upstream commit 99c515e3a860576ba90c11acbc1d6488dfca6463 ]
We need start in block unit while fe_start is in cluster unit. Use
ext4_grp_offs_to_block helper to convert fe_start to get start in
block unit.
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://lore.kernel.org/r/20230603150327.3596033-4-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 71ce3ed5ab6ba..004ad321a45d6 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2226,8 +2226,7 @@ int ext4_mb_find_by_goal(struct ext4_allocation_context *ac,
if (max >= ac->ac_g_ex.fe_len && ac->ac_g_ex.fe_len == sbi->s_stripe) {
ext4_fsblk_t start;
- start = ext4_group_first_block_no(ac->ac_sb, e4b->bd_group) +
- ex.fe_start;
+ start = ext4_grp_offs_to_block(ac->ac_sb, &ex);
/* use do_div to get remainder (would be 64-bit modulo) */
if (do_div(start, sbi->s_stripe) == 0) {
ac->ac_found++;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 058/150] arm64: Add Neoverse-V2 part
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 057/150] ext4: fix wrong unit use in ext4_mb_find_by_goal Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 059/150] arm64: barrier: Restore spec_bar() macro Greg Kroah-Hartman
` (94 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Besar Wicaksono, James Clark,
Will Deacon, Mark Rutland, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Besar Wicaksono <bwicaksono@nvidia.com>
[ Upstream commit f4d9d9dcc70b96b5e5d7801bd5fbf8491b07b13d ]
Add the part number and MIDR for Neoverse-V2
Signed-off-by: Besar Wicaksono <bwicaksono@nvidia.com>
Reviewed-by: James Clark <james.clark@arm.com>
Link: https://lore.kernel.org/r/20240109192310.16234-2-bwicaksono@nvidia.com
Signed-off-by: Will Deacon <will@kernel.org>
[ Mark: trivial backport ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index af3a678a76b3a..29fe8b5c938a4 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -85,6 +85,7 @@
#define ARM_CPU_PART_CORTEX_X2 0xD48
#define ARM_CPU_PART_NEOVERSE_N2 0xD49
#define ARM_CPU_PART_CORTEX_A78C 0xD4B
+#define ARM_CPU_PART_NEOVERSE_V2 0xD4F
#define APM_CPU_PART_XGENE 0x000
#define APM_CPU_VAR_POTENZA 0x00
@@ -151,6 +152,7 @@
#define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2)
#define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2)
#define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C)
+#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2)
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
#define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 059/150] arm64: barrier: Restore spec_bar() macro
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 058/150] arm64: Add Neoverse-V2 part Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 060/150] arm64: cputype: Add Cortex-X4 definitions Greg Kroah-Hartman
` (93 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
James Morse, Will Deacon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit ebfc726eae3f31bdb5fae1bbd74ef235d71046ca ]
Upcoming errata workarounds will need to use SB from C code. Restore the
spec_bar() macro so that we can use SB.
This is effectively a revert of commit:
4f30ba1cce36d413 ("arm64: barrier: Remove spec_bar() macro")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240508081400.235362-2-mark.rutland@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
[ Mark: trivial backport ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/barrier.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/arm64/include/asm/barrier.h b/arch/arm64/include/asm/barrier.h
index 2cfc4245d2e2d..e22ec44d50f5f 100644
--- a/arch/arm64/include/asm/barrier.h
+++ b/arch/arm64/include/asm/barrier.h
@@ -38,6 +38,10 @@
*/
#define dgh() asm volatile("hint #6" : : : "memory")
+#define spec_bar() asm volatile(ALTERNATIVE("dsb nsh\nisb\n", \
+ SB_BARRIER_INSN"nop\n", \
+ ARM64_HAS_SB))
+
#ifdef CONFIG_ARM64_PSEUDO_NMI
#define pmr_sync() \
do { \
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 060/150] arm64: cputype: Add Cortex-X4 definitions
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 059/150] arm64: barrier: Restore spec_bar() macro Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 061/150] arm64: cputype: Add Neoverse-V3 definitions Greg Kroah-Hartman
` (92 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
James Morse, Will Deacon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 02a0a04676fa7796d9cbc9eb5ca120aaa194d2dd ]
Add cputype definitions for Cortex-X4. These will be used for errata
detection in subsequent patches.
These values can be found in Table B-249 ("MIDR_EL1 bit descriptions")
in issue 0002-05 of the Cortex-X4 TRM, which can be found at:
https://developer.arm.com/documentation/102484/0002/?lang=en
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240508081400.235362-3-mark.rutland@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
[ Mark: fix conflict (dealt with upstream via a later merge) ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index 29fe8b5c938a4..f1fc64900f4e4 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -86,6 +86,7 @@
#define ARM_CPU_PART_NEOVERSE_N2 0xD49
#define ARM_CPU_PART_CORTEX_A78C 0xD4B
#define ARM_CPU_PART_NEOVERSE_V2 0xD4F
+#define ARM_CPU_PART_CORTEX_X4 0xD82
#define APM_CPU_PART_XGENE 0x000
#define APM_CPU_VAR_POTENZA 0x00
@@ -153,6 +154,7 @@
#define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2)
#define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C)
#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2)
+#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4)
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
#define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 061/150] arm64: cputype: Add Neoverse-V3 definitions
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 060/150] arm64: cputype: Add Cortex-X4 definitions Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 062/150] arm64: errata: Add workaround for Arm errata 3194386 and 3312417 Greg Kroah-Hartman
` (91 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
James Morse, Will Deacon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 0ce85db6c2141b7ffb95709d76fc55a27ff3cdc1 ]
Add cputype definitions for Neoverse-V3. These will be used for errata
detection in subsequent patches.
These values can be found in Table B-249 ("MIDR_EL1 bit descriptions")
in issue 0001-04 of the Neoverse-V3 TRM, which can be found at:
https://developer.arm.com/documentation/107734/0001/?lang=en
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240508081400.235362-4-mark.rutland@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
[ Mark: trivial backport ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index f1fc64900f4e4..69e36de72c055 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -87,6 +87,7 @@
#define ARM_CPU_PART_CORTEX_A78C 0xD4B
#define ARM_CPU_PART_NEOVERSE_V2 0xD4F
#define ARM_CPU_PART_CORTEX_X4 0xD82
+#define ARM_CPU_PART_NEOVERSE_V3 0xD84
#define APM_CPU_PART_XGENE 0x000
#define APM_CPU_VAR_POTENZA 0x00
@@ -155,6 +156,7 @@
#define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C)
#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2)
#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4)
+#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
#define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 062/150] arm64: errata: Add workaround for Arm errata 3194386 and 3312417
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 061/150] arm64: cputype: Add Neoverse-V3 definitions Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 063/150] arm64: cputype: Add Cortex-X3 definitions Greg Kroah-Hartman
` (90 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
James Morse, Will Deacon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 7187bb7d0b5c7dfa18ca82e9e5c75e13861b1d88 ]
Cortex-X4 and Neoverse-V3 suffer from errata whereby an MSR to the SSBS
special-purpose register does not affect subsequent speculative
instructions, permitting speculative store bypassing for a window of
time. This is described in their Software Developer Errata Notice (SDEN)
documents:
* Cortex-X4 SDEN v8.0, erratum 3194386:
https://developer.arm.com/documentation/SDEN-2432808/0800/
* Neoverse-V3 SDEN v6.0, erratum 3312417:
https://developer.arm.com/documentation/SDEN-2891958/0600/
To workaround these errata, it is necessary to place a speculation
barrier (SB) after MSR to the SSBS special-purpose register. This patch
adds the requisite SB after writes to SSBS within the kernel, and hides
the presence of SSBS from EL0 such that userspace software which cares
about SSBS will manipulate this via prctl(PR_GET_SPECULATION_CTRL, ...).
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240508081400.235362-5-mark.rutland@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
[ Mark: fix conflicts & renames, drop unneeded cpucaps.h, fold in user_feature_fixup() ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/arm64/silicon-errata.rst | 4 +++
arch/arm64/Kconfig | 41 ++++++++++++++++++++++++++
arch/arm64/kernel/cpu_errata.c | 19 ++++++++++++
arch/arm64/kernel/cpufeature.c | 12 ++++++++
arch/arm64/kernel/proton-pack.c | 12 ++++++++
arch/arm64/tools/cpucaps | 1 +
6 files changed, 89 insertions(+)
diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst
index 27135b9c07acb..701ec95ebc5e3 100644
--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -129,6 +129,8 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X2 | #2224489 | ARM64_ERRATUM_2224489 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X4 | #3194386 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N1 | #1188873,1418040| ARM64_ERRATUM_1418040 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N1 | #1349291 | N/A |
@@ -141,6 +143,8 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N2 | #2253138 | ARM64_ERRATUM_2253138 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3312417 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | MMU-500 | #841119,826419 | N/A |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | MMU-600 | #1076982,1209401| N/A |
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 044b98a62f7bb..cb9e16823fb2b 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1000,6 +1000,47 @@ config ARM64_ERRATUM_2966298
If unsure, say Y.
+config ARM64_WORKAROUND_SPECULATIVE_SSBS
+ bool
+
+config ARM64_ERRATUM_3194386
+ bool "Cortex-X4: 3194386: workaround for MSR SSBS not self-synchronizing"
+ select ARM64_WORKAROUND_SPECULATIVE_SSBS
+ default y
+ help
+ This option adds the workaround for ARM Cortex-X4 erratum 3194386.
+
+ On affected cores "MSR SSBS, #0" instructions may not affect
+ subsequent speculative instructions, which may permit unexepected
+ speculative store bypassing.
+
+ Work around this problem by placing a speculation barrier after
+ kernel changes to SSBS. The presence of the SSBS special-purpose
+ register is hidden from hwcaps and EL0 reads of ID_AA64PFR1_EL1, such
+ that userspace will use the PR_SPEC_STORE_BYPASS prctl to change
+ SSBS.
+
+ If unsure, say Y.
+
+config ARM64_ERRATUM_3312417
+ bool "Neoverse-V3: 3312417: workaround for MSR SSBS not self-synchronizing"
+ select ARM64_WORKAROUND_SPECULATIVE_SSBS
+ default y
+ help
+ This option adds the workaround for ARM Neoverse-V3 erratum 3312417.
+
+ On affected cores "MSR SSBS, #0" instructions may not affect
+ subsequent speculative instructions, which may permit unexepected
+ speculative store bypassing.
+
+ Work around this problem by placing a speculation barrier after
+ kernel changes to SSBS. The presence of the SSBS special-purpose
+ register is hidden from hwcaps and EL0 reads of ID_AA64PFR1_EL1, such
+ that userspace will use the PR_SPEC_STORE_BYPASS prctl to change
+ SSBS.
+
+ If unsure, say Y.
+
config CAVIUM_ERRATUM_22375
bool "Cavium erratum 22375, 24313"
default y
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index 74584597bfb82..c9d05f753829c 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -435,6 +435,18 @@ static struct midr_range broken_aarch32_aes[] = {
};
#endif /* CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */
+#ifdef CONFIG_ARM64_WORKAROUND_SPECULATIVE_SSBS
+static const struct midr_range erratum_spec_ssbs_list[] = {
+#ifdef CONFIG_ARM64_ERRATUM_3194386
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
+#endif
+#ifdef CONFIG_ARM64_ERRATUM_3312417
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
+#endif
+ {}
+};
+#endif
+
const struct arm64_cpu_capabilities arm64_errata[] = {
#ifdef CONFIG_ARM64_WORKAROUND_CLEAN_CACHE
{
@@ -726,6 +738,13 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
.cpu_enable = cpu_clear_bf16_from_user_emulation,
},
#endif
+#ifdef CONFIG_ARM64_WORKAROUND_SPECULATIVE_SSBS
+ {
+ .desc = "ARM errata 3194386, 3312417",
+ .capability = ARM64_WORKAROUND_SPECULATIVE_SSBS,
+ ERRATA_MIDR_RANGE_LIST(erratum_spec_ssbs_list),
+ },
+#endif
#ifdef CONFIG_ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
{
.desc = "ARM erratum 2966298",
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 770a31c6ed81b..840cc48b5147b 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -2084,6 +2084,17 @@ static void cpu_enable_mte(struct arm64_cpu_capabilities const *cap)
}
#endif /* CONFIG_ARM64_MTE */
+static void user_feature_fixup(void)
+{
+ if (cpus_have_cap(ARM64_WORKAROUND_SPECULATIVE_SSBS)) {
+ struct arm64_ftr_reg *regp;
+
+ regp = get_arm64_ftr_reg(SYS_ID_AA64PFR1_EL1);
+ if (regp)
+ regp->user_mask &= ~ID_AA64PFR1_EL1_SSBS_MASK;
+ }
+}
+
static void elf_hwcap_fixup(void)
{
#ifdef CONFIG_ARM64_ERRATUM_1742098
@@ -3284,6 +3295,7 @@ void __init setup_cpu_features(void)
u32 cwg;
setup_system_capabilities();
+ user_feature_fixup();
setup_elf_hwcaps(arm64_elf_hwcaps);
if (system_supports_32bit_el0()) {
diff --git a/arch/arm64/kernel/proton-pack.c b/arch/arm64/kernel/proton-pack.c
index bfce41c2a53b3..e476692cea976 100644
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -570,6 +570,18 @@ static enum mitigation_state spectre_v4_enable_hw_mitigation(void)
/* SCTLR_EL1.DSSBS was initialised to 0 during boot */
set_pstate_ssbs(0);
+
+ /*
+ * SSBS is self-synchronizing and is intended to affect subsequent
+ * speculative instructions, but some CPUs can speculate with a stale
+ * value of SSBS.
+ *
+ * Mitigate this with an unconditional speculation barrier, as CPUs
+ * could mis-speculate branches and bypass a conditional barrier.
+ */
+ if (IS_ENABLED(CONFIG_ARM64_WORKAROUND_SPECULATIVE_SSBS))
+ spec_bar();
+
return SPECTRE_MITIGATED;
}
diff --git a/arch/arm64/tools/cpucaps b/arch/arm64/tools/cpucaps
index 2dc7ddee5f044..f5c9a4f5f7226 100644
--- a/arch/arm64/tools/cpucaps
+++ b/arch/arm64/tools/cpucaps
@@ -86,4 +86,5 @@ WORKAROUND_NVIDIA_CARMEL_CNP
WORKAROUND_QCOM_FALKOR_E1003
WORKAROUND_REPEAT_TLBI
WORKAROUND_SPECULATIVE_AT
+WORKAROUND_SPECULATIVE_SSBS
WORKAROUND_SPECULATIVE_UNPRIV_LOAD
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 063/150] arm64: cputype: Add Cortex-X3 definitions
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 062/150] arm64: errata: Add workaround for Arm errata 3194386 and 3312417 Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 064/150] arm64: cputype: Add Cortex-A720 definitions Greg Kroah-Hartman
` (89 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
Will Deacon, Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit be5a6f238700f38b534456608588723fba96c5ab ]
Add cputype definitions for Cortex-X3. These will be used for errata
detection in subsequent patches.
These values can be found in Table A-263 ("MIDR_EL1 bit descriptions")
in issue 07 of the Cortex-X3 TRM, which can be found at:
https://developer.arm.com/documentation/101593/0102/?lang=en
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240603111812.1514101-2-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ Mark: trivial backport ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index 69e36de72c055..02d3a6c6a37f3 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -85,6 +85,7 @@
#define ARM_CPU_PART_CORTEX_X2 0xD48
#define ARM_CPU_PART_NEOVERSE_N2 0xD49
#define ARM_CPU_PART_CORTEX_A78C 0xD4B
+#define ARM_CPU_PART_CORTEX_X3 0xD4E
#define ARM_CPU_PART_NEOVERSE_V2 0xD4F
#define ARM_CPU_PART_CORTEX_X4 0xD82
#define ARM_CPU_PART_NEOVERSE_V3 0xD84
@@ -154,6 +155,7 @@
#define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2)
#define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2)
#define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C)
+#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3)
#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2)
#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4)
#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 064/150] arm64: cputype: Add Cortex-A720 definitions
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 063/150] arm64: cputype: Add Cortex-X3 definitions Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 065/150] arm64: cputype: Add Cortex-X925 definitions Greg Kroah-Hartman
` (88 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
Will Deacon, Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit add332c40328cf06fe35e4b3cde8ec315c4629e5 ]
Add cputype definitions for Cortex-A720. These will be used for errata
detection in subsequent patches.
These values can be found in Table A-186 ("MIDR_EL1 bit descriptions")
in issue 0002-05 of the Cortex-A720 TRM, which can be found at:
https://developer.arm.com/documentation/102530/0002/?lang=en
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240603111812.1514101-3-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ Mark: trivial backport ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index 02d3a6c6a37f3..1e3dbfc81d432 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -87,6 +87,7 @@
#define ARM_CPU_PART_CORTEX_A78C 0xD4B
#define ARM_CPU_PART_CORTEX_X3 0xD4E
#define ARM_CPU_PART_NEOVERSE_V2 0xD4F
+#define ARM_CPU_PART_CORTEX_A720 0xD81
#define ARM_CPU_PART_CORTEX_X4 0xD82
#define ARM_CPU_PART_NEOVERSE_V3 0xD84
@@ -157,6 +158,7 @@
#define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C)
#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3)
#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2)
+#define MIDR_CORTEX_A720 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720)
#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4)
#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 065/150] arm64: cputype: Add Cortex-X925 definitions
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 064/150] arm64: cputype: Add Cortex-A720 definitions Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 066/150] arm64: errata: Unify speculative SSBS errata logic Greg Kroah-Hartman
` (87 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
Will Deacon, Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit fd2ff5f0b320f418288e7a1f919f648fbc8a0dfc ]
Add cputype definitions for Cortex-X925. These will be used for errata
detection in subsequent patches.
These values can be found in Table A-285 ("MIDR_EL1 bit descriptions")
in issue 0001-05 of the Cortex-X925 TRM, which can be found at:
https://developer.arm.com/documentation/102807/0001/?lang=en
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240603111812.1514101-4-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ Mark: trivial backport ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index 1e3dbfc81d432..b52d974da8283 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -90,6 +90,7 @@
#define ARM_CPU_PART_CORTEX_A720 0xD81
#define ARM_CPU_PART_CORTEX_X4 0xD82
#define ARM_CPU_PART_NEOVERSE_V3 0xD84
+#define ARM_CPU_PART_CORTEX_X925 0xD85
#define APM_CPU_PART_XGENE 0x000
#define APM_CPU_VAR_POTENZA 0x00
@@ -161,6 +162,7 @@
#define MIDR_CORTEX_A720 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720)
#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4)
#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
+#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
#define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 066/150] arm64: errata: Unify speculative SSBS errata logic
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 065/150] arm64: cputype: Add Cortex-X925 definitions Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 067/150] arm64: errata: Expand speculative SSBS workaround Greg Kroah-Hartman
` (86 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
Will Deacon, Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit ec768766608092087dfb5c1fc45a16a6f524dee2 ]
Cortex-X4 erratum 3194386 and Neoverse-V3 erratum 3312417 are identical,
with duplicate Kconfig text and some unsightly ifdeffery. While we try
to share code behind CONFIG_ARM64_WORKAROUND_SPECULATIVE_SSBS, having
separate options results in a fair amount of boilerplate code, and this
will only get worse as we expand the set of affected CPUs.
To reduce this boilerplate, unify the two behind a common Kconfig
option. This removes the duplicate text and Kconfig logic, and removes
the need for the intermediate ARM64_WORKAROUND_SPECULATIVE_SSBS option.
The set of affected CPUs is described as a list so that this can easily
be extended.
I've used ARM64_ERRATUM_3194386 (matching the Neoverse-V3 erratum ID) as
the common option, matching the way we use ARM64_ERRATUM_1319367 to
cover Cortex-A57 erratum 1319537 and Cortex-A72 erratum 1319367.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240603111812.1514101-5-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ Mark: fix conflicts & renames, drop unneeded cpucaps.h ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/arm64/silicon-errata.rst | 2 +-
arch/arm64/Kconfig | 28 ++++----------------------
arch/arm64/kernel/cpu_errata.c | 8 ++------
arch/arm64/kernel/proton-pack.c | 2 +-
4 files changed, 8 insertions(+), 32 deletions(-)
diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst
index 701ec95ebc5e3..1566cf898fc20 100644
--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -143,7 +143,7 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N2 | #2253138 | ARM64_ERRATUM_2253138 |
+----------------+-----------------+-----------------+-----------------------------+
-| ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3312417 |
+| ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | MMU-500 | #841119,826419 | N/A |
+----------------+-----------------+-----------------+-----------------------------+
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index cb9e16823fb2b..1a0eae0ced3f2 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1000,34 +1000,14 @@ config ARM64_ERRATUM_2966298
If unsure, say Y.
-config ARM64_WORKAROUND_SPECULATIVE_SSBS
- bool
-
config ARM64_ERRATUM_3194386
- bool "Cortex-X4: 3194386: workaround for MSR SSBS not self-synchronizing"
- select ARM64_WORKAROUND_SPECULATIVE_SSBS
+ bool "Cortex-X4/Neoverse-V3: workaround for MSR SSBS not self-synchronizing"
default y
help
- This option adds the workaround for ARM Cortex-X4 erratum 3194386.
-
- On affected cores "MSR SSBS, #0" instructions may not affect
- subsequent speculative instructions, which may permit unexepected
- speculative store bypassing.
-
- Work around this problem by placing a speculation barrier after
- kernel changes to SSBS. The presence of the SSBS special-purpose
- register is hidden from hwcaps and EL0 reads of ID_AA64PFR1_EL1, such
- that userspace will use the PR_SPEC_STORE_BYPASS prctl to change
- SSBS.
+ This option adds the workaround for the following errata:
- If unsure, say Y.
-
-config ARM64_ERRATUM_3312417
- bool "Neoverse-V3: 3312417: workaround for MSR SSBS not self-synchronizing"
- select ARM64_WORKAROUND_SPECULATIVE_SSBS
- default y
- help
- This option adds the workaround for ARM Neoverse-V3 erratum 3312417.
+ * ARM Cortex-X4 erratum 3194386
+ * ARM Neoverse-V3 erratum 3312417
On affected cores "MSR SSBS, #0" instructions may not affect
subsequent speculative instructions, which may permit unexepected
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index c9d05f753829c..d098a2ea494e2 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -435,14 +435,10 @@ static struct midr_range broken_aarch32_aes[] = {
};
#endif /* CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */
-#ifdef CONFIG_ARM64_WORKAROUND_SPECULATIVE_SSBS
-static const struct midr_range erratum_spec_ssbs_list[] = {
#ifdef CONFIG_ARM64_ERRATUM_3194386
+static const struct midr_range erratum_spec_ssbs_list[] = {
MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
-#endif
-#ifdef CONFIG_ARM64_ERRATUM_3312417
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
-#endif
{}
};
#endif
@@ -738,7 +734,7 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
.cpu_enable = cpu_clear_bf16_from_user_emulation,
},
#endif
-#ifdef CONFIG_ARM64_WORKAROUND_SPECULATIVE_SSBS
+#ifdef CONFIG_ARM64_ERRATUM_3194386
{
.desc = "ARM errata 3194386, 3312417",
.capability = ARM64_WORKAROUND_SPECULATIVE_SSBS,
diff --git a/arch/arm64/kernel/proton-pack.c b/arch/arm64/kernel/proton-pack.c
index e476692cea976..2df5e43ae4d14 100644
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -579,7 +579,7 @@ static enum mitigation_state spectre_v4_enable_hw_mitigation(void)
* Mitigate this with an unconditional speculation barrier, as CPUs
* could mis-speculate branches and bypass a conditional barrier.
*/
- if (IS_ENABLED(CONFIG_ARM64_WORKAROUND_SPECULATIVE_SSBS))
+ if (IS_ENABLED(CONFIG_ARM64_ERRATUM_3194386))
spec_bar();
return SPECTRE_MITIGATED;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 067/150] arm64: errata: Expand speculative SSBS workaround
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 066/150] arm64: errata: Unify speculative SSBS errata logic Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 068/150] arm64: cputype: Add Cortex-X1C definitions Greg Kroah-Hartman
` (85 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
Will Deacon, Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 75b3c43eab594bfbd8184ec8ee1a6b820950819a ]
A number of Arm Ltd CPUs suffer from errata whereby an MSR to the SSBS
special-purpose register does not affect subsequent speculative
instructions, permitting speculative store bypassing for a window of
time.
We worked around this for Cortex-X4 and Neoverse-V3, in commit:
7187bb7d0b5c7dfa ("arm64: errata: Add workaround for Arm errata 3194386 and 3312417")
... as per their Software Developer Errata Notice (SDEN) documents:
* Cortex-X4 SDEN v8.0, erratum 3194386:
https://developer.arm.com/documentation/SDEN-2432808/0800/
* Neoverse-V3 SDEN v6.0, erratum 3312417:
https://developer.arm.com/documentation/SDEN-2891958/0600/
Since then, similar errata have been published for a number of other Arm Ltd
CPUs, for which the mitigation is the same. This is described in their
respective SDEN documents:
* Cortex-A710 SDEN v19.0, errataum 3324338
https://developer.arm.com/documentation/SDEN-1775101/1900/?lang=en
* Cortex-A720 SDEN v11.0, erratum 3456091
https://developer.arm.com/documentation/SDEN-2439421/1100/?lang=en
* Cortex-X2 SDEN v19.0, erratum 3324338
https://developer.arm.com/documentation/SDEN-1775100/1900/?lang=en
* Cortex-X3 SDEN v14.0, erratum 3324335
https://developer.arm.com/documentation/SDEN-2055130/1400/?lang=en
* Cortex-X925 SDEN v8.0, erratum 3324334
https://developer.arm.com/documentation/109108/800/?lang=en
* Neoverse-N2 SDEN v17.0, erratum 3324339
https://developer.arm.com/documentation/SDEN-1982442/1700/?lang=en
* Neoverse-V2 SDEN v9.0, erratum 3324336
https://developer.arm.com/documentation/SDEN-2332927/900/?lang=en
Note that due to shared design lineage, some CPUs share the same erratum
number.
Add these to the existing mitigation under CONFIG_ARM64_ERRATUM_3194386.
As listing all of the erratum IDs in the runtime description would be
unwieldy, this is reduced to:
"SSBS not fully self-synchronizing"
... matching the description of the errata in all of the SDENs.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240603111812.1514101-6-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ Mark: fix conflicts and renames ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/arm64/silicon-errata.rst | 14 ++++++++++++++
arch/arm64/Kconfig | 9 ++++++++-
arch/arm64/kernel/cpu_errata.c | 9 ++++++++-
3 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst
index 1566cf898fc20..a9121f520262a 100644
--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -125,12 +125,22 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A710 | #2224489 | ARM64_ERRATUM_2224489 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A710 | #3324338 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A720 | #3456091 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X2 | #2119858 | ARM64_ERRATUM_2119858 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X2 | #2224489 | ARM64_ERRATUM_2224489 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X2 | #3324338 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X3 | #3324335 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X4 | #3194386 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X925 | #3324334 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N1 | #1188873,1418040| ARM64_ERRATUM_1418040 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N1 | #1349291 | N/A |
@@ -143,6 +153,10 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N2 | #2253138 | ARM64_ERRATUM_2253138 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-N2 | #3324339 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-V2 | #3324336 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | MMU-500 | #841119,826419 | N/A |
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 1a0eae0ced3f2..797de1f01451f 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1001,12 +1001,19 @@ config ARM64_ERRATUM_2966298
If unsure, say Y.
config ARM64_ERRATUM_3194386
- bool "Cortex-X4/Neoverse-V3: workaround for MSR SSBS not self-synchronizing"
+ bool "Cortex-{A720,X4,X925}/Neoverse-V3: workaround for MSR SSBS not self-synchronizing"
default y
help
This option adds the workaround for the following errata:
+ * ARM Cortex-A710 erratam 3324338
+ * ARM Cortex-A720 erratum 3456091
+ * ARM Cortex-X2 erratum 3324338
+ * ARM Cortex-X3 erratum 3324335
* ARM Cortex-X4 erratum 3194386
+ * ARM Cortex-X925 erratum 3324334
+ * ARM Neoverse N2 erratum 3324339
+ * ARM Neoverse V2 erratum 3324336
* ARM Neoverse-V3 erratum 3312417
On affected cores "MSR SSBS, #0" instructions may not affect
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index d098a2ea494e2..66c63cfc1c641 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -437,8 +437,15 @@ static struct midr_range broken_aarch32_aes[] = {
#ifdef CONFIG_ARM64_ERRATUM_3194386
static const struct midr_range erratum_spec_ssbs_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A720),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X925),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
{}
};
#endif
@@ -736,7 +743,7 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
#endif
#ifdef CONFIG_ARM64_ERRATUM_3194386
{
- .desc = "ARM errata 3194386, 3312417",
+ .desc = "SSBS not fully self-synchronizing",
.capability = ARM64_WORKAROUND_SPECULATIVE_SSBS,
ERRATA_MIDR_RANGE_LIST(erratum_spec_ssbs_list),
},
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 068/150] arm64: cputype: Add Cortex-X1C definitions
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 067/150] arm64: errata: Expand speculative SSBS workaround Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 069/150] arm64: cputype: Add Cortex-A725 definitions Greg Kroah-Hartman
` (84 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
Will Deacon, Anshuman Khandual, Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 58d245e03c324d083a0ec3b9ab8ebd46ec9848d7 ]
Add cputype definitions for Cortex-X1C. These will be used for errata
detection in subsequent patches.
These values can be found in the Cortex-X1C TRM:
https://developer.arm.com/documentation/101968/0002/
... in section B2.107 ("MIDR_EL1, Main ID Register, EL1").
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Link: https://lore.kernel.org/r/20240801101803.1982459-2-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ Mark: trivial backport ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index b52d974da8283..ee736fbd40d5b 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -85,6 +85,7 @@
#define ARM_CPU_PART_CORTEX_X2 0xD48
#define ARM_CPU_PART_NEOVERSE_N2 0xD49
#define ARM_CPU_PART_CORTEX_A78C 0xD4B
+#define ARM_CPU_PART_CORTEX_X1C 0xD4C
#define ARM_CPU_PART_CORTEX_X3 0xD4E
#define ARM_CPU_PART_NEOVERSE_V2 0xD4F
#define ARM_CPU_PART_CORTEX_A720 0xD81
@@ -157,6 +158,7 @@
#define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2)
#define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2)
#define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C)
+#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C)
#define MIDR_CORTEX_X3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X3)
#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2)
#define MIDR_CORTEX_A720 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720)
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 069/150] arm64: cputype: Add Cortex-A725 definitions
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 068/150] arm64: cputype: Add Cortex-X1C definitions Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 070/150] arm64: errata: Expand speculative SSBS workaround (again) Greg Kroah-Hartman
` (83 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
Will Deacon, Anshuman Khandual, Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 9ef54a384526911095db465e77acc1cb5266b32c ]
Add cputype definitions for Cortex-A725. These will be used for errata
detection in subsequent patches.
These values can be found in the Cortex-A725 TRM:
https://developer.arm.com/documentation/107652/0001/
... in table A-247 ("MIDR_EL1 bit descriptions").
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Link: https://lore.kernel.org/r/20240801101803.1982459-3-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ Mark: trivial backport ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index ee736fbd40d5b..a0a028a6b9670 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -92,6 +92,7 @@
#define ARM_CPU_PART_CORTEX_X4 0xD82
#define ARM_CPU_PART_NEOVERSE_V3 0xD84
#define ARM_CPU_PART_CORTEX_X925 0xD85
+#define ARM_CPU_PART_CORTEX_A725 0xD87
#define APM_CPU_PART_XGENE 0x000
#define APM_CPU_VAR_POTENZA 0x00
@@ -165,6 +166,7 @@
#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4)
#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
+#define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
#define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 070/150] arm64: errata: Expand speculative SSBS workaround (again)
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 069/150] arm64: cputype: Add Cortex-A725 definitions Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 071/150] i2c: smbus: Improve handling of stuck alerts Greg Kroah-Hartman
` (82 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
Will Deacon, Anshuman Khandual, Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit adeec61a4723fd3e39da68db4cc4d924e6d7f641 ]
A number of Arm Ltd CPUs suffer from errata whereby an MSR to the SSBS
special-purpose register does not affect subsequent speculative
instructions, permitting speculative store bypassing for a window of
time.
