* [PATCH 6.6 000/341] 6.6.48-rc1 review
@ 2024-08-27 14:33 Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 001/341] tty: serial: fsl_lpuart: mark last busy before uart_add_one_port Greg Kroah-Hartman
` (353 more replies)
0 siblings, 354 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
This is the start of the stable review cycle for the 6.6.48 release.
There are 341 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.6.48-rc1
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Input: MT - limit max slots
Jan Höppner <hoeppner@linux.ibm.com>
Revert "s390/dasd: Establish DMA alignment"
Mengyuan Lou <mengyuanlou@net-swift.com>
net: ngbe: Fix phy mode set to external phy
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix race condition between destroy_previous_session() and smb2 operations()
Boyuan Zhang <boyuan.zhang@amd.com>
drm/amdgpu/vcn: not pause dpg for unified queue
Boyuan Zhang <boyuan.zhang@amd.com>
drm/amdgpu/vcn: identify unified queue in sw init
NeilBrown <neilb@suse.de>
NFSD: simplify error paths in nfsd_svc()
Yonghong Song <yonghong.song@linux.dev>
selftests/bpf: Add a test to verify previous stacksafe() fix
Yonghong Song <yonghong.song@linux.dev>
bpf: Fix a kernel verifier crash in stacksafe()
Zi Yan <ziy@nvidia.com>
mm/numa: no task_numa_fault() call if PTE is changed
Zi Yan <ziy@nvidia.com>
mm/numa: no task_numa_fault() call if PMD is changed
Takashi Iwai <tiwai@suse.de>
ALSA: timer: Relax start tick time check for slave timer elements
Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
igc: Fix qbv tx latency by setting gtxoffset
Jianhua Lu <lujianhua000@gmail.com>
drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/mdss: specify cfg bandwidth for SDM670
Javier Carrasco <javier.carrasco.cruz@gmail.com>
hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt()
Eric Dumazet <edumazet@google.com>
tcp: do not export tcp_twsk_purge()
Jithu Joseph <jithu.joseph@intel.com>
platform/x86/intel/ifs: Call release_firmware() when handling errors.
Alex Hung <alex.hung@amd.com>
Revert "drm/amd/display: Validate hw_points_num before using it"
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "usb: gadget: uvc: cleanup request when not in correct state"
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: join: check re-using ID of closed subflow
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: join: validate fullmesh endp on 1st sf
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: avoid possible UaF when selecting endp
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: fullmesh: select the right ID later
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: only in-kernel cannot have entries with ID 0
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: only decrement add_addr_accepted for MPJ req
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: only mark 'subflow' endp as available
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: remove mptcp_pm_remove_subflow()
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: re-using ID of unused flushed subflows
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: re-using ID of unused removed subflows
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: re-using ID of unused removed ADD_ADDR
Dave Airlie <airlied@redhat.com>
nouveau/firmware: use dma non-coherent allocator
Peng Fan <peng.fan@nxp.com>
pmdomain: imx: wait SSAR when i.MX93 power domain on
Alexander Stein <alexander.stein@ew.tq-group.com>
pmdomain: imx: scu-pd: Remove duplicated clocks
Ben Whitten <ben.whitten@gmail.com>
mmc: dw_mmc: allow biu and ciu clocks to defer
Mengqi Zhang <mengqi.zhang@mediatek.com>
mmc: mtk-sd: receive cmd8 data when hs400 tuning fail
Marc Zyngier <maz@kernel.org>
KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3
Nikolay Kuratov <kniv@yandex-team.ru>
cxgb4: add forgotten u64 ivlan cast before shift
Werner Sembach <wse@tuxedocomputers.com>
Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination
Werner Sembach <wse@tuxedocomputers.com>
Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3
Jason Gerecke <jason.gerecke@wacom.com>
HID: wacom: Defer calculation of resolution until resolution_code is known
Jiaxun Yang <jiaxun.yang@flygoat.com>
MIPS: Loongson64: Set timer mode in cpu-probe
Martin Whitaker <foss@martin-whitaker.me.uk>
net: dsa: microchip: fix PTP config failure when using multiple ports
Candice Li <candice.li@amd.com>
drm/amdgpu: Validate TA binary size
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: the buffer of smb2 query dir response has at least 1 byte
Chaotian Jing <chaotian.jing@mediatek.com>
scsi: core: Fix the return value of scsi_logical_block_count()
Griffin Kroah-Hartman <griffin@kroah.com>
Bluetooth: MGMT: Add error handling to pair_device()
Paulo Alcantara <pc@manguebit.com>
smb: client: ignore unhandled reparse tags
Dan Carpenter <dan.carpenter@linaro.org>
mmc: mmc_test: Fix NULL dereference on allocation failure
Abhinav Kumar <quic_abhinavk@quicinc.com>
drm/msm: fix the highest_bank_bit for sc7180
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/mdss: Handle the reg bus ICC path
Konrad Dybcio <konrad.dybcio@linaro.org>
drm/msm/mdss: Rename path references to mdp_path
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/mdss: switch mdss to use devm_of_icc_get()
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dpu: take plane rotation into account for wide planes
Abhinav Kumar <quic_abhinavk@quicinc.com>
drm/msm/dpu: try multirect based on mdp clock limits
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails
Abhinav Kumar <quic_abhinavk@quicinc.com>
drm/msm/dp: reset the link phy params before link training
Abhinav Kumar <quic_abhinavk@quicinc.com>
drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dpu: capture snapshot on the first commit_done timeout
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dpu: split dpu_encoder_wait_for_event into two functions
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dpu: drop MSM_ENC_VBLANK support
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dpu: use drmm-managed allocation for dpu_encoder_phys
Abhinav Kumar <quic_abhinavk@quicinc.com>
drm/msm/dp: fix the max supported bpp logic
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dpu: don't play tricks with debug macros
Menglong Dong <menglong8.dong@gmail.com>
net: ovs: fix ovs_drop_reasons error
Sean Anderson <sean.anderson@linux.dev>
net: xilinx: axienet: Fix dangling multicast addresses
Sean Anderson <sean.anderson@linux.dev>
net: xilinx: axienet: Always disable promiscuous mode
Bharat Bhushan <bbhushan2@marvell.com>
octeontx2-af: Fix CPT AF register offset calculation
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: flowtable: validate vlan header
Somnath Kotur <somnath.kotur@broadcom.com>
bnxt_en: Fix double DMA unmapping for XDP_REDIRECT
Eric Dumazet <edumazet@google.com>
ipv6: prevent possible UAF in ip6_xmit()
Eric Dumazet <edumazet@google.com>
ipv6: fix possible UAF in ip6_finish_output2()
Eric Dumazet <edumazet@google.com>
ipv6: prevent UAF in ip6_send_skb()
Felix Fietkau <nbd@nbd.name>
udp: fix receiving fraglist GSO packets
Stephen Hemminger <stephen@networkplumber.org>
netem: fix return value if duplicate enqueue fails
Joseph Huang <Joseph.Huang@garmin.com>
net: dsa: mv88e6xxx: Fix out-of-bound access
Paolo Abeni <pabeni@redhat.com>
igb: cope with large MAX_SKB_FRAGS
Dan Carpenter <dan.carpenter@linaro.org>
dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()
Maciej Fijalkowski <maciej.fijalkowski@intel.com>
ice: fix truesize operations for PAGE_SIZE >= 8192
Maciej Fijalkowski <maciej.fijalkowski@intel.com>
ice: fix ICE_LAST_OFFSET formula
Maciej Fijalkowski <maciej.fijalkowski@intel.com>
ice: fix page reuse when PAGE_SIZE is over 8k
Nikolay Aleksandrov <razor@blackwall.org>
bonding: fix xfrm state handling when clearing active slave
Nikolay Aleksandrov <razor@blackwall.org>
bonding: fix xfrm real_dev null pointer dereference
Nikolay Aleksandrov <razor@blackwall.org>
bonding: fix null pointer deref in bond_ipsec_offload_ok
Nikolay Aleksandrov <razor@blackwall.org>
bonding: fix bond_ipsec_offload_ok return type
Thomas Bogendoerfer <tbogendoerfer@suse.de>
ip6_tunnel: Fix broken GRO
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
netfilter: nft_counter: Disable BH in nft_counter_offload_stats().
Kuniyuki Iwashima <kuniyu@amazon.com>
kcm: Serialise kcm_sendmsg() for the same socket.
Jeremy Kerr <jk@codeconstruct.com.au>
net: mctp: test: Use correct skb for route input check
Florian Westphal <fw@strlen.de>
tcp: prevent concurrent execution of tcp_sk_exit_batch
Eric Dumazet <edumazet@google.com>
tcp/dccp: do not care about families in inet_twsk_purge()
Eric Dumazet <edumazet@google.com>
tcp/dccp: bypass empty buckets in inet_twsk_purge()
Hangbin Liu <liuhangbin@gmail.com>
selftests: udpgro: report error when receive failed
Simon Horman <horms@kernel.org>
tc-testing: don't access non-existent variable on exception
Vladimir Oltean <vladimir.oltean@nxp.com>
net: mscc: ocelot: serialize access to the injection/extraction groups
Vladimir Oltean <vladimir.oltean@nxp.com>
net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q"
Vladimir Oltean <vladimir.oltean@nxp.com>
net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: SMP: Fix assumption of Central always being Initiator
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_core: Fix LE quote calculation
Lang Yu <Lang.Yu@amd.com>
drm/amdkfd: reserve the BO before validating it
Takashi Iwai <tiwai@suse.de>
ALSA: hda/tas2781: Use correct endian conversion
Maximilian Luz <luzmaximilian@gmail.com>
platform/surface: aggregator: Fix warning when controller is destroyed in probe
David (Ming Qiang) Wu <David.Wu3@amd.com>
drm/amd/amdgpu: command submission parser for JPEG
Melissa Wen <mwen@igalia.com>
drm/amd/display: fix cursor offset on rotation 180
Loan Chen <lo-an.chen@amd.com>
drm/amd/display: Enable otg synchronization logic for DCN321
Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
drm/amd/display: Adjust cursor position
Filipe Manana <fdmanana@suse.com>
btrfs: send: allow cloning non-aligned extent if it ends at i_size
David Sterba <dsterba@suse.com>
btrfs: replace sb::s_blocksize by fs_info::sectorsize
Hailong Liu <hailong.liu@oppo.com>
mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0
Suren Baghdasaryan <surenb@google.com>
change alloc_pages name in dma_map_ops to avoid name conflicts
Muhammad Usama Anjum <usama.anjum@collabora.com>
selftests: memfd_secret: don't build memfd_secret test on unsupported arches
Ryan Roberts <ryan.roberts@arm.com>
selftests/mm: log run_vmtests.sh results in TAP format
Itaru Kitayama <itaru.kitayama@linux.dev>
tools/testing/selftests/mm/run_vmtests.sh: lower the ptrace permissions
Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
mm: fix endless reclaim on machines with unaccepted memory
Mikulas Patocka <mpatocka@redhat.com>
dm suspend: return -ERESTARTSYS instead of -EINTR
Celeste Liu <coelacanthushex@gmail.com>
riscv: entry: always initialize regs->a0 to -ENOSYS
Sean Nyekjaer <sean@geanix.com>
i2c: stm32f7: Add atomic_xfer method to driver
Dave Kleikamp <dave.kleikamp@oracle.com>
jfs: define xtree root and page independently
Eric Dumazet <edumazet@google.com>
gtp: pull network headers in gtp_dev_xmit()
Keith Busch <kbusch@kernel.org>
nvme: fix namespace removal list
Qiuxu Zhuo <qiuxu.zhuo@intel.com>
EDAC/skx_common: Allow decoding of SGX addresses
Shannon Nelson <shannon.nelson@amd.com>
ionic: check cmd_regs before copying in or out
Shannon Nelson <shannon.nelson@amd.com>
ionic: use pci_is_enabled not open code
Phil Chang <phil.chang@mediatek.com>
hrtimer: Prevent queuing of hrtimer without a function callback
Jesse Zhang <jesse.zhang@amd.com>
drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent
Keith Busch <kbusch@kernel.org>
nvme: use srcu for iterating namespace list
Jakub Sitnicki <jakub@cloudflare.com>
Revert "bpf, sockmap: Prevent lock inversion deadlock in map delete elem"
Cupertino Miranda <cupertino.miranda@oracle.com>
selftests/bpf: Fix a few tests for GCC related warnings.
Sagi Grimberg <sagi@grimberg.me>
nvmet-rdma: fix possible bad dereference when freeing rsps
Baokun Li <libaokun1@huawei.com>
ext4: set the type of max_zeroout to unsigned int to avoid overflow
Guanrui Huang <guanrui.huang@linux.alibaba.com>
irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
Krishna Kurapati <quic_kriskura@quicinc.com>
usb: dwc3: core: Skip setting event buffers for host only controllers
Gergo Koteles <soyer@irl.hu>
platform/x86: lg-laptop: fix %s null argument warning
Adrian Hunter <adrian.hunter@intel.com>
clocksource: Make watchdog and suspend-timing multiplication overflow safe
Biju Das <biju.das.jz@bp.renesas.com>
irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time
Alexander Gordeev <agordeev@linux.ibm.com>
s390/iucv: fix receive buffer virtual vs physical address confusion
Oreoluwa Babatunde <quic_obabatun@quicinc.com>
openrisc: Call setup_memory() earlier in the init sequence
NeilBrown <neilb@suse.de>
NFS: avoid infinite loop in pnfs_update_layout.