We worked around this for a number of CPUs in commits:
* 7187bb7d0b5c7dfa ("arm64: errata: Add workaround for Arm errata 3194386 and 3312417")
* 75b3c43eab594bfb ("arm64: errata: Expand speculative SSBS workaround")
Since then, similar errata have been published for a number of other Arm
Ltd CPUs, for which the same mitigation is sufficient. This is described
in their respective Software Developer Errata Notice (SDEN) documents:
* Cortex-A76 (MP052) SDEN v31.0, erratum 3324349
https://developer.arm.com/documentation/SDEN-885749/3100/
* Cortex-A77 (MP074) SDEN v19.0, erratum 3324348
https://developer.arm.com/documentation/SDEN-1152370/1900/
* Cortex-A78 (MP102) SDEN v21.0, erratum 3324344
https://developer.arm.com/documentation/SDEN-1401784/2100/
* Cortex-A78C (MP138) SDEN v16.0, erratum 3324346
https://developer.arm.com/documentation/SDEN-1707916/1600/
* Cortex-A78C (MP154) SDEN v10.0, erratum 3324347
https://developer.arm.com/documentation/SDEN-2004089/1000/
* Cortex-A725 (MP190) SDEN v5.0, erratum 3456106
https://developer.arm.com/documentation/SDEN-2832921/0500/
* Cortex-X1 (MP077) SDEN v21.0, erratum 3324344
https://developer.arm.com/documentation/SDEN-1401782/2100/
* Cortex-X1C (MP136) SDEN v16.0, erratum 3324346
https://developer.arm.com/documentation/SDEN-1707914/1600/
* Neoverse-N1 (MP050) SDEN v32.0, erratum 3324349
https://developer.arm.com/documentation/SDEN-885747/3200/
* Neoverse-V1 (MP076) SDEN v19.0, erratum 3324341
https://developer.arm.com/documentation/SDEN-1401781/1900/
Note that due to the manner in which Arm develops IP and tracks errata,
some CPUs share a common erratum number and some CPUs have multiple
erratum numbers for the same HW issue.
On parts without SB, it is necessary to use ISB for the workaround. The
spec_bar() macro used in the mitigation will expand to a "DSB SY; ISB"
sequence in this case, which is sufficient on all affected parts.
Enable the existing mitigation by adding the relevant MIDRs to
erratum_spec_ssbs_list. The list is sorted alphanumerically (involving
moving Neoverse-V3 after Neoverse-V2) so that this is easy to audit and
potentially extend again in future. The Kconfig text is also updated to
clarify the set of affected parts and the mitigation.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Acked-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240801101803.1982459-4-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ Mark: fix conflicts in silicon-errata.rst ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/arm64/silicon-errata.rst | 18 ++++++++++++++++++
arch/arm64/Kconfig | 22 ++++++++++++++++------
arch/arm64/kernel/cpu_errata.c | 11 ++++++++++-
3 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst
index a9121f520262a..6451e9198fef7 100644
--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -109,8 +109,16 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A76 | #1463225 | ARM64_ERRATUM_1463225 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A76 | #3324349 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A77 | #1508412 | ARM64_ERRATUM_1508412 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A77 | #3324348 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A78 | #3324344 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A78C | #3324346,3324347| ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A510 | #2051678 | ARM64_ERRATUM_2051678 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A510 | #2077057 | ARM64_ERRATUM_2077057 |
@@ -129,6 +137,12 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A720 | #3456091 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A725 | #3456106 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X1 | #3324344 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X1C | #3324346 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X2 | #2119858 | ARM64_ERRATUM_2119858 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X2 | #2224489 | ARM64_ERRATUM_2224489 |
@@ -147,6 +161,8 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N1 | #1542419 | ARM64_ERRATUM_1542419 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-N1 | #3324349 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N2 | #2139208 | ARM64_ERRATUM_2139208 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N2 | #2067961 | ARM64_ERRATUM_2067961 |
@@ -155,6 +171,8 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N2 | #3324339 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-V1 | #3324341 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-V2 | #3324336 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 |
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 797de1f01451f..2ef939075039d 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1001,18 +1001,28 @@ config ARM64_ERRATUM_2966298
If unsure, say Y.
config ARM64_ERRATUM_3194386
- bool "Cortex-{A720,X4,X925}/Neoverse-V3: workaround for MSR SSBS not self-synchronizing"
+ bool "Cortex-*/Neoverse-*: workaround for MSR SSBS not self-synchronizing"
default y
help
This option adds the workaround for the following errata:
+ * ARM Cortex-A76 erratum 3324349
+ * ARM Cortex-A77 erratum 3324348
+ * ARM Cortex-A78 erratum 3324344
+ * ARM Cortex-A78C erratum 3324346
+ * ARM Cortex-A78C erratum 3324347
* ARM Cortex-A710 erratam 3324338
* ARM Cortex-A720 erratum 3456091
+ * ARM Cortex-A725 erratum 3456106
+ * ARM Cortex-X1 erratum 3324344
+ * ARM Cortex-X1C erratum 3324346
* ARM Cortex-X2 erratum 3324338
* ARM Cortex-X3 erratum 3324335
* ARM Cortex-X4 erratum 3194386
* ARM Cortex-X925 erratum 3324334
+ * ARM Neoverse-N1 erratum 3324349
* ARM Neoverse N2 erratum 3324339
+ * ARM Neoverse-V1 erratum 3324341
* ARM Neoverse V2 erratum 3324336
* ARM Neoverse-V3 erratum 3312417
@@ -1020,11 +1030,11 @@ config ARM64_ERRATUM_3194386
subsequent speculative instructions, which may permit unexepected
speculative store bypassing.
- Work around this problem by placing a speculation barrier after
- kernel changes to SSBS. The presence of the SSBS special-purpose
- register is hidden from hwcaps and EL0 reads of ID_AA64PFR1_EL1, such
- that userspace will use the PR_SPEC_STORE_BYPASS prctl to change
- SSBS.
+ Work around this problem by placing a Speculation Barrier (SB) or
+ Instruction Synchronization Barrier (ISB) after kernel changes to
+ SSBS. The presence of the SSBS special-purpose register is hidden
+ from hwcaps and EL0 reads of ID_AA64PFR1_EL1, such that userspace
+ will use the PR_SPEC_STORE_BYPASS prctl to change SSBS.
If unsure, say Y.
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index 66c63cfc1c641..7640031e1b845 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -437,15 +437,24 @@ static struct midr_range broken_aarch32_aes[] = {
#ifdef CONFIG_ARM64_ERRATUM_3194386
static const struct midr_range erratum_spec_ssbs_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A720),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A725),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C),
MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
MIDR_ALL_VERSIONS(MIDR_CORTEX_X925),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
{}
};
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 071/150] i2c: smbus: Improve handling of stuck alerts
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 070/150] arm64: errata: Expand speculative SSBS workaround (again) Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 072/150] ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask Greg Kroah-Hartman
` (81 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Wolfram Sang,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 37c526f00bc1c4f847fc800085f8f009d2e11be6 ]
The following messages were observed while testing alert functionality
on systems with multiple I2C devices on a single bus if alert was active
on more than one chip.
smbus_alert 3-000c: SMBALERT# from dev 0x0c, flag 0
smbus_alert 3-000c: no driver alert()!
and:
smbus_alert 3-000c: SMBALERT# from dev 0x28, flag 0
Once it starts, this message repeats forever at high rate. There is no
device at any of the reported addresses.
Analysis shows that this is seen if multiple devices have the alert pin
active. Apparently some devices do not support SMBus arbitration correctly.
They keep sending address bits after detecting an address collision and
handle the collision not at all or too late.
Specifically, address 0x0c is seen with ADT7461A at address 0x4c and
ADM1021 at address 0x18 if alert is active on both chips. Address 0x28 is
seen with ADT7483 at address 0x2a and ADT7461 at address 0x4c if alert is
active on both chips.
Once the system is in bad state (alert is set by more than one chip),
it often only recovers by power cycling.
To reduce the impact of this problem, abort the endless loop in
smbus_alert() if the same address is read more than once and not
handled by a driver.
Fixes: b5527a7766f0 ("i2c: Add SMBus alert support")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[wsa: it also fixed an interrupt storm in one of my experiments]
Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
[wsa: rebased, moved a comment as well, improved the 'invalid' value]
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-smbus.c | 32 +++++++++++++++++++++++++-------
1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/drivers/i2c/i2c-smbus.c b/drivers/i2c/i2c-smbus.c
index 07c92c8495a3c..5f74978874691 100644
--- a/drivers/i2c/i2c-smbus.c
+++ b/drivers/i2c/i2c-smbus.c
@@ -34,6 +34,7 @@ static int smbus_do_alert(struct device *dev, void *addrp)
struct i2c_client *client = i2c_verify_client(dev);
struct alert_data *data = addrp;
struct i2c_driver *driver;
+ int ret;
if (!client || client->addr != data->addr)
return 0;
@@ -47,16 +48,21 @@ static int smbus_do_alert(struct device *dev, void *addrp)
device_lock(dev);
if (client->dev.driver) {
driver = to_i2c_driver(client->dev.driver);
- if (driver->alert)
+ if (driver->alert) {
+ /* Stop iterating after we find the device */
driver->alert(client, data->type, data->data);
- else
+ ret = -EBUSY;
+ } else {
dev_warn(&client->dev, "no driver alert()!\n");
- } else
+ ret = -EOPNOTSUPP;
+ }
+ } else {
dev_dbg(&client->dev, "alert with no driver\n");
+ ret = -ENODEV;
+ }
device_unlock(dev);
- /* Stop iterating after we find the device */
- return -EBUSY;
+ return ret;
}
/*
@@ -67,6 +73,7 @@ static irqreturn_t smbus_alert(int irq, void *d)
{
struct i2c_smbus_alert *alert = d;
struct i2c_client *ara;
+ unsigned short prev_addr = I2C_CLIENT_END; /* Not a valid address */
ara = alert->ara;
@@ -94,8 +101,19 @@ static irqreturn_t smbus_alert(int irq, void *d)
data.addr, data.data);
/* Notify driver for the device which issued the alert */
- device_for_each_child(&ara->adapter->dev, &data,
- smbus_do_alert);
+ status = device_for_each_child(&ara->adapter->dev, &data,
+ smbus_do_alert);
+ /*
+ * If we read the same address more than once, and the alert
+ * was not handled by a driver, it won't do any good to repeat
+ * the loop because it will never terminate.
+ * Bail out in this case.
+ * Note: This assumes that a driver with alert handler handles
+ * the alert properly and clears it if necessary.
+ */
+ if (data.addr == prev_addr && status != -EBUSY)
+ break;
+ prev_addr = data.addr;
}
return IRQ_HANDLED;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 072/150] ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 071/150] i2c: smbus: Improve handling of stuck alerts Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 073/150] ASoC: codecs: wsa881x: " Greg Kroah-Hartman
` (80 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 3f6fb03dae9c7dfba7670858d29e03c8faaa89fe ]
Device has up to WCD938X_MAX_SWR_PORTS number of ports and the array
assigned to prop.src_dpn_prop and prop.sink_dpn_prop has
0..WCD938X_MAX_SWR_PORTS-1 elements. On the other hand, GENMASK(high,
low) creates an inclusive mask between <high, low>, so we need the mask
from 0 up to WCD938X_MAX_SWR_PORTS-1.
Theoretically, too wide mask could cause an out of bounds read in
sdw_get_slave_dpn_prop() in stream.c, however only in the case of buggy
driver, e.g. adding incorrect number of ports via
sdw_stream_add_slave().
Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://patch.msgid.link/20240726-asoc-wcd-wsa-swr-ports-genmask-v1-2-d4d7a8b56f05@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/wcd938x-sdw.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/codecs/wcd938x-sdw.c b/sound/soc/codecs/wcd938x-sdw.c
index 5b5b7c267a616..061c77d0cd45b 100644
--- a/sound/soc/codecs/wcd938x-sdw.c
+++ b/sound/soc/codecs/wcd938x-sdw.c
@@ -1252,12 +1252,12 @@ static int wcd9380_probe(struct sdw_slave *pdev,
pdev->prop.lane_control_support = true;
pdev->prop.simple_clk_stop_capable = true;
if (wcd->is_tx) {
- pdev->prop.source_ports = GENMASK(WCD938X_MAX_SWR_PORTS, 0);
+ pdev->prop.source_ports = GENMASK(WCD938X_MAX_SWR_PORTS - 1, 0);
pdev->prop.src_dpn_prop = wcd938x_dpn_prop;
wcd->ch_info = &wcd938x_sdw_tx_ch_info[0];
pdev->prop.wake_capable = true;
} else {
- pdev->prop.sink_ports = GENMASK(WCD938X_MAX_SWR_PORTS, 0);
+ pdev->prop.sink_ports = GENMASK(WCD938X_MAX_SWR_PORTS - 1, 0);
pdev->prop.sink_dpn_prop = wcd938x_dpn_prop;
wcd->ch_info = &wcd938x_sdw_rx_ch_info[0];
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 073/150] ASoC: codecs: wsa881x: Correct Soundwire ports mask
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 072/150] ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 074/150] ASoC: codecs: wsa883x: parse port-mapping information Greg Kroah-Hartman
` (79 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit eb11c3bb64ad0a05aeacdb01039863aa2aa3614b ]
Device has up to WSA881X_MAX_SWR_PORTS number of ports and the array
assigned to prop.sink_dpn_prop has 0..WSA881X_MAX_SWR_PORTS-1 elements.
On the other hand, GENMASK(high, low) creates an inclusive mask between
<high, low>, so we need the mask from 0 up to WSA881X_MAX_SWR_PORTS-1.
Theoretically, too wide mask could cause an out of bounds read in
sdw_get_slave_dpn_prop() in stream.c, however only in the case of buggy
driver, e.g. adding incorrect number of ports via
sdw_stream_add_slave().
Fixes: a0aab9e1404a ("ASoC: codecs: add wsa881x amplifier support")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://patch.msgid.link/20240726-asoc-wcd-wsa-swr-ports-genmask-v1-4-d4d7a8b56f05@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/wsa881x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/wsa881x.c b/sound/soc/codecs/wsa881x.c
index 264ec05a3c675..054da9d2776cd 100644
--- a/sound/soc/codecs/wsa881x.c
+++ b/sound/soc/codecs/wsa881x.c
@@ -1131,7 +1131,7 @@ static int wsa881x_probe(struct sdw_slave *pdev,
wsa881x->sconfig.frame_rate = 48000;
wsa881x->sconfig.direction = SDW_DATA_DIR_RX;
wsa881x->sconfig.type = SDW_STREAM_PDM;
- pdev->prop.sink_ports = GENMASK(WSA881X_MAX_SWR_PORTS, 0);
+ pdev->prop.sink_ports = GENMASK(WSA881X_MAX_SWR_PORTS - 1, 0);
pdev->prop.sink_dpn_prop = wsa_sink_dpn_prop;
pdev->prop.scp_int1_mask = SDW_SCP_INT1_BUS_CLASH | SDW_SCP_INT1_PARITY;
gpiod_direction_output(wsa881x->sd_n, 1);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 074/150] ASoC: codecs: wsa883x: parse port-mapping information
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 073/150] ASoC: codecs: wsa881x: " Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 075/150] ASoC: codecs: wsa883x: Correct Soundwire ports mask Greg Kroah-Hartman
` (78 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Srinivas Kandagatla, Dmitry Baryshkov, Mark Brown, Sasha Levin,
Neil Armstrong
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
[ Upstream commit 1cf3295bd108abbd7f128071ae9775fd18394ca9 ]
Add support to parse static master port map information from device tree.
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://patch.msgid.link/20240626-port-map-v2-2-6cc1c5608cdd@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 6801ac36f256 ("ASoC: codecs: wsa883x: Correct Soundwire ports mask")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/wsa883x.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/sound/soc/codecs/wsa883x.c b/sound/soc/codecs/wsa883x.c
index cd96c35a150c8..908f3c5035721 100644
--- a/sound/soc/codecs/wsa883x.c
+++ b/sound/soc/codecs/wsa883x.c
@@ -1410,6 +1410,14 @@ static int wsa883x_probe(struct sdw_slave *pdev,
wsa883x->sconfig.direction = SDW_DATA_DIR_RX;
wsa883x->sconfig.type = SDW_STREAM_PDM;
+ /**
+ * Port map index starts with 0, however the data port for this codec
+ * are from index 1
+ */
+ if (of_property_read_u32_array(dev->of_node, "qcom,port-mapping", &pdev->m_port_map[1],
+ WSA883X_MAX_SWR_PORTS))
+ dev_dbg(dev, "Static Port mapping not specified\n");
+
pdev->prop.sink_ports = GENMASK(WSA883X_MAX_SWR_PORTS, 0);
pdev->prop.simple_clk_stop_capable = true;
pdev->prop.sink_dpn_prop = wsa_sink_dpn_prop;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 075/150] ASoC: codecs: wsa883x: Correct Soundwire ports mask
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 074/150] ASoC: codecs: wsa883x: parse port-mapping information Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 076/150] spi: spidev: Add missing spi_device_id for bh2228fv Greg Kroah-Hartman
` (77 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 6801ac36f25690e14955f7f9eace1eaa29edbdd0 ]
Device has up to WSA883X_MAX_SWR_PORTS number of ports and the array
assigned to prop.sink_dpn_prop has 0..WSA883X_MAX_SWR_PORTS-1 elements.
On the other hand, GENMASK(high, low) creates an inclusive mask between
<high, low>, so we need the mask from 0 up to WSA883X_MAX_SWR_PORTS-1.
Theoretically, too wide mask could cause an out of bounds read in
sdw_get_slave_dpn_prop() in stream.c, however only in the case of buggy
driver, e.g. adding incorrect number of ports via
sdw_stream_add_slave().
Fixes: 43b8c7dc85a1 ("ASoC: codecs: add wsa883x amplifier support")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://patch.msgid.link/20240726-asoc-wcd-wsa-swr-ports-genmask-v1-5-d4d7a8b56f05@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/wsa883x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/wsa883x.c b/sound/soc/codecs/wsa883x.c
index 908f3c5035721..f4b81ebab3537 100644
--- a/sound/soc/codecs/wsa883x.c
+++ b/sound/soc/codecs/wsa883x.c
@@ -1418,7 +1418,7 @@ static int wsa883x_probe(struct sdw_slave *pdev,
WSA883X_MAX_SWR_PORTS))
dev_dbg(dev, "Static Port mapping not specified\n");
- pdev->prop.sink_ports = GENMASK(WSA883X_MAX_SWR_PORTS, 0);
+ pdev->prop.sink_ports = GENMASK(WSA883X_MAX_SWR_PORTS - 1, 0);
pdev->prop.simple_clk_stop_capable = true;
pdev->prop.sink_dpn_prop = wsa_sink_dpn_prop;
pdev->prop.scp_int1_mask = SDW_SCP_INT1_BUS_CLASH | SDW_SCP_INT1_PARITY;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 076/150] spi: spidev: Add missing spi_device_id for bh2228fv
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 075/150] ASoC: codecs: wsa883x: Correct Soundwire ports mask Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 077/150] ASoC: SOF: Remove libraries from topology lookups Greg Kroah-Hartman
` (76 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit e4c4638b6a10427d30e29d22351c375886025f47 ]
When the of_device_id entry for "rohm,bh2228fv" was added, the
corresponding spi_device_id was forgotten, causing a warning message
during boot-up:
SPI driver spidev has no spi_device_id for rohm,bh2228fv
Fix module autoloading and shut up the warning by adding the missing
entry.
Fixes: fc28d1c1fe3b3e2f ("spi: spidev: add correct compatible for Rohm BH2228FV")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/cb571d4128f41175f31319cd9febc829417ea167.1722346539.git.geert+renesas@glider.be
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spidev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
index 00612efc2277f..477c3578e7d9e 100644
--- a/drivers/spi/spidev.c
+++ b/drivers/spi/spidev.c
@@ -692,6 +692,7 @@ static const struct file_operations spidev_fops = {
static struct class *spidev_class;
static const struct spi_device_id spidev_spi_ids[] = {
+ { .name = "bh2228fv" },
{ .name = "dh2228fv" },
{ .name = "ltc2488" },
{ .name = "sx1301" },
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 077/150] ASoC: SOF: Remove libraries from topology lookups
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 076/150] spi: spidev: Add missing spi_device_id for bh2228fv Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 078/150] i2c: smbus: Send alert notifications to all devices if source not found Greg Kroah-Hartman
` (75 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Curtis Malainey, Wojciech Macek,
AngeloGioacchino Del Regno, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Curtis Malainey <cujomalainey@chromium.org>
[ Upstream commit 7354eb7f1558466e92e926802d36e69e42938ea9 ]
Default firmware shipped in open source are not licensed for 3P
libraries, therefore topologies should not reference them.
If a OS wants to use 3P (that they have licensed) then they should use
the appropriate topology override mechanisms.
Fixes: 8a7d5d85ed2161 ("ASoC: SOF: mediatek: mt8195: Add devicetree support to select topologies")
Signed-off-by: Curtis Malainey <cujomalainey@chromium.org>
Cc: Wojciech Macek <wmacek@google.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patch.msgid.link/20240731212153.921327-1-cujomalainey@chromium.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/mediatek/mt8195/mt8195.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/sof/mediatek/mt8195/mt8195.c b/sound/soc/sof/mediatek/mt8195/mt8195.c
index 3c81e84fcecfa..53cadbe8a05cc 100644
--- a/sound/soc/sof/mediatek/mt8195/mt8195.c
+++ b/sound/soc/sof/mediatek/mt8195/mt8195.c
@@ -662,7 +662,7 @@ static struct snd_sof_dsp_ops sof_mt8195_ops = {
static struct snd_sof_of_mach sof_mt8195_machs[] = {
{
.compatible = "google,tomato",
- .sof_tplg_filename = "sof-mt8195-mt6359-rt1019-rt5682-dts.tplg"
+ .sof_tplg_filename = "sof-mt8195-mt6359-rt1019-rt5682.tplg"
}, {
.compatible = "mediatek,mt8195",
.sof_tplg_filename = "sof-mt8195.tplg"
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 078/150] i2c: smbus: Send alert notifications to all devices if source not found
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 077/150] ASoC: SOF: Remove libraries from topology lookups Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 079/150] bpf: kprobe: remove unused declaring of bpf_kprobe_override Greg Kroah-Hartman
` (74 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Wolfram Sang,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit f6c29f710c1ff2590109f83be3e212b86c01e0f3 ]
If a SMBus alert is received and the originating device is not found,
the reason may be that the address reported on the SMBus alert address
is corrupted, for example because multiple devices asserted alert and
do not correctly implement SMBus arbitration.
If this happens, call alert handlers on all devices connected to the
given I2C bus, in the hope that this cleans up the situation.
This change reliably fixed the problem on a system with multiple devices
on a single bus. Example log where the device on address 0x18 (ADM1021)
and on address 0x4c (ADT7461A) both had the alert line asserted:
smbus_alert 3-000c: SMBALERT# from dev 0x0c, flag 0
smbus_alert 3-000c: no driver alert()!
smbus_alert 3-000c: SMBALERT# from dev 0x0c, flag 0
smbus_alert 3-000c: no driver alert()!
lm90 3-0018: temp1 out of range, please check!
lm90 3-0018: Disabling ALERT#
lm90 3-0029: Everything OK
lm90 3-002a: Everything OK
lm90 3-004c: temp1 out of range, please check!
lm90 3-004c: temp2 out of range, please check!
lm90 3-004c: Disabling ALERT#
Fixes: b5527a7766f0 ("i2c: Add SMBus alert support")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[wsa: fixed a typo in the commit message]
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-smbus.c | 38 +++++++++++++++++++++++++++++++++++---
1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/drivers/i2c/i2c-smbus.c b/drivers/i2c/i2c-smbus.c
index 5f74978874691..8d0b520eb8e8d 100644
--- a/drivers/i2c/i2c-smbus.c
+++ b/drivers/i2c/i2c-smbus.c
@@ -65,6 +65,32 @@ static int smbus_do_alert(struct device *dev, void *addrp)
return ret;
}
+/* Same as above, but call back all drivers with alert handler */
+
+static int smbus_do_alert_force(struct device *dev, void *addrp)
+{
+ struct i2c_client *client = i2c_verify_client(dev);
+ struct alert_data *data = addrp;
+ struct i2c_driver *driver;
+
+ if (!client || (client->flags & I2C_CLIENT_TEN))
+ return 0;
+
+ /*
+ * Drivers should either disable alerts, or provide at least
+ * a minimal handler. Lock so the driver won't change.
+ */
+ device_lock(dev);
+ if (client->dev.driver) {
+ driver = to_i2c_driver(client->dev.driver);
+ if (driver->alert)
+ driver->alert(client, data->type, data->data);
+ }
+ device_unlock(dev);
+
+ return 0;
+}
+
/*
* The alert IRQ handler needs to hand work off to a task which can issue
* SMBus calls, because those sleeping calls can't be made in IRQ context.
@@ -106,13 +132,19 @@ static irqreturn_t smbus_alert(int irq, void *d)
/*
* If we read the same address more than once, and the alert
* was not handled by a driver, it won't do any good to repeat
- * the loop because it will never terminate.
- * Bail out in this case.
+ * the loop because it will never terminate. Try again, this
+ * time calling the alert handlers of all devices connected to
+ * the bus, and abort the loop afterwards. If this helps, we
+ * are all set. If it doesn't, there is nothing else we can do,
+ * so we might as well abort the loop.
* Note: This assumes that a driver with alert handler handles
* the alert properly and clears it if necessary.
*/
- if (data.addr == prev_addr && status != -EBUSY)
+ if (data.addr == prev_addr && status != -EBUSY) {
+ device_for_each_child(&ara->adapter->dev, &data,
+ smbus_do_alert_force);
break;
+ }
prev_addr = data.addr;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 079/150] bpf: kprobe: remove unused declaring of bpf_kprobe_override
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 078/150] i2c: smbus: Send alert notifications to all devices if source not found Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 080/150] kprobes: Fix to check symbol prefixes correctly Greg Kroah-Hartman
` (73 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Menglong Dong, Jiri Olsa,
Masami Hiramatsu (Google), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Menglong Dong <menglong8.dong@gmail.com>
[ Upstream commit 0e8b53979ac86eddb3fd76264025a70071a25574 ]
After the commit 66665ad2f102 ("tracing/kprobe: bpf: Compare instruction
pointer with original one"), "bpf_kprobe_override" is not used anywhere
anymore, and we can remove it now.
Link: https://lore.kernel.org/all/20240710085939.11520-1-dongml2@chinatelecom.cn/
Fixes: 66665ad2f102 ("tracing/kprobe: bpf: Compare instruction pointer with original one")
Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/trace_events.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h
index c8b5e9781d01a..f70624ec4188f 100644
--- a/include/linux/trace_events.h
+++ b/include/linux/trace_events.h
@@ -847,7 +847,6 @@ do { \
struct perf_event;
DECLARE_PER_CPU(struct pt_regs, perf_trace_regs);
-DECLARE_PER_CPU(int, bpf_kprobe_override);
extern int perf_trace_init(struct perf_event *event);
extern void perf_trace_destroy(struct perf_event *event);
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 080/150] kprobes: Fix to check symbol prefixes correctly
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 079/150] bpf: kprobe: remove unused declaring of bpf_kprobe_override Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 081/150] i2c: qcom-geni: add desc struct to prepare support for I2C Master Hub variant Greg Kroah-Hartman
` (72 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Upstream commit 8c8acb8f26cbde665b233dd1b9bbcbb9b86822dc ]
Since str_has_prefix() takes the prefix as the 2nd argument and the string
as the first, is_cfi_preamble_symbol() always fails to check the prefix.
Fix the function parameter order so that it correctly check the prefix.
Link: https://lore.kernel.org/all/172260679559.362040.7360872132937227206.stgit@devnote2/
Fixes: de02f2ac5d8c ("kprobes: Prohibit probing on CFI preamble symbol")
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/kprobes.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 5b5ee060a2db5..4c4fc4d309b8b 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1552,8 +1552,8 @@ static bool is_cfi_preamble_symbol(unsigned long addr)
if (lookup_symbol_name(addr, symbuf))
return false;
- return str_has_prefix("__cfi_", symbuf) ||
- str_has_prefix("__pfx_", symbuf);
+ return str_has_prefix(symbuf, "__cfi_") ||
+ str_has_prefix(symbuf, "__pfx_");
}
static int check_kprobe_address_safe(struct kprobe *p,
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 081/150] i2c: qcom-geni: add desc struct to prepare support for I2C Master Hub variant
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 080/150] kprobes: Fix to check symbol prefixes correctly Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 082/150] i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume Greg Kroah-Hartman
` (71 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Konrad Dybcio,
Wolfram Sang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neil Armstrong <neil.armstrong@linaro.org>
[ Upstream commit 14d02fbadb5dc1cdf66078ef8430dd1cd22bfd53 ]
The I2C Master Hub is a stripped down version of the GENI Serial Engine
QUP Wrapper Controller but only supporting I2C serial engines without
DMA support.
Those I2C serial engines variants have some requirements:
- a separate "core" clock
- doesn't support DMA, thus no memory interconnect path
- fixed FIFO size not discoverable in the HW_PARAM_0 register
Add a desc struct specifying all those requirements which will be used in
a next change when adding the I2C Master Hub serial engine compatible.
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Stable-dep-of: 9ba48db9f77c ("i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-qcom-geni.c | 50 ++++++++++++++++++++++++++++--
1 file changed, 47 insertions(+), 3 deletions(-)
diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
index 75b9c3f26bba6..67bf0a27d37ed 100644
--- a/drivers/i2c/busses/i2c-qcom-geni.c
+++ b/drivers/i2c/busses/i2c-qcom-geni.c
@@ -88,6 +88,7 @@ struct geni_i2c_dev {
int cur_wr;
int cur_rd;
spinlock_t lock;
+ struct clk *core_clk;
u32 clk_freq_out;
const struct geni_i2c_clk_fld *clk_fld;
int suspended;
@@ -100,6 +101,13 @@ struct geni_i2c_dev {
bool abort_done;
};
+struct geni_i2c_desc {
+ bool has_core_clk;
+ char *icc_ddr;
+ bool no_dma_support;
+ unsigned int tx_fifo_depth;
+};
+
struct geni_i2c_err_log {
int err;
const char *msg;
@@ -763,6 +771,7 @@ static int geni_i2c_probe(struct platform_device *pdev)
u32 proto, tx_depth, fifo_disable;
int ret;
struct device *dev = &pdev->dev;
+ const struct geni_i2c_desc *desc = NULL;
gi2c = devm_kzalloc(dev, sizeof(*gi2c), GFP_KERNEL);
if (!gi2c)
@@ -775,6 +784,14 @@ static int geni_i2c_probe(struct platform_device *pdev)
if (IS_ERR(gi2c->se.base))
return PTR_ERR(gi2c->se.base);
+ desc = device_get_match_data(&pdev->dev);
+
+ if (desc && desc->has_core_clk) {
+ gi2c->core_clk = devm_clk_get(dev, "core");
+ if (IS_ERR(gi2c->core_clk))
+ return PTR_ERR(gi2c->core_clk);
+ }
+
gi2c->se.clk = devm_clk_get(dev, "se");
if (IS_ERR(gi2c->se.clk) && !has_acpi_companion(dev))
return PTR_ERR(gi2c->se.clk);
@@ -818,7 +835,7 @@ static int geni_i2c_probe(struct platform_device *pdev)
gi2c->adap.dev.of_node = dev->of_node;
strscpy(gi2c->adap.name, "Geni-I2C", sizeof(gi2c->adap.name));
- ret = geni_icc_get(&gi2c->se, "qup-memory");
+ ret = geni_icc_get(&gi2c->se, desc ? desc->icc_ddr : "qup-memory");
if (ret)
return ret;
/*
@@ -828,12 +845,17 @@ static int geni_i2c_probe(struct platform_device *pdev)
*/
gi2c->se.icc_paths[GENI_TO_CORE].avg_bw = GENI_DEFAULT_BW;
gi2c->se.icc_paths[CPU_TO_GENI].avg_bw = GENI_DEFAULT_BW;
- gi2c->se.icc_paths[GENI_TO_DDR].avg_bw = Bps_to_icc(gi2c->clk_freq_out);
+ if (!desc || desc->icc_ddr)
+ gi2c->se.icc_paths[GENI_TO_DDR].avg_bw = Bps_to_icc(gi2c->clk_freq_out);
ret = geni_icc_set_bw(&gi2c->se);
if (ret)
return ret;
+ ret = clk_prepare_enable(gi2c->core_clk);
+ if (ret)
+ return ret;
+
ret = geni_se_resources_on(&gi2c->se);
if (ret) {
dev_err(dev, "Error turning on resources %d\n", ret);
@@ -843,10 +865,15 @@ static int geni_i2c_probe(struct platform_device *pdev)
if (proto != GENI_SE_I2C) {
dev_err(dev, "Invalid proto %d\n", proto);
geni_se_resources_off(&gi2c->se);
+ clk_disable_unprepare(gi2c->core_clk);
return -ENXIO;
}
- fifo_disable = readl_relaxed(gi2c->se.base + GENI_IF_DISABLE_RO) & FIFO_IF_DISABLE;
+ if (desc && desc->no_dma_support)
+ fifo_disable = false;
+ else
+ fifo_disable = readl_relaxed(gi2c->se.base + GENI_IF_DISABLE_RO) & FIFO_IF_DISABLE;
+
if (fifo_disable) {
/* FIFO is disabled, so we can only use GPI DMA */
gi2c->gpi_mode = true;
@@ -858,6 +885,16 @@ static int geni_i2c_probe(struct platform_device *pdev)
} else {
gi2c->gpi_mode = false;
tx_depth = geni_se_get_tx_fifo_depth(&gi2c->se);
+
+ /* I2C Master Hub Serial Elements doesn't have the HW_PARAM_0 register */
+ if (!tx_depth && desc)
+ tx_depth = desc->tx_fifo_depth;
+
+ if (!tx_depth) {
+ dev_err(dev, "Invalid TX FIFO depth\n");
+ return -EINVAL;
+ }
+
gi2c->tx_wm = tx_depth - 1;
geni_se_init(&gi2c->se, gi2c->tx_wm, tx_depth);
geni_se_config_packing(&gi2c->se, BITS_PER_BYTE,
@@ -866,6 +903,7 @@ static int geni_i2c_probe(struct platform_device *pdev)
dev_dbg(dev, "i2c fifo/se-dma mode. fifo depth:%d\n", tx_depth);
}
+ clk_disable_unprepare(gi2c->core_clk);
ret = geni_se_resources_off(&gi2c->se);
if (ret) {
dev_err(dev, "Error turning off resources %d\n", ret);
@@ -931,6 +969,8 @@ static int __maybe_unused geni_i2c_runtime_suspend(struct device *dev)
gi2c->suspended = 1;
}
+ clk_disable_unprepare(gi2c->core_clk);
+
return geni_icc_disable(&gi2c->se);
}
@@ -943,6 +983,10 @@ static int __maybe_unused geni_i2c_runtime_resume(struct device *dev)
if (ret)
return ret;
+ ret = clk_prepare_enable(gi2c->core_clk);
+ if (ret)
+ return ret;
+
ret = geni_se_resources_on(&gi2c->se);
if (ret)
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 082/150] i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 081/150] i2c: qcom-geni: add desc struct to prepare support for I2C Master Hub variant Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 083/150] i2c: qcom-geni: Add missing geni_icc_disable " Greg Kroah-Hartman
` (70 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Vladimir Zapolskiy,
Andi Shyti, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit b93d16bee557302d4e588375ececd833cc048acc ]
Add the missing clk_disable_unprepare() before return in
geni_i2c_runtime_resume().
Fixes: 14d02fbadb5d ("i2c: qcom-geni: add desc struct to prepare support for I2C Master Hub variant")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Stable-dep-of: 9ba48db9f77c ("i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-qcom-geni.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
index 67bf0a27d37ed..02eab8d5082ba 100644
--- a/drivers/i2c/busses/i2c-qcom-geni.c
+++ b/drivers/i2c/busses/i2c-qcom-geni.c
@@ -988,8 +988,10 @@ static int __maybe_unused geni_i2c_runtime_resume(struct device *dev)
return ret;
ret = geni_se_resources_on(&gi2c->se);
- if (ret)
+ if (ret) {
+ clk_disable_unprepare(gi2c->core_clk);
return ret;
+ }
enable_irq(gi2c->irq);
gi2c->suspended = 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 083/150] i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 082/150] i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 084/150] spi: spi-fsl-lpspi: Fix scldiv calculation Greg Kroah-Hartman
` (69 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Vladimir Zapolskiy,
Andi Shyti, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit 9ba48db9f77ce0001dbb882476fa46e092feb695 ]
Add the missing geni_icc_disable() before return in
geni_i2c_runtime_resume().
Fixes: bf225ed357c6 ("i2c: i2c-qcom-geni: Add interconnect support")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-qcom-geni.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
index 02eab8d5082ba..6dcc0951c3d6d 100644
--- a/drivers/i2c/busses/i2c-qcom-geni.c
+++ b/drivers/i2c/busses/i2c-qcom-geni.c
@@ -990,6 +990,7 @@ static int __maybe_unused geni_i2c_runtime_resume(struct device *dev)
ret = geni_se_resources_on(&gi2c->se);
if (ret) {
clk_disable_unprepare(gi2c->core_clk);
+ geni_icc_disable(&gi2c->se);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 084/150] spi: spi-fsl-lpspi: Fix scldiv calculation
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 083/150] i2c: qcom-geni: Add missing geni_icc_disable " Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 085/150] ALSA: usb-audio: Re-add ScratchAmp quirk entries Greg Kroah-Hartman
` (68 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stefan Wahren, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Wahren <wahrenst@gmx.net>
[ Upstream commit 730bbfaf7d4890bd99e637db7767dc68cfeb24e7 ]
The effective SPI clock frequency should never exceed speed_hz
otherwise this might result in undefined behavior of the SPI device.
Currently the scldiv calculation could violate this constraint.
For the example parameters perclk_rate = 24 MHz and speed_hz = 7 MHz,
the function fsl_lpspi_set_bitrate will determine perscale = 0 and
scldiv = 1, which is a effective SPI clock of 8 MHz.
So fix this by rounding up the quotient of perclk_rate and speed_hz.
While this never change within the loop, we can pull this out.
Fixes: 5314987de5e5 ("spi: imx: add lpspi bus driver")
Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
Link: https://patch.msgid.link/20240804113611.83613-1-wahrenst@gmx.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-fsl-lpspi.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c
index 9e324d72596af..dd2381ac27f67 100644
--- a/drivers/spi/spi-fsl-lpspi.c
+++ b/drivers/spi/spi-fsl-lpspi.c
@@ -297,7 +297,7 @@ static void fsl_lpspi_set_watermark(struct fsl_lpspi_data *fsl_lpspi)
static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi)
{
struct lpspi_config config = fsl_lpspi->config;
- unsigned int perclk_rate, scldiv;
+ unsigned int perclk_rate, scldiv, div;
u8 prescale;
perclk_rate = clk_get_rate(fsl_lpspi->clk_per);
@@ -308,8 +308,10 @@ static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi)
return -EINVAL;
}
+ div = DIV_ROUND_UP(perclk_rate, config.speed_hz);
+
for (prescale = 0; prescale < 8; prescale++) {
- scldiv = perclk_rate / config.speed_hz / (1 << prescale) - 2;
+ scldiv = div / (1 << prescale) - 2;
if (scldiv < 256) {
fsl_lpspi->config.prescale = prescale;
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 085/150] ALSA: usb-audio: Re-add ScratchAmp quirk entries
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 084/150] spi: spi-fsl-lpspi: Fix scldiv calculation Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 086/150] ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT Greg Kroah-Hartman
` (67 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 03898691d42e0170e7d00f07cbe21ce0e9f3a8fa ]
At the code refactoring of USB-audio quirk handling, I assumed that
the quirk entries of Stanton ScratchAmp devices were only about the
device name, and moved them completely into the rename table.
But it seems that the device requires the quirk entry so that it's
probed by the driver itself.
This re-adds back the quirk entries of ScratchAmp, but in a
minimalistic manner.
Fixes: 5436f59bc5bc ("ALSA: usb-audio: Move device rename and profile quirks to an internal table")
Link: https://patch.msgid.link/20240808081803.22300-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks-table.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
index 5d72dc8441cbb..af1b8cf5a9883 100644
--- a/sound/usb/quirks-table.h
+++ b/sound/usb/quirks-table.h
@@ -2594,6 +2594,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
+/* Stanton ScratchAmp */
+{ USB_DEVICE(0x103d, 0x0100) },
+{ USB_DEVICE(0x103d, 0x0101) },
+
/* Novation EMS devices */
{
USB_DEVICE_VENDOR_SPEC(0x1235, 0x0001),
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 086/150] ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 085/150] ALSA: usb-audio: Re-add ScratchAmp quirk entries Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 087/150] drm/amd/display: Skip Recompute DSC Params if no Stream on Link Greg Kroah-Hartman
` (66 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arseniy Krasnov,
Sebastian Andrzej Siewior, Jerome Brunet, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerome Brunet <jbrunet@baylibre.com>
[ Upstream commit 5003d0ce5c7da3a02c0aff771f516f99731e7390 ]
With PREEMPT_RT enabled a spinlock_t becomes a sleeping lock.
This is usually not a problem with spinlocks used in IRQ context since
IRQ handlers get threaded. However, if IRQF_ONESHOT is set, the primary
handler won't be force-threaded and runs always in hardirq context. This is
a problem because spinlock_t requires a preemptible context on PREEMPT_RT.
In this particular instance, regmap mmio uses spinlock_t to protect the
register access and IRQF_ONESHOT is set on the IRQ. In this case, it is
actually better to do everything in threaded handler and it solves the
problem with PREEMPT_RT.
Reported-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Closes: https://lore.kernel.org/linux-amlogic/20240729131652.3012327-1-avkrasnov@salutedevices.com
Suggested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Fixes: b11d26660dff ("ASoC: meson: axg-fifo: use threaded irq to check periods")
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://patch.msgid.link/20240807162705.4024136-1-jbrunet@baylibre.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/meson/axg-fifo.c | 26 ++++++++++----------------
1 file changed, 10 insertions(+), 16 deletions(-)
diff --git a/sound/soc/meson/axg-fifo.c b/sound/soc/meson/axg-fifo.c
index 94b169a5493b5..5218e40aeb1bb 100644
--- a/sound/soc/meson/axg-fifo.c
+++ b/sound/soc/meson/axg-fifo.c
@@ -207,25 +207,18 @@ static irqreturn_t axg_fifo_pcm_irq_block(int irq, void *dev_id)
status = FIELD_GET(STATUS1_INT_STS, status);
axg_fifo_ack_irq(fifo, status);
- /* Use the thread to call period elapsed on nonatomic links */
- if (status & FIFO_INT_COUNT_REPEAT)
- return IRQ_WAKE_THREAD;
+ if (status & ~FIFO_INT_COUNT_REPEAT)
+ dev_dbg(axg_fifo_dev(ss), "unexpected irq - STS 0x%02x\n",
+ status);
- dev_dbg(axg_fifo_dev(ss), "unexpected irq - STS 0x%02x\n",
- status);
+ if (status & FIFO_INT_COUNT_REPEAT) {
+ snd_pcm_period_elapsed(ss);
+ return IRQ_HANDLED;
+ }
return IRQ_NONE;
}
-static irqreturn_t axg_fifo_pcm_irq_block_thread(int irq, void *dev_id)
-{
- struct snd_pcm_substream *ss = dev_id;
-
- snd_pcm_period_elapsed(ss);
-
- return IRQ_HANDLED;
-}
-
int axg_fifo_pcm_open(struct snd_soc_component *component,
struct snd_pcm_substream *ss)
{
@@ -251,8 +244,9 @@ int axg_fifo_pcm_open(struct snd_soc_component *component,
if (ret)
return ret;
- ret = request_threaded_irq(fifo->irq, axg_fifo_pcm_irq_block,
- axg_fifo_pcm_irq_block_thread,
+ /* Use the threaded irq handler only with non-atomic links */
+ ret = request_threaded_irq(fifo->irq, NULL,
+ axg_fifo_pcm_irq_block,
IRQF_ONESHOT, dev_name(dev), ss);
if (ret)
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 087/150] drm/amd/display: Skip Recompute DSC Params if no Stream on Link
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 086/150] ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 088/150] drm/client: fix null pointer dereference in drm_client_modeset_probe Greg Kroah-Hartman
` (65 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Rodrigo Siqueira, Fangzhi Zuo, Wayne Lin, Daniel Wheeler
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fangzhi Zuo <Jerry.Zuo@amd.com>
commit 50e376f1fe3bf571d0645ddf48ad37eb58323919 upstream.
[why]
Encounter NULL pointer dereference uner mst + dsc setup.
BUG: kernel NULL pointer dereference, address: 0000000000000008
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2
Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022
RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>
RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224
RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280
RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850
R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000
R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224
FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x171/0x4e0
? plist_add+0xbe/0x100
? exc_page_fault+0x7c/0x180
? asm_exc_page_fault+0x26/0x30
? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
drm_atomic_check_only+0x5c5/0xa40
drm_mode_atomic_ioctl+0x76e/0xbc0
[how]
dsc recompute should be skipped if no mode change detected on the new
request. If detected, keep checking whether the stream is already on
current state or not.
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
Signed-off-by: Fangzhi Zuo <Jerry.Zuo@amd.com>
Signed-off-by: Wayne Lin <wayne.lin@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8151a6c13111b465dbabe07c19f572f7cbd16fef)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
@@ -1255,6 +1255,9 @@ static bool is_dsc_need_re_compute(
}
}
+ if (new_stream_on_link_num == 0)
+ return false;
+
/* check current_state if there stream on link but it is not in
* new request state
*/
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 088/150] drm/client: fix null pointer dereference in drm_client_modeset_probe
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 087/150] drm/amd/display: Skip Recompute DSC Params if no Stream on Link Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 089/150] ALSA: line6: Fix racy access to midibuf Greg Kroah-Hartman
` (64 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Thomas Zimmermann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 113fd6372a5bb3689aba8ef5b8a265ed1529a78f upstream.
In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is
assigned to modeset->mode, which will lead to a possible NULL pointer
dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.
Cc: stable@vger.kernel.org
Fixes: cf13909aee05 ("drm/fb-helper: Move out modeset config code")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20240802044736.1570345-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_client_modeset.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/gpu/drm/drm_client_modeset.c
+++ b/drivers/gpu/drm/drm_client_modeset.c
@@ -873,6 +873,11 @@ int drm_client_modeset_probe(struct drm_
kfree(modeset->mode);
modeset->mode = drm_mode_duplicate(dev, mode);
+ if (!modeset->mode) {
+ ret = -ENOMEM;
+ break;
+ }
+
drm_connector_get(connector);
modeset->connectors[modeset->num_connectors++] = connector;
modeset->x = offset->x;
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 089/150] ALSA: line6: Fix racy access to midibuf
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 088/150] drm/client: fix null pointer dereference in drm_client_modeset_probe Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 090/150] ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list Greg Kroah-Hartman
` (63 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+78eccfb8b3c9a85fc6c5,
Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 15b7a03205b31bc5623378c190d22b7ff60026f1 upstream.
There can be concurrent accesses to line6 midibuf from both the URB
completion callback and the rawmidi API access. This could be a cause
of KMSAN warning triggered by syzkaller below (so put as reported-by
here).
This patch protects the midibuf call of the former code path with a
spinlock for avoiding the possible races.
Reported-by: syzbot+78eccfb8b3c9a85fc6c5@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/00000000000000949c061df288c5@google.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20240805130129.10872-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/line6/driver.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/sound/usb/line6/driver.c
+++ b/sound/usb/line6/driver.c
@@ -286,12 +286,14 @@ static void line6_data_received(struct u
{
struct usb_line6 *line6 = (struct usb_line6 *)urb->context;
struct midi_buffer *mb = &line6->line6midi->midibuf_in;
+ unsigned long flags;
int done;
if (urb->status == -ESHUTDOWN)
return;
if (line6->properties->capabilities & LINE6_CAP_CONTROL_MIDI) {
+ spin_lock_irqsave(&line6->line6midi->lock, flags);
done =
line6_midibuf_write(mb, urb->transfer_buffer, urb->actual_length);
@@ -300,12 +302,15 @@ static void line6_data_received(struct u
dev_dbg(line6->ifcdev, "%d %d buffer overflow - message skipped\n",
done, urb->actual_length);
}
+ spin_unlock_irqrestore(&line6->line6midi->lock, flags);
for (;;) {
+ spin_lock_irqsave(&line6->line6midi->lock, flags);
done =
line6_midibuf_read(mb, line6->buffer_message,
LINE6_MIDI_MESSAGE_MAXLEN,
LINE6_MIDIBUF_READ_RX);
+ spin_unlock_irqrestore(&line6->line6midi->lock, flags);
if (done <= 0)
break;
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 090/150] ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 089/150] ALSA: line6: Fix racy access to midibuf Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 091/150] ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks Greg Kroah-Hartman
` (62 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Steven Steve Kendall, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven 'Steve' Kendall <skend@chromium.org>
commit 7e1e206b99f4b3345aeb49d94584a420b7887f1d upstream.
In recent HP UEFI firmware (likely v2.15 and above, tested on 2.27),
these pins are incorrectly set for HDMI/DP audio. Tested on
HP MP9 G4 Retail System AMS. Tested audio with two monitors connected
via DisplayPort.
Link: https://forum.manjaro.org/t/intel-cannon-lake-pch-cavs-conexant-cx20632-no-sound-at-hdmi-or-displayport/133494
Link: https://bbs.archlinux.org/viewtopic.php?id=270523
Signed-off-by: Steven 'Steve' Kendall <skend@chromium.org>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20240806-hdmi-audio-hp-wrongpins-v2-1-d9eb4ad41043@chromium.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_hdmi.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1989,6 +1989,7 @@ static int hdmi_add_cvt(struct hda_codec
}
static const struct snd_pci_quirk force_connect_list[] = {
+ SND_PCI_QUIRK(0x103c, 0x83ef, "HP MP9 G4 Retail System AMS", 1),
SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1),
SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1),
SND_PCI_QUIRK(0x103c, 0x8711, "HP", 1),
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 091/150] ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 090/150] ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 092/150] ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 Greg Kroah-Hartman
` (61 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dustin L. Howett, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dustin L. Howett <dustin@howett.net>
commit eb91c456f3714c336f0812dccab422ec0e72bde4 upstream.
The Framework Laptop 13 (Intel Core Ultra) has an ALC285 that ships in a
similar configuration to the ALC295 in previous models. It requires the
same quirk for headset detection.
Signed-off-by: Dustin L. Howett <dustin@howett.net>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20240806-alsa-hda-realtek-add-framework-laptop-13-intel-core-ultra-to-quirks-v1-1-42d6ce2dbf14@howett.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -10173,6 +10173,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x8086, 0x3038, "Intel NUC 13", ALC295_FIXUP_CHROME_BOOK),
SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0xf111, 0x0006, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
#if 0
/* Below is a quirk table taken from the old code.
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 092/150] ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 091/150] ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 093/150] usb: vhci-hcd: Do not drop references before new references are gained Greg Kroah-Hartman
` (60 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 176fd1511dd9086ab4fa9323cb232177c6235288 upstream.
HP EliteDesk 800 G4 (PCI SSID 103c:83e2) is another Kabylake machine
where BIOS misses the HDMI pin initializations. Add the quirk entry.
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20240806064918.11132-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_hdmi.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1989,6 +1989,7 @@ static int hdmi_add_cvt(struct hda_codec
}
static const struct snd_pci_quirk force_connect_list[] = {
+ SND_PCI_QUIRK(0x103c, 0x83e2, "HP EliteDesk 800 G4", 1),
SND_PCI_QUIRK(0x103c, 0x83ef, "HP MP9 G4 Retail System AMS", 1),
SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1),
SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1),
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 093/150] usb: vhci-hcd: Do not drop references before new references are gained
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 092/150] ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 094/150] USB: serial: debug: do not echo input by default Greg Kroah-Hartman
` (59 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, stable, Shuah Khan
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a upstream.
At a few places the driver carries stale pointers
to references that can still be used. Make sure that does not happen.
This strictly speaking closes ZDI-CAN-22273, though there may be
similar races in the driver.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/20240709113851.14691-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/usbip/vhci_hcd.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -745,6 +745,7 @@ static int vhci_urb_enqueue(struct usb_h
*
*/
if (usb_pipedevice(urb->pipe) == 0) {
+ struct usb_device *old;
__u8 type = usb_pipetype(urb->pipe);
struct usb_ctrlrequest *ctrlreq =
(struct usb_ctrlrequest *) urb->setup_packet;
@@ -755,14 +756,15 @@ static int vhci_urb_enqueue(struct usb_h
goto no_need_xmit;
}
+ old = vdev->udev;
switch (ctrlreq->bRequest) {
case USB_REQ_SET_ADDRESS:
/* set_address may come when a device is reset */
dev_info(dev, "SetAddress Request (%d) to port %d\n",
ctrlreq->wValue, vdev->rhport);
- usb_put_dev(vdev->udev);
vdev->udev = usb_get_dev(urb->dev);
+ usb_put_dev(old);
spin_lock(&vdev->ud.lock);
vdev->ud.status = VDEV_ST_USED;
@@ -781,8 +783,8 @@ static int vhci_urb_enqueue(struct usb_h
usbip_dbg_vhci_hc(
"Not yet?:Get_Descriptor to device 0 (get max pipe size)\n");
- usb_put_dev(vdev->udev);
vdev->udev = usb_get_dev(urb->dev);
+ usb_put_dev(old);
goto out;
default:
@@ -1067,6 +1069,7 @@ static void vhci_shutdown_connection(str
static void vhci_device_reset(struct usbip_device *ud)
{
struct vhci_device *vdev = container_of(ud, struct vhci_device, ud);
+ struct usb_device *old = vdev->udev;
unsigned long flags;
spin_lock_irqsave(&ud->lock, flags);
@@ -1074,8 +1077,8 @@ static void vhci_device_reset(struct usb
vdev->speed = 0;
vdev->devid = 0;
- usb_put_dev(vdev->udev);
vdev->udev = NULL;
+ usb_put_dev(old);
if (ud->tcp_socket) {
sockfd_put(ud->tcp_socket);
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 094/150] USB: serial: debug: do not echo input by default
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 093/150] usb: vhci-hcd: Do not drop references before new references are gained Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 095/150] usb: gadget: core: Check for unset descriptor Greg Kroah-Hartman
` (58 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Marczykowski-Górecki,
Johan Hovold
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
commit 00af4f3dda1461ec90d892edc10bec6d3c50c554 upstream.
This driver is intended as a "client" end of the console connection.
When connected to a host it's supposed to receive debug logs, and
possibly allow to interact with whatever debug console is available
there. Feeding messages back, depending on a configuration may cause log
messages be executed as shell commands (which can be really bad if one
is unlucky, imagine a log message like "prevented running `rm -rf
/home`"). In case of Xen, it exposes sysrq-like debug interface, and
feeding it its own logs will pretty quickly hit 'R' for "instant
reboot".
Contrary to a classic serial console, the USB one cannot be configured
ahead of time, as the device shows up only when target OS is up. And at
the time device is opened to execute relevant ioctl, it's already too
late, especially when logs start flowing shortly after device is
initialized.
Avoid the issue by changing default to no echo for this type of devices.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
[ johan: amend summary; disable also ECHONL ]
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/usb_debug.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/usb/serial/usb_debug.c
+++ b/drivers/usb/serial/usb_debug.c
@@ -69,6 +69,11 @@ static void usb_debug_process_read_urb(s
usb_serial_generic_process_read_urb(urb);
}
+static void usb_debug_init_termios(struct tty_struct *tty)
+{
+ tty->termios.c_lflag &= ~(ECHO | ECHONL);
+}
+
static struct usb_serial_driver debug_device = {
.driver = {
.owner = THIS_MODULE,
@@ -78,6 +83,7 @@ static struct usb_serial_driver debug_de
.num_ports = 1,
.bulk_out_size = USB_DEBUG_MAX_PACKET_SIZE,
.break_ctl = usb_debug_break_ctl,
+ .init_termios = usb_debug_init_termios,
.process_read_urb = usb_debug_process_read_urb,
};
@@ -89,6 +95,7 @@ static struct usb_serial_driver dbc_devi
.id_table = dbc_id_table,
.num_ports = 1,
.break_ctl = usb_debug_break_ctl,
+ .init_termios = usb_debug_init_termios,
.process_read_urb = usb_debug_process_read_urb,
};
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 095/150] usb: gadget: core: Check for unset descriptor
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 094/150] USB: serial: debug: do not echo input by default Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 096/150] usb: gadget: u_serial: Set start_delayed during suspend Greg Kroah-Hartman
` (57 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Wulff
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Wulff <crwulff@gmail.com>
commit 973a57891608a98e894db2887f278777f564de18 upstream.
Make sure the descriptor has been set before looking at maxpacket.
This fixes a null pointer panic in this case.
This may happen if the gadget doesn't properly set up the endpoint
for the current speed, or the gadget descriptors are malformed and
the descriptor for the speed/endpoint are not found.
No current gadget driver is known to have this problem, but this
may cause a hard-to-find bug during development of new gadgets.
Fixes: 54f83b8c8ea9 ("USB: gadget: Reject endpoints with 0 maxpacket value")
Cc: stable@vger.kernel.org
Signed-off-by: Chris Wulff <crwulff@gmail.com>
Link: https://lore.kernel.org/r/20240725010419.314430-2-crwulff@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/core.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -118,12 +118,10 @@ int usb_ep_enable(struct usb_ep *ep)
goto out;
/* UDC drivers can't handle endpoints with maxpacket size 0 */
- if (usb_endpoint_maxp(ep->desc) == 0) {
- /*
- * We should log an error message here, but we can't call
- * dev_err() because there's no way to find the gadget
- * given only ep.
- */
+ if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) {
+ WARN_ONCE(1, "%s: ep%d (%s) has %s\n", __func__, ep->address, ep->name,
+ (!ep->desc) ? "NULL descriptor" : "maxpacket 0");
+
ret = -EINVAL;
goto out;
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 096/150] usb: gadget: u_serial: Set start_delayed during suspend
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 095/150] usb: gadget: core: Check for unset descriptor Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 097/150] usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed Greg Kroah-Hartman
` (56 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Prashanth K
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prashanth K <quic_prashk@quicinc.com>
commit 5a444bea37e2759549ef72bfe83d1c8712e76b3d upstream.
Upstream commit aba3a8d01d62 ("usb: gadget: u_serial: add suspend
resume callbacks") added started_delayed flag, so that new ports
which are opened after USB suspend can start IO while resuming.
But if the port was already opened, and gadget suspend kicks in
afterwards, start_delayed will never be set. This causes resume
to bail out before calling gs_start_io(). Fix this by setting
start_delayed during suspend.
Fixes: aba3a8d01d62 ("usb: gadget: u_serial: add suspend resume callbacks")
Cc: stable@vger.kernel.org
Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
Link: https://lore.kernel.org/r/20240730125754.576326-1-quic_prashk@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/u_serial.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/gadget/function/u_serial.c
+++ b/drivers/usb/gadget/function/u_serial.c
@@ -1436,6 +1436,7 @@ void gserial_suspend(struct gserial *gse
spin_lock(&port->port_lock);
spin_unlock(&serial_port_lock);
port->suspended = true;
+ port->start_delayed = true;
spin_unlock_irqrestore(&port->port_lock, flags);
}
EXPORT_SYMBOL_GPL(gserial_suspend);
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 097/150] usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed.
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 096/150] usb: gadget: u_serial: Set start_delayed during suspend Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:02 ` [PATCH 6.1 098/150] scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES Greg Kroah-Hartman
` (55 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Wulff
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Wulff <crwulff@gmail.com>
commit 76a7bfc445b8e9893c091e24ccfd4f51dfdc0a70 upstream.
These functions can fail if descriptors are malformed, or missing,
for the selected USB speed.
Fixes: eb9fecb9e69b ("usb: gadget: f_uac2: split out audio core")
Fixes: 24f779dac8f3 ("usb: gadget: f_uac2/u_audio: add feedback endpoint support")
Cc: stable@vger.kernel.org
Signed-off-by: Chris Wulff <crwulff@gmail.com>
Link: https://lore.kernel.org/r/20240721192314.3532697-2-crwulff@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/u_audio.c | 42 +++++++++++++++++++++++++++-------
1 file changed, 34 insertions(+), 8 deletions(-)
--- a/drivers/usb/gadget/function/u_audio.c
+++ b/drivers/usb/gadget/function/u_audio.c
@@ -592,16 +592,25 @@ int u_audio_start_capture(struct g_audio
struct usb_ep *ep, *ep_fback;
struct uac_rtd_params *prm;
struct uac_params *params = &audio_dev->params;
- int req_len, i;
+ int req_len, i, ret;
prm = &uac->c_prm;
dev_dbg(dev, "start capture with rate %d\n", prm->srate);
ep = audio_dev->out_ep;
- config_ep_by_speed(gadget, &audio_dev->func, ep);
+ ret = config_ep_by_speed(gadget, &audio_dev->func, ep);
+ if (ret < 0) {
+ dev_err(dev, "config_ep_by_speed for out_ep failed (%d)\n", ret);
+ return ret;
+ }
+
req_len = ep->maxpacket;
prm->ep_enabled = true;
- usb_ep_enable(ep);
+ ret = usb_ep_enable(ep);
+ if (ret < 0) {
+ dev_err(dev, "usb_ep_enable failed for out_ep (%d)\n", ret);
+ return ret;
+ }
for (i = 0; i < params->req_number; i++) {
if (!prm->reqs[i]) {
@@ -629,9 +638,18 @@ int u_audio_start_capture(struct g_audio
return 0;
/* Setup feedback endpoint */
- config_ep_by_speed(gadget, &audio_dev->func, ep_fback);
+ ret = config_ep_by_speed(gadget, &audio_dev->func, ep_fback);
+ if (ret < 0) {
+ dev_err(dev, "config_ep_by_speed in_ep_fback failed (%d)\n", ret);
+ return ret; // TODO: Clean up out_ep
+ }
+
prm->fb_ep_enabled = true;
- usb_ep_enable(ep_fback);
+ ret = usb_ep_enable(ep_fback);
+ if (ret < 0) {
+ dev_err(dev, "usb_ep_enable failed for in_ep_fback (%d)\n", ret);
+ return ret; // TODO: Clean up out_ep
+ }
req_len = ep_fback->maxpacket;
req_fback = usb_ep_alloc_request(ep_fback, GFP_ATOMIC);
@@ -687,13 +705,17 @@ int u_audio_start_playback(struct g_audi
struct uac_params *params = &audio_dev->params;
unsigned int factor;
const struct usb_endpoint_descriptor *ep_desc;
- int req_len, i;
+ int req_len, i, ret;
unsigned int p_pktsize;
prm = &uac->p_prm;
dev_dbg(dev, "start playback with rate %d\n", prm->srate);
ep = audio_dev->in_ep;
- config_ep_by_speed(gadget, &audio_dev->func, ep);
+ ret = config_ep_by_speed(gadget, &audio_dev->func, ep);
+ if (ret < 0) {
+ dev_err(dev, "config_ep_by_speed for in_ep failed (%d)\n", ret);
+ return ret;
+ }
ep_desc = ep->desc;
/*
@@ -720,7 +742,11 @@ int u_audio_start_playback(struct g_audi
uac->p_residue_mil = 0;
prm->ep_enabled = true;
- usb_ep_enable(ep);
+ ret = usb_ep_enable(ep);
+ if (ret < 0) {
+ dev_err(dev, "usb_ep_enable failed for in_ep (%d)\n", ret);
+ return ret;
+ }
for (i = 0; i < params->req_number; i++) {
if (!prm->reqs[i]) {
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 098/150] scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 097/150] usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed Greg Kroah-Hartman
@ 2024-08-12 16:02 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 099/150] scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic Greg Kroah-Hartman
` (54 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Damien Le Moal,
Johannes Thumshirn, Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit 1abc900ddda8ad2ef739fedf498d415655b6c3b8 upstream.