Hannes Reinecke <hare@suse.de>
nvmet-tcp: do not continue for invalid icreq
Jian Shen <shenjian15@huawei.com>
net: hns3: add checking for vf id of mailbox
Alexandre Belloni <alexandre.belloni@bootlin.com>
rtc: nct3018y: fix possible NULL dereference
Richard Fitzgerald <rf@opensource.cirrus.com>
firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: bnep: Fix out-of-bound access
Keith Busch <kbusch@kernel.org>
nvme: clear caller pointer on identify failure
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
usb: gadget: fsl: Increase size of name buffer for endpoints
Zhiguo Niu <zhiguo.niu@unisoc.com>
f2fs: fix to do sanity check in update_sit_entry
David Sterba <dsterba@suse.com>
btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent()
David Sterba <dsterba@suse.com>
btrfs: change BUG_ON to assertion in tree_move_down()
David Sterba <dsterba@suse.com>
btrfs: send: handle unexpected inode in header process_recorded_refs()
David Sterba <dsterba@suse.com>
btrfs: send: handle unexpected data in header buffer in begin_cmd()
David Sterba <dsterba@suse.com>
btrfs: handle invalid root reference found in may_destroy_subvol()
David Sterba <dsterba@suse.com>
btrfs: push errors up from add_async_extent()
David Sterba <dsterba@suse.com>
btrfs: tests: allocate dummy fs_info and root in test_find_delalloc()
David Sterba <dsterba@suse.com>
btrfs: change BUG_ON to assertion when checking for delayed_node root
David Sterba <dsterba@suse.com>
btrfs: defrag: change BUG_ON to assertion in btrfs_defrag_leaves()
David Sterba <dsterba@suse.com>
btrfs: delayed-inode: drop pointless BUG_ON in __btrfs_remove_delayed_item()
Michael Ellerman <mpe@ellerman.id.au>
powerpc/boot: Only free if realloc() succeeds
Li zeming <zeming@nfschina.com>
powerpc/boot: Handle allocation failure in simple_realloc()
Zhiguo Niu <zhiguo.niu@unisoc.com>
f2fs: stop checkpoint when get a out-of-bounds segment
David Howells <dhowells@redhat.com>
rxrpc: Don't pick values out of the wire header when setting up security
Helge Deller <deller@gmx.de>
parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367
Christophe Kerello <christophe.kerello@foss.st.com>
memory: stm32-fmc2-ebi: check regmap_read return value
Kees Cook <keescook@chromium.org>
x86: Increase brk randomness entropy for 64-bit systems
Li Nan <linan122@huawei.com>
md: clean up invalid BUG_ON in md_ioctl
Eric Dumazet <edumazet@google.com>
netlink: hold nlk->cb_mutex longer in __netlink_dump_start()
Frederic Weisbecker <frederic@kernel.org>
tick: Move got_idle_tick away from common flags
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
clocksource/drivers/arm_global_timer: Guard against division by zero
Avri Kehat <akehat@habana.ai>
accel/habanalabs: fix debugfs files permissions
Stefan Hajnoczi <stefanha@redhat.com>
virtiofs: forbid newlines in tags
Costa Shulyupin <costa.shul@redhat.com>
hrtimer: Select housekeeping CPU during migration
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
gpio: sysfs: extend the critical section for unregistering sysfs devices
Erico Nunes <nunes.erico@gmail.com>
drm/lima: set gp bus_stop bit before hard reset
Kees Cook <keescook@chromium.org>
net/sun3_82586: Avoid reading past buffer in debug output
Shaul Triebitz <shaul.triebitz@intel.com>
wifi: iwlwifi: mvm: avoid garbage iPN
Philipp Stanner <pstanner@redhat.com>
media: drivers/media/dvb-core: copy user arrays safely
Justin Tee <justin.tee@broadcom.com>
scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()
Max Filippov <jcmvbkbc@gmail.com>
fs: binfmt_elf_efpic: don't use missing interpreter's properties
Hans Verkuil <hverkuil-cisco@xs4all.nl>
media: pci: cx23885: check cx23885_vdev_init() return
Neel Natu <neelnatu@google.com>
kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files
Clément Léger <cleger@rivosinc.com>
riscv: blacklist assembly symbols for kprobe
Jan Kara <jack@suse.cz>
quota: Remove BUG_ON from dqget()
Jeff Johnson <quic_jjohnson@quicinc.com>
wifi: ath12k: Add missing qmi_txn_cancel() calls
Al Viro <viro@zeniv.linux.org.uk>
fuse: fix UAF in rcu pathwalks
Al Viro <viro@zeniv.linux.org.uk>
afs: fix __afs_break_callback() / afs_drop_open_mmap() race
Qu Wenruo <wqu@suse.com>
btrfs: zlib: fix and simplify the inline extent decompression
Baokun Li <libaokun1@huawei.com>
ext4: do not trim the group with corrupted block bitmap
Daniel Wagner <dwagner@suse.de>
nvmet-trace: avoid dereferencing pointer too early
Qiuxu Zhuo <qiuxu.zhuo@intel.com>
EDAC/skx_common: Filter out the invalid address
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: Refcounting fix in gfs2_thaw_super
Zijun Hu <quic_zijuhu@quicinc.com>
Bluetooth: hci_conn: Check non NULL function before calling for HFP offload
Mimi Zohar <zohar@linux.ibm.com>
evm: don't copy up 'security.evm' xattr
Andy Yan <andy.yan@rock-chips.com>
drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode
Shannon Nelson <shannon.nelson@amd.com>
ionic: no fw read when PCI reset failed
Shannon Nelson <shannon.nelson@amd.com>
ionic: prevent pci disable of already disabled device
Nathan Lynch <nathanl@linux.ibm.com>
powerpc/pseries/papr-sysparm: Validate buffer object lengths
Kees Cook <keescook@chromium.org>
hwmon: (pc87360) Bounds check data->innr usage
Bard Liao <yung-chuan.liao@linux.intel.com>
ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data
Kunwu Chan <chentao@kylinos.cn>
powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu
Ashish Mhetre <amhetre@nvidia.com>
memory: tegra: Skip SID programming if SID registers aren't set
Rob Clark <robdclark@chromium.org>
drm/msm: Reduce fallout of fence signaling vs reclaim hangs
Li Lingfeng <lilingfeng3@huawei.com>
block: Fix lockdep warning in blk_mq_mark_tag_wait
Samuel Holland <samuel.holland@sifive.com>
arm64: Fix KASAN random tag seed initialization
Nysal Jan K.A <nysal@linux.ibm.com>
powerpc/topology: Check if a core is online
Nysal Jan K.A <nysal@linux.ibm.com>
cpu/SMT: Enable SMT only if a core is online
Masahiro Yamada <masahiroy@kernel.org>
rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT
Masahiro Yamada <masahiroy@kernel.org>
rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT
Miguel Ojeda <ojeda@kernel.org>
rust: work around `bindgen` 0.69.0 issue
Antoniu Miclaus <antoniu.miclaus@analog.com>
hwmon: (ltc2992) Avoid division by zero
Chengfeng Ye <dg573847474@gmail.com>
IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock
Gustavo A. R. Silva <gustavoars@kernel.org>
clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider
Dmitry Antipov <dmantipov@yandex.ru>
wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware()
Mukesh Sisodiya <mukesh.sisodiya@intel.com>
wifi: iwlwifi: fw: Fix debugfs command sending
Miri Korenblit <miriam.rachel.korenblit@intel.com>
wifi: iwlwifi: abort scan when rfkill on but device enabled
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: setattr_chown: Add missing initialization
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: flush STA queues on unauthorization
Mike Christie <michael.christie@oracle.com>
scsi: spi: Fix sshdr use
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: SOF: Intel: hda-dsp: Make sure that no irq handler is pending before suspend
Richard Acayan <mailingradian@gmail.com>
iommu/arm-smmu-qcom: Add SDM670 MDSS compatible
Hans Verkuil <hverkuil-cisco@xs4all.nl>
media: qcom: venus: fix incorrect return value
Mikko Perttunen <mperttunen@nvidia.com>
drm/tegra: Zero-initialize iosys_map
Christian Brauner <brauner@kernel.org>
binfmt_misc: cleanup on filesystem umount
Yu Kuai <yukuai3@huawei.com>
md/raid5-cache: use READ_ONCE/WRITE_ONCE for 'conf->log'
farah kassabri <fkassabri@habana.ai>
accel/habanalabs: fix bug in timestamp interrupt handling
Tomer Tayar <ttayar@habana.ai>
accel/habanalabs: export dma-buf only if size/offset multiples of PAGE_SIZE
Ofir Bitton <obitton@habana.ai>
accel/habanalabs/gaudi2: unsecure tpc count registers
Chengfeng Ye <dg573847474@gmail.com>
media: s5p-mfc: Fix potential deadlock on condlock
Jithu Joseph <jithu.joseph@intel.com>
platform/x86/intel/ifs: Validate image size
Chengfeng Ye <dg573847474@gmail.com>
staging: ks7010: disable bh on tx_dev_lock
Alex Hung <alex.hung@amd.com>
drm/amd/display: Validate hw_points_num before using it
Michael Grzeschik <m.grzeschik@pengutronix.de>
usb: gadget: uvc: cleanup request when not in correct state
Felix Fietkau <nbd@nbd.name>
wifi: mt76: fix race condition related to checking tx queue fill status
David Lechner <dlechner@baylibre.com>
staging: iio: resolver: ad2s1210: fix use before initialization
Dmitry Antipov <dmantipov@yandex.ru>
wifi: ath11k: fix ath11k_mac_op_remain_on_channel() stack usage
Hans Verkuil <hverkuil-cisco@xs4all.nl>
media: radio-isa: use dev_name to fill in bus_info
Philip Yang <Philip.Yang@amd.com>
drm/amdkfd: Move dma unmapping after TLB flush
Jarkko Nikula <jarkko.nikula@linux.intel.com>
i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer
Jarkko Nikula <jarkko.nikula@linux.intel.com>
i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out
Manish Dharanenthiran <quic_mdharane@quicinc.com>
wifi: ath12k: fix WARN_ON during ath12k_mac_update_vif_chan
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
drm/bridge: tc358768: Attempt to fix DSI horizontal timings
Heiko Carstens <hca@linux.ibm.com>
s390/smp,mcck: fix early IPI handling
Zhu Yanjun <yanjun.zhu@linux.dev>
RDMA/rtrs: Fix the problem of variable not initialized fully
Wolfram Sang <wsa+renesas@sang-engineering.com>
i2c: riic: avoid potential division by zero
Kamalesh Babulal <kamalesh.babulal@oracle.com>
cgroup: Avoid extra dereference in css_populate_dir()
Jeff Johnson <quic_jjohnson@quicinc.com>
wifi: cw1200: Avoid processing an invalid TIM IE
Yury Norov <yury.norov@gmail.com>
sched/topology: Handle NUMA_NO_NODE in sched_numa_find_nth_cpu()
Lorenzo Bianconi <lorenzo@kernel.org>
net: ethernet: mtk_wed: check update_wo_rx_stats in mtk_wed_update_rx_stats()
Paul E. McKenney <paulmck@kernel.org>
rcu: Eliminate rcu_gp_slow_unregister() false positive
Zhen Lei <thunder.leizhen@huawei.com>
rcu: Dump memory object info if callback function is invalid
Emmanuel Grumbach <emmanuel.grumbach@intel.com>
wifi: iwlwifi: mvm: fix recovery flow in CSA
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: fix BA session teardown race
Johannes Berg <johannes.berg@intel.com>
wifi: cfg80211: check wiphy mutex is held for wdev mutex
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: lock wiphy in IP address notifier
Ricardo Rivera-Matos <rriveram@opensource.cirrus.com>
ASoC: cs35l45: Checks index of cs35l45_irqs[]
Rand Deeb <rand.sec96@gmail.com>
ssb: Fix division by zero issue in ssb_calc_clock_rate
ZhenGuo Yin <zhenguo.yin@amd.com>
drm/amdgpu: access RLC_SPM_MC_CNTL through MMIO in SRIOV runtime
Lee Jones <lee@kernel.org>
drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible values can be stored
Alex Deucher <alexander.deucher@amd.com>
drm/amd/pm: fix error flow in sensor fetching
Parsa Poorshikhian <parsa.poorsh@gmail.com>
ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7
Asmaa Mnebhi <asmaa@nvidia.com>
gpio: mlxbf3: Support shutdown() function
Jie Wang <wangjie125@huawei.com>
net: hns3: fix a deadlock problem when config TC during resetting
Peiyang Wang <wangpeiyang1@huawei.com>
net: hns3: use the user's cfg after reset
Jie Wang <wangjie125@huawei.com>
net: hns3: fix wrong use of semaphore up
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: net: lib: kill PIDs before del netns
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: net: lib: ignore possible errors
Cong Wang <cong.wang@bytedance.com>
vsock: fix recursive ->recvmsg calls
Phil Sutter <phil@nwl.cc>
netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests
Phil Sutter <phil@nwl.cc>
netfilter: nf_tables: Introduce nf_tables_getobj_single
Phil Sutter <phil@nwl.cc>
netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx
Phil Sutter <phil@nwl.cc>
netfilter: nf_tables: nft_obj_filter fits into cb->ctx
Phil Sutter <phil@nwl.cc>
netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx
Phil Sutter <phil@nwl.cc>
netfilter: nf_tables: A better name for nft_obj_filter
Phil Sutter <phil@nwl.cc>
netfilter: nf_tables: Unconditionally allocate nft_obj_filter
Phil Sutter <phil@nwl.cc>
netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj
Phil Sutter <phil@nwl.cc>
netfilter: nf_tables: Audit log dump reset after the fact
Florian Westphal <fw@strlen.de>
netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
Donald Hunter <donald.hunter@gmail.com>
netfilter: flowtable: initialise extack before use
Tom Hughes <tom@compton.nu>
netfilter: allow ipv6 fragments to arrive on different devices
Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
tcp: Update window clamping condition
Eugene Syromiatnikov <esyr@redhat.com>
mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size
David Thompson <davthompson@nvidia.com>
mlxbf_gige: disable RX filters until RX path initialized
Zheng Zhang <everything411@qq.com>
net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb()
Pawel Dembicki <paweldembicki@gmail.com>
net: dsa: vsc73xx: check busy flag in MDIO operations
Pawel Dembicki <paweldembicki@gmail.com>
net: dsa: vsc73xx: use read_poll_timeout instead delay loop
Pawel Dembicki <paweldembicki@gmail.com>
net: dsa: vsc73xx: pass value in phy_write operation
Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
net: axienet: Fix register defines comment description
Dan Carpenter <dan.carpenter@linaro.org>
atm: idt77252: prevent use after free in dequeue_rx()
Cosmin Ratiu <cratiu@nvidia.com>
net/mlx5e: Correctly report errors for ethtool rx flows
Dragos Tatulea <dtatulea@nvidia.com>
net/mlx5e: Take state lock during tx timeout reporter
Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
igc: Fix reset adapter logics when tx mode change
Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
igc: Fix qbv_config_change_errors logics
Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer
Leon Hwang <leon.hwang@linux.dev>
bpf: Fix updating attached freplace prog in prog_array map
Claudio Imbrenda <imbrenda@linux.ibm.com>
s390/uv: Panic for set and remove shared access UVC errors
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/jpeg4: properly set atomics vmid field
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/jpeg2: properly set atomics vmid field
Al Viro <viro@zeniv.linux.org.uk>
memcg_write_event_control(): fix a user-triggerable oops
Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
drm/amdgpu: Actually check flags for all context ops.