Some firmware versions of the 9600 series SAS HBA byte-swap the REPORT
ZONES command reply buffer from ATA-ZAC devices by directly accessing the
buffer in the host memory. This does not respect the default command DMA
direction and causes IOMMU page faults on architectures with an IOMMU
enforcing write-only mappings for DMA_FROM_DEVICE DMA direction (e.g. AMD
hosts), leading to the device capacity to be dropped to 0:
scsi 18:0:58:0: Direct-Access-ZBC ATA WDC WSH722626AL W930 PQ: 0 ANSI: 7
scsi 18:0:58:0: Power-on or device reset occurred
sd 18:0:58:0: Attached scsi generic sg9 type 20
sd 18:0:58:0: [sdj] Host-managed zoned block device
mpi3mr 0000:c1:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0001 address=0xfec0c400 flags=0x0050]
mpi3mr 0000:c1:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0001 address=0xfec0c500 flags=0x0050]
sd 18:0:58:0: [sdj] REPORT ZONES start lba 0 failed
sd 18:0:58:0: [sdj] REPORT ZONES: Result: hostbyte=DID_SOFT_ERROR driverbyte=DRIVER_OK
sd 18:0:58:0: [sdj] 0 4096-byte logical blocks: (0 B/0 B)
sd 18:0:58:0: [sdj] Write Protect is off
sd 18:0:58:0: [sdj] Mode Sense: 6b 00 10 08
sd 18:0:58:0: [sdj] Write cache: enabled, read cache: enabled, supports DPO and FUA
sd 18:0:58:0: [sdj] Attached SCSI disk
Avoid this issue by always mapping the buffer of REPORT ZONES commands
using DMA_BIDIRECTIONAL, that is, using a read-write IOMMU mapping.
Suggested-by: Christoph Hellwig <hch@lst.de>
Fixes: 023ab2a9b4ed ("scsi: mpi3mr: Add support for queue command processing")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20240719073913.179559-2-dlemoal@kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpi3mr/mpi3mr_os.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
@@ -3389,6 +3389,17 @@ static int mpi3mr_prepare_sg_scmd(struct
scmd->sc_data_direction);
priv->meta_sg_valid = 1; /* To unmap meta sg DMA */
} else {
+ /*
+ * Some firmware versions byte-swap the REPORT ZONES command
+ * reply from ATA-ZAC devices by directly accessing in the host
+ * buffer. This does not respect the default command DMA
+ * direction and causes IOMMU page faults on some architectures
+ * with an IOMMU enforcing write mappings (e.g. AMD hosts).
+ * Avoid such issue by making the REPORT ZONES buffer mapping
+ * bi-directional.
+ */
+ if (scmd->cmnd[0] == ZBC_IN && scmd->cmnd[1] == ZI_REPORT_ZONES)
+ scmd->sc_data_direction = DMA_BIDIRECTIONAL;
sg_scmd = scsi_sglist(scmd);
sges_left = scsi_dma_map(scmd);
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 099/150] scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2024-08-12 16:02 ` [PATCH 6.1 098/150] scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 100/150] tick/broadcast: Move per CPU pointer access into the atomic section Greg Kroah-Hartman
` (53 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vamshi Gajjela, Bart Van Assche,
Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vamshi Gajjela <vamshigajjela@google.com>
commit ab9fd06cb8f0db0854291833fc40c789e43a361f upstream.
The ufshcd_add_delay_before_dme_cmd() always introduces a delay of
MIN_DELAY_BEFORE_DME_CMDS_US between DME commands even when it's not
required. The delay is added when the UFS host controller supplies the
quirk UFSHCD_QUIRK_DELAY_BEFORE_DME_CMDS.
Fix the logic to update hba->last_dme_cmd_tstamp to ensure subsequent DME
commands have the correct delay in the range of 0 to
MIN_DELAY_BEFORE_DME_CMDS_US.
Update the timestamp at the end of the function to ensure it captures the
latest time after any necessary delay has been applied.
Signed-off-by: Vamshi Gajjela <vamshigajjela@google.com>
Link: https://lore.kernel.org/r/20240724135126.1786126-1-vamshigajjela@google.com
Fixes: cad2e03d8607 ("ufs: add support to allow non standard behaviours (quirks)")
Cc: stable@vger.kernel.org
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ufs/core/ufshcd.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -3909,11 +3909,16 @@ static inline void ufshcd_add_delay_befo
min_sleep_time_us =
MIN_DELAY_BEFORE_DME_CMDS_US - delta;
else
- return; /* no more delay required */
+ min_sleep_time_us = 0; /* no more delay required */
}
- /* allow sleep for extra 50us if needed */
- usleep_range(min_sleep_time_us, min_sleep_time_us + 50);
+ if (min_sleep_time_us > 0) {
+ /* allow sleep for extra 50us if needed */
+ usleep_range(min_sleep_time_us, min_sleep_time_us + 50);
+ }
+
+ /* update the last_dme_cmd_tstamp */
+ hba->last_dme_cmd_tstamp = ktime_get();
}
/**
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 100/150] tick/broadcast: Move per CPU pointer access into the atomic section
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 099/150] scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 101/150] vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler Greg Kroah-Hartman
` (52 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Wang, Thomas Gleixner, Yu Liao
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 6881e75237a84093d0986f56223db3724619f26e upstream.
The recent fix for making the take over of the broadcast timer more
reliable retrieves a per CPU pointer in preemptible context.
This went unnoticed as compilers hoist the access into the non-preemptible
region where the pointer is actually used. But of course it's valid that
the compiler keeps it at the place where the code puts it which rightfully
triggers:
BUG: using smp_processor_id() in preemptible [00000000] code:
caller is hotplug_cpu__broadcast_tick_pull+0x1c/0xc0
Move it to the actual usage site which is in a non-preemptible region.
Fixes: f7d43dd206e7 ("tick/broadcast: Make takeover of broadcast hrtimer reliable")
Reported-by: David Wang <00107082@163.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Yu Liao <liaoyu15@huawei.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/87ttg56ers.ffs@tglx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/tick-broadcast.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/time/tick-broadcast.c
+++ b/kernel/time/tick-broadcast.c
@@ -1137,7 +1137,6 @@ void tick_broadcast_switch_to_oneshot(vo
#ifdef CONFIG_HOTPLUG_CPU
void hotplug_cpu__broadcast_tick_pull(int deadcpu)
{
- struct tick_device *td = this_cpu_ptr(&tick_cpu_device);
struct clock_event_device *bc;
unsigned long flags;
@@ -1163,6 +1162,8 @@ void hotplug_cpu__broadcast_tick_pull(in
* device to avoid the starvation.
*/
if (tick_check_broadcast_expired()) {
+ struct tick_device *td = this_cpu_ptr(&tick_cpu_device);
+
cpumask_clear_cpu(smp_processor_id(), tick_broadcast_force_mask);
tick_program_event(td->evtdev->next_event, 1);
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 101/150] vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 100/150] tick/broadcast: Move per CPU pointer access into the atomic section Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 102/150] ntp: Clamp maxerror and esterror to operating range Greg Kroah-Hartman
` (51 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Jason Wang,
Michael S. Tsirkin, Michal Kubiak
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
commit 0823dc64586ba5ea13a7d200a5d33e4c5fa45950 upstream.
remap_pfn_page() should not be called in the fault handler as it may
change the vma->flags which may trigger lockdep warning since the vma
write lock is not held. Actually there's no need to modify the
vma->flags as it has been set in the mmap(). So this patch switches to
use vmf_insert_pfn() instead.
Reported-by: Dragos Tatulea <dtatulea@nvidia.com>
Tested-by: Dragos Tatulea <dtatulea@nvidia.com>
Fixes: ddd89d0a059d ("vhost_vdpa: support doorbell mapping via mmap")
Cc: stable@vger.kernel.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20240701033159.18133-1-jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/vdpa.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@@ -1294,13 +1294,7 @@ static vm_fault_t vhost_vdpa_fault(struc
notify = ops->get_vq_notification(vdpa, index);
- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
- if (remap_pfn_range(vma, vmf->address & PAGE_MASK,
- PFN_DOWN(notify.addr), PAGE_SIZE,
- vma->vm_page_prot))
- return VM_FAULT_SIGBUS;
-
- return VM_FAULT_NOPAGE;
+ return vmf_insert_pfn(vma, vmf->address & PAGE_MASK, PFN_DOWN(notify.addr));
}
static const struct vm_operations_struct vhost_vdpa_vm_ops = {
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 102/150] ntp: Clamp maxerror and esterror to operating range
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 101/150] vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 103/150] torture: Enable clocksource watchdog with "tsc=watchdog" Greg Kroah-Hartman
` (50 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Stitt, Thomas Gleixner,
Miroslav Lichvar, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Stitt <justinstitt@google.com>
[ Upstream commit 87d571d6fb77ec342a985afa8744bb9bb75b3622 ]
Using syzkaller alongside the newly reintroduced signed integer overflow
sanitizer spits out this report:
UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:461:16
9223372036854775807 + 500 cannot be represented in type 'long'
Call Trace:
handle_overflow+0x171/0x1b0
second_overflow+0x2d6/0x500
accumulate_nsecs_to_secs+0x60/0x160
timekeeping_advance+0x1fe/0x890
update_wall_time+0x10/0x30
time_maxerror is unconditionally incremented and the result is checked
against NTP_PHASE_LIMIT, but the increment itself can overflow, resulting
in wrap-around to negative space.
Before commit eea83d896e31 ("ntp: NTP4 user space bits update") the user
supplied value was sanity checked to be in the operating range. That change
removed the sanity check and relied on clamping in handle_overflow() which
does not work correctly when the user supplied value is in the overflow
zone of the '+ 500' operation.
The operation requires CAP_SYS_TIME and the side effect of the overflow is
NTP getting out of sync.
Miroslav confirmed that the input value should be clamped to the operating
range and the same applies to time_esterror. The latter is not used by the
kernel, but the value still should be in the operating range as it was
before the sanity check got removed.
Clamp them to the operating range.
[ tglx: Changed it to clamping and included time_esterror ]
Fixes: eea83d896e31 ("ntp: NTP4 user space bits update")
Signed-off-by: Justin Stitt <justinstitt@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Miroslav Lichvar <mlichvar@redhat.com>
Link: https://lore.kernel.org/all/20240517-b4-sio-ntp-usec-v2-1-d539180f2b79@google.com
Closes: https://github.com/KSPP/linux/issues/354
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/ntp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
index 406dccb79c2b6..502e1e5b7f7f6 100644
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -727,10 +727,10 @@ static inline void process_adjtimex_modes(const struct __kernel_timex *txc,
}
if (txc->modes & ADJ_MAXERROR)
- time_maxerror = txc->maxerror;
+ time_maxerror = clamp(txc->maxerror, 0, NTP_PHASE_LIMIT);
if (txc->modes & ADJ_ESTERROR)
- time_esterror = txc->esterror;
+ time_esterror = clamp(txc->esterror, 0, NTP_PHASE_LIMIT);
if (txc->modes & ADJ_TIMECONST) {
time_constant = txc->constant;
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 103/150] torture: Enable clocksource watchdog with "tsc=watchdog"
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 102/150] ntp: Clamp maxerror and esterror to operating range Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 104/150] clocksource: Scale the watchdog read retries automatically Greg Kroah-Hartman
` (49 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul E. McKenney, Boqun Feng,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
[ Upstream commit 877a0e83c57fa5e2a7fd628ec2e1733ed70c8792 ]
This commit tests the "tsc=watchdog" kernel boot parameter when running
the clocksourcewd torture tests.
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Stable-dep-of: f2655ac2c06a ("clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/rcutorture/bin/torture.sh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/rcutorture/bin/torture.sh b/tools/testing/selftests/rcutorture/bin/torture.sh
index d477618e7261d..91bca30e8587c 100755
--- a/tools/testing/selftests/rcutorture/bin/torture.sh
+++ b/tools/testing/selftests/rcutorture/bin/torture.sh
@@ -405,16 +405,16 @@ fi
if test "$do_clocksourcewd" = "yes"
then
- torture_bootargs="rcupdate.rcu_cpu_stall_suppress_at_boot=1 torture.disable_onoff_at_boot rcupdate.rcu_task_stall_timeout=30000"
+ torture_bootargs="rcupdate.rcu_cpu_stall_suppress_at_boot=1 torture.disable_onoff_at_boot rcupdate.rcu_task_stall_timeout=30000 tsc=watchdog"
torture_set "clocksourcewd-1" tools/testing/selftests/rcutorture/bin/kvm.sh --allcpus --duration 45s --configs TREE03 --kconfig "CONFIG_TEST_CLOCKSOURCE_WATCHDOG=y" --trust-make
- torture_bootargs="rcupdate.rcu_cpu_stall_suppress_at_boot=1 torture.disable_onoff_at_boot rcupdate.rcu_task_stall_timeout=30000 clocksource.max_cswd_read_retries=1"
+ torture_bootargs="rcupdate.rcu_cpu_stall_suppress_at_boot=1 torture.disable_onoff_at_boot rcupdate.rcu_task_stall_timeout=30000 clocksource.max_cswd_read_retries=1 tsc=watchdog"
torture_set "clocksourcewd-2" tools/testing/selftests/rcutorture/bin/kvm.sh --allcpus --duration 45s --configs TREE03 --kconfig "CONFIG_TEST_CLOCKSOURCE_WATCHDOG=y" --trust-make
# In case our work is already done...
if test "$do_rcutorture" != "yes"
then
- torture_bootargs="rcupdate.rcu_cpu_stall_suppress_at_boot=1 torture.disable_onoff_at_boot rcupdate.rcu_task_stall_timeout=30000"
+ torture_bootargs="rcupdate.rcu_cpu_stall_suppress_at_boot=1 torture.disable_onoff_at_boot rcupdate.rcu_task_stall_timeout=30000 tsc=watchdog"
torture_set "clocksourcewd-3" tools/testing/selftests/rcutorture/bin/kvm.sh --allcpus --duration 45s --configs TREE03 --trust-make
fi
fi
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 104/150] clocksource: Scale the watchdog read retries automatically
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 103/150] torture: Enable clocksource watchdog with "tsc=watchdog" Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 105/150] clocksource: Fix brown-bag boolean thinko in cs_watchdog_read() Greg Kroah-Hartman
` (48 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Feng Tang, Thomas Gleixner, Jin Wang,
Paul E. McKenney, Waiman Long, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Feng Tang <feng.tang@intel.com>
[ Upstream commit 2ed08e4bc53298db3f87b528cd804cb0cce066a9 ]
On a 8-socket server the TSC is wrongly marked as 'unstable' and disabled
during boot time on about one out of 120 boot attempts:
clocksource: timekeeping watchdog on CPU227: wd-tsc-wd excessive read-back delay of 153560ns vs. limit of 125000ns,
wd-wd read-back delay only 11440ns, attempt 3, marking tsc unstable
tsc: Marking TSC unstable due to clocksource watchdog
TSC found unstable after boot, most likely due to broken BIOS. Use 'tsc=unstable'.
sched_clock: Marking unstable (119294969739, 159204297)<-(125446229205, -5992055152)
clocksource: Checking clocksource tsc synchronization from CPU 319 to CPUs 0,99,136,180,210,542,601,896.
clocksource: Switched to clocksource hpet
The reason is that for platform with a large number of CPUs, there are
sporadic big or huge read latencies while reading the watchog/clocksource
during boot or when system is under stress work load, and the frequency and
maximum value of the latency goes up with the number of online CPUs.
The cCurrent code already has logic to detect and filter such high latency
case by reading the watchdog twice and checking the two deltas. Due to the
randomness of the latency, there is a low probabilty that the first delta
(latency) is big, but the second delta is small and looks valid. The
watchdog code retries the readouts by default twice, which is not
necessarily sufficient for systems with a large number of CPUs.
There is a command line parameter 'max_cswd_read_retries' which allows to
increase the number of retries, but that's not user friendly as it needs to
be tweaked per system. As the number of required retries is proportional to
the number of online CPUs, this parameter can be calculated at runtime.
Scale and enlarge the number of retries according to the number of online
CPUs and remove the command line parameter completely.
[ tglx: Massaged change log and comments ]
Signed-off-by: Feng Tang <feng.tang@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Jin Wang <jin1.wang@intel.com>
Tested-by: Paul E. McKenney <paulmck@kernel.org>
Reviewed-by: Waiman Long <longman@redhat.com>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Link: https://lore.kernel.org/r/20240221060859.1027450-1-feng.tang@intel.com
Stable-dep-of: f2655ac2c06a ("clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/admin-guide/kernel-parameters.txt | 6 ------
include/linux/clocksource.h | 14 +++++++++++++-
kernel/time/clocksource-wdtest.c | 13 +++++++------
kernel/time/clocksource.c | 10 ++++------
tools/testing/selftests/rcutorture/bin/torture.sh | 2 +-
5 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index a29ff7a773c7c..8df4c1c5c6197 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -637,12 +637,6 @@
loops can be debugged more effectively on production
systems.
- clocksource.max_cswd_read_retries= [KNL]
- Number of clocksource_watchdog() retries due to
- external delays before the clock will be marked
- unstable. Defaults to two retries, that is,
- three attempts to read the clock under test.
-
clocksource.verify_n_cpus= [KNL]
Limit the number of CPUs checked for clocksources
marked with CLOCK_SOURCE_VERIFY_PERCPU that
diff --git a/include/linux/clocksource.h b/include/linux/clocksource.h
index 1d42d4b173271..0ad8b550bb4b4 100644
--- a/include/linux/clocksource.h
+++ b/include/linux/clocksource.h
@@ -291,7 +291,19 @@ static inline void timer_probe(void) {}
#define TIMER_ACPI_DECLARE(name, table_id, fn) \
ACPI_DECLARE_PROBE_ENTRY(timer, name, table_id, 0, NULL, 0, fn)
-extern ulong max_cswd_read_retries;
+static inline unsigned int clocksource_get_max_watchdog_retry(void)
+{
+ /*
+ * When system is in the boot phase or under heavy workload, there
+ * can be random big latencies during the clocksource/watchdog
+ * read, so allow retries to filter the noise latency. As the
+ * latency's frequency and maximum value goes up with the number of
+ * CPUs, scale the number of retries with the number of online
+ * CPUs.
+ */
+ return (ilog2(num_online_cpus()) / 2) + 1;
+}
+
void clocksource_verify_percpu(struct clocksource *cs);
#endif /* _LINUX_CLOCKSOURCE_H */
diff --git a/kernel/time/clocksource-wdtest.c b/kernel/time/clocksource-wdtest.c
index df922f49d171b..d06185e054ea2 100644
--- a/kernel/time/clocksource-wdtest.c
+++ b/kernel/time/clocksource-wdtest.c
@@ -104,8 +104,8 @@ static void wdtest_ktime_clocksource_reset(void)
static int wdtest_func(void *arg)
{
unsigned long j1, j2;
+ int i, max_retries;
char *s;
- int i;
schedule_timeout_uninterruptible(holdoff * HZ);
@@ -139,18 +139,19 @@ static int wdtest_func(void *arg)
WARN_ON_ONCE(time_before(j2, j1 + NSEC_PER_USEC));
/* Verify tsc-like stability with various numbers of errors injected. */
- for (i = 0; i <= max_cswd_read_retries + 1; i++) {
- if (i <= 1 && i < max_cswd_read_retries)
+ max_retries = clocksource_get_max_watchdog_retry();
+ for (i = 0; i <= max_retries + 1; i++) {
+ if (i <= 1 && i < max_retries)
s = "";
- else if (i <= max_cswd_read_retries)
+ else if (i <= max_retries)
s = ", expect message";
else
s = ", expect clock skew";
- pr_info("--- Watchdog with %dx error injection, %lu retries%s.\n", i, max_cswd_read_retries, s);
+ pr_info("--- Watchdog with %dx error injection, %d retries%s.\n", i, max_retries, s);
WRITE_ONCE(wdtest_ktime_read_ndelays, i);
schedule_timeout_uninterruptible(2 * HZ);
WARN_ON_ONCE(READ_ONCE(wdtest_ktime_read_ndelays));
- WARN_ON_ONCE((i <= max_cswd_read_retries) !=
+ WARN_ON_ONCE((i <= max_retries) !=
!(clocksource_wdtest_ktime.flags & CLOCK_SOURCE_UNSTABLE));
wdtest_ktime_clocksource_reset();
}
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index cc6db3bce1b2f..6d5a0fc98e398 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -207,9 +207,6 @@ void clocksource_mark_unstable(struct clocksource *cs)
spin_unlock_irqrestore(&watchdog_lock, flags);
}
-ulong max_cswd_read_retries = 2;
-module_param(max_cswd_read_retries, ulong, 0644);
-EXPORT_SYMBOL_GPL(max_cswd_read_retries);
static int verify_n_cpus = 8;
module_param(verify_n_cpus, int, 0644);
@@ -221,11 +218,12 @@ enum wd_read_status {
static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow)
{
- unsigned int nretries;
+ unsigned int nretries, max_retries;
u64 wd_end, wd_end2, wd_delta;
int64_t wd_delay, wd_seq_delay;
- for (nretries = 0; nretries <= max_cswd_read_retries; nretries++) {
+ max_retries = clocksource_get_max_watchdog_retry();
+ for (nretries = 0; nretries <= max_retries; nretries++) {
local_irq_disable();
*wdnow = watchdog->read(watchdog);
*csnow = cs->read(cs);
@@ -237,7 +235,7 @@ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow,
wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult,
watchdog->shift);
if (wd_delay <= WATCHDOG_MAX_SKEW) {
- if (nretries > 1 || nretries >= max_cswd_read_retries) {
+ if (nretries > 1 || nretries >= max_retries) {
pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n",
smp_processor_id(), watchdog->name, nretries);
}
diff --git a/tools/testing/selftests/rcutorture/bin/torture.sh b/tools/testing/selftests/rcutorture/bin/torture.sh
index 91bca30e8587c..483f22f5abd7c 100755
--- a/tools/testing/selftests/rcutorture/bin/torture.sh
+++ b/tools/testing/selftests/rcutorture/bin/torture.sh
@@ -408,7 +408,7 @@ then
torture_bootargs="rcupdate.rcu_cpu_stall_suppress_at_boot=1 torture.disable_onoff_at_boot rcupdate.rcu_task_stall_timeout=30000 tsc=watchdog"
torture_set "clocksourcewd-1" tools/testing/selftests/rcutorture/bin/kvm.sh --allcpus --duration 45s --configs TREE03 --kconfig "CONFIG_TEST_CLOCKSOURCE_WATCHDOG=y" --trust-make
- torture_bootargs="rcupdate.rcu_cpu_stall_suppress_at_boot=1 torture.disable_onoff_at_boot rcupdate.rcu_task_stall_timeout=30000 clocksource.max_cswd_read_retries=1 tsc=watchdog"
+ torture_bootargs="rcupdate.rcu_cpu_stall_suppress_at_boot=1 torture.disable_onoff_at_boot rcupdate.rcu_task_stall_timeout=30000 tsc=watchdog"
torture_set "clocksourcewd-2" tools/testing/selftests/rcutorture/bin/kvm.sh --allcpus --duration 45s --configs TREE03 --kconfig "CONFIG_TEST_CLOCKSOURCE_WATCHDOG=y" --trust-make
# In case our work is already done...
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 105/150] clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 104/150] clocksource: Scale the watchdog read retries automatically Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 106/150] driver core: Fix uevent_show() vs driver detach race Greg Kroah-Hartman
` (47 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Borislav Petkov, Paul E. McKenney,
Thomas Gleixner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
[ Upstream commit f2655ac2c06a15558e51ed6529de280e1553c86e ]
The current "nretries > 1 || nretries >= max_retries" check in
cs_watchdog_read() will always evaluate to true, and thus pr_warn(), if
nretries is greater than 1. The intent is instead to never warn on the
first try, but otherwise warn if the successful retry was the last retry.
Therefore, change that "||" to "&&".
Fixes: db3a34e17433 ("clocksource: Retry clock read if long delays detected")
Reported-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20240802154618.4149953-2-paulmck@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/clocksource.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index 6d5a0fc98e398..cd9a59011dee9 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -235,7 +235,7 @@ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow,
wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult,
watchdog->shift);
if (wd_delay <= WATCHDOG_MAX_SKEW) {
- if (nretries > 1 || nretries >= max_retries) {
+ if (nretries > 1 && nretries >= max_retries) {
pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n",
smp_processor_id(), watchdog->name, nretries);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 156+ messages in thread* [PATCH 6.1 106/150] driver core: Fix uevent_show() vs driver detach race
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 105/150] clocksource: Fix brown-bag boolean thinko in cs_watchdog_read() Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 107/150] ntp: Safeguard against time_constant overflow Greg Kroah-Hartman
` (46 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4762dd74e32532cda5ff,
Tetsuo Handa, Ashish Sangwan, Namjae Jeon, Dirk Behme,
Rafael J. Wysocki, Dan Williams
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Williams <dan.j.williams@intel.com>
commit 15fffc6a5624b13b428bb1c6e9088e32a55eb82c upstream.
uevent_show() wants to de-reference dev->driver->name. There is no clean
way for a device attribute to de-reference dev->driver unless that
attribute is defined via (struct device_driver).dev_groups. Instead, the
anti-pattern of taking the device_lock() in the attribute handler risks
deadlocks with code paths that remove device attributes while holding
the lock.
This deadlock is typically invisible to lockdep given the device_lock()
is marked lockdep_set_novalidate_class(), but some subsystems allocate a
local lockdep key for @dev->mutex to reveal reports of the form:
======================================================
WARNING: possible circular locking dependency detected
6.10.0-rc7+ #275 Tainted: G OE N
------------------------------------------------------
modprobe/2374 is trying to acquire lock:
ffff8c2270070de0 (kn->active#6){++++}-{0:0}, at: __kernfs_remove+0xde/0x220
but task is already holding lock:
ffff8c22016e88f8 (&cxl_root_key){+.+.}-{3:3}, at: device_release_driver_internal+0x39/0x210
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&cxl_root_key){+.+.}-{3:3}:
__mutex_lock+0x99/0xc30
uevent_show+0xac/0x130
dev_attr_show+0x18/0x40
sysfs_kf_seq_show+0xac/0xf0
seq_read_iter+0x110/0x450
vfs_read+0x25b/0x340
ksys_read+0x67/0xf0
do_syscall_64+0x75/0x190
entry_SYSCALL_64_after_hwframe+0x76/0x7e
-> #0 (kn->active#6){++++}-{0:0}:
__lock_acquire+0x121a/0x1fa0
lock_acquire+0xd6/0x2e0
kernfs_drain+0x1e9/0x200
__kernfs_remove+0xde/0x220
kernfs_remove_by_name_ns+0x5e/0xa0
device_del+0x168/0x410
device_unregister+0x13/0x60
devres_release_all+0xb8/0x110
device_unbind_cleanup+0xe/0x70
device_release_driver_internal+0x1c7/0x210
driver_detach+0x47/0x90
bus_remove_driver+0x6c/0xf0
cxl_acpi_exit+0xc/0x11 [cxl_acpi]
__do_sys_delete_module.isra.0+0x181/0x260
do_syscall_64+0x75/0x190
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The observation though is that driver objects are typically much longer
lived than device objects. It is reasonable to perform lockless
de-reference of a @driver pointer even if it is racing detach from a
device. Given the infrequency of driver unregistration, use
synchronize_rcu() in module_remove_driver() to close any potential
races. It is potentially overkill to suffer synchronize_rcu() just to
handle the rare module removal racing uevent_show() event.
Thanks to Tetsuo Handa for the debug analysis of the syzbot report [1].
Fixes: c0a40097f0bc ("drivers: core: synchronize really_probe() and dev_uevent()")
Reported-by: syzbot+4762dd74e32532cda5ff@syzkaller.appspotmail.com
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Closes: http://lore.kernel.org/5aa5558f-90a4-4864-b1b1-5d6784c5607d@I-love.SAKURA.ne.jp [1]
Link: http://lore.kernel.org/669073b8ea479_5fffa294c1@dwillia2-xfh.jf.intel.com.notmuch
Cc: stable@vger.kernel.org
Cc: Ashish Sangwan <a.sangwan@samsung.com>
Cc: Namjae Jeon <namjae.jeon@samsung.com>
Cc: Dirk Behme <dirk.behme@de.bosch.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Rafael J. Wysocki <rafael@kernel.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Link: https://lore.kernel.org/r/172081332794.577428.9738802016494057132.stgit@dwillia2-xfh.jf.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/core.c | 13 ++++++++-----
drivers/base/module.c | 4 ++++
2 files changed, 12 insertions(+), 5 deletions(-)
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -25,6 +25,7 @@
#include <linux/mutex.h>
#include <linux/pm_runtime.h>
#include <linux/netdevice.h>
+#include <linux/rcupdate.h>
#include <linux/sched/signal.h>
#include <linux/sched/mm.h>
#include <linux/swiotlb.h>
@@ -2558,6 +2559,7 @@ static const char *dev_uevent_name(struc
static int dev_uevent(struct kobject *kobj, struct kobj_uevent_env *env)
{
struct device *dev = kobj_to_dev(kobj);
+ struct device_driver *driver;
int retval = 0;
/* add device node properties if present */
@@ -2586,8 +2588,12 @@ static int dev_uevent(struct kobject *ko
if (dev->type && dev->type->name)
add_uevent_var(env, "DEVTYPE=%s", dev->type->name);
- if (dev->driver)
- add_uevent_var(env, "DRIVER=%s", dev->driver->name);
+ /* Synchronize with module_remove_driver() */
+ rcu_read_lock();
+ driver = READ_ONCE(dev->driver);
+ if (driver)
+ add_uevent_var(env, "DRIVER=%s", driver->name);
+ rcu_read_unlock();
/* Add common DT information about the device */
of_device_uevent(dev, env);
@@ -2657,11 +2663,8 @@ static ssize_t uevent_show(struct device
if (!env)
return -ENOMEM;
- /* Synchronize with really_probe() */
- device_lock(dev);
/* let the kset specific function add its keys */
retval = kset->uevent_ops->uevent(&dev->kobj, env);
- device_unlock(dev);
if (retval)
goto out;
--- a/drivers/base/module.c
+++ b/drivers/base/module.c
@@ -7,6 +7,7 @@
#include <linux/errno.h>
#include <linux/slab.h>
#include <linux/string.h>
+#include <linux/rcupdate.h>
#include "base.h"
static char *make_driver_name(struct device_driver *drv)
@@ -77,6 +78,9 @@ void module_remove_driver(struct device_
if (!drv)
return;
+ /* Synchronize with dev_uevent() */
+ synchronize_rcu();
+
sysfs_remove_link(&drv->p->kobj, "module");
if (drv->owner)
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 107/150] ntp: Safeguard against time_constant overflow
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 106/150] driver core: Fix uevent_show() vs driver detach race Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 108/150] timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex() Greg Kroah-Hartman
` (45 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Stitt, Thomas Gleixner,
Miroslav Lichvar
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Stitt <justinstitt@google.com>
commit 06c03c8edce333b9ad9c6b207d93d3a5ae7c10c0 upstream.
Using syzkaller with the recently reintroduced signed integer overflow
sanitizer produces this UBSAN report:
UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:738:18
9223372036854775806 + 4 cannot be represented in type 'long'
Call Trace:
handle_overflow+0x171/0x1b0
__do_adjtimex+0x1236/0x1440
do_adjtimex+0x2be/0x740
The user supplied time_constant value is incremented by four and then
clamped to the operating range.
Before commit eea83d896e31 ("ntp: NTP4 user space bits update") the user
supplied value was sanity checked to be in the operating range. That change
removed the sanity check and relied on clamping after incrementing which
does not work correctly when the user supplied value is in the overflow
zone of the '+ 4' operation.
The operation requires CAP_SYS_TIME and the side effect of the overflow is
NTP getting out of sync.
Similar to the fixups for time_maxerror and time_esterror, clamp the user
space supplied value to the operating range.
[ tglx: Switch to clamping ]
Fixes: eea83d896e31 ("ntp: NTP4 user space bits update")
Signed-off-by: Justin Stitt <justinstitt@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Miroslav Lichvar <mlichvar@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20240517-b4-sio-ntp-c-v2-1-f3a80096f36f@google.com
Closes: https://github.com/KSPP/linux/issues/352
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/ntp.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -733,11 +733,10 @@ static inline void process_adjtimex_mode
time_esterror = clamp(txc->esterror, 0, NTP_PHASE_LIMIT);
if (txc->modes & ADJ_TIMECONST) {
- time_constant = txc->constant;
+ time_constant = clamp(txc->constant, 0, MAXTC);
if (!(time_status & STA_NANO))
time_constant += 4;
- time_constant = min(time_constant, (long)MAXTC);
- time_constant = max(time_constant, 0l);
+ time_constant = clamp(time_constant, 0, MAXTC);
}
if (txc->modes & ADJ_TAI &&
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 108/150] timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 107/150] ntp: Safeguard against time_constant overflow Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 109/150] serial: core: check uartclk for zero to avoid divide by zero Greg Kroah-Hartman
` (44 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Gleixner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 5916be8a53de6401871bdd953f6c60237b47d6d3 upstream.
The addition of the bases argument to clock_was_set() fixed up all call
sites correctly except for do_adjtimex(). This uses CLOCK_REALTIME
instead of CLOCK_SET_WALL as argument. CLOCK_REALTIME is 0.
As a result the effect of that clock_was_set() notification is incomplete
and might result in timers expiring late because the hrtimer code does
not re-evaluate the affected clock bases.
Use CLOCK_SET_WALL instead of CLOCK_REALTIME to tell the hrtimers code
which clock bases need to be re-evaluated.
Fixes: 17a1b8826b45 ("hrtimer: Add bases argument to clock_was_set()")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/877ccx7igo.ffs@tglx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/timekeeping.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -2476,7 +2476,7 @@ int do_adjtimex(struct __kernel_timex *t
clock_set |= timekeeping_advance(TK_ADV_FREQ);
if (clock_set)
- clock_was_set(CLOCK_REALTIME);
+ clock_was_set(CLOCK_SET_WALL);
ntp_notify_cmos_timer();
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 109/150] serial: core: check uartclk for zero to avoid divide by zero
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 108/150] timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex() Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 110/150] parisc: fix a possible DMA corruption Greg Kroah-Hartman
` (43 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzkaller, George Kennedy
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: George Kennedy <george.kennedy@oracle.com>
commit 6eabce6608d6f3440f4c03aa3d3ef50a47a3d193 upstream.
Calling ioctl TIOCSSERIAL with an invalid baud_base can
result in uartclk being zero, which will result in a
divide by zero error in uart_get_divisor(). The check for
uartclk being zero in uart_set_info() needs to be done
before other settings are made as subsequent calls to
ioctl TIOCSSERIAL for the same port would be impacted if
the uartclk check was done where uartclk gets set.
Oops: divide error: 0000 PREEMPT SMP KASAN PTI
RIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580)
Call Trace:
<TASK>
serial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576
drivers/tty/serial/8250/8250_port.c:2589)
serial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502
drivers/tty/serial/8250/8250_port.c:2741)
serial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862)
uart_change_line_settings (./include/linux/spinlock.h:376
./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222)
uart_port_startup (drivers/tty/serial/serial_core.c:342)
uart_startup (drivers/tty/serial/serial_core.c:368)
uart_set_info (drivers/tty/serial/serial_core.c:1034)
uart_set_info_user (drivers/tty/serial/serial_core.c:1059)
tty_set_serial (drivers/tty/tty_io.c:2637)
tty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791)
__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907
fs/ioctl.c:893 fs/ioctl.c:893)
do_syscall_64 (arch/x86/entry/common.c:52
(discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Reported-by: syzkaller <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Rule: add
Link: https://lore.kernel.org/stable/1721148848-9784-1-git-send-email-george.kennedy%40oracle.com
Link: https://lore.kernel.org/r/1721219078-3209-1-git-send-email-george.kennedy@oracle.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/serial_core.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -846,6 +846,14 @@ static int uart_set_info(struct tty_stru
new_flags = (__force upf_t)new_info->flags;
old_custom_divisor = uport->custom_divisor;
+ if (!(uport->flags & UPF_FIXED_PORT)) {
+ unsigned int uartclk = new_info->baud_base * 16;
+ /* check needs to be done here before other settings made */
+ if (uartclk == 0) {
+ retval = -EINVAL;
+ goto exit;
+ }
+ }
if (!capable(CAP_SYS_ADMIN)) {
retval = -EPERM;
if (change_irq || change_port ||
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 110/150] parisc: fix a possible DMA corruption
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 109/150] serial: core: check uartclk for zero to avoid divide by zero Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 111/150] ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx Greg Kroah-Hartman
` (42 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 7ae04ba36b381bffe2471eff3a93edced843240f upstream.
ARCH_DMA_MINALIGN was defined as 16 - this is too small - it may be
possible that two unrelated 16-byte allocations share a cache line. If
one of these allocations is written using DMA and the other is written
using cached write, the value that was written with DMA may be
corrupted.
This commit changes ARCH_DMA_MINALIGN to be 128 on PA20 and 32 on PA1.1 -
that's the largest possible cache line size.
As different parisc microarchitectures have different cache line size, we
define arch_slab_minalign(), cache_line_size() and
dma_get_cache_alignment() so that the kernel may tune slab cache
parameters dynamically, based on the detected cache line size.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/Kconfig | 1 +
arch/parisc/include/asm/cache.h | 11 ++++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -18,6 +18,7 @@ config PARISC
select ARCH_SUPPORTS_HUGETLBFS if PA20
select ARCH_SUPPORTS_MEMORY_FAILURE
select ARCH_STACKWALK
+ select ARCH_HAS_CACHE_LINE_SIZE
select ARCH_HAS_DEBUG_VM_PGTABLE
select HAVE_RELIABLE_STACKTRACE
select DMA_OPS
--- a/arch/parisc/include/asm/cache.h
+++ b/arch/parisc/include/asm/cache.h
@@ -20,7 +20,16 @@
#define SMP_CACHE_BYTES L1_CACHE_BYTES
-#define ARCH_DMA_MINALIGN L1_CACHE_BYTES
+#ifdef CONFIG_PA20
+#define ARCH_DMA_MINALIGN 128
+#else
+#define ARCH_DMA_MINALIGN 32
+#endif
+#define ARCH_KMALLOC_MINALIGN 16 /* ldcw requires 16-byte alignment */
+
+#define arch_slab_minalign() ((unsigned)dcache_stride)
+#define cache_line_size() dcache_stride
+#define dma_get_cache_alignment cache_line_size
#define __read_mostly __section(".data..read_mostly")
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 111/150] ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 110/150] parisc: fix a possible DMA corruption Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 112/150] kcov: properly check for softirq context Greg Kroah-Hartman
` (41 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 6675e76a5c441b52b1b983ebb714122087020ebe upstream.
Fix the missing mic on OMEN by HP Gaming Laptop 16-n0xxx by adding the
quirk entry with the board ID 8A44.
Cc: stable@vger.kernel.org
Link: https://bugzilla.suse.com/show_bug.cgi?id=1227182
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20240807170249.16490-1-tiwai@suse.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -385,6 +385,13 @@ static const struct dmi_system_id yc_acp
.driver_data = &acp6x_card,
.matches = {
DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
+ DMI_MATCH(DMI_BOARD_NAME, "8A44"),
+ }
+ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
DMI_MATCH(DMI_BOARD_NAME, "8A22"),
}
},
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 112/150] kcov: properly check for softirq context
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 111/150] ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 113/150] irqchip/xilinx: Fix shift out of bounds Greg Kroah-Hartman
` (40 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Konovalov,
syzbot+2388cdaeb6b10f0c13ac, Marco Elver, Alan Stern,
Aleksandr Nogikh, Alexander Potapenko, Dmitry Vyukov,
Marcello Sylvester Bauer, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Konovalov <andreyknvl@gmail.com>
commit 7d4df2dad312f270d62fecb0e5c8b086c6d7dcfc upstream.
When collecting coverage from softirqs, KCOV uses in_serving_softirq() to
check whether the code is running in the softirq context. Unfortunately,
in_serving_softirq() is > 0 even when the code is running in the hardirq
or NMI context for hardirqs and NMIs that happened during a softirq.
As a result, if a softirq handler contains a remote coverage collection
section and a hardirq with another remote coverage collection section
happens during handling the softirq, KCOV incorrectly detects a nested
softirq coverate collection section and prints a WARNING, as reported by
syzbot.
This issue was exposed by commit a7f3813e589f ("usb: gadget: dummy_hcd:
Switch to hrtimer transfer scheduler"), which switched dummy_hcd to using
hrtimer and made the timer's callback be executed in the hardirq context.
Change the related checks in KCOV to account for this behavior of
in_serving_softirq() and make KCOV ignore remote coverage collection
sections in the hardirq and NMI contexts.
This prevents the WARNING printed by syzbot but does not fix the inability
of KCOV to collect coverage from the __usb_hcd_giveback_urb when dummy_hcd
is in use (caused by a7f3813e589f); a separate patch is required for that.
Link: https://lkml.kernel.org/r/20240729022158.92059-1-andrey.konovalov@linux.dev
Fixes: 5ff3b30ab57d ("kcov: collect coverage from interrupts")
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
Reported-by: syzbot+2388cdaeb6b10f0c13ac@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2388cdaeb6b10f0c13ac
Acked-by: Marco Elver <elver@google.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Aleksandr Nogikh <nogikh@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Marcello Sylvester Bauer <sylv@sylv.io>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kcov.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/kernel/kcov.c
+++ b/kernel/kcov.c
@@ -161,6 +161,15 @@ static void kcov_remote_area_put(struct
kmsan_unpoison_memory(&area->list, sizeof(area->list));
}
+/*
+ * Unlike in_serving_softirq(), this function returns false when called during
+ * a hardirq or an NMI that happened in the softirq context.
+ */
+static inline bool in_softirq_really(void)
+{
+ return in_serving_softirq() && !in_hardirq() && !in_nmi();
+}
+
static notrace bool check_kcov_mode(enum kcov_mode needed_mode, struct task_struct *t)
{
unsigned int mode;
@@ -170,7 +179,7 @@ static notrace bool check_kcov_mode(enum
* so we ignore code executed in interrupts, unless we are in a remote
* coverage collection section in a softirq.
*/
- if (!in_task() && !(in_serving_softirq() && t->kcov_softirq))
+ if (!in_task() && !(in_softirq_really() && t->kcov_softirq))
return false;
mode = READ_ONCE(t->kcov_mode);
/*
@@ -847,7 +856,7 @@ void kcov_remote_start(u64 handle)
if (WARN_ON(!kcov_check_handle(handle, true, true, true)))
return;
- if (!in_task() && !in_serving_softirq())
+ if (!in_task() && !in_softirq_really())
return;
local_lock_irqsave(&kcov_percpu_data.lock, flags);
@@ -989,7 +998,7 @@ void kcov_remote_stop(void)
int sequence;
unsigned long flags;
- if (!in_task() && !in_serving_softirq())
+ if (!in_task() && !in_softirq_really())
return;
local_lock_irqsave(&kcov_percpu_data.lock, flags);
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 113/150] irqchip/xilinx: Fix shift out of bounds
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 112/150] kcov: properly check for softirq context Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 114/150] genirq/irqdesc: Honor caller provided affinity in alloc_desc() Greg Kroah-Hartman
` (39 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Radhey Shyam Pandey, Thomas Gleixner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
commit d73f0f49daa84176c3beee1606e73c7ffb6af8b2 upstream.
The device tree property 'xlnx,kind-of-intr' is sanity checked that the
bitmask contains only set bits which are in the range of the number of
interrupts supported by the controller.
The check is done by shifting the mask right by the number of supported
interrupts and checking the result for zero.
The data type of the mask is u32 and the number of supported interrupts is
up to 32. In case of 32 interrupts the shift is out of bounds, resulting in
a mismatch warning. The out of bounds condition is also reported by UBSAN:
UBSAN: shift-out-of-bounds in irq-xilinx-intc.c:332:22
shift exponent 32 is too large for 32-bit type 'unsigned int'
Fix it by promoting the mask to u64 for the test.
Fixes: d50466c90724 ("microblaze: intc: Refactor DT sanity check")
Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/1723186944-3571957-1-git-send-email-radhey.shyam.pandey@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-xilinx-intc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/irqchip/irq-xilinx-intc.c
+++ b/drivers/irqchip/irq-xilinx-intc.c
@@ -189,7 +189,7 @@ static int __init xilinx_intc_of_init(st
irqc->intr_mask = 0;
}
- if (irqc->intr_mask >> irqc->nr_irq)
+ if ((u64)irqc->intr_mask >> irqc->nr_irq)
pr_warn("irq-xilinx: mismatch in kind-of-intr param\n");
pr_info("irq-xilinx: %pOF: num_irq=%d, edge=0x%x\n",
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 114/150] genirq/irqdesc: Honor caller provided affinity in alloc_desc()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 113/150] irqchip/xilinx: Fix shift out of bounds Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 115/150] power: supply: axp288_charger: Fix constant_charge_voltage writes Greg Kroah-Hartman
` (38 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shay Drory, Thomas Gleixner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
commit edbbaae42a56f9a2b39c52ef2504dfb3fb0a7858 upstream.
Currently, whenever a caller is providing an affinity hint for an
interrupt, the allocation code uses it to calculate the node and copies the
cpumask into irq_desc::affinity.
If the affinity for the interrupt is not marked 'managed' then the startup
of the interrupt ignores irq_desc::affinity and uses the system default
affinity mask.
Prevent this by setting the IRQD_AFFINITY_SET flag for the interrupt in the
allocator, which causes irq_setup_affinity() to use irq_desc::affinity on
interrupt startup if the mask contains an online CPU.
[ tglx: Massaged changelog ]
Fixes: 45ddcecbfa94 ("genirq: Use affinity hint in irqdesc allocation")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/all/20240806072044.837827-1-shayd@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/irq/irqdesc.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/irq/irqdesc.c
+++ b/kernel/irq/irqdesc.c
@@ -493,6 +493,7 @@ static int alloc_descs(unsigned int star
flags = IRQD_AFFINITY_MANAGED |
IRQD_MANAGED_SHUTDOWN;
}
+ flags |= IRQD_AFFINITY_SET;
mask = &affinity->mask;
node = cpu_to_node(cpumask_first(mask));
affinity++;
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 115/150] power: supply: axp288_charger: Fix constant_charge_voltage writes
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 114/150] genirq/irqdesc: Honor caller provided affinity in alloc_desc() Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 116/150] power: supply: axp288_charger: Round constant_charge_voltage writes down Greg Kroah-Hartman
` (37 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Sebastian Reichel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit b34ce4a59cfe9cd0d6f870e6408e8ec88a964585 upstream.
info->max_cv is in millivolts, divide the microvolt value being written
to constant_charge_voltage by 1000 *before* clamping it to info->max_cv.
Before this fix the code always tried to set constant_charge_voltage
to max_cv / 1000 = 4 millivolt, which ends up in setting it to 4.1V
which is the lowest supported value.
Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver")
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20240717200333.56669-1-hdegoede@redhat.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/supply/axp288_charger.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/power/supply/axp288_charger.c
+++ b/drivers/power/supply/axp288_charger.c
@@ -337,8 +337,8 @@ static int axp288_charger_usb_set_proper
}
break;
case POWER_SUPPLY_PROP_CONSTANT_CHARGE_VOLTAGE:
- scaled_val = min(val->intval, info->max_cv);
- scaled_val = DIV_ROUND_CLOSEST(scaled_val, 1000);
+ scaled_val = DIV_ROUND_CLOSEST(val->intval, 1000);
+ scaled_val = min(scaled_val, info->max_cv);
ret = axp288_charger_set_cv(info, scaled_val);
if (ret < 0) {
dev_warn(&info->pdev->dev, "set charge voltage failed\n");
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 116/150] power: supply: axp288_charger: Round constant_charge_voltage writes down
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 115/150] power: supply: axp288_charger: Fix constant_charge_voltage writes Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 117/150] tracing: Fix overflow in get_free_elt() Greg Kroah-Hartman
` (36 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Sebastian Reichel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 81af7f2342d162e24ac820c10e68684d9f927663 upstream.
Round constant_charge_voltage writes down to the first supported lower
value, rather then rounding them up to the first supported higher value.
This fixes e.g. writing 4250000 resulting in a value of 4350000 which
might be dangerous, instead writing 4250000 will now result in a safe
4200000 value.
Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver")
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20240717200333.56669-2-hdegoede@redhat.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/supply/axp288_charger.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/drivers/power/supply/axp288_charger.c
+++ b/drivers/power/supply/axp288_charger.c
@@ -178,18 +178,18 @@ static inline int axp288_charger_set_cv(
u8 reg_val;
int ret;
- if (cv <= CV_4100MV) {
- reg_val = CHRG_CCCV_CV_4100MV;
- cv = CV_4100MV;
- } else if (cv <= CV_4150MV) {
- reg_val = CHRG_CCCV_CV_4150MV;
- cv = CV_4150MV;
- } else if (cv <= CV_4200MV) {
+ if (cv >= CV_4350MV) {
+ reg_val = CHRG_CCCV_CV_4350MV;
+ cv = CV_4350MV;
+ } else if (cv >= CV_4200MV) {
reg_val = CHRG_CCCV_CV_4200MV;
cv = CV_4200MV;
+ } else if (cv >= CV_4150MV) {
+ reg_val = CHRG_CCCV_CV_4150MV;
+ cv = CV_4150MV;
} else {
- reg_val = CHRG_CCCV_CV_4350MV;
- cv = CV_4350MV;
+ reg_val = CHRG_CCCV_CV_4100MV;
+ cv = CV_4100MV;
}
reg_val = reg_val << CHRG_CCCV_CV_BIT_POS;
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 117/150] tracing: Fix overflow in get_free_elt()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 116/150] power: supply: axp288_charger: Round constant_charge_voltage writes down Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 118/150] padata: Fix possible divide-by-0 panic in padata_mt_helper() Greg Kroah-Hartman
` (35 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Cheng-Jui Wang,
Tze-nan Wu, Steven Rostedt (Google)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tze-nan Wu <Tze-nan.Wu@mediatek.com>
commit bcf86c01ca4676316557dd482c8416ece8c2e143 upstream.
"tracing_map->next_elt" in get_free_elt() is at risk of overflowing.
Once it overflows, new elements can still be inserted into the tracing_map
even though the maximum number of elements (`max_elts`) has been reached.
Continuing to insert elements after the overflow could result in the
tracing_map containing "tracing_map->max_size" elements, leaving no empty
entries.
If any attempt is made to insert an element into a full tracing_map using
`__tracing_map_insert()`, it will cause an infinite loop with preemption
disabled, leading to a CPU hang problem.
Fix this by preventing any further increments to "tracing_map->next_elt"
once it reaches "tracing_map->max_elt".
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Fixes: 08d43a5fa063e ("tracing: Add lock-free tracing_map")
Co-developed-by: Cheng-Jui Wang <cheng-jui.wang@mediatek.com>
Link: https://lore.kernel.org/20240805055922.6277-1-Tze-nan.Wu@mediatek.com
Signed-off-by: Cheng-Jui Wang <cheng-jui.wang@mediatek.com>
Signed-off-by: Tze-nan Wu <Tze-nan.Wu@mediatek.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/tracing_map.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/trace/tracing_map.c
+++ b/kernel/trace/tracing_map.c
@@ -454,7 +454,7 @@ static struct tracing_map_elt *get_free_
struct tracing_map_elt *elt = NULL;
int idx;
- idx = atomic_inc_return(&map->next_elt);
+ idx = atomic_fetch_add_unless(&map->next_elt, 1, map->max_elts);
if (idx < map->max_elts) {
elt = *(TRACING_MAP_ELT(map->elts, idx));
if (map->ops && map->ops->elt_init)
@@ -699,7 +699,7 @@ void tracing_map_clear(struct tracing_ma
{
unsigned int i;
- atomic_set(&map->next_elt, -1);
+ atomic_set(&map->next_elt, 0);
atomic64_set(&map->hits, 0);
atomic64_set(&map->drops, 0);
@@ -783,7 +783,7 @@ struct tracing_map *tracing_map_create(u
map->map_bits = map_bits;
map->max_elts = (1 << map_bits);
- atomic_set(&map->next_elt, -1);
+ atomic_set(&map->next_elt, 0);
map->map_size = (1 << (map_bits + 1));
map->ops = ops;
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 118/150] padata: Fix possible divide-by-0 panic in padata_mt_helper()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 117/150] tracing: Fix overflow in get_free_elt() Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 119/150] smb3: fix setting SecurityFlags when encryption is required Greg Kroah-Hartman
` (34 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Daniel Jordan,
Steffen Klassert, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
commit 6d45e1c948a8b7ed6ceddb14319af69424db730c upstream.
We are hit with a not easily reproducible divide-by-0 panic in padata.c at
bootup time.
[ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI
[ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1
[ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021
[ 10.017908] Workqueue: events_unbound padata_mt_helper
[ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0
:
[ 10.017963] Call Trace:
[ 10.017968] <TASK>
[ 10.018004] ? padata_mt_helper+0x39/0xb0
[ 10.018084] process_one_work+0x174/0x330
[ 10.018093] worker_thread+0x266/0x3a0
[ 10.018111] kthread+0xcf/0x100
[ 10.018124] ret_from_fork+0x31/0x50
[ 10.018138] ret_from_fork_asm+0x1a/0x30
[ 10.018147] </TASK>
Looking at the padata_mt_helper() function, the only way a divide-by-0
panic can happen is when ps->chunk_size is 0. The way that chunk_size is
initialized in padata_do_multithreaded(), chunk_size can be 0 when the
min_chunk in the passed-in padata_mt_job structure is 0.
Fix this divide-by-0 panic by making sure that chunk_size will be at least
1 no matter what the input parameters are.
Link: https://lkml.kernel.org/r/20240806174647.1050398-1-longman@redhat.com
Fixes: 004ed42638f4 ("padata: add basic support for multithreaded jobs")
Signed-off-by: Waiman Long <longman@redhat.com>
Cc: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Waiman Long <longman@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/padata.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -508,6 +508,13 @@ void __init padata_do_multithreaded(stru
ps.chunk_size = max(ps.chunk_size, job->min_chunk);
ps.chunk_size = roundup(ps.chunk_size, job->align);
+ /*
+ * chunk_size can be 0 if the caller sets min_chunk to 0. So force it
+ * to at least 1 to prevent divide-by-0 panic in padata_mt_helper().`
+ */
+ if (!ps.chunk_size)
+ ps.chunk_size = 1U;
+
list_for_each_entry(pw, &works, pw_list)
queue_work(system_unbound_wq, &pw->pw_work);
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 119/150] smb3: fix setting SecurityFlags when encryption is required
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 118/150] padata: Fix possible divide-by-0 panic in padata_mt_helper() Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 120/150] btrfs: avoid using fixed char array size for tree names Greg Kroah-Hartman
` (33 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bharath SM, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve French <stfrench@microsoft.com>
commit 1b5487aefb1ce7a6b1f15a33297d1231306b4122 upstream.
Setting encryption as required in security flags was broken.
For example (to require all mounts to be encrypted by setting):
"echo 0x400c5 > /proc/fs/cifs/SecurityFlags"
Would return "Invalid argument" and log "Unsupported security flags"
This patch fixes that (e.g. allowing overriding the default for
SecurityFlags 0x00c5, including 0x40000 to require seal, ie
SMB3.1.1 encryption) so now that works and forces encryption
on subsequent mounts.
Acked-by: Bharath SM <bharathsm@microsoft.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/admin-guide/cifs/usage.rst | 2 +-
fs/smb/client/cifs_debug.c | 2 +-
fs/smb/client/cifsglob.h | 8 ++++----
fs/smb/client/smb2pdu.c | 3 +++
4 files changed, 9 insertions(+), 6 deletions(-)
--- a/Documentation/admin-guide/cifs/usage.rst
+++ b/Documentation/admin-guide/cifs/usage.rst
@@ -741,7 +741,7 @@ SecurityFlags Flags which control secur
may use NTLMSSP 0x00080
must use NTLMSSP 0x80080
seal (packet encryption) 0x00040
- must seal (not implemented yet) 0x40040
+ must seal 0x40040
cifsFYI If set to non-zero value, additional debug information
will be logged to the system error log. This field
--- a/fs/smb/client/cifs_debug.c
+++ b/fs/smb/client/cifs_debug.c
@@ -960,7 +960,7 @@ static int cifs_security_flags_proc_open
static void
cifs_security_flags_handle_must_flags(unsigned int *flags)
{
- unsigned int signflags = *flags & CIFSSEC_MUST_SIGN;
+ unsigned int signflags = *flags & (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL);
if ((*flags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5)
*flags = CIFSSEC_MUST_KRB5;
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -1820,7 +1820,7 @@ static inline bool is_retryable_error(in
#define CIFSSEC_MAY_SIGN 0x00001
#define CIFSSEC_MAY_NTLMV2 0x00004
#define CIFSSEC_MAY_KRB5 0x00008
-#define CIFSSEC_MAY_SEAL 0x00040 /* not supported yet */
+#define CIFSSEC_MAY_SEAL 0x00040
#define CIFSSEC_MAY_NTLMSSP 0x00080 /* raw ntlmssp with ntlmv2 */
#define CIFSSEC_MUST_SIGN 0x01001
@@ -1830,11 +1830,11 @@ require use of the stronger protocol */
#define CIFSSEC_MUST_NTLMV2 0x04004
#define CIFSSEC_MUST_KRB5 0x08008
#ifdef CONFIG_CIFS_UPCALL
-#define CIFSSEC_MASK 0x8F08F /* flags supported if no weak allowed */
+#define CIFSSEC_MASK 0xCF0CF /* flags supported if no weak allowed */
#else
-#define CIFSSEC_MASK 0x87087 /* flags supported if no weak allowed */
+#define CIFSSEC_MASK 0xC70C7 /* flags supported if no weak allowed */
#endif /* UPCALL */
-#define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */
+#define CIFSSEC_MUST_SEAL 0x40040
#define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */
#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -80,6 +80,9 @@ int smb3_encryption_required(const struc
if (tcon->seal &&
(tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
return 1;
+ if (((global_secflags & CIFSSEC_MUST_SEAL) == CIFSSEC_MUST_SEAL) &&
+ (tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
+ return 1;
return 0;
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 120/150] btrfs: avoid using fixed char array size for tree names
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 119/150] smb3: fix setting SecurityFlags when encryption is required Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 121/150] x86/mtrr: Check if fixed MTRRs exist before saving them Greg Kroah-Hartman
` (32 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam James, Alejandro Colomar,
Johannes Thumshirn, Qu Wenruo, David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 12653ec36112ab55fa06c01db7c4432653d30a8d upstream.
[BUG]
There is a bug report that using the latest trunk GCC 15, btrfs would cause
unterminated-string-initialization warning:
linux-6.6/fs/btrfs/print-tree.c:29:49: error: initializer-string for array of ‘char’ is too long [-Werror=unterminated-string-initialization]
29 | { BTRFS_BLOCK_GROUP_TREE_OBJECTID, "BLOCK_GROUP_TREE" },
|
^~~~~~~~~~~~~~~~~~
[CAUSE]
To print tree names we have an array of root_name_map structure, which
uses "char name[16];" to store the name string of a tree.
But the following trees have names exactly at 16 chars length:
- "BLOCK_GROUP_TREE"
- "RAID_STRIPE_TREE"
This means we will have no space for the terminating '\0', and can lead
to unexpected access when printing the name.
[FIX]
Instead of "char name[16];" use "const char *" instead.
Since the name strings are all read-only data, and are all NULL
terminated by default, there is not much need to bother the length at
all.
Reported-by: Sam James <sam@gentoo.org>
Reported-by: Alejandro Colomar <alx@kernel.org>
Fixes: edde81f1abf29 ("btrfs: add raid stripe tree pretty printer")
Fixes: 9c54e80ddc6bd ("btrfs: add code to support the block group root")
CC: stable@vger.kernel.org # 6.1+
Suggested-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/print-tree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/btrfs/print-tree.c
+++ b/fs/btrfs/print-tree.c
@@ -9,7 +9,7 @@
struct root_name_map {
u64 id;
- char name[16];
+ const char *name;
};
static const struct root_name_map root_map[] = {
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 121/150] x86/mtrr: Check if fixed MTRRs exist before saving them
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 120/150] btrfs: avoid using fixed char array size for tree names Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 122/150] sched/smt: Introduce sched_smt_present_inc/dec() helper Greg Kroah-Hartman
` (31 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andi Kleen, Thomas Gleixner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andi Kleen <ak@linux.intel.com>
commit 919f18f961c03d6694aa726c514184f2311a4614 upstream.
MTRRs have an obsolete fixed variant for fine grained caching control
of the 640K-1MB region that uses separate MSRs. This fixed variant has
a separate capability bit in the MTRR capability MSR.
So far all x86 CPUs which support MTRR have this separate bit set, so it
went unnoticed that mtrr_save_state() does not check the capability bit
before accessing the fixed MTRR MSRs.
Though on a CPU that does not support the fixed MTRR capability this
results in a #GP. The #GP itself is harmless because the RDMSR fault is
handled gracefully, but results in a WARN_ON().
Add the missing capability check to prevent this.
Fixes: 2b1f6278d77c ("[PATCH] x86: Save the MTRRs of the BSP before booting an AP")
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20240808000244.946864-1-ak@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/mtrr/mtrr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kernel/cpu/mtrr/mtrr.c
+++ b/arch/x86/kernel/cpu/mtrr/mtrr.c
@@ -816,7 +816,7 @@ void mtrr_save_state(void)
{
int first_cpu;
- if (!mtrr_enabled())
+ if (!mtrr_enabled() || !mtrr_state.have_fixed)
return;
first_cpu = cpumask_first(cpu_online_mask);
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 122/150] sched/smt: Introduce sched_smt_present_inc/dec() helper
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 121/150] x86/mtrr: Check if fixed MTRRs exist before saving them Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 123/150] sched/smt: Fix unbalance sched_smt_present dec/inc Greg Kroah-Hartman
` (30 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yang Yingliang,
Peter Zijlstra (Intel)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Yingliang <yangyingliang@huawei.com>
commit 31b164e2e4af84d08d2498083676e7eeaa102493 upstream.
Introduce sched_smt_present_inc/dec() helper, so it can be called
in normal or error path simply. No functional changed.
Cc: stable@kernel.org
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20240703031610.587047-2-yangyingliang@huaweicloud.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/core.c | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -9398,6 +9398,22 @@ static int cpuset_cpu_inactive(unsigned
return 0;
}
+static inline void sched_smt_present_inc(int cpu)
+{
+#ifdef CONFIG_SCHED_SMT
+ if (cpumask_weight(cpu_smt_mask(cpu)) == 2)
+ static_branch_inc_cpuslocked(&sched_smt_present);
+#endif
+}
+
+static inline void sched_smt_present_dec(int cpu)
+{
+#ifdef CONFIG_SCHED_SMT
+ if (cpumask_weight(cpu_smt_mask(cpu)) == 2)
+ static_branch_dec_cpuslocked(&sched_smt_present);
+#endif
+}
+
int sched_cpu_activate(unsigned int cpu)
{
struct rq *rq = cpu_rq(cpu);
@@ -9409,13 +9425,10 @@ int sched_cpu_activate(unsigned int cpu)
*/
balance_push_set(cpu, false);
-#ifdef CONFIG_SCHED_SMT
/*
* When going up, increment the number of cores with SMT present.
*/
- if (cpumask_weight(cpu_smt_mask(cpu)) == 2)
- static_branch_inc_cpuslocked(&sched_smt_present);
-#endif
+ sched_smt_present_inc(cpu);
set_cpu_active(cpu, true);
if (sched_smp_initialized) {
@@ -9485,13 +9498,12 @@ int sched_cpu_deactivate(unsigned int cp
}
rq_unlock_irqrestore(rq, &rf);
-#ifdef CONFIG_SCHED_SMT
/*
* When going down, decrement the number of cores with SMT present.
*/
- if (cpumask_weight(cpu_smt_mask(cpu)) == 2)
- static_branch_dec_cpuslocked(&sched_smt_present);
+ sched_smt_present_dec(cpu);
+#ifdef CONFIG_SCHED_SMT
sched_core_cpu_deactivate(cpu);
#endif
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 123/150] sched/smt: Fix unbalance sched_smt_present dec/inc
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 122/150] sched/smt: Introduce sched_smt_present_inc/dec() helper Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 124/150] drm/bridge: analogix_dp: properly handle zero sized AUX transactions Greg Kroah-Hartman
` (29 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yang Yingliang,
Peter Zijlstra (Intel), Chen Yu, Tim Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Yingliang <yangyingliang@huawei.com>
commit e22f910a26cc2a3ac9c66b8e935ef2a7dd881117 upstream.
I got the following warn report while doing stress test:
jump label: negative count!
WARNING: CPU: 3 PID: 38 at kernel/jump_label.c:263 static_key_slow_try_dec+0x9d/0xb0
Call Trace:
<TASK>
__static_key_slow_dec_cpuslocked+0x16/0x70
sched_cpu_deactivate+0x26e/0x2a0
cpuhp_invoke_callback+0x3ad/0x10d0
cpuhp_thread_fun+0x3f5/0x680
smpboot_thread_fn+0x56d/0x8d0
kthread+0x309/0x400
ret_from_fork+0x41/0x70
ret_from_fork_asm+0x1b/0x30
</TASK>
Because when cpuset_cpu_inactive() fails in sched_cpu_deactivate(),
the cpu offline failed, but sched_smt_present is decremented before
calling sched_cpu_deactivate(), it leads to unbalanced dec/inc, so
fix it by incrementing sched_smt_present in the error path.