Qu Wenruo <wqu@suse.com>
btrfs: tree-checker: add dev extent item checks
Naohiro Aota <naohiro.aota@wdc.com>
btrfs: zoned: properly take lock to read/update block group's zoned variables
Qu Wenruo <wqu@suse.com>
btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type
Waiman Long <longman@redhat.com>
mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu
Zhen Lei <thunder.leizhen@huawei.com>
selinux: add the processing of the failure of avc_add_xperms_decision()
Zhen Lei <thunder.leizhen@huawei.com>
selinux: fix potential counting error in avc_add_xperms_decision()
Max Kellermann <max.kellermann@ionos.com>
fs/netfs/fscache_cookie: add missing "n_accesses" check
Janne Grunau <j@jannau.net>
wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion
Long Li <longli@microsoft.com>
net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings
Haiyang Zhang <haiyangz@microsoft.com>
net: mana: Fix RX buf alloc_size alignment and atomic op panic
Dan Carpenter <dan.carpenter@linaro.org>
rtla/osnoise: Prevent NULL dereference in error handling
Andi Shyti <andi.shyti@kernel.org>
i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume
Al Viro <viro@zeniv.linux.org.uk>
fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
Alexander Lobakin <aleksander.lobakin@intel.com>
bitmap: introduce generic optimized bitmap_size()
Alexander Lobakin <aleksander.lobakin@intel.com>
btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
Alexander Lobakin <aleksander.lobakin@intel.com>
s390/cio: rename bitmap_size() -> idset_bitmap_size()
Alexander Lobakin <aleksander.lobakin@intel.com>
fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()
Zhihao Cheng <chengzhihao1@huawei.com>
vfs: Don't evict inode under the inode lru traversing context
Mikulas Patocka <mpatocka@redhat.com>
dm persistent data: fix memory allocation failure
Khazhismel Kumykov <khazhy@google.com>
dm resume: don't return EINVAL when signalled
Haibo Xu <haibo1.xu@intel.com>
arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: EC: Evaluate _REG outside the EC scope more carefully
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPICA: Add a depth argument to acpi_execute_reg_methods()
Breno Leitao <leitao@debian.org>
i2c: tegra: Do not mark ACPI devices as irq safe
Nam Cao <namcao@linutronix.de>
riscv: change XIP's kernel_map.size to be size of the entire kernel
Michael Mueller <mimu@linux.ibm.com>
KVM: s390: fix validity interception issue when gisa is switched off
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: fix error recovery leading to data corruption on ESE devices
Baojun Xu <baojun.xu@ti.com>
ALSA: hda/tas2781: fix wrong calibrated data order
Mika Westerberg <mika.westerberg@linux.intel.com>
thunderbolt: Mark XDomain as unplugged when router is removed
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
Juan José Arboleda <soyjuanarbol@gmail.com>
ALSA: usb-audio: Support Yamaha P-125 quirk entry
Lianqin Hu <hulianqin@vivo.com>
ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET
Eli Billauer <eli.billauer@gmail.com>
char: xillybus: Check USB endpoints when probing device
Eli Billauer <eli.billauer@gmail.com>
char: xillybus: Refine workqueue handling
Eli Billauer <eli.billauer@gmail.com>
char: xillybus: Don't destroy workqueue from work item running on it
Jann Horn <jannh@google.com>
fuse: Initialize beyond-EOF page contents before setting uptodate
Paul Moore <paul@paul-moore.com>
selinux: revert our use of vma_is_initial_heap()
Xu Yang <xu.yang_2@nxp.com>
Revert "usb: typec: tcpm: clear pd_event queue in PORT_RESET"
Griffin Kroah-Hartman <griffin@kroah.com>
Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD"
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Revert "ACPI: EC: Evaluate orphan _REG under EC device"
Mathieu Othacehe <othacehe@gnu.org>
tty: atmel_serial: use the correct RTS flag.
Peng Fan <peng.fan@nxp.com>
tty: serial: fsl_lpuart: mark last busy before uart_add_one_port
-------------
Diffstat:
Documentation/ABI/testing/sysfs-devices-system-cpu | 3 +-
Makefile | 4 +-
arch/alpha/kernel/pci_iommu.c | 2 +-
arch/arm64/kernel/acpi_numa.c | 2 +-
arch/arm64/kernel/setup.c | 3 -
arch/arm64/kernel/smp.c | 2 +
arch/arm64/kvm/sys_regs.c | 6 +
arch/arm64/kvm/vgic/vgic.h | 7 +
arch/mips/jazz/jazzdma.c | 2 +-
arch/mips/kernel/cpu-probe.c | 4 +
arch/openrisc/kernel/setup.c | 6 +-
arch/parisc/kernel/irq.c | 4 +-
arch/powerpc/boot/simple_alloc.c | 7 +-
arch/powerpc/include/asm/topology.h | 13 ++
arch/powerpc/kernel/dma-iommu.c | 2 +-
arch/powerpc/platforms/ps3/system-bus.c | 4 +-
arch/powerpc/platforms/pseries/papr-sysparm.c | 47 +++++
arch/powerpc/platforms/pseries/vio.c | 2 +-
arch/powerpc/sysdev/xics/icp-native.c | 2 +
arch/riscv/include/asm/asm.h | 10 +
arch/riscv/kernel/entry.S | 3 +
arch/riscv/kernel/traps.c | 3 +-
arch/riscv/mm/init.c | 4 +-
arch/s390/include/asm/uv.h | 5 +-
arch/s390/kernel/early.c | 12 +-
arch/s390/kernel/smp.c | 4 +-
arch/s390/kvm/kvm-s390.h | 7 +-
arch/x86/kernel/amd_gart_64.c | 2 +-
arch/x86/kernel/process.c | 5 +-
block/blk-mq-tag.c | 5 +-
drivers/accel/habanalabs/common/debugfs.c | 14 +-
drivers/accel/habanalabs/common/irq.c | 3 +
drivers/accel/habanalabs/common/memory.c | 15 +-
drivers/accel/habanalabs/gaudi2/gaudi2_security.c | 1 +
drivers/acpi/acpica/acevents.h | 6 +-
drivers/acpi/acpica/evregion.c | 12 +-
drivers/acpi/acpica/evxfregn.c | 64 +-----
drivers/acpi/ec.c | 14 +-
drivers/acpi/internal.h | 1 +
drivers/acpi/scan.c | 2 +
drivers/atm/idt77252.c | 9 +-
drivers/char/xillybus/xillyusb.c | 42 +++-
drivers/clk/visconti/pll.c | 6 +-
drivers/clocksource/arm_global_timer.c | 11 +-
drivers/edac/skx_common.c | 4 +
drivers/firmware/cirrus/cs_dsp.c | 7 +-
drivers/gpio/gpio-mlxbf3.c | 14 ++
drivers/gpio/gpiolib-sysfs.c | 15 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 40 +++-
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 3 +
drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 8 +
drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | 3 +
drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 53 +++--
drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 6 +-
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 13 +-
drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 13 +-
drivers/gpu/drm/amd/amdgpu/imu_v11_0.c | 2 +-
drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 4 +-
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 63 +++++-
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h | 6 +
drivers/gpu/drm/amd/amdgpu/soc15d.h | 6 +
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 24 ++-
.../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 4 +-
.../drm/amd/display/dc/dcn321/dcn321_resource.c | 3 +
drivers/gpu/drm/amd/pm/amdgpu_pm.c | 14 +-
drivers/gpu/drm/bridge/tc358768.c | 215 +++++++++++++++++---
drivers/gpu/drm/lima/lima_gp.c | 12 ++
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 96 ++++++---
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h | 22 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h | 9 +-
.../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 43 +---
.../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 22 +-
.../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 21 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 14 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 23 ++-
drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 +
drivers/gpu/drm/msm/dp/dp_panel.c | 19 +-
drivers/gpu/drm/msm/msm_drv.h | 12 --
drivers/gpu/drm/msm/msm_gem_shrinker.c | 2 +-
drivers/gpu/drm/msm/msm_mdss.c | 84 +++++---
drivers/gpu/drm/msm/msm_mdss.h | 1 +
drivers/gpu/drm/nouveau/nvkm/core/firmware.c | 9 +-
drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 6 +
drivers/gpu/drm/panel/panel-novatek-nt36523.c | 6 +-
drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 5 +
drivers/gpu/drm/tegra/gem.c | 2 +-
drivers/hid/wacom_wac.c | 4 +-
drivers/hwmon/ltc2992.c | 8 +-
drivers/hwmon/pc87360.c | 6 +-
drivers/i2c/busses/i2c-qcom-geni.c | 4 +-
drivers/i2c/busses/i2c-riic.c | 2 +-
drivers/i2c/busses/i2c-stm32f7.c | 51 ++++-
drivers/i2c/busses/i2c-tegra.c | 4 +-
drivers/i3c/master/mipi-i3c-hci/dma.c | 5 +-
drivers/infiniband/hw/hfi1/chip.c | 5 +-
drivers/infiniband/ulp/rtrs/rtrs.c | 2 +-
drivers/input/input-mt.c | 3 +
drivers/input/serio/i8042-acpipnpio.h | 20 +-
drivers/input/serio/i8042.c | 10 +-
drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 1 +
drivers/iommu/dma-iommu.c | 2 +-
drivers/irqchip/irq-gic-v3-its.c | 2 -
drivers/irqchip/irq-renesas-rzg2l.c | 5 +-
drivers/md/dm-clone-metadata.c | 5 -
drivers/md/dm-ioctl.c | 22 +-
drivers/md/dm.c | 4 +-
drivers/md/md.c | 5 -
drivers/md/persistent-data/dm-space-map-metadata.c | 4 +-
drivers/md/raid5-cache.c | 47 +++--
drivers/media/dvb-core/dvb_frontend.c | 12 +-
drivers/media/pci/cx23885/cx23885-video.c | 8 +
drivers/media/platform/qcom/venus/pm_helpers.c | 2 +-
.../media/platform/samsung/s5p-mfc/s5p_mfc_enc.c | 2 +-
drivers/media/radio/radio-isa.c | 2 +-
drivers/memory/stm32-fmc2-ebi.c | 122 +++++++----
drivers/memory/tegra/tegra186.c | 3 +
drivers/misc/fastrpc.c | 22 +-
drivers/mmc/core/mmc_test.c | 9 +-
drivers/mmc/host/dw_mmc.c | 8 +
drivers/mmc/host/mtk-sd.c | 8 +-
drivers/net/bonding/bond_main.c | 21 +-
drivers/net/bonding/bond_options.c | 2 +-
drivers/net/dsa/microchip/ksz_ptp.c | 5 +-
drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 +-
drivers/net/dsa/ocelot/felix.c | 11 +
drivers/net/dsa/vitesse-vsc73xx-core.c | 69 +++++--
drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 5 -
drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 +-
.../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 7 +-
drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 +
.../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 28 ++-
.../net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 +-
.../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 3 +
.../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 +-
drivers/net/ethernet/i825xx/sun3_82586.c | 2 +-
drivers/net/ethernet/intel/ice/ice_base.c | 21 +-
drivers/net/ethernet/intel/ice/ice_txrx.c | 47 +----
drivers/net/ethernet/intel/igb/igb_main.c | 1 +
drivers/net/ethernet/intel/igc/igc_defines.h | 6 +
drivers/net/ethernet/intel/igc/igc_main.c | 8 +-
drivers/net/ethernet/intel/igc/igc_tsn.c | 76 +++++--
drivers/net/ethernet/intel/igc/igc_tsn.h | 1 +
.../net/ethernet/marvell/octeontx2/af/rvu_cpt.c | 23 +--
drivers/net/ethernet/mediatek/mtk_wed.c | 6 +-
drivers/net/ethernet/mediatek/mtk_wed_mcu.c | 3 +
.../ethernet/mellanox/mlx5/core/en/reporter_tx.c | 2 +
.../ethernet/mellanox/mlx5/core/en_fs_ethtool.c | 2 +-
.../net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h | 8 +
.../ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c | 10 +
.../ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h | 2 +
.../ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c | 50 ++++-
drivers/net/ethernet/microsoft/mana/mana_en.c | 28 ++-
drivers/net/ethernet/mscc/ocelot.c | 91 ++++++++-
drivers/net/ethernet/mscc/ocelot_fdma.c | 3 +-
drivers/net/ethernet/mscc/ocelot_vsc7514.c | 4 +
.../net/ethernet/pensando/ionic/ionic_bus_pci.c | 9 +-
drivers/net/ethernet/pensando/ionic/ionic_dev.c | 33 ++-
.../net/ethernet/pensando/ionic/ionic_ethtool.c | 7 +-
drivers/net/ethernet/pensando/ionic/ionic_fw.c | 5 +
drivers/net/ethernet/pensando/ionic/ionic_main.c | 3 +
drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c | 6 +-
drivers/net/ethernet/xilinx/xilinx_axienet.h | 17 +-
drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 25 +--
drivers/net/gtp.c | 3 +
drivers/net/wireless/ath/ath11k/mac.c | 42 ++--
drivers/net/wireless/ath/ath12k/mac.c | 27 ++-
drivers/net/wireless/ath/ath12k/qmi.c | 7 +
.../broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +-
drivers/net/wireless/intel/iwlwifi/fw/debugfs.c | 6 +-
drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 6 +-
drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 3 +
drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 7 +-
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +-
drivers/net/wireless/mediatek/mt76/mac80211.c | 50 ++++-
drivers/net/wireless/mediatek/mt76/mt76.h | 24 +--
drivers/net/wireless/mediatek/mt76/mt7603/main.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt7615/main.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt76x02_util.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt7915/main.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt792x_core.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt7996/main.c | 4 +-
drivers/net/wireless/mediatek/mt76/tx.c | 108 ++++++++--
drivers/net/wireless/st/cw1200/txrx.c | 2 +-
drivers/nvme/host/core.c | 107 ++++++----
drivers/nvme/host/ioctl.c | 15 +-
drivers/nvme/host/multipath.c | 21 +-
drivers/nvme/host/nvme.h | 4 +-
drivers/nvme/target/rdma.c | 16 +-
drivers/nvme/target/tcp.c | 1 +
drivers/nvme/target/trace.c | 6 +-
drivers/nvme/target/trace.h | 28 ++-
drivers/parisc/ccio-dma.c | 2 +-
drivers/parisc/sba_iommu.c | 2 +-
drivers/platform/surface/aggregator/controller.c | 3 +-
drivers/platform/x86/intel/ifs/load.c | 9 +
drivers/platform/x86/lg-laptop.c | 2 +-
drivers/pmdomain/imx/imx93-pd.c | 5 +-
drivers/pmdomain/imx/scu-pd.c | 5 -
drivers/rtc/rtc-nct3018y.c | 6 +-
drivers/s390/block/dasd.c | 36 ++--
drivers/s390/block/dasd_3990_erp.c | 10 +-
drivers/s390/block/dasd_diag.c | 1 -
drivers/s390/block/dasd_eckd.c | 58 +++---
drivers/s390/block/dasd_int.h | 2 +-
drivers/s390/cio/idset.c | 12 +-
drivers/scsi/lpfc/lpfc_sli.c | 2 +-
drivers/scsi/scsi_transport_spi.c | 4 +-
drivers/ssb/main.c | 2 +-
drivers/staging/iio/resolver/ad2s1210.c | 7 +-
drivers/staging/ks7010/ks7010_sdio.c | 4 +-
drivers/thunderbolt/switch.c | 1 +
drivers/tty/serial/atmel_serial.c | 2 +-
drivers/tty/serial/fsl_lpuart.c | 1 +
drivers/usb/dwc3/core.c | 13 ++
drivers/usb/gadget/udc/fsl_udc_core.c | 2 +-
drivers/usb/host/xhci.c | 8 +-
drivers/usb/typec/tcpm/tcpm.c | 1 -
drivers/xen/grant-dma-ops.c | 2 +-
drivers/xen/swiotlb-xen.c | 2 +-
fs/afs/file.c | 8 +-
fs/binfmt_elf_fdpic.c | 2 +-
fs/binfmt_misc.c | 216 +++++++++++++++-----
fs/btrfs/compression.c | 23 ++-
fs/btrfs/compression.h | 2 +-
fs/btrfs/defrag.c | 2 +-
fs/btrfs/delayed-inode.c | 4 +-
fs/btrfs/disk-io.c | 2 +
fs/btrfs/extent_io.c | 4 +-
fs/btrfs/free-space-cache.c | 22 +-
fs/btrfs/inode.c | 24 ++-
fs/btrfs/ioctl.c | 2 +-
fs/btrfs/qgroup.c | 2 -
fs/btrfs/reflink.c | 6 +-
fs/btrfs/send.c | 71 +++++--
fs/btrfs/super.c | 2 +-
fs/btrfs/tests/extent-io-tests.c | 28 ++-
fs/btrfs/tree-checker.c | 74 ++++++-
fs/btrfs/zlib.c | 73 ++-----
fs/ext4/extents.c | 3 +-
fs/ext4/mballoc.c | 3 +
fs/f2fs/segment.c | 17 +-
fs/file.c | 28 ++-
fs/fscache/cookie.c | 4 +
fs/fuse/cuse.c | 3 +-
fs/fuse/dev.c | 6 +-
fs/fuse/fuse_i.h | 1 +
fs/fuse/inode.c | 15 +-
fs/fuse/virtio_fs.c | 10 +
fs/gfs2/inode.c | 2 +-
fs/gfs2/super.c | 2 +
fs/inode.c | 39 +++-
fs/jfs/jfs_dinode.h | 2 +-
fs/jfs/jfs_imap.c | 6 +-
fs/jfs/jfs_incore.h | 2 +-
fs/jfs/jfs_txnmgr.c | 4 +-
fs/jfs/jfs_xtree.c | 4 +-
fs/jfs/jfs_xtree.h | 37 ++--
fs/kernfs/file.c | 8 +-
fs/nfs/pnfs.c | 8 +
fs/nfsd/nfssvc.c | 14 +-
fs/ntfs3/bitmap.c | 4 +-
fs/ntfs3/fsntfs.c | 2 +-
fs/ntfs3/index.c | 11 +-
fs/ntfs3/ntfs_fs.h | 4 +-
fs/ntfs3/super.c | 2 +-
fs/quota/dquot.c | 5 +-
fs/smb/client/reparse.c | 11 +-
fs/smb/server/connection.c | 34 +++-
fs/smb/server/connection.h | 3 +-
fs/smb/server/mgmt/user_session.c | 8 +
fs/smb/server/smb2pdu.c | 5 +-
include/acpi/acpixf.h | 5 +-
include/linux/bitmap.h | 20 +-
include/linux/bpf_verifier.h | 4 +-
include/linux/cpumask.h | 2 +-
include/linux/dma-map-ops.h | 2 +-
include/linux/dsa/ocelot.h | 47 +++++
include/linux/evm.h | 6 +
include/linux/f2fs_fs.h | 1 +
include/linux/fs.h | 5 +
include/net/af_vsock.h | 4 +
include/net/inet_timewait_sock.h | 2 +-
include/net/kcm.h | 1 +
include/net/mana/mana.h | 1 +
include/net/tcp.h | 2 +-
include/scsi/scsi_cmnd.h | 2 +-
include/soc/mscc/ocelot.h | 12 +-
include/uapi/misc/fastrpc.h | 3 -
init/Kconfig | 7 +-
kernel/bpf/verifier.c | 5 +-
kernel/cgroup/cgroup.c | 4 +-
kernel/cpu.c | 12 +-
kernel/dma/mapping.c | 4 +-
kernel/rcu/rcu.h | 7 +
kernel/rcu/srcutiny.c | 1 +
kernel/rcu/srcutree.c | 1 +
kernel/rcu/tasks.h | 1 +
kernel/rcu/tiny.c | 1 +
kernel/rcu/tree.c | 3 +-
kernel/sched/topology.c | 3 +
kernel/time/clocksource.c | 42 ++--
kernel/time/hrtimer.c | 5 +-
kernel/time/tick-sched.h | 2 +-
lib/cpumask.c | 4 +-
lib/math/prime_numbers.c | 2 -
mm/huge_memory.c | 30 ++-
mm/memcontrol.c | 7 +-
mm/memory-failure.c | 20 +-
mm/memory.c | 33 ++-
mm/page_alloc.c | 42 ++--
mm/vmalloc.c | 11 +-
net/bluetooth/bnep/core.c | 3 +-
net/bluetooth/hci_conn.c | 11 +-
net/bluetooth/hci_core.c | 19 +-
net/bluetooth/mgmt.c | 4 +
net/bluetooth/smp.c | 146 ++++++-------
net/bridge/br_netfilter_hooks.c | 6 +-
net/core/sock_map.c | 6 -
net/dccp/ipv4.c | 2 +-
net/dccp/ipv6.c | 6 -
net/dsa/tag_ocelot.c | 37 +---
net/ipv4/inet_timewait_sock.c | 16 +-
net/ipv4/tcp_input.c | 28 ++-
net/ipv4/tcp_ipv4.c | 16 +-
net/ipv4/tcp_minisocks.c | 7 +-
net/ipv4/udp_offload.c | 3 +-
net/ipv6/ip6_output.c | 10 +
net/ipv6/ip6_tunnel.c | 12 +-
net/ipv6/netfilter/nf_conntrack_reasm.c | 4 +
net/ipv6/tcp_ipv6.c | 6 -
net/iucv/iucv.c | 3 +-
net/kcm/kcmsock.c | 4 +
net/mac80211/agg-tx.c | 6 +-
net/mac80211/driver-ops.c | 3 -
net/mac80211/iface.c | 14 ++
net/mac80211/main.c | 22 +-
net/mac80211/sta_info.c | 46 +++--
net/mctp/test/route-test.c | 2 +-
net/mptcp/diag.c | 2 +-
net/mptcp/pm.c | 13 --
net/mptcp/pm_netlink.c | 142 ++++++++-----
net/mptcp/protocol.h | 3 -
net/netfilter/nf_flow_table_inet.c | 3 +
net/netfilter/nf_flow_table_ip.c | 3 +
net/netfilter/nf_flow_table_offload.c | 2 +-
net/netfilter/nf_tables_api.c | 225 ++++++++++++---------
net/netfilter/nfnetlink_queue.c | 35 +++-
net/netfilter/nft_counter.c | 9 +-
net/netlink/af_netlink.c | 13 +-
net/openvswitch/datapath.c | 2 +-
net/rxrpc/rxkad.c | 8 +-
net/sched/sch_netem.c | 47 +++--
net/vmw_vsock/af_vsock.c | 50 +++--
net/vmw_vsock/vsock_bpf.c | 4 +-
net/wireless/core.h | 8 +-
scripts/rust_is_available.sh | 6 +-
security/integrity/evm/evm_main.c | 7 +
security/security.c | 2 +-
security/selinux/avc.c | 8 +-
security/selinux/hooks.c | 12 +-
sound/core/timer.c | 2 +-
sound/pci/hda/patch_realtek.c | 1 -
sound/pci/hda/tas2781_hda_i2c.c | 14 +-
sound/soc/codecs/cs35l45.c | 5 +-
sound/soc/sof/intel/hda-dsp.c | 3 +
sound/soc/sof/ipc4.c | 9 +-
sound/usb/quirks-table.h | 1 +
sound/usb/quirks.c | 2 +
tools/include/linux/bitmap.h | 7 +-
.../testing/selftests/bpf/progs/cpumask_failure.c | 3 -
tools/testing/selftests/bpf/progs/dynptr_fail.c | 12 +-
tools/testing/selftests/bpf/progs/iters.c | 54 +++++
.../selftests/bpf/progs/jeq_infer_not_null_fail.c | 4 +
.../testing/selftests/bpf/progs/test_tunnel_kern.c | 47 +++--
tools/testing/selftests/core/close_range_test.c | 35 ++++
tools/testing/selftests/mm/Makefile | 2 +
tools/testing/selftests/mm/run_vmtests.sh | 53 ++++-
tools/testing/selftests/net/lib.sh | 11 +-
tools/testing/selftests/net/mptcp/mptcp_join.sh | 28 ++-
tools/testing/selftests/net/udpgro.sh | 44 ++--
tools/testing/selftests/tc-testing/tdc.py | 1 -
tools/tracing/rtla/src/osnoise_top.c | 11 +-
386 files changed, 3829 insertions(+), 1937 deletions(-)
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 001/341] tty: serial: fsl_lpuart: mark last busy before uart_add_one_port
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
@ 2024-08-27 14:33 ` Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 002/341] tty: atmel_serial: use the correct RTS flag Greg Kroah-Hartman
` (352 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Peng Fan
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
commit dc98d76a15bc29a9a4e76f2f65f39f3e590fb15c upstream.
With "earlycon initcall_debug=1 loglevel=8" in bootargs, kernel
sometimes boot hang. It is because normal console still is not ready,
but runtime suspend is called, so early console putchar will hang
in waiting TRDE set in UARTSTAT.
The lpuart driver has auto suspend delay set to 3000ms, but during
uart_add_one_port, a child device serial ctrl will added and probed with
its pm runtime enabled(see serial_ctrl.c).
The runtime suspend call path is:
device_add
|-> bus_probe_device
|->device_initial_probe
|->__device_attach
|-> pm_runtime_get_sync(dev->parent);
|-> pm_request_idle(dev);
|-> pm_runtime_put(dev->parent);
So in the end, before normal console ready, the lpuart get runtime
suspended. And earlycon putchar will hang.
To address the issue, mark last busy just after pm_runtime_enable,
three seconds is long enough to switch from bootconsole to normal
console.
Fixes: 43543e6f539b ("tty: serial: fsl_lpuart: Add runtime pm support")
Cc: stable <stable@kernel.org>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://lore.kernel.org/r/20240808140325.580105-1-peng.fan@oss.nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/fsl_lpuart.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -2930,6 +2930,7 @@ static int lpuart_probe(struct platform_
pm_runtime_set_autosuspend_delay(&pdev->dev, UART_AUTOSUSPEND_TIMEOUT);
pm_runtime_set_active(&pdev->dev);
pm_runtime_enable(&pdev->dev);
+ pm_runtime_mark_last_busy(&pdev->dev);
ret = lpuart_global_reset(sport);
if (ret)
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 002/341] tty: atmel_serial: use the correct RTS flag.
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 001/341] tty: serial: fsl_lpuart: mark last busy before uart_add_one_port Greg Kroah-Hartman
@ 2024-08-27 14:33 ` Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 003/341] Revert "ACPI: EC: Evaluate orphan _REG under EC device" Greg Kroah-Hartman
` (351 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Othacehe, stable,
Alexander Dahl
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathieu Othacehe <othacehe@gnu.org>
commit c9f6613b16123989f2c3bd04b1d9b2365d6914e7 upstream.
In RS485 mode, the RTS pin is driven high by hardware when the transmitter
is operating. This behaviour cannot be changed. This means that the driver
should claim that it supports SER_RS485_RTS_ON_SEND and not
SER_RS485_RTS_AFTER_SEND.
Otherwise, when configuring the port with the SER_RS485_RTS_ON_SEND, one
get the following warning:
kern.warning kernel: atmel_usart_serial atmel_usart_serial.2.auto:
ttyS1 (1): invalid RTS setting, using RTS_AFTER_SEND instead
which is contradictory with what's really happening.
Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
Cc: stable <stable@kernel.org>
Tested-by: Alexander Dahl <ada@thorsis.com>
Fixes: af47c491e3c7 ("serial: atmel: Fill in rs485_supported")
Link: https://lore.kernel.org/r/20240808060637.19886-1-othacehe@gnu.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/atmel_serial.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -2522,7 +2522,7 @@ static const struct uart_ops atmel_pops
};
static const struct serial_rs485 atmel_rs485_supported = {
- .flags = SER_RS485_ENABLED | SER_RS485_RTS_AFTER_SEND | SER_RS485_RX_DURING_TX,
+ .flags = SER_RS485_ENABLED | SER_RS485_RTS_ON_SEND | SER_RS485_RX_DURING_TX,
.delay_rts_before_send = 1,
.delay_rts_after_send = 1,
};
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 003/341] Revert "ACPI: EC: Evaluate orphan _REG under EC device"
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 001/341] tty: serial: fsl_lpuart: mark last busy before uart_add_one_port Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 002/341] tty: atmel_serial: use the correct RTS flag Greg Kroah-Hartman
@ 2024-08-27 14:33 ` Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 004/341] Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD" Greg Kroah-Hartman
` (350 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Hans de Goede
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 779bac9994452f6a894524f70c00cfb0cd4b6364 upstream.