Fixes: c5511d03ec09 ("sched/smt: Make sched_smt_present track topology")
Cc: stable@kernel.org
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Chen Yu <yu.c.chen@intel.com>
Reviewed-by: Tim Chen <tim.c.chen@linux.intel.com>
Link: https://lore.kernel.org/r/20240703031610.587047-3-yangyingliang@huaweicloud.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/core.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -9513,6 +9513,7 @@ int sched_cpu_deactivate(unsigned int cp
sched_update_numa(cpu, false);
ret = cpuset_cpu_inactive(cpu);
if (ret) {
+ sched_smt_present_inc(cpu);
balance_push_set(cpu, false);
set_cpu_active(cpu, true);
sched_update_numa(cpu, true);
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 124/150] drm/bridge: analogix_dp: properly handle zero sized AUX transactions
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 123/150] sched/smt: Fix unbalance sched_smt_present dec/inc Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 125/150] drm/dp_mst: Skip CSN if topology probing is not done yet Greg Kroah-Hartman
` (28 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lucas Stach, Robert Foss
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lucas Stach <l.stach@pengutronix.de>
commit e82290a2e0e8ec5e836ecad1ca025021b3855c2d upstream.
Address only transactions without any data are valid and should not
be flagged as short transactions. Simply return the message size when
no transaction errors occured.
CC: stable@vger.kernel.org
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Reviewed-by: Robert Foss <rfoss@kernel.org>
Signed-off-by: Robert Foss <rfoss@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240318203925.2837689-1-l.stach@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c
+++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c
@@ -1027,7 +1027,6 @@ ssize_t analogix_dp_transfer(struct anal
u32 status_reg;
u8 *buffer = msg->buffer;
unsigned int i;
- int num_transferred = 0;
int ret;
/* Buffer size of AUX CH is 16 bytes */
@@ -1079,7 +1078,6 @@ ssize_t analogix_dp_transfer(struct anal
reg = buffer[i];
writel(reg, dp->reg_base + ANALOGIX_DP_BUF_DATA_0 +
4 * i);
- num_transferred++;
}
}
@@ -1127,7 +1125,6 @@ ssize_t analogix_dp_transfer(struct anal
reg = readl(dp->reg_base + ANALOGIX_DP_BUF_DATA_0 +
4 * i);
buffer[i] = (unsigned char)reg;
- num_transferred++;
}
}
@@ -1144,7 +1141,7 @@ ssize_t analogix_dp_transfer(struct anal
(msg->request & ~DP_AUX_I2C_MOT) == DP_AUX_NATIVE_READ)
msg->reply = DP_AUX_NATIVE_REPLY_ACK;
- return num_transferred > 0 ? num_transferred : -EBUSY;
+ return msg->size;
aux_error:
/* if aux err happen, reset aux */
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 125/150] drm/dp_mst: Skip CSN if topology probing is not done yet
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 124/150] drm/bridge: analogix_dp: properly handle zero sized AUX transactions Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 126/150] drm/lima: Mark simple_ondemand governor as softdep Greg Kroah-Hartman
` (27 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lyude Paul, Harry Wentland,
Jani Nikula, Imre Deak, Daniel Vetter, Wayne Lin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wayne Lin <Wayne.Lin@amd.com>
commit ddf983488c3e8d30d5c2e2b315ae7d9cd87096ed upstream.
[Why]
During resume, observe that we receive CSN event before we start topology
probing. Handling CSN at this moment based on uncertain topology is
unnecessary.
[How]
Add checking condition in drm_dp_mst_handle_up_req() to skip handling CSN
if the topology is yet to be probed.
Cc: Lyude Paul <lyude@redhat.com>
Cc: Harry Wentland <hwentlan@amd.com>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Imre Deak <imre.deak@intel.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: stable@vger.kernel.org
Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240626084825.878565-3-Wayne.Lin@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/display/drm_dp_mst_topology.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
@@ -4024,6 +4024,7 @@ static int drm_dp_mst_handle_up_req(stru
if (up_req->msg.req_type == DP_CONNECTION_STATUS_NOTIFY) {
const struct drm_dp_connection_status_notify *conn_stat =
&up_req->msg.u.conn_stat;
+ bool handle_csn;
drm_dbg_kms(mgr->dev, "Got CSN: pn: %d ldps:%d ddps: %d mcs: %d ip: %d pdt: %d\n",
conn_stat->port_number,
@@ -4032,6 +4033,16 @@ static int drm_dp_mst_handle_up_req(stru
conn_stat->message_capability_status,
conn_stat->input_port,
conn_stat->peer_device_type);
+
+ mutex_lock(&mgr->probe_lock);
+ handle_csn = mgr->mst_primary->link_address_sent;
+ mutex_unlock(&mgr->probe_lock);
+
+ if (!handle_csn) {
+ drm_dbg_kms(mgr->dev, "Got CSN before finish topology probing. Skip it.");
+ kfree(up_req);
+ goto out;
+ }
} else if (up_req->msg.req_type == DP_RESOURCE_STATUS_NOTIFY) {
const struct drm_dp_resource_status_notify *res_stat =
&up_req->msg.u.resource_stat;
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 126/150] drm/lima: Mark simple_ondemand governor as softdep
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 125/150] drm/dp_mst: Skip CSN if topology probing is not done yet Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 127/150] drm/mgag200: Set DDC timeout in milliseconds Greg Kroah-Hartman
` (26 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Muller, Oliver Smith,
Daniel Smith, Dragan Simic, Qiang Yu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dragan Simic <dsimic@manjaro.org>
commit 0c94f58cef319ad054fd909b3bf4b7d09c03e11c upstream.
Lima DRM driver uses devfreq to perform DVFS, while using simple_ondemand
devfreq governor by default. This causes driver initialization to fail on
boot when simple_ondemand governor isn't built into the kernel statically,
as a result of the missing module dependency and, consequently, the
required governor module not being included in the initial ramdisk. Thus,
let's mark simple_ondemand governor as a softdep for Lima, to have its
kernel module included in the initial ramdisk.
This is a rather longstanding issue that has forced distributions to build
devfreq governors statically into their kernels, [1][2] or may have forced
some users to introduce unnecessary workarounds.
Having simple_ondemand marked as a softdep for Lima may not resolve this
issue for all Linux distributions. In particular, it will remain
unresolved for the distributions whose utilities for the initial ramdisk
generation do not handle the available softdep information [3] properly
yet. However, some Linux distributions already handle softdeps properly
while generating their initial ramdisks, [4] and this is a prerequisite
step in the right direction for the distributions that don't handle them
properly yet.
[1] https://gitlab.manjaro.org/manjaro-arm/packages/core/linux-pinephone/-/blob/6.7-megi/config?ref_type=heads#L5749
[2] https://gitlab.com/postmarketOS/pmaports/-/blob/7f64e287e7732c9eaa029653e73ca3d4ba1c8598/main/linux-postmarketos-allwinner/config-postmarketos-allwinner.aarch64#L4654
[3] https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/?id=49d8e0b59052999de577ab732b719cfbeb89504d
[4] https://github.com/archlinux/mkinitcpio/commit/97ac4d37aae084a050be512f6d8f4489054668ad
Cc: Philip Muller <philm@manjaro.org>
Cc: Oliver Smith <ollieparanoid@postmarketos.org>
Cc: Daniel Smith <danct12@disroot.org>
Cc: stable@vger.kernel.org
Fixes: 1996970773a3 ("drm/lima: Add optional devfreq and cooling device support")
Signed-off-by: Dragan Simic <dsimic@manjaro.org>
Signed-off-by: Qiang Yu <yuq825@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/fdaf2e41bb6a0c5118ff9cc21f4f62583208d885.1718655070.git.dsimic@manjaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/lima/lima_drv.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/lima/lima_drv.c
+++ b/drivers/gpu/drm/lima/lima_drv.c
@@ -489,3 +489,4 @@ module_platform_driver(lima_platform_dri
MODULE_AUTHOR("Lima Project Developers");
MODULE_DESCRIPTION("Lima DRM Driver");
MODULE_LICENSE("GPL v2");
+MODULE_SOFTDEP("pre: governor_simpleondemand");
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 127/150] drm/mgag200: Set DDC timeout in milliseconds
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 126/150] drm/lima: Mark simple_ondemand governor as softdep Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 128/150] drm/mgag200: Bind I2C lifetime to DRM device Greg Kroah-Hartman
` (25 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Jocelyn Falempe,
Dave Airlie, Maarten Lankhorst, Maxime Ripard, dri-devel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
commit ecde5db1598aecab54cc392282c15114f526f05f upstream.
Compute the i2c timeout in jiffies from a value in milliseconds. The
original values of 2 jiffies equals 2 milliseconds if HZ has been
configured to a value of 1000. This corresponds to 2.2 milliseconds
used by most other DRM drivers. Update mgag200 accordingly.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
Fixes: 414c45310625 ("mgag200: initial g200se driver (v2)")
Cc: Dave Airlie <airlied@redhat.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Jocelyn Falempe <jfalempe@redhat.com>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v3.5+
Link: https://patchwork.freedesktop.org/patch/msgid/20240513125620.6337-2-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mgag200/mgag200_i2c.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/mgag200/mgag200_i2c.c
+++ b/drivers/gpu/drm/mgag200/mgag200_i2c.c
@@ -115,7 +115,7 @@ int mgag200_i2c_init(struct mga_device *
i2c->adapter.algo_data = &i2c->bit;
i2c->bit.udelay = 10;
- i2c->bit.timeout = 2;
+ i2c->bit.timeout = usecs_to_jiffies(2200);
i2c->bit.data = i2c;
i2c->bit.setsda = mga_gpio_setsda;
i2c->bit.setscl = mga_gpio_setscl;
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 128/150] drm/mgag200: Bind I2C lifetime to DRM device
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 127/150] drm/mgag200: Set DDC timeout in milliseconds Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 129/150] mptcp: mib: count MPJ with backup flag Greg Kroah-Hartman
` (24 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Jocelyn Falempe,
Dave Airlie, dri-devel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
commit eb1ae34e48a09b7a1179c579aed042b032e408f4 upstream.
Managed cleanup with devm_add_action_or_reset() will release the I2C
adapter when the underlying Linux device goes away. But the connector
still refers to it, so this cleanup leaves behind a stale pointer
in struct drm_connector.ddc.
Bind the lifetime of the I2C adapter to the connector's lifetime by
using DRM's managed release. When the DRM device goes away (after
the Linux device) DRM will first clean up the connector and then
clean up the I2C adapter.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
Fixes: b279df242972 ("drm/mgag200: Switch I2C code to managed cleanup")
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Jocelyn Falempe <jfalempe@redhat.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v6.0+
Link: https://patchwork.freedesktop.org/patch/msgid/20240513125620.6337-3-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mgag200/mgag200_i2c.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/mgag200/mgag200_i2c.c
+++ b/drivers/gpu/drm/mgag200/mgag200_i2c.c
@@ -31,6 +31,8 @@
#include <linux/i2c.h>
#include <linux/pci.h>
+#include <drm/drm_managed.h>
+
#include "mgag200_drv.h"
static int mga_i2c_read_gpio(struct mga_device *mdev)
@@ -86,7 +88,7 @@ static int mga_gpio_getscl(void *data)
return (mga_i2c_read_gpio(mdev) & i2c->clock) ? 1 : 0;
}
-static void mgag200_i2c_release(void *res)
+static void mgag200_i2c_release(struct drm_device *dev, void *res)
{
struct mga_i2c_chan *i2c = res;
@@ -126,5 +128,5 @@ int mgag200_i2c_init(struct mga_device *
if (ret)
return ret;
- return devm_add_action_or_reset(dev->dev, mgag200_i2c_release, i2c);
+ return drmm_add_action_or_reset(dev, mgag200_i2c_release, i2c);
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 129/150] mptcp: mib: count MPJ with backup flag
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 128/150] drm/mgag200: Bind I2C lifetime to DRM device Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 130/150] mptcp: export local_address Greg Kroah-Hartman
` (23 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
commit 4dde0d72ccec500c60c798e036b852e013d6e124 upstream.
Without such counters, it is difficult to easily debug issues with MPJ
not having the backup flags on production servers.
This is not strictly a fix, but it eases to validate the following
patches without requiring to take packet traces, to query ongoing
connections with Netlink with admin permissions, or to guess by looking
at the behaviour of the packet scheduler. Also, the modification is self
contained, isolated, well controlled, and the increments are done just
after others, there from the beginning. It looks then safe, and helpful
to backport this.
Fixes: 4596a2c1b7f5 ("mptcp: allow creating non-backup subflows")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Conflicts in subflow.c because the context has changed in
commit b3ea6b272d79 ("mptcp: consolidate initial ack seq generation")
which is not in this version. This commit is unrelated to this
modification. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/mib.c | 2 ++
net/mptcp/mib.h | 2 ++
net/mptcp/subflow.c | 6 ++++++
3 files changed, 10 insertions(+)
--- a/net/mptcp/mib.c
+++ b/net/mptcp/mib.c
@@ -19,7 +19,9 @@ static const struct snmp_mib mptcp_snmp_
SNMP_MIB_ITEM("MPTCPRetrans", MPTCP_MIB_RETRANSSEGS),
SNMP_MIB_ITEM("MPJoinNoTokenFound", MPTCP_MIB_JOINNOTOKEN),
SNMP_MIB_ITEM("MPJoinSynRx", MPTCP_MIB_JOINSYNRX),
+ SNMP_MIB_ITEM("MPJoinSynBackupRx", MPTCP_MIB_JOINSYNBACKUPRX),
SNMP_MIB_ITEM("MPJoinSynAckRx", MPTCP_MIB_JOINSYNACKRX),
+ SNMP_MIB_ITEM("MPJoinSynAckBackupRx", MPTCP_MIB_JOINSYNACKBACKUPRX),
SNMP_MIB_ITEM("MPJoinSynAckHMacFailure", MPTCP_MIB_JOINSYNACKMAC),
SNMP_MIB_ITEM("MPJoinAckRx", MPTCP_MIB_JOINACKRX),
SNMP_MIB_ITEM("MPJoinAckHMacFailure", MPTCP_MIB_JOINACKMAC),
--- a/net/mptcp/mib.h
+++ b/net/mptcp/mib.h
@@ -12,7 +12,9 @@ enum linux_mptcp_mib_field {
MPTCP_MIB_RETRANSSEGS, /* Segments retransmitted at the MPTCP-level */
MPTCP_MIB_JOINNOTOKEN, /* Received MP_JOIN but the token was not found */
MPTCP_MIB_JOINSYNRX, /* Received a SYN + MP_JOIN */
+ MPTCP_MIB_JOINSYNBACKUPRX, /* Received a SYN + MP_JOIN + backup flag */
MPTCP_MIB_JOINSYNACKRX, /* Received a SYN/ACK + MP_JOIN */
+ MPTCP_MIB_JOINSYNACKBACKUPRX, /* Received a SYN/ACK + MP_JOIN + backup flag */
MPTCP_MIB_JOINSYNACKMAC, /* HMAC was wrong on SYN/ACK + MP_JOIN */
MPTCP_MIB_JOINACKRX, /* Received an ACK + MP_JOIN */
MPTCP_MIB_JOINACKMAC, /* HMAC was wrong on ACK + MP_JOIN */
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -165,6 +165,9 @@ static int subflow_check_req(struct requ
return 0;
} else if (opt_mp_join) {
SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINSYNRX);
+
+ if (mp_opt.backup)
+ SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINSYNBACKUPRX);
}
if (opt_mp_capable && listener->request_mptcp) {
@@ -469,6 +472,9 @@ static void subflow_finish_connect(struc
subflow->mp_join = 1;
MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_JOINSYNACKRX);
+ if (subflow->backup)
+ MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_JOINSYNACKBACKUPRX);
+
if (subflow_use_different_dport(mptcp_sk(parent), sk)) {
pr_debug("synack inet_dport=%d %d",
ntohs(inet_sk(sk)->inet_dport),
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 130/150] mptcp: export local_address
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 129/150] mptcp: mib: count MPJ with backup flag Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 131/150] mptcp: pm: fix backup support in signal endpoints Greg Kroah-Hartman
` (22 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Matthieu Baerts,
Larysa Zaremba, Jakub Kicinski, Matthieu Baerts (NGI0)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geliang Tang <geliang.tang@suse.com>
commit dc886bce753cc2cf3c88ec5c7a6880a4e17d65ba upstream.
Rename local_address() with "mptcp_" prefix and export it in protocol.h.
This function will be re-used in the common PM code (pm.c) in the
following commit.
Signed-off-by: Geliang Tang <geliang.tang@suse.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 6834097fc38c ("mptcp: pm: fix backup support in signal endpoints")
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 17 ++++++++---------
net/mptcp/protocol.h | 1 +
2 files changed, 9 insertions(+), 9 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -86,8 +86,7 @@ bool mptcp_addresses_equal(const struct
return a->port == b->port;
}
-static void local_address(const struct sock_common *skc,
- struct mptcp_addr_info *addr)
+void mptcp_local_address(const struct sock_common *skc, struct mptcp_addr_info *addr)
{
addr->family = skc->skc_family;
addr->port = htons(skc->skc_num);
@@ -122,7 +121,7 @@ static bool lookup_subflow_by_saddr(cons
list_for_each_entry(subflow, list, node) {
skc = (struct sock_common *)mptcp_subflow_tcp_sock(subflow);
- local_address(skc, &cur);
+ mptcp_local_address(skc, &cur);
if (mptcp_addresses_equal(&cur, saddr, saddr->port))
return true;
}
@@ -274,7 +273,7 @@ bool mptcp_pm_sport_in_anno_list(struct
struct mptcp_addr_info saddr;
bool ret = false;
- local_address((struct sock_common *)sk, &saddr);
+ mptcp_local_address((struct sock_common *)sk, &saddr);
spin_lock_bh(&msk->pm.lock);
list_for_each_entry(entry, &msk->pm.anno_list, list) {
@@ -545,7 +544,7 @@ static void mptcp_pm_create_subflow_or_s
struct mptcp_addr_info mpc_addr;
bool backup = false;
- local_address((struct sock_common *)msk->first, &mpc_addr);
+ mptcp_local_address((struct sock_common *)msk->first, &mpc_addr);
rcu_read_lock();
entry = __lookup_addr(pernet, &mpc_addr, false);
if (entry) {
@@ -753,7 +752,7 @@ int mptcp_pm_nl_mp_prio_send_ack(struct
struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
struct mptcp_addr_info local, remote;
- local_address((struct sock_common *)ssk, &local);
+ mptcp_local_address((struct sock_common *)ssk, &local);
if (!mptcp_addresses_equal(&local, addr, addr->port))
continue;
@@ -1072,8 +1071,8 @@ int mptcp_pm_nl_get_local_id(struct mptc
/* The 0 ID mapping is defined by the first subflow, copied into the msk
* addr
*/
- local_address((struct sock_common *)msk, &msk_local);
- local_address((struct sock_common *)skc, &skc_local);
+ mptcp_local_address((struct sock_common *)msk, &msk_local);
+ mptcp_local_address((struct sock_common *)skc, &skc_local);
if (mptcp_addresses_equal(&msk_local, &skc_local, false))
return 0;
@@ -1507,7 +1506,7 @@ static int mptcp_nl_remove_id_zero_addre
if (list_empty(&msk->conn_list) || mptcp_pm_is_userspace(msk))
goto next;
- local_address((struct sock_common *)msk, &msk_local);
+ mptcp_local_address((struct sock_common *)msk, &msk_local);
if (!mptcp_addresses_equal(&msk_local, addr, addr->port))
goto next;
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -618,6 +618,7 @@ void __mptcp_unaccepted_force_close(stru
bool mptcp_addresses_equal(const struct mptcp_addr_info *a,
const struct mptcp_addr_info *b, bool use_port);
+void mptcp_local_address(const struct sock_common *skc, struct mptcp_addr_info *addr);
/* called with sk socket lock held */
int __mptcp_subflow_connect(struct sock *sk, const struct mptcp_addr_info *loc,
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 131/150] mptcp: pm: fix backup support in signal endpoints
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 130/150] mptcp: export local_address Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 132/150] selftests: mptcp: join: validate backup in MPJ Greg Kroah-Hartman
` (21 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
commit 6834097fc38c5416701c793da94558cea49c0a1f upstream.
There was a support for signal endpoints, but only when the endpoint's
flag was changed during a connection. If an endpoint with the signal and
backup was already present, the MP_JOIN reply was not containing the
backup flag as expected.
That's confusing to have this inconsistent behaviour. On the other hand,
the infrastructure to set the backup flag in the SYN + ACK + MP_JOIN was
already there, it was just never set before. Now when requesting the
local ID from the path-manager, the backup status is also requested.
Note that when the userspace PM is used, the backup flag can be set if
the local address was already used before with a backup flag, e.g. if
the address was announced with the 'backup' flag, or a subflow was
created with the 'backup' flag.
Fixes: 4596a2c1b7f5 ("mptcp: allow creating non-backup subflows")
Cc: stable@vger.kernel.org
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/507
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Conflicts in pm_userspace.c because the context has changed in commit
1e07938e29c5 ("net: mptcp: rename netlink handlers to
mptcp_pm_nl_<blah>_{doit,dumpit}") which is not in this version. This
commit is unrelated to this modification.
Conflicts in protocol.h because the context has changed in commit
9ae7846c4b6b ("mptcp: dump addrs in userspace pm list") which is not
in this version. This commit is unrelated to this modification.
Conflicts in pm.c because the context has changed in commit
f40be0db0b76 ("mptcp: unify pm get_flags_and_ifindex_by_id") which is
not in this version. This commit is unrelated to this modification. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm.c | 12 ++++++++++++
net/mptcp/pm_netlink.c | 18 ++++++++++++++++++
net/mptcp/pm_userspace.c | 18 ++++++++++++++++++
net/mptcp/protocol.h | 3 +++
net/mptcp/subflow.c | 3 +++
5 files changed, 54 insertions(+)
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -416,6 +416,18 @@ int mptcp_pm_get_local_id(struct mptcp_s
return mptcp_pm_nl_get_local_id(msk, skc);
}
+bool mptcp_pm_is_backup(struct mptcp_sock *msk, struct sock_common *skc)
+{
+ struct mptcp_addr_info skc_local;
+
+ mptcp_local_address((struct sock_common *)skc, &skc_local);
+
+ if (mptcp_pm_is_userspace(msk))
+ return mptcp_userspace_pm_is_backup(msk, &skc_local);
+
+ return mptcp_pm_nl_is_backup(msk, &skc_local);
+}
+
void mptcp_pm_subflow_chk_stale(const struct mptcp_sock *msk, struct sock *ssk)
{
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1110,6 +1110,24 @@ int mptcp_pm_nl_get_local_id(struct mptc
return ret;
}
+bool mptcp_pm_nl_is_backup(struct mptcp_sock *msk, struct mptcp_addr_info *skc)
+{
+ struct pm_nl_pernet *pernet = pm_nl_get_pernet_from_msk(msk);
+ struct mptcp_pm_addr_entry *entry;
+ bool backup = false;
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(entry, &pernet->local_addr_list, list) {
+ if (mptcp_addresses_equal(&entry->addr, skc, entry->addr.port)) {
+ backup = !!(entry->flags & MPTCP_PM_ADDR_FLAG_BACKUP);
+ break;
+ }
+ }
+ rcu_read_unlock();
+
+ return backup;
+}
+
#define MPTCP_PM_CMD_GRP_OFFSET 0
#define MPTCP_PM_EV_GRP_OFFSET 1
--- a/net/mptcp/pm_userspace.c
+++ b/net/mptcp/pm_userspace.c
@@ -159,6 +159,24 @@ int mptcp_userspace_pm_get_local_id(stru
return mptcp_userspace_pm_append_new_local_addr(msk, &new_entry, true);
}
+bool mptcp_userspace_pm_is_backup(struct mptcp_sock *msk,
+ struct mptcp_addr_info *skc)
+{
+ struct mptcp_pm_addr_entry *entry;
+ bool backup = false;
+
+ spin_lock_bh(&msk->pm.lock);
+ list_for_each_entry(entry, &msk->pm.userspace_pm_local_addr_list, list) {
+ if (mptcp_addresses_equal(&entry->addr, skc, false)) {
+ backup = !!(entry->flags & MPTCP_PM_ADDR_FLAG_BACKUP);
+ break;
+ }
+ }
+ spin_unlock_bh(&msk->pm.lock);
+
+ return backup;
+}
+
int mptcp_nl_cmd_announce(struct sk_buff *skb, struct genl_info *info)
{
struct nlattr *token = info->attrs[MPTCP_PM_ATTR_TOKEN];
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -913,6 +913,9 @@ bool mptcp_pm_rm_addr_signal(struct mptc
struct mptcp_rm_list *rm_list);
int mptcp_pm_get_local_id(struct mptcp_sock *msk, struct sock_common *skc);
int mptcp_userspace_pm_get_local_id(struct mptcp_sock *msk, struct mptcp_addr_info *skc);
+bool mptcp_pm_is_backup(struct mptcp_sock *msk, struct sock_common *skc);
+bool mptcp_pm_nl_is_backup(struct mptcp_sock *msk, struct mptcp_addr_info *skc);
+bool mptcp_userspace_pm_is_backup(struct mptcp_sock *msk, struct mptcp_addr_info *skc);
static inline u8 subflow_get_local_id(const struct mptcp_subflow_context *subflow)
{
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -99,6 +99,7 @@ static struct mptcp_sock *subflow_token_
return NULL;
}
subflow_req->local_id = local_id;
+ subflow_req->request_bkup = mptcp_pm_is_backup(msk, (struct sock_common *)req);
return msk;
}
@@ -513,6 +514,8 @@ static int subflow_chk_local_id(struct s
return err;
subflow_set_local_id(subflow, err);
+ subflow->request_bkup = mptcp_pm_is_backup(msk, (struct sock_common *)sk);
+
return 0;
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 132/150] selftests: mptcp: join: validate backup in MPJ
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 131/150] mptcp: pm: fix backup support in signal endpoints Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 133/150] selftests: mptcp: join: check backup support in signal endp Greg Kroah-Hartman
` (20 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
commit 935ff5bb8a1cfcdf8e60c8f5c794d0bbbc234437 upstream.
A peer can notify the other one that a subflow has to be treated as
"backup" by two different ways: either by sending a dedicated MP_PRIO
notification, or by setting the backup flag in the MP_JOIN handshake.
The selftests were previously monitoring the former, but not the latter.
This is what is now done here by looking at these new MIB counters when
validating the 'backup' cases:
MPTcpExtMPJoinSynBackupRx
MPTcpExtMPJoinSynAckBackupRx
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it will help to validate a new fix for an issue introduced by this
commit ID.
Fixes: 4596a2c1b7f5 ("mptcp: allow creating non-backup subflows")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Conflicts in mptcp_join.sh because the check are done has changed,
e.g. in commit 03668c65d153 ("selftests: mptcp: join: rework detailed
report"), or commit 985de45923e2 ("selftests: mptcp: centralize stats
dumping"), etc. Adaptations have been made to use the old way, similar
to what is done just above. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 46 ++++++++++++++++++------
1 file changed, 36 insertions(+), 10 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -1800,6 +1800,8 @@ chk_prio_nr()
{
local mp_prio_nr_tx=$1
local mp_prio_nr_rx=$2
+ local mpj_syn=$3
+ local mpj_syn_ack=$4
local count
local dump_stats
@@ -1827,6 +1829,30 @@ chk_prio_nr()
echo "[ ok ]"
fi
+ printf "%-${nr_blank}s %s" " " "bkp syn"
+ count=$(get_counter ${ns1} "MPTcpExtMPJoinSynBackupRx")
+ if [ -z "$count" ]; then
+ echo -n "[skip]"
+ elif [ "$count" != "$mpj_syn" ]; then
+ echo "[fail] got $count JOIN[s] syn with Backup expected $mpj_syn"
+ fail_test
+ dump_stats=1
+ else
+ echo -n "[ ok ]"
+ fi
+
+ echo -n " - synack "
+ count=$(get_counter ${ns2} "MPTcpExtMPJoinSynAckBackupRx")
+ if [ -z "$count" ]; then
+ echo "[skip]"
+ elif [ "$count" != "$mpj_syn_ack" ]; then
+ echo "[fail] got $count JOIN[s] synack with Backup expected $mpj_syn_ack"
+ fail_test
+ dump_stats=1
+ else
+ echo "[ ok ]"
+ fi
+
[ "${dump_stats}" = 1 ] && dump_stats
}
@@ -2633,7 +2659,7 @@ backup_tests()
pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow nobackup
chk_join_nr 1 1 1
- chk_prio_nr 0 1
+ chk_prio_nr 0 1 1 0
fi
# single address, backup
@@ -2645,7 +2671,7 @@ backup_tests()
run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow backup
chk_join_nr 1 1 1
chk_add_nr 1 1
- chk_prio_nr 1 1
+ chk_prio_nr 1 1 0 0
fi
# single address with port, backup
@@ -2657,7 +2683,7 @@ backup_tests()
run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow backup
chk_join_nr 1 1 1
chk_add_nr 1 1
- chk_prio_nr 1 1
+ chk_prio_nr 1 1 0 0
fi
if reset "mpc backup" &&
@@ -2665,7 +2691,7 @@ backup_tests()
pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,backup
run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow
chk_join_nr 0 0 0
- chk_prio_nr 0 1
+ chk_prio_nr 0 1 0 0
fi
if reset "mpc backup both sides" &&
@@ -2674,7 +2700,7 @@ backup_tests()
pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,backup
run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow
chk_join_nr 0 0 0
- chk_prio_nr 1 1
+ chk_prio_nr 1 1 0 0
fi
if reset "mpc switch to backup" &&
@@ -2682,7 +2708,7 @@ backup_tests()
pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow
run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow backup
chk_join_nr 0 0 0
- chk_prio_nr 0 1
+ chk_prio_nr 0 1 0 0
fi
if reset "mpc switch to backup both sides" &&
@@ -2691,7 +2717,7 @@ backup_tests()
pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow
run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow backup
chk_join_nr 0 0 0
- chk_prio_nr 1 1
+ chk_prio_nr 1 1 0 0
fi
}
@@ -3022,7 +3048,7 @@ fullmesh_tests()
pm_nl_set_limits $ns2 4 4
run_tests $ns1 $ns2 10.0.1.1 0 0 1 slow backup,fullmesh
chk_join_nr 2 2 2
- chk_prio_nr 0 1
+ chk_prio_nr 0 1 1 0
chk_rm_nr 0 1
fi
@@ -3034,7 +3060,7 @@ fullmesh_tests()
pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow,backup,fullmesh
run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow nobackup,nofullmesh
chk_join_nr 2 2 2
- chk_prio_nr 0 1
+ chk_prio_nr 0 1 1 0
chk_rm_nr 0 1
fi
}
@@ -3140,7 +3166,7 @@ userspace_tests()
pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow backup
chk_join_nr 1 1 0
- chk_prio_nr 0 0
+ chk_prio_nr 0 0 0 0
fi
# userspace pm type prevents rm_addr
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 133/150] selftests: mptcp: join: check backup support in signal endp
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 132/150] selftests: mptcp: join: validate backup in MPJ Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 134/150] mptcp: pm: deny endp with signal + subflow + port Greg Kroah-Hartman
` (19 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
commit f833470c27832136d4416d8fc55d658082af0989 upstream.
Before the previous commit, 'signal' endpoints with the 'backup' flag
were ignored when sending the MP_JOIN.
The MPTCP Join selftest has then been modified to validate this case:
the "single address, backup" test, is now validating the MP_JOIN with a
backup flag as it is what we expect it to do with such name. The
previous version has been kept, but renamed to "single address, switch
to backup" to avoid confusions.
The "single address with port, backup" test is also now validating the
MPJ with a backup flag, which makes more sense than checking the switch
to backup with an MP_PRIO.