This reverts commit 0e6b6dedf168 ("Revert "ACPI: EC: Evaluate orphan
_REG under EC device") because the problem addressed by it will be
addressed differently in what follows.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Cc: All applicable <stable@vger.kernel.org>
Link: https://patch.msgid.link/3236716.5fSG56mABF@rjwysocki.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/acpica/acevents.h | 4 ---
drivers/acpi/acpica/evregion.c | 6 +++-
drivers/acpi/acpica/evxfregn.c | 54 -----------------------------------------
drivers/acpi/ec.c | 3 --
include/acpi/acpixf.h | 4 ---
5 files changed, 5 insertions(+), 66 deletions(-)
--- a/drivers/acpi/acpica/acevents.h
+++ b/drivers/acpi/acpica/acevents.h
@@ -191,10 +191,6 @@ void
acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
acpi_adr_space_type space_id, u32 function);
-void
-acpi_ev_execute_orphan_reg_method(struct acpi_namespace_node *node,
- acpi_adr_space_type space_id);
-
acpi_status
acpi_ev_execute_reg_method(union acpi_operand_object *region_obj, u32 function);
--- a/drivers/acpi/acpica/evregion.c
+++ b/drivers/acpi/acpica/evregion.c
@@ -20,6 +20,10 @@ extern u8 acpi_gbl_default_address_space
/* Local prototypes */
+static void
+acpi_ev_execute_orphan_reg_method(struct acpi_namespace_node *device_node,
+ acpi_adr_space_type space_id);
+
static acpi_status
acpi_ev_reg_run(acpi_handle obj_handle,
u32 level, void *context, void **return_value);
@@ -814,7 +818,7 @@ acpi_ev_reg_run(acpi_handle obj_handle,
*
******************************************************************************/
-void
+static void
acpi_ev_execute_orphan_reg_method(struct acpi_namespace_node *device_node,
acpi_adr_space_type space_id)
{
--- a/drivers/acpi/acpica/evxfregn.c
+++ b/drivers/acpi/acpica/evxfregn.c
@@ -306,57 +306,3 @@ acpi_execute_reg_methods(acpi_handle dev
}
ACPI_EXPORT_SYMBOL(acpi_execute_reg_methods)
-
-/*******************************************************************************
- *
- * FUNCTION: acpi_execute_orphan_reg_method
- *
- * PARAMETERS: device - Handle for the device
- * space_id - The address space ID
- *
- * RETURN: Status
- *
- * DESCRIPTION: Execute an "orphan" _REG method that appears under an ACPI
- * device. This is a _REG method that has no corresponding region
- * within the device's scope.
- *
- ******************************************************************************/
-acpi_status
-acpi_execute_orphan_reg_method(acpi_handle device, acpi_adr_space_type space_id)
-{
- struct acpi_namespace_node *node;
- acpi_status status;
-
- ACPI_FUNCTION_TRACE(acpi_execute_orphan_reg_method);
-
- /* Parameter validation */
-
- if (!device) {
- return_ACPI_STATUS(AE_BAD_PARAMETER);
- }
-
- status = acpi_ut_acquire_mutex(ACPI_MTX_NAMESPACE);
- if (ACPI_FAILURE(status)) {
- return_ACPI_STATUS(status);
- }
-
- /* Convert and validate the device handle */
-
- node = acpi_ns_validate_handle(device);
- if (node) {
-
- /*
- * If an "orphan" _REG method is present in the device's scope
- * for the given address space ID, run it.
- */
-
- acpi_ev_execute_orphan_reg_method(node, space_id);
- } else {
- status = AE_BAD_PARAMETER;
- }
-
- (void)acpi_ut_release_mutex(ACPI_MTX_NAMESPACE);
- return_ACPI_STATUS(status);
-}
-
-ACPI_EXPORT_SYMBOL(acpi_execute_orphan_reg_method)
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -1507,9 +1507,6 @@ static int ec_install_handlers(struct ac
if (call_reg && !test_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags)) {
acpi_execute_reg_methods(scope_handle, ACPI_ADR_SPACE_EC);
- if (scope_handle != ec->handle)
- acpi_execute_orphan_reg_method(ec->handle, ACPI_ADR_SPACE_EC);
-
set_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags);
}
--- a/include/acpi/acpixf.h
+++ b/include/acpi/acpixf.h
@@ -663,10 +663,6 @@ ACPI_EXTERNAL_RETURN_STATUS(acpi_status
acpi_adr_space_type
space_id))
ACPI_EXTERNAL_RETURN_STATUS(acpi_status
- acpi_execute_orphan_reg_method(acpi_handle device,
- acpi_adr_space_type
- space_id))
-ACPI_EXTERNAL_RETURN_STATUS(acpi_status
acpi_remove_address_space_handler(acpi_handle
device,
acpi_adr_space_type
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 004/341] Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD"
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2024-08-27 14:33 ` [PATCH 6.6 003/341] Revert "ACPI: EC: Evaluate orphan _REG under EC device" Greg Kroah-Hartman
@ 2024-08-27 14:33 ` Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 005/341] Revert "usb: typec: tcpm: clear pd_event queue in PORT_RESET" Greg Kroah-Hartman
` (349 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Ekansh Gupta,
Dmitry Baryshkov, Joel Selvaraj, Griffin Kroah-Hartman,
Srinivas Kandagatla
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Griffin Kroah-Hartman <griffin@kroah.com>
commit 9bb5e74b2bf88fbb024bb15ded3b011e02c673be upstream.
This reverts commit bab2f5e8fd5d2f759db26b78d9db57412888f187.
Joel reported that this commit breaks userspace and stops sensors in
SDM845 from working. Also breaks other qcom SoC devices running postmarketOS.
Cc: stable <stable@kernel.org>
Cc: Ekansh Gupta <quic_ekangupt@quicinc.com>
Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reported-by: Joel Selvaraj <joelselvaraj.oss@gmail.com>
Link: https://lore.kernel.org/r/9a9f5646-a554-4b65-8122-d212bb665c81@umsystem.edu
Signed-off-by: Griffin Kroah-Hartman <griffin@kroah.com>
Acked-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Fixes: bab2f5e8fd5d ("misc: fastrpc: Restrict untrusted app to attach to privileged PD")
Link: https://lore.kernel.org/r/20240815094920.8242-1-griffin@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/fastrpc.c | 22 +++-------------------
include/uapi/misc/fastrpc.h | 3 ---
2 files changed, 3 insertions(+), 22 deletions(-)
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -2087,16 +2087,6 @@ err_invoke:
return err;
}
-static int is_attach_rejected(struct fastrpc_user *fl)
-{
- /* Check if the device node is non-secure */
- if (!fl->is_secure_dev) {
- dev_dbg(&fl->cctx->rpdev->dev, "untrusted app trying to attach to privileged DSP PD\n");
- return -EACCES;
- }
- return 0;
-}
-
static long fastrpc_device_ioctl(struct file *file, unsigned int cmd,
unsigned long arg)
{
@@ -2109,19 +2099,13 @@ static long fastrpc_device_ioctl(struct
err = fastrpc_invoke(fl, argp);
break;
case FASTRPC_IOCTL_INIT_ATTACH:
- err = is_attach_rejected(fl);
- if (!err)
- err = fastrpc_init_attach(fl, ROOT_PD);
+ err = fastrpc_init_attach(fl, ROOT_PD);
break;
case FASTRPC_IOCTL_INIT_ATTACH_SNS:
- err = is_attach_rejected(fl);
- if (!err)
- err = fastrpc_init_attach(fl, SENSORS_PD);
+ err = fastrpc_init_attach(fl, SENSORS_PD);
break;
case FASTRPC_IOCTL_INIT_CREATE_STATIC:
- err = is_attach_rejected(fl);
- if (!err)
- err = fastrpc_init_create_static_process(fl, argp);
+ err = fastrpc_init_create_static_process(fl, argp);
break;
case FASTRPC_IOCTL_INIT_CREATE:
err = fastrpc_init_create_process(fl, argp);
--- a/include/uapi/misc/fastrpc.h
+++ b/include/uapi/misc/fastrpc.h
@@ -8,14 +8,11 @@
#define FASTRPC_IOCTL_ALLOC_DMA_BUFF _IOWR('R', 1, struct fastrpc_alloc_dma_buf)
#define FASTRPC_IOCTL_FREE_DMA_BUFF _IOWR('R', 2, __u32)
#define FASTRPC_IOCTL_INVOKE _IOWR('R', 3, struct fastrpc_invoke)
-/* This ioctl is only supported with secure device nodes */
#define FASTRPC_IOCTL_INIT_ATTACH _IO('R', 4)
#define FASTRPC_IOCTL_INIT_CREATE _IOWR('R', 5, struct fastrpc_init_create)
#define FASTRPC_IOCTL_MMAP _IOWR('R', 6, struct fastrpc_req_mmap)
#define FASTRPC_IOCTL_MUNMAP _IOWR('R', 7, struct fastrpc_req_munmap)
-/* This ioctl is only supported with secure device nodes */
#define FASTRPC_IOCTL_INIT_ATTACH_SNS _IO('R', 8)
-/* This ioctl is only supported with secure device nodes */
#define FASTRPC_IOCTL_INIT_CREATE_STATIC _IOWR('R', 9, struct fastrpc_init_create_static)
#define FASTRPC_IOCTL_MEM_MAP _IOWR('R', 10, struct fastrpc_mem_map)
#define FASTRPC_IOCTL_MEM_UNMAP _IOWR('R', 11, struct fastrpc_mem_unmap)
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 005/341] Revert "usb: typec: tcpm: clear pd_event queue in PORT_RESET"
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2024-08-27 14:33 ` [PATCH 6.6 004/341] Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD" Greg Kroah-Hartman
@ 2024-08-27 14:33 ` Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 006/341] selinux: revert our use of vma_is_initial_heap() Greg Kroah-Hartman
` (348 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Yang, Heikki Krogerus
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 21ea1ce37fc267dc45fe27517bbde926211683df upstream.
This reverts commit bf20c69cf3cf9c6445c4925dd9a8a6ca1b78bfdf.
During tcpm_init() stage, if the VBUS is still present after
tcpm_reset_port(), then we assume that VBUS will off and goto safe0v
after a specific discharge time. Following a TCPM_VBUS_EVENT event if
VBUS reach to off state. TCPM_VBUS_EVENT event may be set during
PORT_RESET handling stage. If pd_events reset to 0 after TCPM_VBUS_EVENT
set, we will lost this VBUS event. Then the port state machine may stuck
at one state.
Before:
[ 2.570172] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev1 NONE_AMS]
[ 2.570179] state change PORT_RESET -> PORT_RESET_WAIT_OFF [delayed 100 ms]
[ 2.570182] pending state change PORT_RESET_WAIT_OFF -> SNK_UNATTACHED @ 920 ms [rev1 NONE_AMS]
[ 3.490213] state change PORT_RESET_WAIT_OFF -> SNK_UNATTACHED [delayed 920 ms]
[ 3.490220] Start toggling
[ 3.546050] CC1: 0 -> 0, CC2: 0 -> 2 [state TOGGLING, polarity 0, connected]
[ 3.546057] state change TOGGLING -> SRC_ATTACH_WAIT [rev1 NONE_AMS]
After revert this patch, we can see VBUS off event and the port will goto
expected state.
[ 2.441992] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev1 NONE_AMS]
[ 2.441999] state change PORT_RESET -> PORT_RESET_WAIT_OFF [delayed 100 ms]
[ 2.442002] pending state change PORT_RESET_WAIT_OFF -> SNK_UNATTACHED @ 920 ms [rev1 NONE_AMS]
[ 2.442122] VBUS off
[ 2.442125] state change PORT_RESET_WAIT_OFF -> SNK_UNATTACHED [rev1 NONE_AMS]
[ 2.442127] VBUS VSAFE0V
[ 2.442351] CC1: 0 -> 0, CC2: 0 -> 0 [state SNK_UNATTACHED, polarity 0, disconnected]
[ 2.442357] Start toggling
[ 2.491850] CC1: 0 -> 0, CC2: 0 -> 2 [state TOGGLING, polarity 0, connected]
[ 2.491858] state change TOGGLING -> SRC_ATTACH_WAIT [rev1 NONE_AMS]
[ 2.491863] pending state change SRC_ATTACH_WAIT -> SNK_TRY @ 200 ms [rev1 NONE_AMS]
[ 2.691905] state change SRC_ATTACH_WAIT -> SNK_TRY [delayed 200 ms]
Fixes: bf20c69cf3cf ("usb: typec: tcpm: clear pd_event queue in PORT_RESET")
Cc: stable@vger.kernel.org
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20240809112901.535072-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -4880,7 +4880,6 @@ static void run_state_machine(struct tcp
break;
case PORT_RESET:
tcpm_reset_port(port);
- port->pd_events = 0;
if (port->self_powered)
tcpm_set_cc(port, TYPEC_CC_OPEN);
else
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 006/341] selinux: revert our use of vma_is_initial_heap()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2024-08-27 14:33 ` [PATCH 6.6 005/341] Revert "usb: typec: tcpm: clear pd_event queue in PORT_RESET" Greg Kroah-Hartman
@ 2024-08-27 14:33 ` Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 007/341] fuse: Initialize beyond-EOF page contents before setting uptodate Greg Kroah-Hartman
` (347 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Reisner, Paul Moore
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moore <paul@paul-moore.com>
commit 05a3d6e9307250a5911d75308e4363466794ab21 upstream.
Unfortunately it appears that vma_is_initial_heap() is currently broken
for applications that do not currently have any heap allocated, e.g.
brk == start_brk. The breakage is such that it will cause SELinux to
check for the process/execheap permission on memory regions that cross
brk/start_brk even when there is no heap.
The proper fix would be to correct vma_is_initial_heap(), but as there
are multiple callers I am hesitant to unilaterally modify the helper
out of concern that I would end up breaking some other subsystem. The
mm developers have been made aware of the situation and hopefully they
will have a fix at some point in the future, but we need a fix soon so
we are simply going to revert our use of vma_is_initial_heap() in favor
of our old logic/code which works as expected, even in the face of a
zero size heap. We can return to using vma_is_initial_heap() at some
point in the future when it is fixed.
Cc: stable@vger.kernel.org
Reported-by: Marc Reisner <reisner.marc@gmail.com>
Closes: https://lore.kernel.org/all/ZrPmoLKJEf1wiFmM@marcreisner.com
Fixes: 68df1baf158f ("selinux: use vma_is_initial_stack() and vma_is_initial_heap()")
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/hooks.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3835,7 +3835,17 @@ static int selinux_file_mprotect(struct
if (default_noexec &&
(prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
int rc = 0;
- if (vma_is_initial_heap(vma)) {
+ /*
+ * We don't use the vma_is_initial_heap() helper as it has
+ * a history of problems and is currently broken on systems
+ * where there is no heap, e.g. brk == start_brk. Before
+ * replacing the conditional below with vma_is_initial_heap(),
+ * or something similar, please ensure that the logic is the
+ * same as what we have below or you have tested every possible
+ * corner case you can think to test.
+ */
+ if (vma->vm_start >= vma->vm_mm->start_brk &&
+ vma->vm_end <= vma->vm_mm->brk) {
rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
PROCESS__EXECHEAP, NULL);
} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 007/341] fuse: Initialize beyond-EOF page contents before setting uptodate
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2024-08-27 14:33 ` [PATCH 6.6 006/341] selinux: revert our use of vma_is_initial_heap() Greg Kroah-Hartman
@ 2024-08-27 14:33 ` Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 008/341] char: xillybus: Dont destroy workqueue from work item running on it Greg Kroah-Hartman
` (346 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jann Horn, Linus Torvalds
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 3c0da3d163eb32f1f91891efaade027fa9b245b9 upstream.
fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
zeroing (because it can be used to change partial page contents).
So fuse_notify_store() must be more careful to fully initialize page
contents (including parts of the page that are beyond end-of-file)
before marking the page uptodate.
The current code can leave beyond-EOF page contents uninitialized, which
makes these uninitialized page contents visible to userspace via mmap().
This is an information leak, but only affects systems which do not
enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
corresponding kernel command line parameter).
Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574
Cc: stable@kernel.org
Fixes: a1d75f258230 ("fuse: add store request")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1618,9 +1618,11 @@ static int fuse_notify_store(struct fuse
this_num = min_t(unsigned, num, PAGE_SIZE - offset);
err = fuse_copy_page(cs, &page, offset, this_num, 0);
- if (!err && offset == 0 &&
- (this_num == PAGE_SIZE || file_size == end))
+ if (!PageUptodate(page) && !err && offset == 0 &&
+ (this_num == PAGE_SIZE || file_size == end)) {
+ zero_user_segment(page, this_num, PAGE_SIZE);
SetPageUptodate(page);
+ }
unlock_page(page);
put_page(page);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 008/341] char: xillybus: Dont destroy workqueue from work item running on it
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2024-08-27 14:33 ` [PATCH 6.6 007/341] fuse: Initialize beyond-EOF page contents before setting uptodate Greg Kroah-Hartman
@ 2024-08-27 14:33 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 009/341] char: xillybus: Refine workqueue handling Greg Kroah-Hartman
` (345 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+91dbdfecdd3287734d8e, stable,
Eli Billauer
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eli Billauer <eli.billauer@gmail.com>
commit ccbde4b128ef9c73d14d0d7817d68ef795f6d131 upstream.
Triggered by a kref decrement, destroy_workqueue() may be called from
within a work item for destroying its own workqueue. This illegal
situation is averted by adding a module-global workqueue for exclusive
use of the offending work item. Other work items continue to be queued
on per-device workqueues to ensure performance.
Reported-by: syzbot+91dbdfecdd3287734d8e@syzkaller.appspotmail.com
Cc: stable <stable@kernel.org>
Closes: https://lore.kernel.org/lkml/0000000000000ab25a061e1dfe9f@google.com/
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Link: https://lore.kernel.org/r/20240801121126.60183-1-eli.billauer@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/xillybus/xillyusb.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
--- a/drivers/char/xillybus/xillyusb.c
+++ b/drivers/char/xillybus/xillyusb.c
@@ -50,6 +50,7 @@ MODULE_LICENSE("GPL v2");
static const char xillyname[] = "xillyusb";
static unsigned int fifo_buf_order;
+static struct workqueue_struct *wakeup_wq;
#define USB_VENDOR_ID_XILINX 0x03fd
#define USB_VENDOR_ID_ALTERA 0x09fb
@@ -569,10 +570,6 @@ static void cleanup_dev(struct kref *kre
* errors if executed. The mechanism relies on that xdev->error is assigned
* a non-zero value by report_io_error() prior to queueing wakeup_all(),
* which prevents bulk_in_work() from calling process_bulk_in().
- *
- * The fact that wakeup_all() and bulk_in_work() are queued on the same
- * workqueue makes their concurrent execution very unlikely, however the
- * kernel's API doesn't seem to ensure this strictly.
*/
static void wakeup_all(struct work_struct *work)
@@ -627,7 +624,7 @@ static void report_io_error(struct xilly
if (do_once) {
kref_get(&xdev->kref); /* xdev is used by work item */
- queue_work(xdev->workq, &xdev->wakeup_workitem);
+ queue_work(wakeup_wq, &xdev->wakeup_workitem);
}
}
@@ -2258,6 +2255,10 @@ static int __init xillyusb_init(void)
{
int rc = 0;
+ wakeup_wq = alloc_workqueue(xillyname, 0, 0);
+ if (!wakeup_wq)
+ return -ENOMEM;
+
if (LOG2_INITIAL_FIFO_BUF_SIZE > PAGE_SHIFT)
fifo_buf_order = LOG2_INITIAL_FIFO_BUF_SIZE - PAGE_SHIFT;
else
@@ -2265,11 +2266,16 @@ static int __init xillyusb_init(void)
rc = usb_register(&xillyusb_driver);
+ if (rc)
+ destroy_workqueue(wakeup_wq);
+
return rc;
}
static void __exit xillyusb_exit(void)
{
+ destroy_workqueue(wakeup_wq);
+
usb_deregister(&xillyusb_driver);
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 009/341] char: xillybus: Refine workqueue handling
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2024-08-27 14:33 ` [PATCH 6.6 008/341] char: xillybus: Dont destroy workqueue from work item running on it Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 010/341] char: xillybus: Check USB endpoints when probing device Greg Kroah-Hartman
` (344 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Eli Billauer
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eli Billauer <eli.billauer@gmail.com>
commit ad899c301c880766cc709aad277991b3ab671b66 upstream.
As the wakeup work item now runs on a separate workqueue, it needs to be
flushed separately along with flushing the device's workqueue.
Also, move the destroy_workqueue() call to the end of the exit method,
so that deinitialization is done in the opposite order of
initialization.
Fixes: ccbde4b128ef ("char: xillybus: Don't destroy workqueue from work item running on it")
Cc: stable <stable@kernel.org>
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Link: https://lore.kernel.org/r/20240816070200.50695-1-eli.billauer@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/xillybus/xillyusb.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/char/xillybus/xillyusb.c
+++ b/drivers/char/xillybus/xillyusb.c
@@ -2093,9 +2093,11 @@ static int xillyusb_discovery(struct usb
* just after responding with the IDT, there is no reason for any
* work item to be running now. To be sure that xdev->channels
* is updated on anything that might run in parallel, flush the
- * workqueue, which rarely does anything.
+ * device's workqueue and the wakeup work item. This rarely
+ * does anything.
*/
flush_workqueue(xdev->workq);
+ flush_work(&xdev->wakeup_workitem);
xdev->num_channels = num_channels;
@@ -2274,9 +2276,9 @@ static int __init xillyusb_init(void)
static void __exit xillyusb_exit(void)
{
- destroy_workqueue(wakeup_wq);
-
usb_deregister(&xillyusb_driver);
+
+ destroy_workqueue(wakeup_wq);
}
module_init(xillyusb_init);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 010/341] char: xillybus: Check USB endpoints when probing device
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 009/341] char: xillybus: Refine workqueue handling Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 011/341] ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET Greg Kroah-Hartman
` (343 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+eac39cba052f2e750dbe, stable,
Eli Billauer
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eli Billauer <eli.billauer@gmail.com>
commit 2374bf7558de915edc6ec8cb10ec3291dfab9594 upstream.
Ensure, as the driver probes the device, that all endpoints that the
driver may attempt to access exist and are of the correct type.
All XillyUSB devices must have a Bulk IN and Bulk OUT endpoint at
address 1. This is verified in xillyusb_setup_base_eps().
On top of that, a XillyUSB device may have additional Bulk OUT
endpoints. The information about these endpoints' addresses is deduced
from a data structure (the IDT) that the driver fetches from the device
while probing it. These endpoints are checked in setup_channels().
A XillyUSB device never has more than one IN endpoint, as all data
towards the host is multiplexed in this single Bulk IN endpoint. This is
why setup_channels() only checks OUT endpoints.
Reported-by: syzbot+eac39cba052f2e750dbe@syzkaller.appspotmail.com
Cc: stable <stable@kernel.org>
Closes: https://lore.kernel.org/all/0000000000001d44a6061f7a54ee@google.com/T/
Fixes: a53d1202aef1 ("char: xillybus: Add driver for XillyUSB (Xillybus variant for USB)").
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Link: https://lore.kernel.org/r/20240816070200.50695-2-eli.billauer@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/xillybus/xillyusb.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
--- a/drivers/char/xillybus/xillyusb.c
+++ b/drivers/char/xillybus/xillyusb.c
@@ -1903,6 +1903,13 @@ static const struct file_operations xill
static int xillyusb_setup_base_eps(struct xillyusb_dev *xdev)
{
+ struct usb_device *udev = xdev->udev;
+
+ /* Verify that device has the two fundamental bulk in/out endpoints */
+ if (usb_pipe_type_check(udev, usb_sndbulkpipe(udev, MSG_EP_NUM)) ||
+ usb_pipe_type_check(udev, usb_rcvbulkpipe(udev, IN_EP_NUM)))
+ return -ENODEV;
+
xdev->msg_ep = endpoint_alloc(xdev, MSG_EP_NUM | USB_DIR_OUT,
bulk_out_work, 1, 2);
if (!xdev->msg_ep)
@@ -1932,14 +1939,15 @@ static int setup_channels(struct xillyus
__le16 *chandesc,
int num_channels)
{
- struct xillyusb_channel *chan;
+ struct usb_device *udev = xdev->udev;
+ struct xillyusb_channel *chan, *new_channels;
int i;
chan = kcalloc(num_channels, sizeof(*chan), GFP_KERNEL);
if (!chan)
return -ENOMEM;
- xdev->channels = chan;
+ new_channels = chan;
for (i = 0; i < num_channels; i++, chan++) {
unsigned int in_desc = le16_to_cpu(*chandesc++);
@@ -1968,6 +1976,15 @@ static int setup_channels(struct xillyus
*/
if ((out_desc & 0x80) && i < 14) { /* Entry is valid */
+ if (usb_pipe_type_check(udev,
+ usb_sndbulkpipe(udev, i + 2))) {
+ dev_err(xdev->dev,
+ "Missing BULK OUT endpoint %d\n",
+ i + 2);
+ kfree(new_channels);
+ return -ENODEV;
+ }
+
chan->writable = 1;
chan->out_synchronous = !!(out_desc & 0x40);
chan->out_seekable = !!(out_desc & 0x20);
@@ -1977,6 +1994,7 @@ static int setup_channels(struct xillyus
}
}
+ xdev->channels = new_channels;
return 0;
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 011/341] ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 010/341] char: xillybus: Check USB endpoints when probing device Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 012/341] ALSA: usb-audio: Support Yamaha P-125 quirk entry Greg Kroah-Hartman
` (342 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lianqin Hu, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lianqin Hu <hulianqin@vivo.com>
commit 004eb8ba776ccd3e296ea6f78f7ae7985b12824e upstream.
Audio control requests that sets sampling frequency sometimes fail on
this card. Adding delay between control messages eliminates that problem.
Signed-off-by: Lianqin Hu <hulianqin@vivo.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/TYUPR06MB6217FF67076AF3E49E12C877D2842@TYUPR06MB6217.apcprd06.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/quirks.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2181,6 +2181,8 @@ static const struct usb_audio_quirk_flag
QUIRK_FLAG_GENERIC_IMPLICIT_FB),
DEVICE_FLG(0x2b53, 0x0031, /* Fiero SC-01 (firmware v1.1.0) */
QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x2d95, 0x8021, /* VIVO USB-C-XE710 HEADSET */
+ QUIRK_FLAG_CTL_MSG_DELAY_1M),
DEVICE_FLG(0x30be, 0x0101, /* Schiit Hel */
QUIRK_FLAG_IGNORE_CTL_ERROR),
DEVICE_FLG(0x413c, 0xa506, /* Dell AE515 sound bar */
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 012/341] ALSA: usb-audio: Support Yamaha P-125 quirk entry
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 011/341] ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 013/341] xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration Greg Kroah-Hartman
` (341 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Juan José Arboleda,
Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juan José Arboleda <soyjuanarbol@gmail.com>
commit c286f204ce6ba7b48e3dcba53eda7df8eaa64dd9 upstream.
This patch adds a USB quirk for the Yamaha P-125 digital piano.
Signed-off-by: Juan José Arboleda <soyjuanarbol@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20240813161053.70256-1-soyjuanarbol@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/quirks-table.h | 1 +
1 file changed, 1 insertion(+)
--- a/sound/usb/quirks-table.h
+++ b/sound/usb/quirks-table.h
@@ -273,6 +273,7 @@ YAMAHA_DEVICE(0x105a, NULL),
YAMAHA_DEVICE(0x105b, NULL),
YAMAHA_DEVICE(0x105c, NULL),
YAMAHA_DEVICE(0x105d, NULL),
+YAMAHA_DEVICE(0x1718, "P-125"),
{
USB_DEVICE(0x0499, 0x1503),
.driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 013/341] xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 012/341] ALSA: usb-audio: Support Yamaha P-125 quirk entry Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 014/341] thunderbolt: Mark XDomain as unplugged when router is removed Greg Kroah-Hartman
` (340 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Karel Balej, Mathias Nyman
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit af8e119f52e9c13e556be9e03f27957554a84656 upstream.
re-enumerating full-speed devices after a failed address device command
can trigger a NULL pointer dereference.
Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size
value during enumeration. Usb core calls usb_ep0_reinit() in this case,
which ends up calling xhci_configure_endpoint().
On Panther point xHC the xhci_configure_endpoint() function will
additionally check and reserve bandwidth in software. Other hosts do
this in hardware
If xHC address device command fails then a new xhci_virt_device structure
is allocated as part of re-enabling the slot, but the bandwidth table
pointers are not set up properly here.
This triggers the NULL pointer dereference the next time usb_ep0_reinit()
is called and xhci_configure_endpoint() tries to check and reserve
bandwidth
[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd
[46710.713699] usb 3-1: Device not responding to setup address.
[46710.917684] usb 3-1: Device not responding to setup address.
[46711.125536] usb 3-1: device not accepting address 5, error -71
[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008
[46711.125600] #PF: supervisor read access in kernel mode
[46711.125603] #PF: error_code(0x0000) - not-present page
[46711.125606] PGD 0 P4D 0
[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1
[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.
[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]
[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c
Fix this by making sure bandwidth table pointers are set up correctly
after a failed address device command, and additionally by avoiding
checking for bandwidth in cases like this where no actual endpoints are
added or removed, i.e. only context for default control endpoint 0 is
evaluated.