The "mpc backup both sides" test is now validating that the backup flag
is also set in MP_JOIN from and to the addresses used in the initial
subflow, using the special ID 0.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: 4596a2c1b7f5 ("mptcp: allow creating non-backup subflows")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Conflicts in mptcp_join.sh because 'run_tests' helper has been
modified in multiple commits that are not in this version, e.g. commit
e571fb09c893 ("selftests: mptcp: add speed env var"). Adaptations
have been made to use the old way, similar to what is done around. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 33 +++++++++++++++++++-----
1 file changed, 27 insertions(+), 6 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -2666,6 +2666,18 @@ backup_tests()
if reset "single address, backup" &&
continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
pm_nl_set_limits $ns1 0 1
+ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 1
+ run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow nobackup
+ chk_join_nr 1 1 1
+ chk_add_nr 1 1
+ chk_prio_nr 1 0 0 1
+ fi
+
+ # single address, switch to backup
+ if reset "single address, switch to backup" &&
+ continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
+ pm_nl_set_limits $ns1 0 1
pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
pm_nl_set_limits $ns2 1 1
run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow backup
@@ -2678,12 +2690,12 @@ backup_tests()
if reset "single address with port, backup" &&
continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
pm_nl_set_limits $ns1 0 1
- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal port 10100
+ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup port 10100
pm_nl_set_limits $ns2 1 1
- run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow backup
+ run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow nobackup
chk_join_nr 1 1 1
chk_add_nr 1 1
- chk_prio_nr 1 1 0 0
+ chk_prio_nr 1 0 0 1
fi
if reset "mpc backup" &&
@@ -2696,11 +2708,20 @@ backup_tests()
if reset "mpc backup both sides" &&
continue_if mptcp_lib_kallsyms_doesnt_have "T mptcp_subflow_send_ack$"; then
- pm_nl_add_endpoint $ns1 10.0.1.1 flags subflow,backup
+ pm_nl_set_limits $ns1 0 2
+ pm_nl_set_limits $ns2 1 2
+ pm_nl_add_endpoint $ns1 10.0.1.1 flags signal,backup
pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,backup
+
+ # 10.0.2.2 (non-backup) -> 10.0.1.1 (backup)
+ pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow
+ # 10.0.1.2 (backup) -> 10.0.2.1 (non-backup)
+ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
+ ip -net "$ns2" route add 10.0.2.1 via 10.0.1.1 dev ns2eth1 # force this path
+
run_tests $ns1 $ns2 10.0.1.1 0 0 0 slow
- chk_join_nr 0 0 0
- chk_prio_nr 1 1 0 0
+ chk_join_nr 2 2 2
+ chk_prio_nr 1 1 1 1
fi
if reset "mpc switch to backup" &&
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 134/150] mptcp: pm: deny endp with signal + subflow + port
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 133/150] selftests: mptcp: join: check backup support in signal endp Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 135/150] block: use the right type for stub rq_integrity_vec() Greg Kroah-Hartman
` (18 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 8af1f11865f259c882cce71d32f85ee9004e2660 upstream.
As mentioned in the 'Fixes' commit, the port flag is only supported by
the 'signal' flag, and not by the 'subflow' one. Then if both the
'signal' and 'subflow' flags are set, the problem is the same: the
feature cannot work with the 'subflow' flag.
Technically, if both the 'signal' and 'subflow' flags are set, it will
be possible to create the listening socket, but not to establish a
subflow using this source port. So better to explicitly deny it, not to
create some confusions because the expected behaviour is not possible.
Fixes: 09f12c3ab7a5 ("mptcp: allow to use port and non-signal in set_flags")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240731-upstream-net-20240731-mptcp-endp-subflow-signal-v1-2-c8a9b036493b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1360,8 +1360,8 @@ static int mptcp_nl_cmd_add_addr(struct
if (ret < 0)
return ret;
- if (addr.addr.port && !(addr.flags & MPTCP_PM_ADDR_FLAG_SIGNAL)) {
- GENL_SET_ERR_MSG(info, "flags must have signal when using port");
+ if (addr.addr.port && !address_use_port(&addr)) {
+ GENL_SET_ERR_MSG(info, "flags must have signal and not subflow when using port");
return -EINVAL;
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 135/150] block: use the right type for stub rq_integrity_vec()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 134/150] mptcp: pm: deny endp with signal + subflow + port Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 136/150] Revert "drm/amd/display: Add NULL check for afb before dereferencing in amdgpu_dm_plane_handle_cursor_update" Greg Kroah-Hartman
` (17 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe, Matthieu Baerts
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit 69b6517687a4b1fb250bd8c9c193a0a304c8ba17 upstream.
For !CONFIG_BLK_DEV_INTEGRITY, rq_integrity_vec() wasn't updated
properly. Fix it up.
Fixes: cf546dd289e0 ("block: change rq_integrity_vec to respect the iterator")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Cc: Matthieu Baerts <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/blk-integrity.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/linux/blk-integrity.h
+++ b/include/linux/blk-integrity.h
@@ -175,7 +175,7 @@ static inline int blk_integrity_rq(struc
return 0;
}
-static inline struct bio_vec *rq_integrity_vec(struct request *rq)
+static inline struct bio_vec rq_integrity_vec(struct request *rq)
{
/* the optimizer will remove all calls to this function */
return (struct bio_vec){ };
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 136/150] Revert "drm/amd/display: Add NULL check for afb before dereferencing in amdgpu_dm_plane_handle_cursor_update"
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 135/150] block: use the right type for stub rq_integrity_vec() Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 137/150] mm: huge_memory: use !CONFIG_64BIT to relax huge page alignment on 32 bit machines Greg Kroah-Hartman
` (16 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivasan Shanmugam, George Zhang,
Ivan Lipski, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Lipski <ivlipski@amd.com>
commit 778e3979c5dc9cbdb5d1b92afed427de6bc483b4 upstream.
[WHY]
This patch is a dupplicate implementation of 14bcf29b, which we
are reverting due to a regression with kms_plane_cursor IGT tests.
This reverts commit 38e6f715b02b572f74677eb2f29d3b4bc6f1ddff.
Reviewed-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Tested-by: George Zhang <George.zhang@amd.com>
Signed-off-by: Ivan Lipski <ivlipski@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
@@ -1225,22 +1225,14 @@ void handle_cursor_update(struct drm_pla
{
struct amdgpu_device *adev = drm_to_adev(plane->dev);
struct amdgpu_framebuffer *afb = to_amdgpu_framebuffer(plane->state->fb);
- struct drm_crtc *crtc;
- struct dm_crtc_state *crtc_state;
- struct amdgpu_crtc *amdgpu_crtc;
- u64 address;
+ struct drm_crtc *crtc = afb ? plane->state->crtc : old_plane_state->crtc;
+ struct dm_crtc_state *crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL;
+ struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc);
+ uint64_t address = afb ? afb->address : 0;
struct dc_cursor_position position = {0};
struct dc_cursor_attributes attributes;
int ret;
- if (!afb)
- return;
-
- crtc = plane->state->crtc ? plane->state->crtc : old_plane_state->crtc;
- crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL;
- amdgpu_crtc = to_amdgpu_crtc(crtc);
- address = afb->address;
-
if (!plane->state->fb && !old_plane_state->fb)
return;
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 137/150] mm: huge_memory: use !CONFIG_64BIT to relax huge page alignment on 32 bit machines
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 136/150] Revert "drm/amd/display: Add NULL check for afb before dereferencing in amdgpu_dm_plane_handle_cursor_update" Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 138/150] btrfs: fix corruption after buffer fault in during direct IO append write Greg Kroah-Hartman
` (15 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Shi, Yves-Alexis Perez,
David Hildenbrand, Ben Hutchings, Christoph Lameter, Jiri Slaby,
Matthew Wilcox (Oracle), Rik van Riel, Salvatore Bonaccorso,
Suren Baghdasaryan, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Shi <yang@os.amperecomputing.com>
commit d9592025000b3cf26c742f3505da7b83aedc26d5 upstream.
Yves-Alexis Perez reported commit 4ef9ad19e176 ("mm: huge_memory: don't
force huge page alignment on 32 bit") didn't work for x86_32 [1]. It is
because x86_32 uses CONFIG_X86_32 instead of CONFIG_32BIT.
!CONFIG_64BIT should cover all 32 bit machines.
[1] https://lore.kernel.org/linux-mm/CAHbLzkr1LwH3pcTgM+aGQ31ip2bKqiqEQ8=FQB+t2c3dhNKNHA@mail.gmail.com/
Link: https://lkml.kernel.org/r/20240712155855.1130330-1-yang@os.amperecomputing.com
Fixes: 4ef9ad19e176 ("mm: huge_memory: don't force huge page alignment on 32 bit")
Signed-off-by: Yang Shi <yang@os.amperecomputing.com>
Reported-by: Yves-Alexis Perez <corsac@debian.org>
Tested-by: Yves-Alexis Perez <corsac@debian.org>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Christoph Lameter <cl@linux.com>
Cc: Jiri Slaby <jirislaby@kernel.org>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Rik van Riel <riel@surriel.com>
Cc: Salvatore Bonaccorso <carnil@debian.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org> [6.8+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/huge_memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -608,7 +608,7 @@ static unsigned long __thp_get_unmapped_
loff_t off_align = round_up(off, size);
unsigned long len_pad, ret;
- if (IS_ENABLED(CONFIG_32BIT) || in_compat_syscall())
+ if (!IS_ENABLED(CONFIG_64BIT) || in_compat_syscall())
return 0;
if (off_end <= off_align || (off_end - off_align) < size)
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 138/150] btrfs: fix corruption after buffer fault in during direct IO append write
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 137/150] mm: huge_memory: use !CONFIG_64BIT to relax huge page alignment on 32 bit machines Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 139/150] ipv6: fix source address selection with route leak Greg Kroah-Hartman
` (14 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hanna Czenczek, Josef Bacik,
Filipe Manana, David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 939b656bc8ab203fdbde26ccac22bcb7f0985be5 upstream.
During an append (O_APPEND write flag) direct IO write if the input buffer
was not previously faulted in, we can corrupt the file in a way that the
final size is unexpected and it includes an unexpected hole.
The problem happens like this:
1) We have an empty file, with size 0, for example;
2) We do an O_APPEND direct IO with a length of 4096 bytes and the input
buffer is not currently faulted in;
3) We enter btrfs_direct_write(), lock the inode and call
generic_write_checks(), which calls generic_write_checks_count(), and
that function sets the iocb position to 0 with the following code:
if (iocb->ki_flags & IOCB_APPEND)
iocb->ki_pos = i_size_read(inode);
4) We call btrfs_dio_write() and enter into iomap, which will end up
calling btrfs_dio_iomap_begin() and that calls
btrfs_get_blocks_direct_write(), where we update the i_size of the
inode to 4096 bytes;
5) After btrfs_dio_iomap_begin() returns, iomap will attempt to access
the page of the write input buffer (at iomap_dio_bio_iter(), with a
call to bio_iov_iter_get_pages()) and fail with -EFAULT, which gets
returned to btrfs at btrfs_direct_write() via btrfs_dio_write();
6) At btrfs_direct_write() we get the -EFAULT error, unlock the inode,
fault in the write buffer and then goto to the label 'relock';
7) We lock again the inode, do all the necessary checks again and call
again generic_write_checks(), which calls generic_write_checks_count()
again, and there we set the iocb's position to 4K, which is the current
i_size of the inode, with the following code pointed above:
if (iocb->ki_flags & IOCB_APPEND)
iocb->ki_pos = i_size_read(inode);
8) Then we go again to btrfs_dio_write() and enter iomap and the write
succeeds, but it wrote to the file range [4K, 8K), leaving a hole in
the [0, 4K) range and an i_size of 8K, which goes against the
expectations of having the data written to the range [0, 4K) and get an
i_size of 4K.
Fix this by not unlocking the inode before faulting in the input buffer,
in case we get -EFAULT or an incomplete write, and not jumping to the
'relock' label after faulting in the buffer - instead jump to a location
immediately before calling iomap, skipping all the write checks and
relocking. This solves this problem and it's fine even in case the input
buffer is memory mapped to the same file range, since only holding the
range locked in the inode's io tree can cause a deadlock, it's safe to
keep the inode lock (VFS lock), as was fixed and described in commit
51bd9563b678 ("btrfs: fix deadlock due to page faults during direct IO
reads and writes").
A sample reproducer provided by a reporter is the following:
$ cat test.c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
if (argc < 2) {
fprintf(stderr, "Usage: %s <test file>\n", argv[0]);
return 1;
}
int fd = open(argv[1], O_WRONLY | O_CREAT | O_TRUNC | O_DIRECT |
O_APPEND, 0644);
if (fd < 0) {
perror("creating test file");
return 1;
}
char *buf = mmap(NULL, 4096, PROT_READ,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
ssize_t ret = write(fd, buf, 4096);
if (ret < 0) {
perror("pwritev2");
return 1;
}
struct stat stbuf;
ret = fstat(fd, &stbuf);
if (ret < 0) {
perror("stat");
return 1;
}
printf("size: %llu\n", (unsigned long long)stbuf.st_size);
return stbuf.st_size == 4096 ? 0 : 1;
}
A test case for fstests will be sent soon.
Reported-by: Hanna Czenczek <hreitz@redhat.com>
Link: https://lore.kernel.org/linux-btrfs/0b841d46-12fe-4e64-9abb-871d8d0de271@redhat.com/
Fixes: 8184620ae212 ("btrfs: fix lost file sync on direct IO write with nowait and dsync iocb")
CC: stable@vger.kernel.org # 6.1+
Tested-by: Hanna Czenczek <hreitz@redhat.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ctree.h | 1 +
fs/btrfs/file.c | 55 ++++++++++++++++++++++++++++++++++++++++++-------------
2 files changed, 43 insertions(+), 13 deletions(-)
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -1553,6 +1553,7 @@ struct btrfs_drop_extents_args {
struct btrfs_file_private {
void *filldir_buf;
u64 last_index;
+ bool fsync_skip_inode_lock;
};
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1526,21 +1526,37 @@ relock:
* So here we disable page faults in the iov_iter and then retry if we
* got -EFAULT, faulting in the pages before the retry.
*/
+again:
from->nofault = true;
dio = btrfs_dio_write(iocb, from, written);
from->nofault = false;
- /*
- * iomap_dio_complete() will call btrfs_sync_file() if we have a dsync
- * iocb, and that needs to lock the inode. So unlock it before calling
- * iomap_dio_complete() to avoid a deadlock.
- */
- btrfs_inode_unlock(inode, ilock_flags);
-
- if (IS_ERR_OR_NULL(dio))
+ if (IS_ERR_OR_NULL(dio)) {
err = PTR_ERR_OR_ZERO(dio);
- else
+ } else {
+ struct btrfs_file_private stack_private = { 0 };
+ struct btrfs_file_private *private;
+ const bool have_private = (file->private_data != NULL);
+
+ if (!have_private)
+ file->private_data = &stack_private;
+
+ /*
+ * If we have a synchoronous write, we must make sure the fsync
+ * triggered by the iomap_dio_complete() call below doesn't
+ * deadlock on the inode lock - we are already holding it and we
+ * can't call it after unlocking because we may need to complete
+ * partial writes due to the input buffer (or parts of it) not
+ * being already faulted in.
+ */
+ private = file->private_data;
+ private->fsync_skip_inode_lock = true;
err = iomap_dio_complete(dio);
+ private->fsync_skip_inode_lock = false;
+
+ if (!have_private)
+ file->private_data = NULL;
+ }
/* No increment (+=) because iomap returns a cumulative value. */
if (err > 0)
@@ -1567,10 +1583,12 @@ relock:
} else {
fault_in_iov_iter_readable(from, left);
prev_left = left;
- goto relock;
+ goto again;
}
}
+ btrfs_inode_unlock(inode, ilock_flags);
+
/*
* If 'err' is -ENOTBLK or we have not written all data, then it means
* we must fallback to buffered IO.
@@ -1777,6 +1795,7 @@ static inline bool skip_inode_logging(co
*/
int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
{
+ struct btrfs_file_private *private = file->private_data;
struct dentry *dentry = file_dentry(file);
struct inode *inode = d_inode(dentry);
struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb);
@@ -1786,6 +1805,7 @@ int btrfs_sync_file(struct file *file, l
int ret = 0, err;
u64 len;
bool full_sync;
+ const bool skip_ilock = (private ? private->fsync_skip_inode_lock : false);
trace_btrfs_sync_file(file, datasync);
@@ -1813,7 +1833,10 @@ int btrfs_sync_file(struct file *file, l
if (ret)
goto out;
- btrfs_inode_lock(inode, BTRFS_ILOCK_MMAP);
+ if (skip_ilock)
+ down_write(&BTRFS_I(inode)->i_mmap_lock);
+ else
+ btrfs_inode_lock(inode, BTRFS_ILOCK_MMAP);
atomic_inc(&root->log_batch);
@@ -1837,7 +1860,10 @@ int btrfs_sync_file(struct file *file, l
*/
ret = start_ordered_ops(inode, start, end);
if (ret) {
- btrfs_inode_unlock(inode, BTRFS_ILOCK_MMAP);
+ if (skip_ilock)
+ up_write(&BTRFS_I(inode)->i_mmap_lock);
+ else
+ btrfs_inode_unlock(inode, BTRFS_ILOCK_MMAP);
goto out;
}
@@ -1940,7 +1966,10 @@ int btrfs_sync_file(struct file *file, l
* file again, but that will end up using the synchronization
* inside btrfs_sync_log to keep things safe.
*/
- btrfs_inode_unlock(inode, BTRFS_ILOCK_MMAP);
+ if (skip_ilock)
+ up_write(&BTRFS_I(inode)->i_mmap_lock);
+ else
+ btrfs_inode_unlock(inode, BTRFS_ILOCK_MMAP);
if (ret == BTRFS_NO_LOG_SYNC) {
ret = btrfs_end_transaction(trans);
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 139/150] ipv6: fix source address selection with route leak
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 138/150] btrfs: fix corruption after buffer fault in during direct IO append write Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 140/150] tools headers arm64: Sync arm64s cputype.h with the kernel sources Greg Kroah-Hartman
` (13 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolas Dichtel, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
commit 252442f2ae317d109ef0b4b39ce0608c09563042 upstream.
By default, an address assigned to the output interface is selected when
the source address is not specified. This is problematic when a route,
configured in a vrf, uses an interface from another vrf (aka route leak).
The original vrf does not own the selected source address.
Let's add a check against the output interface and call the appropriate
function to select the source address.
CC: stable@vger.kernel.org
Fixes: 0d240e7811c4 ("net: vrf: Implement get_saddr for IPv6")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20240710081521.3809742-3-nicolas.dichtel@6wind.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/ip6_route.h | 20 ++++++++++++++------
net/ipv6/ip6_output.c | 1 +
net/ipv6/route.c | 2 +-
3 files changed, 16 insertions(+), 7 deletions(-)
--- a/include/net/ip6_route.h
+++ b/include/net/ip6_route.h
@@ -132,18 +132,26 @@ void rt6_age_exceptions(struct fib6_info
static inline int ip6_route_get_saddr(struct net *net, struct fib6_info *f6i,
const struct in6_addr *daddr,
- unsigned int prefs,
+ unsigned int prefs, int l3mdev_index,
struct in6_addr *saddr)
{
+ struct net_device *l3mdev;
+ struct net_device *dev;
+ bool same_vrf;
int err = 0;
- if (f6i && f6i->fib6_prefsrc.plen) {
+ rcu_read_lock();
+
+ l3mdev = dev_get_by_index_rcu(net, l3mdev_index);
+ if (!f6i || !f6i->fib6_prefsrc.plen || l3mdev)
+ dev = f6i ? fib6_info_nh_dev(f6i) : NULL;
+ same_vrf = !l3mdev || l3mdev_master_dev_rcu(dev) == l3mdev;
+ if (f6i && f6i->fib6_prefsrc.plen && same_vrf)
*saddr = f6i->fib6_prefsrc.addr;
- } else {
- struct net_device *dev = f6i ? fib6_info_nh_dev(f6i) : NULL;
+ else
+ err = ipv6_dev_get_saddr(net, same_vrf ? dev : l3mdev, daddr, prefs, saddr);
- err = ipv6_dev_get_saddr(net, dev, daddr, prefs, saddr);
- }
+ rcu_read_unlock();
return err;
}
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1120,6 +1120,7 @@ static int ip6_dst_lookup_tail(struct ne
from = rt ? rcu_dereference(rt->from) : NULL;
err = ip6_route_get_saddr(net, from, &fl6->daddr,
sk ? inet6_sk(sk)->srcprefs : 0,
+ fl6->flowi6_l3mdev,
&fl6->saddr);
rcu_read_unlock();
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5681,7 +5681,7 @@ static int rt6_fill_node(struct net *net
goto nla_put_failure;
} else if (dest) {
struct in6_addr saddr_buf;
- if (ip6_route_get_saddr(net, rt, dest, 0, &saddr_buf) == 0 &&
+ if (ip6_route_get_saddr(net, rt, dest, 0, 0, &saddr_buf) == 0 &&
nla_put_in6_addr(skb, RTA_PREFSRC, &saddr_buf))
goto nla_put_failure;
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 140/150] tools headers arm64: Sync arm64s cputype.h with the kernel sources
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 139/150] ipv6: fix source address selection with route leak Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 141/150] mm/hugetlb: fix potential race in __update_and_free_hugetlb_folio() Greg Kroah-Hartman
` (12 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Adrian Hunter,
Besar Wicaksono, Ian Rogers, Jiri Olsa, Kan Liang, Namhyung Kim,
Will Deacon, Arnaldo Carvalho de Melo
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
commit dc6abbbde4b099e936cd5428e196d86a5e119aae upstream.
To get the changes in:
0ce85db6c2141b7f ("arm64: cputype: Add Neoverse-V3 definitions")
02a0a04676fa7796 ("arm64: cputype: Add Cortex-X4 definitions")
f4d9d9dcc70b96b5 ("arm64: Add Neoverse-V2 part")
That makes this perf source code to be rebuilt:
CC /tmp/build/perf-tools/util/arm-spe.o
The changes in the above patch add MIDR_NEOVERSE_V[23] and
MIDR_NEOVERSE_V1 is used in arm-spe.c, so probably we need to add those
and perhaps MIDR_CORTEX_X4 to that array? Or maybe we need to leave this
for later when this is all tested on those machines?
static const struct midr_range neoverse_spe[] = {
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
{},
};
Mark Rutland recommended about arm-spe.c:
"I would not touch this for now -- someone would have to go audit the
TRMs to check that those other cores have the same encoding, and I think
it'd be better to do that as a follow-up."
That addresses this perf build warning:
Warning: Kernel ABI header differences:
diff -u tools/arch/arm64/include/asm/cputype.h arch/arm64/include/asm/cputype.h
Acked-by: Mark Rutland <mark.rutland@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Besar Wicaksono <bwicaksono@nvidia.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/lkml/Zl8cYk0Tai2fs7aM@x1
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/arch/arm64/include/asm/cputype.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/tools/arch/arm64/include/asm/cputype.h
+++ b/tools/arch/arm64/include/asm/cputype.h
@@ -83,6 +83,9 @@
#define ARM_CPU_PART_CORTEX_X2 0xD48
#define ARM_CPU_PART_NEOVERSE_N2 0xD49
#define ARM_CPU_PART_CORTEX_A78C 0xD4B
+#define ARM_CPU_PART_NEOVERSE_V2 0xD4F
+#define ARM_CPU_PART_CORTEX_X4 0xD82
+#define ARM_CPU_PART_NEOVERSE_V3 0xD84
#define APM_CPU_PART_POTENZA 0x000
@@ -145,6 +148,9 @@
#define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2)
#define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2)
#define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C)
+#define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2)
+#define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4)
+#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
#define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 141/150] mm/hugetlb: fix potential race in __update_and_free_hugetlb_folio()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 140/150] tools headers arm64: Sync arm64s cputype.h with the kernel sources Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 142/150] block: Call .limit_depth() after .hctx has been set Greg Kroah-Hartman
` (11 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaohe Lin, Muchun Song,
Oscar Salvador, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaohe Lin <linmiaohe@huawei.com>
commit 5596d9e8b553dacb0ac34bcf873cbbfb16c3ba3e upstream.
There is a potential race between __update_and_free_hugetlb_folio() and
try_memory_failure_hugetlb():
CPU1 CPU2
__update_and_free_hugetlb_folio try_memory_failure_hugetlb
folio_test_hugetlb
-- It's still hugetlb folio.
folio_clear_hugetlb_hwpoison
spin_lock_irq(&hugetlb_lock);
__get_huge_page_for_hwpoison
folio_set_hugetlb_hwpoison
spin_unlock_irq(&hugetlb_lock);
spin_lock_irq(&hugetlb_lock);
__folio_clear_hugetlb(folio);
-- Hugetlb flag is cleared but too late.
spin_unlock_irq(&hugetlb_lock);
When the above race occurs, raw error page info will be leaked. Even
worse, raw error pages won't have hwpoisoned flag set and hit
pcplists/buddy. Fix this issue by deferring
folio_clear_hugetlb_hwpoison() until __folio_clear_hugetlb() is done. So
all raw error pages will have hwpoisoned flag set.
Link: https://lkml.kernel.org/r/20240708025127.107713-1-linmiaohe@huawei.com
Fixes: 32c877191e02 ("hugetlb: do not clear hugetlb dtor until allocating vmemmap")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Muchun Song <muchun.song@linux.dev>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/hugetlb.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1786,13 +1786,6 @@ static void __update_and_free_page(struc
}
/*
- * Move PageHWPoison flag from head page to the raw error pages,
- * which makes any healthy subpages reusable.
- */
- if (unlikely(PageHWPoison(page)))
- hugetlb_clear_page_hwpoison(page);
-
- /*
* If vmemmap pages were allocated above, then we need to clear the
* hugetlb destructor under the hugetlb lock.
*/
@@ -1802,6 +1795,13 @@ static void __update_and_free_page(struc
spin_unlock_irq(&hugetlb_lock);
}
+ /*
+ * Move PageHWPoison flag from head page to the raw error pages,
+ * which makes any healthy subpages reusable.
+ */
+ if (unlikely(PageHWPoison(page)))
+ hugetlb_clear_page_hwpoison(page);
+
for (i = 0; i < pages_per_huge_page(h); i++) {
subpage = nth_page(page, i);
subpage->flags &= ~(1 << PG_locked | 1 << PG_error |
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 142/150] block: Call .limit_depth() after .hctx has been set
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 141/150] mm/hugetlb: fix potential race in __update_and_free_hugetlb_folio() Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 143/150] block/mq-deadline: Fix the tag reservation code Greg Kroah-Hartman
` (10 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Damien Le Moal,
Zhiguo Niu, Bart Van Assche, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
commit 6259151c04d4e0085e00d2dcb471ebdd1778e72e upstream.
Call .limit_depth() after data->hctx has been set such that data->hctx can
be used in .limit_depth() implementations.
Cc: Christoph Hellwig <hch@lst.de>
Cc: Damien Le Moal <dlemoal@kernel.org>
Cc: Zhiguo Niu <zhiguo.niu@unisoc.com>
Fixes: 07757588e507 ("block/mq-deadline: Reserve 25% of scheduler tags for synchronous requests")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Tested-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20240509170149.7639-2-bvanassche@acm.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-mq.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -439,6 +439,7 @@ __blk_mq_alloc_requests_batch(struct blk
static struct request *__blk_mq_alloc_requests(struct blk_mq_alloc_data *data)
{
+ void (*limit_depth)(blk_opf_t, struct blk_mq_alloc_data *) = NULL;
struct request_queue *q = data->q;
u64 alloc_time_ns = 0;
struct request *rq;
@@ -465,7 +466,7 @@ static struct request *__blk_mq_alloc_re
!blk_op_is_passthrough(data->cmd_flags) &&
e->type->ops.limit_depth &&
!(data->flags & BLK_MQ_REQ_RESERVED))
- e->type->ops.limit_depth(data->cmd_flags, data);
+ limit_depth = e->type->ops.limit_depth;
}
retry:
@@ -477,6 +478,9 @@ retry:
if (data->flags & BLK_MQ_REQ_RESERVED)
data->rq_flags |= RQF_RESV;
+ if (limit_depth)
+ limit_depth(data->cmd_flags, data);
+
/*
* Try batched alloc if we want more than 1 tag.
*/
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 143/150] block/mq-deadline: Fix the tag reservation code
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 142/150] block: Call .limit_depth() after .hctx has been set Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 144/150] xfs: fix log recovery buffer allocation for the legacy h_size fixup Greg Kroah-Hartman
` (9 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Damien Le Moal,
Zhiguo Niu, Bart Van Assche, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
commit 39823b47bbd40502632ffba90ebb34fff7c8b5e8 upstream.
The current tag reservation code is based on a misunderstanding of the
meaning of data->shallow_depth. Fix the tag reservation code as follows:
* By default, do not reserve any tags for synchronous requests because
for certain use cases reserving tags reduces performance. See also
Harshit Mogalapalli, [bug-report] Performance regression with fio
sequential-write on a multipath setup, 2024-03-07
(https://lore.kernel.org/linux-block/5ce2ae5d-61e2-4ede-ad55-551112602401@oracle.com/)
* Reduce min_shallow_depth to one because min_shallow_depth must be less
than or equal any shallow_depth value.
* Scale dd->async_depth from the range [1, nr_requests] to [1,
bits_per_sbitmap_word].
Cc: Christoph Hellwig <hch@lst.de>
Cc: Damien Le Moal <dlemoal@kernel.org>
Cc: Zhiguo Niu <zhiguo.niu@unisoc.com>
Fixes: 07757588e507 ("block/mq-deadline: Reserve 25% of scheduler tags for synchronous requests")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20240509170149.7639-3-bvanassche@acm.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/mq-deadline.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
--- a/block/mq-deadline.c
+++ b/block/mq-deadline.c
@@ -598,6 +598,20 @@ unlock:
}
/*
+ * 'depth' is a number in the range 1..INT_MAX representing a number of
+ * requests. Scale it with a factor (1 << bt->sb.shift) / q->nr_requests since
+ * 1..(1 << bt->sb.shift) is the range expected by sbitmap_get_shallow().
+ * Values larger than q->nr_requests have the same effect as q->nr_requests.
+ */
+static int dd_to_word_depth(struct blk_mq_hw_ctx *hctx, unsigned int qdepth)
+{
+ struct sbitmap_queue *bt = &hctx->sched_tags->bitmap_tags;
+ const unsigned int nrr = hctx->queue->nr_requests;
+
+ return ((qdepth << bt->sb.shift) + nrr - 1) / nrr;
+}
+
+/*
* Called by __blk_mq_alloc_request(). The shallow_depth value set by this
* function is used by __blk_mq_get_tag().
*/
@@ -613,7 +627,7 @@ static void dd_limit_depth(blk_opf_t opf
* Throttle asynchronous requests and writes such that these requests
* do not block the allocation of synchronous requests.
*/
- data->shallow_depth = dd->async_depth;
+ data->shallow_depth = dd_to_word_depth(data->hctx, dd->async_depth);
}
/* Called by blk_mq_update_nr_requests(). */
@@ -623,9 +637,9 @@ static void dd_depth_updated(struct blk_
struct deadline_data *dd = q->elevator->elevator_data;
struct blk_mq_tags *tags = hctx->sched_tags;
- dd->async_depth = max(1UL, 3 * q->nr_requests / 4);
+ dd->async_depth = q->nr_requests;
- sbitmap_queue_min_shallow_depth(&tags->bitmap_tags, dd->async_depth);
+ sbitmap_queue_min_shallow_depth(&tags->bitmap_tags, 1);
}
/* Called by blk_mq_init_hctx() and blk_mq_init_sched(). */
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 144/150] xfs: fix log recovery buffer allocation for the legacy h_size fixup
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 143/150] block/mq-deadline: Fix the tag reservation code Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 145/150] drm/amd/display: Defer handling mst up request in resume Greg Kroah-Hartman
` (8 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Sun, Christoph Hellwig,
Brian Foster, Darrick J. Wong, Chandan Babu R, Kevin Berry
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
commit 45cf976008ddef4a9c9a30310c9b4fb2a9a6602a upstream.
Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by
mkfs") added a fixup for incorrect h_size values used for the initial
umount record in old xfsprogs versions. Later commit 0c771b99d6c9
("xfs: clean up calculation of LR header blocks") cleaned up the log
reover buffer calculation, but stoped using the fixed up h_size value
to size the log recovery buffer, which can lead to an out of bounds
access when the incorrect h_size does not come from the old mkfs
tool, but a fuzzer.
Fix this by open coding xlog_logrec_hblks and taking the fixed h_size
into account for this calculation.