Reported-by: Karel Balej <balejk@matfyz.cz>
Closes: https://lore.kernel.org/linux-usb/D3CKQQAETH47.1MUO22RTCH2O3@matfyz.cz/
Cc: stable@vger.kernel.org
Fixes: 651aaf36a7d7 ("usb: xhci: Handle USB transaction error on address command")
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240815141117.2702314-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -2808,7 +2808,7 @@ static int xhci_configure_endpoint(struc
xhci->num_active_eps);
return -ENOMEM;
}
- if ((xhci->quirks & XHCI_SW_BW_CHECKING) &&
+ if ((xhci->quirks & XHCI_SW_BW_CHECKING) && !ctx_change &&
xhci_reserve_bandwidth(xhci, virt_dev, command->in_ctx)) {
if ((xhci->quirks & XHCI_EP_LIMIT_QUIRK))
xhci_free_host_resources(xhci, ctrl_ctx);
@@ -4150,8 +4150,10 @@ static int xhci_setup_device(struct usb_
mutex_unlock(&xhci->mutex);
ret = xhci_disable_slot(xhci, udev->slot_id);
xhci_free_virt_device(xhci, udev->slot_id);
- if (!ret)
- xhci_alloc_dev(hcd, udev);
+ if (!ret) {
+ if (xhci_alloc_dev(hcd, udev) == 1)
+ xhci_setup_addressable_virt_dev(xhci, udev);
+ }
kfree(command->completion);
kfree(command);
return -EPROTO;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 014/341] thunderbolt: Mark XDomain as unplugged when router is removed
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 013/341] xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 015/341] ALSA: hda/tas2781: fix wrong calibrated data order Greg Kroah-Hartman
` (339 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mika Westerberg
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mika Westerberg <mika.westerberg@linux.intel.com>
commit e2006140ad2e01a02ed0aff49cc2ae3ceeb11f8d upstream.
I noticed that when we do discrete host router NVM upgrade and it gets
hot-removed from the PCIe side as a result of NVM firmware authentication,
if there is another host connected with enabled paths we hang in tearing
them down. This is due to fact that the Thunderbolt networking driver
also tries to cleanup the paths and ends up blocking in
tb_disconnect_xdomain_paths() waiting for the domain lock.
However, at this point we already cleaned the paths in tb_stop() so
there is really no need for tb_disconnect_xdomain_paths() to do that
anymore. Furthermore it already checks if the XDomain is unplugged and
bails out early so take advantage of that and mark the XDomain as
unplugged when we remove the parent router.
Cc: stable@vger.kernel.org
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/switch.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/thunderbolt/switch.c
+++ b/drivers/thunderbolt/switch.c
@@ -3159,6 +3159,7 @@ void tb_switch_remove(struct tb_switch *
tb_switch_remove(port->remote->sw);
port->remote = NULL;
} else if (port->xdomain) {
+ port->xdomain->is_unplugged = true;
tb_xdomain_remove(port->xdomain);
port->xdomain = NULL;
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 015/341] ALSA: hda/tas2781: fix wrong calibrated data order
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 014/341] thunderbolt: Mark XDomain as unplugged when router is removed Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 016/341] s390/dasd: fix error recovery leading to data corruption on ESE devices Greg Kroah-Hartman
` (338 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Baojun Xu, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baojun Xu <baojun.xu@ti.com>
commit 3beddef84d90590270465a907de1cfe2539ac70d upstream.
Wrong calibration data order cause sound too low in some device.
Fix wrong calibrated data order, add calibration data converssion
by get_unaligned_be32() after reading from UEFI.
Fixes: 5be27f1e3ec9 ("ALSA: hda/tas2781: Add tas2781 HDA driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Baojun Xu <baojun.xu@ti.com>
Link: https://patch.msgid.link/20240813043749.108-1-shenghao-ding@ti.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/tas2781_hda_i2c.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/sound/pci/hda/tas2781_hda_i2c.c
+++ b/sound/pci/hda/tas2781_hda_i2c.c
@@ -2,10 +2,12 @@
//
// TAS2781 HDA I2C driver
//
-// Copyright 2023 Texas Instruments, Inc.
+// Copyright 2023 - 2024 Texas Instruments, Inc.
//
// Author: Shenghao Ding <shenghao-ding@ti.com>
+// Current maintainer: Baojun Xu <baojun.xu@ti.com>
+#include <asm/unaligned.h>
#include <linux/acpi.h>
#include <linux/crc8.h>
#include <linux/crc32.h>
@@ -425,20 +427,22 @@ static void tas2781_apply_calib(struct t
static const unsigned char rgno_array[CALIB_MAX] = {
0x74, 0x0c, 0x14, 0x70, 0x7c,
};
- unsigned char *data;
+ int offset = 0;
int i, j, rc;
+ __be32 data;
for (i = 0; i < tas_priv->ndev; i++) {
- data = tas_priv->cali_data.data +
- i * TASDEVICE_SPEAKER_CALIBRATION_SIZE;
for (j = 0; j < CALIB_MAX; j++) {
+ data = get_unaligned_be32(
+ &tas_priv->cali_data.data[offset]);
rc = tasdevice_dev_bulk_write(tas_priv, i,
TASDEVICE_REG(0, page_array[j], rgno_array[j]),
- &(data[4 * j]), 4);
+ (unsigned char *)&data, 4);
if (rc < 0)
dev_err(tas_priv->dev,
"chn %d calib %d bulk_wr err = %d\n",
i, j, rc);
+ offset += 4;
}
}
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 016/341] s390/dasd: fix error recovery leading to data corruption on ESE devices
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 015/341] ALSA: hda/tas2781: fix wrong calibrated data order Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 017/341] KVM: s390: fix validity interception issue when gisa is switched off Greg Kroah-Hartman
` (337 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hoeppner, Stefan Haberland,
Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit 7db4042336580dfd75cb5faa82c12cd51098c90b upstream.
Extent Space Efficient (ESE) or thin provisioned volumes need to be
formatted on demand during usual IO processing.
The dasd_ese_needs_format function checks for error codes that signal
the non existence of a proper track format.
The check for incorrect length is to imprecise since other error cases
leading to transport of insufficient data also have this flag set.
This might lead to data corruption in certain error cases for example
during a storage server warmstart.
Fix by removing the check for incorrect length and replacing by
explicitly checking for invalid track format in transport mode.
Also remove the check for file protected since this is not a valid
ESE handling case.
Cc: stable@vger.kernel.org # 5.3+
Fixes: 5e2b17e712cf ("s390/dasd: Add dynamic formatting support for ESE volumes")
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Link: https://lore.kernel.org/r/20240812125733.126431-3-sth@linux.ibm.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd.c | 36 +++++++++++++++---------
drivers/s390/block/dasd_3990_erp.c | 10 +-----
drivers/s390/block/dasd_eckd.c | 55 ++++++++++++++++---------------------
drivers/s390/block/dasd_int.h | 2 -
4 files changed, 50 insertions(+), 53 deletions(-)
--- a/drivers/s390/block/dasd.c
+++ b/drivers/s390/block/dasd.c
@@ -1599,9 +1599,15 @@ static int dasd_ese_needs_format(struct
if (!sense)
return 0;
- return !!(sense[1] & SNS1_NO_REC_FOUND) ||
- !!(sense[1] & SNS1_FILE_PROTECTED) ||
- scsw_cstat(&irb->scsw) == SCHN_STAT_INCORR_LEN;
+ if (sense[1] & SNS1_NO_REC_FOUND)
+ return 1;
+
+ if ((sense[1] & SNS1_INV_TRACK_FORMAT) &&
+ scsw_is_tm(&irb->scsw) &&
+ !(sense[2] & SNS2_ENV_DATA_PRESENT))
+ return 1;
+
+ return 0;
}
static int dasd_ese_oos_cond(u8 *sense)
@@ -1622,7 +1628,7 @@ void dasd_int_handler(struct ccw_device
struct dasd_device *device;
unsigned long now;
int nrf_suppressed = 0;
- int fp_suppressed = 0;
+ int it_suppressed = 0;
struct request *req;
u8 *sense = NULL;
int expires;
@@ -1677,8 +1683,9 @@ void dasd_int_handler(struct ccw_device
*/
sense = dasd_get_sense(irb);
if (sense) {
- fp_suppressed = (sense[1] & SNS1_FILE_PROTECTED) &&
- test_bit(DASD_CQR_SUPPRESS_FP, &cqr->flags);
+ it_suppressed = (sense[1] & SNS1_INV_TRACK_FORMAT) &&
+ !(sense[2] & SNS2_ENV_DATA_PRESENT) &&
+ test_bit(DASD_CQR_SUPPRESS_IT, &cqr->flags);
nrf_suppressed = (sense[1] & SNS1_NO_REC_FOUND) &&
test_bit(DASD_CQR_SUPPRESS_NRF, &cqr->flags);
@@ -1693,7 +1700,7 @@ void dasd_int_handler(struct ccw_device
return;
}
}
- if (!(fp_suppressed || nrf_suppressed))
+ if (!(it_suppressed || nrf_suppressed))
device->discipline->dump_sense_dbf(device, irb, "int");
if (device->features & DASD_FEATURE_ERPLOG)
@@ -2465,14 +2472,17 @@ retry:
rc = 0;
list_for_each_entry_safe(cqr, n, ccw_queue, blocklist) {
/*
- * In some cases the 'File Protected' or 'Incorrect Length'
- * error might be expected and error recovery would be
- * unnecessary in these cases. Check if the according suppress
- * bit is set.
+ * In some cases certain errors might be expected and
+ * error recovery would be unnecessary in these cases.
+ * Check if the according suppress bit is set.
*/
sense = dasd_get_sense(&cqr->irb);
- if (sense && sense[1] & SNS1_FILE_PROTECTED &&
- test_bit(DASD_CQR_SUPPRESS_FP, &cqr->flags))
+ if (sense && (sense[1] & SNS1_INV_TRACK_FORMAT) &&
+ !(sense[2] & SNS2_ENV_DATA_PRESENT) &&
+ test_bit(DASD_CQR_SUPPRESS_IT, &cqr->flags))
+ continue;
+ if (sense && (sense[1] & SNS1_NO_REC_FOUND) &&
+ test_bit(DASD_CQR_SUPPRESS_NRF, &cqr->flags))
continue;
if (scsw_cstat(&cqr->irb.scsw) == 0x40 &&
test_bit(DASD_CQR_SUPPRESS_IL, &cqr->flags))
--- a/drivers/s390/block/dasd_3990_erp.c
+++ b/drivers/s390/block/dasd_3990_erp.c
@@ -1406,14 +1406,8 @@ dasd_3990_erp_file_prot(struct dasd_ccw_
struct dasd_device *device = erp->startdev;
- /*
- * In some cases the 'File Protected' error might be expected and
- * log messages shouldn't be written then.
- * Check if the according suppress bit is set.
- */
- if (!test_bit(DASD_CQR_SUPPRESS_FP, &erp->flags))
- dev_err(&device->cdev->dev,
- "Accessing the DASD failed because of a hardware error\n");
+ dev_err(&device->cdev->dev,
+ "Accessing the DASD failed because of a hardware error\n");
return dasd_3990_erp_cleanup(erp, DASD_CQR_FAILED);
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -2289,6 +2289,7 @@ dasd_eckd_analysis_ccw(struct dasd_devic
cqr->status = DASD_CQR_FILLED;
/* Set flags to suppress output for expected errors */
set_bit(DASD_CQR_SUPPRESS_NRF, &cqr->flags);
+ set_bit(DASD_CQR_SUPPRESS_IT, &cqr->flags);
return cqr;
}
@@ -2570,7 +2571,6 @@ dasd_eckd_build_check_tcw(struct dasd_de
cqr->buildclk = get_tod_clock();
cqr->status = DASD_CQR_FILLED;
/* Set flags to suppress output for expected errors */
- set_bit(DASD_CQR_SUPPRESS_FP, &cqr->flags);
set_bit(DASD_CQR_SUPPRESS_IL, &cqr->flags);
return cqr;
@@ -4146,8 +4146,6 @@ static struct dasd_ccw_req *dasd_eckd_bu
/* Set flags to suppress output for expected errors */
if (dasd_eckd_is_ese(basedev)) {
- set_bit(DASD_CQR_SUPPRESS_FP, &cqr->flags);
- set_bit(DASD_CQR_SUPPRESS_IL, &cqr->flags);
set_bit(DASD_CQR_SUPPRESS_NRF, &cqr->flags);
}
@@ -4649,9 +4647,8 @@ static struct dasd_ccw_req *dasd_eckd_bu
/* Set flags to suppress output for expected errors */
if (dasd_eckd_is_ese(basedev)) {
- set_bit(DASD_CQR_SUPPRESS_FP, &cqr->flags);
- set_bit(DASD_CQR_SUPPRESS_IL, &cqr->flags);
set_bit(DASD_CQR_SUPPRESS_NRF, &cqr->flags);
+ set_bit(DASD_CQR_SUPPRESS_IT, &cqr->flags);
}
return cqr;
@@ -5820,36 +5817,32 @@ static void dasd_eckd_dump_sense(struct
{
u8 *sense = dasd_get_sense(irb);
- if (scsw_is_tm(&irb->scsw)) {
- /*
- * In some cases the 'File Protected' or 'Incorrect Length'
- * error might be expected and log messages shouldn't be written
- * then. Check if the according suppress bit is set.
- */
- if (sense && (sense[1] & SNS1_FILE_PROTECTED) &&
- test_bit(DASD_CQR_SUPPRESS_FP, &req->flags))
- return;
- if (scsw_cstat(&irb->scsw) == 0x40 &&
- test_bit(DASD_CQR_SUPPRESS_IL, &req->flags))
- return;
+ /*
+ * In some cases certain errors might be expected and
+ * log messages shouldn't be written then.
+ * Check if the according suppress bit is set.
+ */
+ if (sense && (sense[1] & SNS1_INV_TRACK_FORMAT) &&
+ !(sense[2] & SNS2_ENV_DATA_PRESENT) &&
+ test_bit(DASD_CQR_SUPPRESS_IT, &req->flags))
+ return;
- dasd_eckd_dump_sense_tcw(device, req, irb);
- } else {
- /*
- * In some cases the 'Command Reject' or 'No Record Found'
- * error might be expected and log messages shouldn't be
- * written then. Check if the according suppress bit is set.