Fixes: 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks")
Reported-by: Sam Sun <samsun1006219@gmail.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Kevin Berry <kpberry@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_log_recover.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -2960,7 +2960,7 @@ xlog_do_recovery_pass(
int error = 0, h_size, h_len;
int error2 = 0;
int bblks, split_bblks;
- int hblks, split_hblks, wrapped_hblks;
+ int hblks = 1, split_hblks, wrapped_hblks;
int i;
struct hlist_head rhash[XLOG_RHASH_SIZE];
LIST_HEAD (buffer_list);
@@ -3016,14 +3016,22 @@ xlog_do_recovery_pass(
if (error)
goto bread_err1;
- hblks = xlog_logrec_hblks(log, rhead);
- if (hblks != 1) {
- kmem_free(hbp);
- hbp = xlog_alloc_buffer(log, hblks);
+ /*
+ * This open codes xlog_logrec_hblks so that we can reuse the
+ * fixed up h_size value calculated above. Without that we'd
+ * still allocate the buffer based on the incorrect on-disk
+ * size.
+ */
+ if (h_size > XLOG_HEADER_CYCLE_SIZE &&
+ (rhead->h_version & cpu_to_be32(XLOG_VERSION_2))) {
+ hblks = DIV_ROUND_UP(h_size, XLOG_HEADER_CYCLE_SIZE);
+ if (hblks > 1) {
+ kmem_free(hbp);
+ hbp = xlog_alloc_buffer(log, hblks);
+ }
}
} else {
ASSERT(log->l_sectBBsize == 1);
- hblks = 1;
hbp = xlog_alloc_buffer(log, 1);
h_size = XLOG_BIG_RECORD_BSIZE;
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 145/150] drm/amd/display: Defer handling mst up request in resume
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 144/150] xfs: fix log recovery buffer allocation for the legacy h_size fixup Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 146/150] netfilter: nf_tables: bail out if stateful expression provides no .clone Greg Kroah-Hartman
` (7 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Hersen Wu, Wayne Lin, Daniel Wheeler
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wayne Lin <wayne.lin@amd.com>
commit 202dc359addab29451d3d18243c3d957da5392c8 upstream.
[Why]
Like commit ec5fa9fcdeca ("drm/amd/display: Adjust the MST resume flow"), we
want to avoid handling mst topology changes before restoring the old state.
If we enable DP_UP_REQ_EN before calling drm_atomic_helper_resume(), have
changce to handle CSN event first and fire hotplug event before restoring the
cached state.
[How]
Disable mst branch sending up request event before we restoring the cached state.
DP_UP_REQ_EN will be set later when we call drm_dp_mst_topology_mgr_resume().
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Reviewed-by: Hersen Wu <hersenxs.wu@amd.com>
Signed-off-by: Wayne Lin <wayne.lin@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -2363,7 +2363,6 @@ static void resume_mst_branch_status(str
ret = drm_dp_dpcd_writeb(mgr->aux, DP_MSTM_CTRL,
DP_MST_EN |
- DP_UP_REQ_EN |
DP_UPSTREAM_IS_SRC);
if (ret < 0) {
drm_dbg_kms(mgr->dev, "mst write failed - undocked during suspend?\n");
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 146/150] netfilter: nf_tables: bail out if stateful expression provides no .clone
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 145/150] drm/amd/display: Defer handling mst up request in resume Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 147/150] netfilter: nf_tables: allow clone callbacks to sleep Greg Kroah-Hartman
` (6 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable, netfilter-devel; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit 3c13725f43dcf43ad8a9bcd6a9f12add19a8f93e upstream.
All existing NFT_EXPR_STATEFUL provide a .clone interface, remove
fallback to copy content of stateful expression since this is never
exercised and bail out if .clone interface is not defined.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3123,14 +3123,13 @@ int nft_expr_clone(struct nft_expr *dst,
{
int err;
- if (src->ops->clone) {
- dst->ops = src->ops;
- err = src->ops->clone(dst, src);
- if (err < 0)
- return err;
- } else {
- memcpy(dst, src, src->ops->size);
- }
+ if (WARN_ON_ONCE(!src->ops->clone))
+ return -EINVAL;
+
+ dst->ops = src->ops;
+ err = src->ops->clone(dst, src);
+ if (err < 0)
+ return err;
__module_get(src->ops->type->owner);
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 147/150] netfilter: nf_tables: allow clone callbacks to sleep
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 146/150] netfilter: nf_tables: bail out if stateful expression provides no .clone Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 148/150] netfilter: nf_tables: prefer nft_chain_validate Greg Kroah-Hartman
` (5 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable, netfilter-devel
Cc: Greg Kroah-Hartman, patches, Sven Auhagen, Florian Westphal,
Pablo Neira Ayuso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit fa23e0d4b756d25829e124d6b670a4c6bbd4bf7e upstream.
Sven Auhagen reports transaction failures with following error:
./main.nft:13:1-26: Error: Could not process rule: Cannot allocate memory
percpu: allocation failed, size=16 align=8 atomic=1, atomic alloc failed, no space left
This points to failing pcpu allocation with GFP_ATOMIC flag.
However, transactions happen from user context and are allowed to sleep.
One case where we can call into percpu allocator with GFP_ATOMIC is
nft_counter expression.
Normally this happens from control plane, so this could use GFP_KERNEL
instead. But one use case, element insertion from packet path,
needs to use GFP_ATOMIC allocations (nft_dynset expression).
At this time, .clone callbacks always use GFP_ATOMIC for this reason.
Add gfp_t argument to the .clone function and pass GFP_KERNEL or
GFP_ATOMIC flag depending on context, this allows all clone memory
allocations to sleep for the normal (transaction) case.
Cc: Sven Auhagen <sven.auhagen@voleatech.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/netfilter/nf_tables.h | 4 ++--
net/netfilter/nf_tables_api.c | 8 ++++----
net/netfilter/nft_connlimit.c | 4 ++--
net/netfilter/nft_counter.c | 4 ++--
net/netfilter/nft_dynset.c | 2 +-
net/netfilter/nft_last.c | 4 ++--
net/netfilter/nft_limit.c | 14 ++++++++------
net/netfilter/nft_quota.c | 4 ++--
8 files changed, 23 insertions(+), 21 deletions(-)
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -387,7 +387,7 @@ static inline void *nft_expr_priv(const
return (void *)expr->data;
}
-int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src);
+int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp);
void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
const struct nft_expr *expr);
@@ -889,7 +889,7 @@ struct nft_expr_ops {
struct nft_regs *regs,
const struct nft_pktinfo *pkt);
int (*clone)(struct nft_expr *dst,
- const struct nft_expr *src);
+ const struct nft_expr *src, gfp_t gfp);
unsigned int size;
int (*init)(const struct nft_ctx *ctx,
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3119,7 +3119,7 @@ err_expr_parse:
return ERR_PTR(err);
}
-int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
+int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp)
{
int err;
@@ -3127,7 +3127,7 @@ int nft_expr_clone(struct nft_expr *dst,
return -EINVAL;
dst->ops = src->ops;
- err = src->ops->clone(dst, src);
+ err = src->ops->clone(dst, src, gfp);
if (err < 0)
return err;
@@ -6059,7 +6059,7 @@ int nft_set_elem_expr_clone(const struct
if (!expr)
goto err_expr;
- err = nft_expr_clone(expr, set->exprs[i]);
+ err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT);
if (err < 0) {
kfree(expr);
goto err_expr;
@@ -6098,7 +6098,7 @@ static int nft_set_elem_expr_setup(struc
for (i = 0; i < num_exprs; i++) {
expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
- err = nft_expr_clone(expr, expr_array[i]);
+ err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT);
if (err < 0)
goto err_elem_expr_setup;
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -209,12 +209,12 @@ static void nft_connlimit_destroy(const
nft_connlimit_do_destroy(ctx, priv);
}
-static int nft_connlimit_clone(struct nft_expr *dst, const struct nft_expr *src)
+static int nft_connlimit_clone(struct nft_expr *dst, const struct nft_expr *src, gfp_t gfp)
{
struct nft_connlimit *priv_dst = nft_expr_priv(dst);
struct nft_connlimit *priv_src = nft_expr_priv(src);
- priv_dst->list = kmalloc(sizeof(*priv_dst->list), GFP_ATOMIC);
+ priv_dst->list = kmalloc(sizeof(*priv_dst->list), gfp);
if (!priv_dst->list)
return -ENOMEM;
--- a/net/netfilter/nft_counter.c
+++ b/net/netfilter/nft_counter.c
@@ -225,7 +225,7 @@ static void nft_counter_destroy(const st
nft_counter_do_destroy(priv);
}
-static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src)
+static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src, gfp_t gfp)
{
struct nft_counter_percpu_priv *priv = nft_expr_priv(src);
struct nft_counter_percpu_priv *priv_clone = nft_expr_priv(dst);
@@ -235,7 +235,7 @@ static int nft_counter_clone(struct nft_
nft_counter_fetch(priv, &total);
- cpu_stats = alloc_percpu_gfp(struct nft_counter, GFP_ATOMIC);
+ cpu_stats = alloc_percpu_gfp(struct nft_counter, gfp);
if (cpu_stats == NULL)
return -ENOMEM;
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -35,7 +35,7 @@ static int nft_dynset_expr_setup(const s
for (i = 0; i < priv->num_exprs; i++) {
expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
- if (nft_expr_clone(expr, priv->expr_array[i]) < 0)
+ if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)
return -1;
elem_expr->size += priv->expr_array[i]->ops->size;
--- a/net/netfilter/nft_last.c
+++ b/net/netfilter/nft_last.c
@@ -101,12 +101,12 @@ static void nft_last_destroy(const struc
kfree(priv->last);
}
-static int nft_last_clone(struct nft_expr *dst, const struct nft_expr *src)
+static int nft_last_clone(struct nft_expr *dst, const struct nft_expr *src, gfp_t gfp)
{
struct nft_last_priv *priv_dst = nft_expr_priv(dst);
struct nft_last_priv *priv_src = nft_expr_priv(src);
- priv_dst->last = kzalloc(sizeof(*priv_dst->last), GFP_ATOMIC);
+ priv_dst->last = kzalloc(sizeof(*priv_dst->last), gfp);
if (!priv_dst->last)
return -ENOMEM;
--- a/net/netfilter/nft_limit.c
+++ b/net/netfilter/nft_limit.c
@@ -150,7 +150,7 @@ static void nft_limit_destroy(const stru
}
static int nft_limit_clone(struct nft_limit_priv *priv_dst,
- const struct nft_limit_priv *priv_src)
+ const struct nft_limit_priv *priv_src, gfp_t gfp)
{
priv_dst->tokens_max = priv_src->tokens_max;
priv_dst->rate = priv_src->rate;
@@ -158,7 +158,7 @@ static int nft_limit_clone(struct nft_li
priv_dst->burst = priv_src->burst;
priv_dst->invert = priv_src->invert;
- priv_dst->limit = kmalloc(sizeof(*priv_dst->limit), GFP_ATOMIC);
+ priv_dst->limit = kmalloc(sizeof(*priv_dst->limit), gfp);
if (!priv_dst->limit)
return -ENOMEM;
@@ -222,14 +222,15 @@ static void nft_limit_pkts_destroy(const
nft_limit_destroy(ctx, &priv->limit);
}
-static int nft_limit_pkts_clone(struct nft_expr *dst, const struct nft_expr *src)
+static int nft_limit_pkts_clone(struct nft_expr *dst, const struct nft_expr *src,
+ gfp_t gfp)
{
struct nft_limit_priv_pkts *priv_dst = nft_expr_priv(dst);
struct nft_limit_priv_pkts *priv_src = nft_expr_priv(src);
priv_dst->cost = priv_src->cost;
- return nft_limit_clone(&priv_dst->limit, &priv_src->limit);
+ return nft_limit_clone(&priv_dst->limit, &priv_src->limit, gfp);
}
static struct nft_expr_type nft_limit_type;
@@ -280,12 +281,13 @@ static void nft_limit_bytes_destroy(cons
nft_limit_destroy(ctx, priv);
}
-static int nft_limit_bytes_clone(struct nft_expr *dst, const struct nft_expr *src)
+static int nft_limit_bytes_clone(struct nft_expr *dst, const struct nft_expr *src,
+ gfp_t gfp)
{
struct nft_limit_priv *priv_dst = nft_expr_priv(dst);
struct nft_limit_priv *priv_src = nft_expr_priv(src);
- return nft_limit_clone(priv_dst, priv_src);
+ return nft_limit_clone(priv_dst, priv_src, gfp);
}
static const struct nft_expr_ops nft_limit_bytes_ops = {
--- a/net/netfilter/nft_quota.c
+++ b/net/netfilter/nft_quota.c
@@ -232,7 +232,7 @@ static void nft_quota_destroy(const stru
return nft_quota_do_destroy(ctx, priv);
}
-static int nft_quota_clone(struct nft_expr *dst, const struct nft_expr *src)
+static int nft_quota_clone(struct nft_expr *dst, const struct nft_expr *src, gfp_t gfp)
{
struct nft_quota *priv_dst = nft_expr_priv(dst);
struct nft_quota *priv_src = nft_expr_priv(src);
@@ -240,7 +240,7 @@ static int nft_quota_clone(struct nft_ex
priv_dst->quota = priv_src->quota;
priv_dst->flags = priv_src->flags;
- priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), GFP_ATOMIC);
+ priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), gfp);
if (!priv_dst->consumed)
return -ENOMEM;
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 148/150] netfilter: nf_tables: prefer nft_chain_validate
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 147/150] netfilter: nf_tables: allow clone callbacks to sleep Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 149/150] i2c: qcom-geni: fix missing clk_disable_unprepare() and geni_se_resources_off() Greg Kroah-Hartman
` (4 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable, netfilter-devel
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit cff3bd012a9512ac5ed858d38e6ed65f6391008c upstream.
nft_chain_validate already performs loop detection because a cycle will
result in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).
It also follows maps via ->validate callback in nft_lookup, so there
appears no reason to iterate the maps again.
nf_tables_check_loops() and all its helper functions can be removed.
This improves ruleset load time significantly, from 23s down to 12s.
This also fixes a crash bug. Old loop detection code can result in
unbounded recursion:
BUG: TASK stack guard page was hit at ....
Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN
CPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1
[..]
with a suitable ruleset during validation of register stores.
I can't see any actual reason to attempt to check for this from
nft_validate_register_store(), at this point the transaction is still in
progress, so we don't have a full picture of the rule graph.
For nf-next it might make sense to either remove it or make this depend
on table->validate_state in case we could catch an error earlier
(for improved error reporting to userspace).
Fixes: 20a69341f2d0 ("netfilter: nf_tables: add netlink set API")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 151 +++---------------------------------------
1 file changed, 13 insertions(+), 138 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3515,6 +3515,15 @@ static void nf_tables_rule_release(const
nf_tables_rule_destroy(ctx, rule);
}
+/** nft_chain_validate - loop detection and hook validation
+ *
+ * @ctx: context containing call depth and base chain
+ * @chain: chain to validate
+ *
+ * Walk through the rules of the given chain and chase all jumps/gotos
+ * and set lookups until either the jump limit is hit or all reachable
+ * chains have been validated.
+ */
int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
{
struct nft_expr *expr, *last;
@@ -3533,6 +3542,9 @@ int nft_chain_validate(const struct nft_
if (!expr->ops->validate)
continue;
+ /* This may call nft_chain_validate() recursively,
+ * callers that do so must increment ctx->level.
+ */
err = expr->ops->validate(ctx, expr, &data);
if (err < 0)
return err;
@@ -10190,143 +10202,6 @@ int nft_chain_validate_hooks(const struc
}
EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
-/*
- * Loop detection - walk through the ruleset beginning at the destination chain
- * of a new jump until either the source chain is reached (loop) or all
- * reachable chains have been traversed.
- *
- * The loop check is performed whenever a new jump verdict is added to an
- * expression or verdict map or a verdict map is bound to a new chain.
- */
-
-static int nf_tables_check_loops(const struct nft_ctx *ctx,
- const struct nft_chain *chain);
-
-static int nft_check_loops(const struct nft_ctx *ctx,
- const struct nft_set_ext *ext)
-{
- const struct nft_data *data;
- int ret;
-
- data = nft_set_ext_data(ext);
- switch (data->verdict.code) {
- case NFT_JUMP:
- case NFT_GOTO:
- ret = nf_tables_check_loops(ctx, data->verdict.chain);
- break;
- default:
- ret = 0;
- break;
- }
-
- return ret;
-}
-
-static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
- struct nft_set *set,
- const struct nft_set_iter *iter,
- struct nft_set_elem *elem)
-{
- const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
-
- if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
- *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
- return 0;
-
- return nft_check_loops(ctx, ext);
-}
-
-static int nft_set_catchall_loops(const struct nft_ctx *ctx,
- struct nft_set *set)
-{
- u8 genmask = nft_genmask_next(ctx->net);
- struct nft_set_elem_catchall *catchall;
- struct nft_set_ext *ext;
- int ret = 0;
-
- list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
- ext = nft_set_elem_ext(set, catchall->elem);
- if (!nft_set_elem_active(ext, genmask))
- continue;
-
- ret = nft_check_loops(ctx, ext);
- if (ret < 0)
- return ret;
- }
-
- return ret;
-}
-
-static int nf_tables_check_loops(const struct nft_ctx *ctx,
- const struct nft_chain *chain)
-{
- const struct nft_rule *rule;
- const struct nft_expr *expr, *last;
- struct nft_set *set;
- struct nft_set_binding *binding;
- struct nft_set_iter iter;
-
- if (ctx->chain == chain)
- return -ELOOP;
-
- list_for_each_entry(rule, &chain->rules, list) {
- nft_rule_for_each_expr(expr, last, rule) {
- struct nft_immediate_expr *priv;
- const struct nft_data *data;
- int err;
-
- if (strcmp(expr->ops->type->name, "immediate"))
- continue;
-
- priv = nft_expr_priv(expr);
- if (priv->dreg != NFT_REG_VERDICT)
- continue;
-
- data = &priv->data;
- switch (data->verdict.code) {
- case NFT_JUMP:
- case NFT_GOTO:
- err = nf_tables_check_loops(ctx,
- data->verdict.chain);
- if (err < 0)
- return err;
- break;
- default:
- break;
- }
- }
- }
-
- list_for_each_entry(set, &ctx->table->sets, list) {
- if (!nft_is_active_next(ctx->net, set))
- continue;
- if (!(set->flags & NFT_SET_MAP) ||
- set->dtype != NFT_DATA_VERDICT)
- continue;
-
- list_for_each_entry(binding, &set->bindings, list) {
- if (!(binding->flags & NFT_SET_MAP) ||
- binding->chain != chain)
- continue;
-
- iter.genmask = nft_genmask_next(ctx->net);
- iter.skip = 0;
- iter.count = 0;
- iter.err = 0;
- iter.fn = nf_tables_loop_check_setelem;
-
- set->ops->walk(ctx, set, &iter);
- if (!iter.err)
- iter.err = nft_set_catchall_loops(ctx, set);
-
- if (iter.err < 0)
- return iter.err;
- }
- }
-
- return 0;
-}
-
/**
* nft_parse_u32_check - fetch u32 attribute and check for maximum value
*
@@ -10439,7 +10314,7 @@ static int nft_validate_register_store(c
if (data != NULL &&
(data->verdict.code == NFT_GOTO ||
data->verdict.code == NFT_JUMP)) {
- err = nf_tables_check_loops(ctx, data->verdict.chain);
+ err = nft_chain_validate(ctx, data->verdict.chain);
if (err < 0)
return err;
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 149/150] i2c: qcom-geni: fix missing clk_disable_unprepare() and geni_se_resources_off()
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 148/150] netfilter: nf_tables: prefer nft_chain_validate Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 16:03 ` [PATCH 6.1 150/150] btrfs: fix double inode unlock for direct IO sync writes Greg Kroah-Hartman
` (3 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Andi Shyti,
Wolfram Sang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Yingliang <yangyingliang@huawei.com>
commit 043465b66506e8c647cdd38a2db1f2ee0f369a1b upstream.
Add missing clk_disable_unprepare() and geni_se_resources_off() in the error
path in geni_i2c_probe().
Fixes: 14d02fbadb5d ("i2c: qcom-geni: add desc struct to prepare support for I2C Master Hub variant")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-qcom-geni.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-qcom-geni.c
+++ b/drivers/i2c/busses/i2c-qcom-geni.c
@@ -859,6 +859,7 @@ static int geni_i2c_probe(struct platfor
ret = geni_se_resources_on(&gi2c->se);
if (ret) {
dev_err(dev, "Error turning on resources %d\n", ret);
+ clk_disable_unprepare(gi2c->core_clk);
return ret;
}
proto = geni_se_read_proto(&gi2c->se);
@@ -878,8 +879,11 @@ static int geni_i2c_probe(struct platfor
/* FIFO is disabled, so we can only use GPI DMA */
gi2c->gpi_mode = true;
ret = setup_gpi_dma(gi2c);
- if (ret)
+ if (ret) {
+ geni_se_resources_off(&gi2c->se);
+ clk_disable_unprepare(gi2c->core_clk);
return dev_err_probe(dev, ret, "Failed to setup GPI DMA mode\n");
+ }
dev_dbg(dev, "Using GPI DMA mode for I2C\n");
} else {
@@ -892,6 +896,8 @@ static int geni_i2c_probe(struct platfor
if (!tx_depth) {
dev_err(dev, "Invalid TX FIFO depth\n");
+ geni_se_resources_off(&gi2c->se);
+ clk_disable_unprepare(gi2c->core_clk);
return -EINVAL;
}
^ permalink raw reply [flat|nested] 156+ messages in thread* [PATCH 6.1 150/150] btrfs: fix double inode unlock for direct IO sync writes
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 149/150] i2c: qcom-geni: fix missing clk_disable_unprepare() and geni_se_resources_off() Greg Kroah-Hartman
@ 2024-08-12 16:03 ` Greg Kroah-Hartman
2024-08-12 19:36 ` [PATCH 6.1 000/150] 6.1.105-rc1 review ChromeOS Kernel Stable Merge
` (2 subsequent siblings)
152 siblings, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-12 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7dbbb74af6291b5a5a8b,
Josef Bacik, Filipe Manana, David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit e0391e92f9ab4fb3dbdeb139c967dcfa7ac4b115 upstream.
If we do a direct IO sync write, at btrfs_sync_file(), and we need to skip
inode logging or we get an error starting a transaction or an error when
flushing delalloc, we end up unlocking the inode when we shouldn't under
the 'out_release_extents' label, and then unlock it again at
btrfs_direct_write().
Fix that by checking if we have to skip inode unlocking under that label.
Reported-by: syzbot+7dbbb74af6291b5a5a8b@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/000000000000dfd631061eaeb4bc@google.com/
Fixes: 939b656bc8ab ("btrfs: fix corruption after buffer fault in during direct IO append write")
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/file.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -2037,7 +2037,10 @@ out:
out_release_extents:
btrfs_release_log_ctx_extents(&ctx);
- btrfs_inode_unlock(inode, BTRFS_ILOCK_MMAP);
+ if (skip_ilock)
+ up_write(&BTRFS_I(inode)->i_mmap_lock);
+ else
+ btrfs_inode_unlock(inode, BTRFS_ILOCK_MMAP);
goto out;
}
^ permalink raw reply [flat|nested] 156+ messages in thread* Re: [PATCH 6.1 000/150] 6.1.105-rc1 review
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2024-08-12 16:03 ` [PATCH 6.1 150/150] btrfs: fix double inode unlock for direct IO sync writes Greg Kroah-Hartman
@ 2024-08-12 19:36 ` ChromeOS Kernel Stable Merge
2024-08-12 20:53 ` Pavel Machek
2024-08-12 21:42 ` Guenter Roeck
152 siblings, 0 replies; 156+ messages in thread
From: ChromeOS Kernel Stable Merge @ 2024-08-12 19:36 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, chromeos-kernel-stable-merge, Greg Kroah-Hartman, patches,
linux-kernel, torvalds, akpm, linux, shuah, patches, lkft-triage,
pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw, rwarsow,
conor, allen.lkml, broonie
Hello,
This rc kernel passed ChromeOS CQ tests:
https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5782314/1?tab=checks
Thanks,
Tested-by: ChromeOS CQ Test <chromeos-kernel-stable-merge@google.com>
^ permalink raw reply [flat|nested] 156+ messages in thread* Re: [PATCH 6.1 000/150] 6.1.105-rc1 review
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2024-08-12 19:36 ` [PATCH 6.1 000/150] 6.1.105-rc1 review ChromeOS Kernel Stable Merge
@ 2024-08-12 20:53 ` Pavel Machek
2024-08-12 21:42 ` Guenter Roeck
152 siblings, 0 replies; 156+ messages in thread
From: Pavel Machek @ 2024-08-12 20:53 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
[-- Attachment #1: Type: text/plain, Size: 660 bytes --]
Hi!
> This is the start of the stable review cycle for the 6.1.105 release.
> There are 150 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.1.y
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 156+ messages in thread* Re: [PATCH 6.1 000/150] 6.1.105-rc1 review
2024-08-12 16:01 [PATCH 6.1 000/150] 6.1.105-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2024-08-12 20:53 ` Pavel Machek
@ 2024-08-12 21:42 ` Guenter Roeck
2024-08-13 5:45 ` Naresh Kamboju
2024-08-13 6:19 ` Greg Kroah-Hartman
152 siblings, 2 replies; 156+ messages in thread
From: Guenter Roeck @ 2024-08-12 21:42 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie
On 8/12/24 09:01, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.105 release.
> There are 150 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 14 Aug 2024 16:00:26 +0000.
> Anything received after that time might be too late.
>
Building parisc64:C3700:smp:net=pcnet:initrd ... failed
------------
Error log:
In file included from /home/groeck/src/linux-stable/include/linux/fs.h:45,
from /home/groeck/src/linux-stable/include/linux/huge_mm.h:8,
from /home/groeck/src/linux-stable/include/linux/mm.h:745,
from /home/groeck/src/linux-stable/include/linux/pid_namespace.h:7,
from /home/groeck/src/linux-stable/include/linux/ptrace.h:10,
from /home/groeck/src/linux-stable/arch/parisc/kernel/asm-offsets.c:20:
/home/groeck/src/linux-stable/include/linux/slab.h:228: warning: "ARCH_KMALLOC_MINALIGN" redefined
228 | #define ARCH_KMALLOC_MINALIGN ARCH_DMA_MINALIGN
In file included from /home/groeck/src/linux-stable/arch/parisc/include/asm/atomic.h:23,
from /home/groeck/src/linux-stable/include/linux/atomic.h:7,
from /home/groeck/src/linux-stable/include/linux/rcupdate.h:25,
from /home/groeck/src/linux-stable/include/linux/rculist.h:11,
from /home/groeck/src/linux-stable/include/linux/pid.h:5,
from /home/groeck/src/linux-stable/include/linux/sched.h:14,
from /home/groeck/src/linux-stable/arch/parisc/kernel/asm-offsets.c:18:
/home/groeck/src/linux-stable/arch/parisc/include/asm/cache.h:28: note: this is the location of the previous definition
28 | #define ARCH_KMALLOC_MINALIGN 16 /* ldcw requires 16-byte alignment */
Guenter
^ permalink raw reply [flat|nested] 156+ messages in thread* Re: [PATCH 6.1 000/150] 6.1.105-rc1 review
2024-08-12 21:42 ` Guenter Roeck
@ 2024-08-13 5:45 ` Naresh Kamboju
2024-08-13 6:19 ` Greg Kroah-Hartman
1 sibling, 0 replies; 156+ messages in thread
From: Naresh Kamboju @ 2024-08-13 5:45 UTC (permalink / raw)
To: Guenter Roeck
Cc: Greg Kroah-Hartman, stable, patches, linux-kernel, torvalds, akpm,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
On Tue, 13 Aug 2024 at 03:13, Guenter Roeck <linux@roeck-us.net> wrote:
>
> On 8/12/24 09:01, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 6.1.105 release.
> > There are 150 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Wed, 14 Aug 2024 16:00:26 +0000.
> > Anything received after that time might be too late.
> >
>
> Building parisc64:C3700:smp:net=pcnet:initrd ... failed
As Guenter reported,
Parisc builds failed.
* parisc, build
- gcc-11-allnoconfig
- gcc-11-defconfig
- gcc-11-tinyconfig
> ------------
> Error log:
> In file included from /home/groeck/src/linux-stable/include/linux/fs.h:45,
> from /home/groeck/src/linux-stable/include/linux/huge_mm.h:8,
> from /home/groeck/src/linux-stable/include/linux/mm.h:745,
> from /home/groeck/src/linux-stable/include/linux/pid_namespace.h:7,
> from /home/groeck/src/linux-stable/include/linux/ptrace.h:10,
> from /home/groeck/src/linux-stable/arch/parisc/kernel/asm-offsets.c:20:
> /home/groeck/src/linux-stable/include/linux/slab.h:228: warning: "ARCH_KMALLOC_MINALIGN" redefined
> 228 | #define ARCH_KMALLOC_MINALIGN ARCH_DMA_MINALIGN
>
> In file included from /home/groeck/src/linux-stable/arch/parisc/include/asm/atomic.h:23,
> from /home/groeck/src/linux-stable/include/linux/atomic.h:7,
> from /home/groeck/src/linux-stable/include/linux/rcupdate.h:25,
> from /home/groeck/src/linux-stable/include/linux/rculist.h:11,
> from /home/groeck/src/linux-stable/include/linux/pid.h:5,
> from /home/groeck/src/linux-stable/include/linux/sched.h:14,
> from /home/groeck/src/linux-stable/arch/parisc/kernel/asm-offsets.c:18:
> /home/groeck/src/linux-stable/arch/parisc/include/asm/cache.h:28: note: this is the location of the previous definition
> 28 | #define ARCH_KMALLOC_MINALIGN 16 /* ldcw requires 16-byte alignment */
>
Thanks for the report.
> Guenter
>
^ permalink raw reply [flat|nested] 156+ messages in thread
* Re: [PATCH 6.1 000/150] 6.1.105-rc1 review
2024-08-12 21:42 ` Guenter Roeck
2024-08-13 5:45 ` Naresh Kamboju
@ 2024-08-13 6:19 ` Greg Kroah-Hartman
1 sibling, 0 replies; 156+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-13 6:19 UTC (permalink / raw)
To: Guenter Roeck
Cc: stable, patches, linux-kernel, torvalds, akpm, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie
On Mon, Aug 12, 2024 at 02:42:58PM -0700, Guenter Roeck wrote:
> On 8/12/24 09:01, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 6.1.105 release.
> > There are 150 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Wed, 14 Aug 2024 16:00:26 +0000.
> > Anything received after that time might be too late.
> >
>
> Building parisc64:C3700:smp:net=pcnet:initrd ... failed
> ------------
> Error log:
> In file included from /home/groeck/src/linux-stable/include/linux/fs.h:45,
> from /home/groeck/src/linux-stable/include/linux/huge_mm.h:8,
> from /home/groeck/src/linux-stable/include/linux/mm.h:745,
> from /home/groeck/src/linux-stable/include/linux/pid_namespace.h:7,
> from /home/groeck/src/linux-stable/include/linux/ptrace.h:10,
> from /home/groeck/src/linux-stable/arch/parisc/kernel/asm-offsets.c:20:
> /home/groeck/src/linux-stable/include/linux/slab.h:228: warning: "ARCH_KMALLOC_MINALIGN" redefined
> 228 | #define ARCH_KMALLOC_MINALIGN ARCH_DMA_MINALIGN
>
> In file included from /home/groeck/src/linux-stable/arch/parisc/include/asm/atomic.h:23,
> from /home/groeck/src/linux-stable/include/linux/atomic.h:7,
> from /home/groeck/src/linux-stable/include/linux/rcupdate.h:25,
> from /home/groeck/src/linux-stable/include/linux/rculist.h:11,
> from /home/groeck/src/linux-stable/include/linux/pid.h:5,
> from /home/groeck/src/linux-stable/include/linux/sched.h:14,
> from /home/groeck/src/linux-stable/arch/parisc/kernel/asm-offsets.c:18:
> /home/groeck/src/linux-stable/arch/parisc/include/asm/cache.h:28: note: this is the location of the previous definition
> 28 | #define ARCH_KMALLOC_MINALIGN 16 /* ldcw requires 16-byte alignment */
>
Thanks, I'll go drop the offending commit now.
greg k-h
^ permalink raw reply [flat|nested] 156+ messages in thread