- */
- if (sense && sense[0] & SNS0_CMD_REJECT &&
- test_bit(DASD_CQR_SUPPRESS_CR, &req->flags))
- return;
+ if (sense && sense[0] & SNS0_CMD_REJECT &&
+ test_bit(DASD_CQR_SUPPRESS_CR, &req->flags))
+ return;
- if (sense && sense[1] & SNS1_NO_REC_FOUND &&
- test_bit(DASD_CQR_SUPPRESS_NRF, &req->flags))
- return;
+ if (sense && sense[1] & SNS1_NO_REC_FOUND &&
+ test_bit(DASD_CQR_SUPPRESS_NRF, &req->flags))
+ return;
+ if (scsw_cstat(&irb->scsw) == 0x40 &&
+ test_bit(DASD_CQR_SUPPRESS_IL, &req->flags))
+ return;
+
+ if (scsw_is_tm(&irb->scsw))
+ dasd_eckd_dump_sense_tcw(device, req, irb);
+ else
dasd_eckd_dump_sense_ccw(device, req, irb);
- }
}
static int dasd_eckd_reload_device(struct dasd_device *device)
--- a/drivers/s390/block/dasd_int.h
+++ b/drivers/s390/block/dasd_int.h
@@ -225,7 +225,7 @@ struct dasd_ccw_req {
* The following flags are used to suppress output of certain errors.
*/
#define DASD_CQR_SUPPRESS_NRF 4 /* Suppress 'No Record Found' error */
-#define DASD_CQR_SUPPRESS_FP 5 /* Suppress 'File Protected' error*/
+#define DASD_CQR_SUPPRESS_IT 5 /* Suppress 'Invalid Track' error*/
#define DASD_CQR_SUPPRESS_IL 6 /* Suppress 'Incorrect Length' error */
#define DASD_CQR_SUPPRESS_CR 7 /* Suppress 'Command Reject' error */
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 017/341] KVM: s390: fix validity interception issue when gisa is switched off
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 016/341] s390/dasd: fix error recovery leading to data corruption on ESE devices Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 018/341] riscv: change XIPs kernel_map.size to be size of the entire kernel Greg Kroah-Hartman
` (336 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Borntraeger,
Michael Mueller, Janosch Frank
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Mueller <mimu@linux.ibm.com>
commit 5a44bb061d04b0306f2aa8add761d86d152b9377 upstream.
We might run into a SIE validity if gisa has been disabled either via using
kernel parameter "kvm.use_gisa=0" or by setting the related sysfs
attribute to N (echo N >/sys/module/kvm/parameters/use_gisa).
The validity is caused by an invalid value in the SIE control block's
gisa designation. That happens because we pass the uninitialized gisa
origin to virt_to_phys() before writing it to the gisa designation.
To fix this we return 0 in kvm_s390_get_gisa_desc() if the origin is 0.
kvm_s390_get_gisa_desc() is used to determine which gisa designation to
set in the SIE control block. A value of 0 in the gisa designation disables
gisa usage.
The issue surfaces in the host kernel with the following kernel message as
soon a new kvm guest start is attemted.
kvm: unhandled validity intercept 0x1011
WARNING: CPU: 0 PID: 781237 at arch/s390/kvm/intercept.c:101 kvm_handle_sie_intercept+0x42e/0x4d0 [kvm]
Modules linked in: vhost_net tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT xt_tcpudp nft_compat x_tables nf_nat_tftp nf_conntrack_tftp vfio_pci_core irqbypass vhost_vsock vmw_vsock_virtio_transport_common vsock vhost vhost_iotlb kvm nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables sunrpc mlx5_ib ib_uverbs ib_core mlx5_core uvdevice s390_trng eadm_sch vfio_ccw zcrypt_cex4 mdev vfio_iommu_type1 vfio sch_fq_codel drm i2c_core loop drm_panel_orientation_quirks configfs nfnetlink lcs ctcm fsm dm_service_time ghash_s390 prng chacha_s390 libchacha aes_s390 des_s390 libdes sha3_512_s390 sha3_256_s390 sha512_s390 sha256_s390 sha1_s390 sha_common dm_mirror dm_region_hash dm_log zfcp scsi_transport_fc scsi_dh_rdac scsi_dh_emc scsi_dh_alua pkey zcrypt dm_multipath rng_core autofs4 [last unloaded: vfio_pci]
CPU: 0 PID: 781237 Comm: CPU 0/KVM Not tainted 6.10.0-08682-gcad9f11498ea #6
Hardware name: IBM 3931 A01 701 (LPAR)
Krnl PSW : 0704c00180000000 000003d93deb0122 (kvm_handle_sie_intercept+0x432/0x4d0 [kvm])
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
Krnl GPRS: 000003d900000027 000003d900000023 0000000000000028 000002cd00000000
000002d063a00900 00000359c6daf708 00000000000bebb5 0000000000001eff
000002cfd82e9000 000002cfd80bc000 0000000000001011 000003d93deda412
000003ff8962df98 000003d93de77ce0 000003d93deb011e 00000359c6daf960
Krnl Code: 000003d93deb0112: c020fffe7259 larl %r2,000003d93de7e5c4
000003d93deb0118: c0e53fa8beac brasl %r14,000003d9bd3c7e70
#000003d93deb011e: af000000 mc 0,0
>000003d93deb0122: a728ffea lhi %r2,-22
000003d93deb0126: a7f4fe24 brc 15,000003d93deafd6e
000003d93deb012a: 9101f0b0 tm 176(%r15),1
000003d93deb012e: a774fe48 brc 7,000003d93deafdbe
000003d93deb0132: 40a0f0ae sth %r10,174(%r15)
Call Trace:
[<000003d93deb0122>] kvm_handle_sie_intercept+0x432/0x4d0 [kvm]
([<000003d93deb011e>] kvm_handle_sie_intercept+0x42e/0x4d0 [kvm])
[<000003d93deacc10>] vcpu_post_run+0x1d0/0x3b0 [kvm]
[<000003d93deaceda>] __vcpu_run+0xea/0x2d0 [kvm]
[<000003d93dead9da>] kvm_arch_vcpu_ioctl_run+0x16a/0x430 [kvm]
[<000003d93de93ee0>] kvm_vcpu_ioctl+0x190/0x7c0 [kvm]
[<000003d9bd728b4e>] vfs_ioctl+0x2e/0x70
[<000003d9bd72a092>] __s390x_sys_ioctl+0xc2/0xd0
[<000003d9be0e9222>] __do_syscall+0x1f2/0x2e0
[<000003d9be0f9a90>] system_call+0x70/0x98
Last Breaking-Event-Address:
[<000003d9bd3c7f58>] __warn_printk+0xe8/0xf0
Cc: stable@vger.kernel.org
Reported-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Fixes: fe0ef0030463 ("KVM: s390: sort out physical vs virtual pointers usage")
Signed-off-by: Michael Mueller <mimu@linux.ibm.com>
Tested-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
Link: https://lore.kernel.org/r/20240801123109.2782155-1-mimu@linux.ibm.com
Message-ID: <20240801123109.2782155-1-mimu@linux.ibm.com>
Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kvm/kvm-s390.h | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/s390/kvm/kvm-s390.h
+++ b/arch/s390/kvm/kvm-s390.h
@@ -249,7 +249,12 @@ static inline unsigned long kvm_s390_get
static inline u32 kvm_s390_get_gisa_desc(struct kvm *kvm)
{
- u32 gd = virt_to_phys(kvm->arch.gisa_int.origin);
+ u32 gd;
+
+ if (!kvm->arch.gisa_int.origin)
+ return 0;
+
+ gd = virt_to_phys(kvm->arch.gisa_int.origin);
if (gd && sclp.has_gisaf)
gd |= GISA_FORMAT1;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 018/341] riscv: change XIPs kernel_map.size to be size of the entire kernel
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 017/341] KVM: s390: fix validity interception issue when gisa is switched off Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 019/341] i2c: tegra: Do not mark ACPI devices as irq safe Greg Kroah-Hartman
` (335 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nam Cao, Alexandre Ghiti,
Palmer Dabbelt
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nam Cao <namcao@linutronix.de>
commit 57d76bc51fd80824bcc0c84a5b5ec944f1b51edd upstream.
With XIP kernel, kernel_map.size is set to be only the size of data part of
the kernel. This is inconsistent with "normal" kernel, who sets it to be
the size of the entire kernel.
More importantly, XIP kernel fails to boot if CONFIG_DEBUG_VIRTUAL is
enabled, because there are checks on virtual addresses with the assumption
that kernel_map.size is the size of the entire kernel (these checks are in
arch/riscv/mm/physaddr.c).
Change XIP's kernel_map.size to be the size of the entire kernel.
Signed-off-by: Nam Cao <namcao@linutronix.de>
Cc: <stable@vger.kernel.org> # v6.1+
Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Link: https://lore.kernel.org/r/20240508191917.2892064-1-namcao@linutronix.de
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/mm/init.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -912,7 +912,7 @@ static void __init create_kernel_page_ta
PMD_SIZE, PAGE_KERNEL_EXEC);
/* Map the data in RAM */
- end_va = kernel_map.virt_addr + XIP_OFFSET + kernel_map.size;
+ end_va = kernel_map.virt_addr + kernel_map.size;
for (va = kernel_map.virt_addr + XIP_OFFSET; va < end_va; va += PMD_SIZE)
create_pgd_mapping(pgdir, va,
kernel_map.phys_addr + (va - (kernel_map.virt_addr + XIP_OFFSET)),
@@ -1081,7 +1081,7 @@ asmlinkage void __init setup_vm(uintptr_
phys_ram_base = CONFIG_PHYS_RAM_BASE;
kernel_map.phys_addr = (uintptr_t)CONFIG_PHYS_RAM_BASE;
- kernel_map.size = (uintptr_t)(&_end) - (uintptr_t)(&_sdata);
+ kernel_map.size = (uintptr_t)(&_end) - (uintptr_t)(&_start);
kernel_map.va_kernel_xip_pa_offset = kernel_map.virt_addr - kernel_map.xiprom;
#else
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 019/341] i2c: tegra: Do not mark ACPI devices as irq safe
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 018/341] riscv: change XIPs kernel_map.size to be size of the entire kernel Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 020/341] ACPICA: Add a depth argument to acpi_execute_reg_methods() Greg Kroah-Hartman
` (334 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael van der Westhuizen,
Breno Leitao, Dmitry Osipenko, Andy Shevchenko, Andi Shyti
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
commit 14d069d92951a3e150c0a81f2ca3b93e54da913b upstream.
On ACPI machines, the tegra i2c module encounters an issue due to a
mutex being called inside a spinlock. This leads to the following bug:
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
...
Call trace:
__might_sleep
__mutex_lock_common
mutex_lock_nested
acpi_subsys_runtime_resume
rpm_resume
tegra_i2c_xfer
The problem arises because during __pm_runtime_resume(), the spinlock
&dev->power.lock is acquired before rpm_resume() is called. Later,
rpm_resume() invokes acpi_subsys_runtime_resume(), which relies on
mutexes, triggering the error.
To address this issue, devices on ACPI are now marked as not IRQ-safe,
considering the dependency of acpi_subsys_runtime_resume() on mutexes.
Fixes: bd2fdedbf2ba ("i2c: tegra: Add the ACPI support")
Cc: <stable@vger.kernel.org> # v5.17+
Co-developed-by: Michael van der Westhuizen <rmikey@meta.com>
Signed-off-by: Michael van der Westhuizen <rmikey@meta.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-tegra.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/i2c/busses/i2c-tegra.c
+++ b/drivers/i2c/busses/i2c-tegra.c
@@ -1804,9 +1804,9 @@ static int tegra_i2c_probe(struct platfo
* domain.
*
* VI I2C device shouldn't be marked as IRQ-safe because VI I2C won't
- * be used for atomic transfers.
+ * be used for atomic transfers. ACPI device is not IRQ safe also.
*/
- if (!IS_VI(i2c_dev))
+ if (!IS_VI(i2c_dev) && !has_acpi_companion(i2c_dev->dev))
pm_runtime_irq_safe(i2c_dev->dev);
pm_runtime_enable(i2c_dev->dev);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 020/341] ACPICA: Add a depth argument to acpi_execute_reg_methods()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 019/341] i2c: tegra: Do not mark ACPI devices as irq safe Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 021/341] ACPI: EC: Evaluate _REG outside the EC scope more carefully Greg Kroah-Hartman
` (333 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Hans de Goede
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit cdf65d73e001fde600b18d7e45afadf559425ce5 upstream.
A subsequent change will need to pass a depth argument to
acpi_execute_reg_methods(), so prepare that function for it.
No intentional functional changes.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Cc: All applicable <stable@vger.kernel.org>
Link: https://patch.msgid.link/8451567.NyiUUSuA9g@rjwysocki.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/acpica/acevents.h | 2 +-
drivers/acpi/acpica/evregion.c | 6 ++++--
drivers/acpi/acpica/evxfregn.c | 10 +++++++---
drivers/acpi/ec.c | 2 +-
include/acpi/acpixf.h | 1 +
5 files changed, 14 insertions(+), 7 deletions(-)
--- a/drivers/acpi/acpica/acevents.h
+++ b/drivers/acpi/acpica/acevents.h
@@ -188,7 +188,7 @@ acpi_ev_detach_region(union acpi_operand
u8 acpi_ns_is_locked);
void
-acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
+acpi_ev_execute_reg_methods(struct acpi_namespace_node *node, u32 max_depth,
acpi_adr_space_type space_id, u32 function);
acpi_status
--- a/drivers/acpi/acpica/evregion.c
+++ b/drivers/acpi/acpica/evregion.c
@@ -65,6 +65,7 @@ acpi_status acpi_ev_initialize_op_region
acpi_gbl_default_address_spaces
[i])) {
acpi_ev_execute_reg_methods(acpi_gbl_root_node,
+ ACPI_UINT32_MAX,
acpi_gbl_default_address_spaces
[i], ACPI_REG_CONNECT);
}
@@ -672,6 +673,7 @@ cleanup1:
* FUNCTION: acpi_ev_execute_reg_methods
*
* PARAMETERS: node - Namespace node for the device
+ * max_depth - Depth to which search for _REG
* space_id - The address space ID
* function - Passed to _REG: On (1) or Off (0)
*
@@ -683,7 +685,7 @@ cleanup1:
******************************************************************************/
void
-acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
+acpi_ev_execute_reg_methods(struct acpi_namespace_node *node, u32 max_depth,
acpi_adr_space_type space_id, u32 function)
{
struct acpi_reg_walk_info info;
@@ -717,7 +719,7 @@ acpi_ev_execute_reg_methods(struct acpi_
* regions and _REG methods. (i.e. handlers must be installed for all
* regions of this Space ID before we can run any _REG methods)
*/
- (void)acpi_ns_walk_namespace(ACPI_TYPE_ANY, node, ACPI_UINT32_MAX,
+ (void)acpi_ns_walk_namespace(ACPI_TYPE_ANY, node, max_depth,
ACPI_NS_WALK_UNLOCK, acpi_ev_reg_run, NULL,
&info, NULL);
--- a/drivers/acpi/acpica/evxfregn.c
+++ b/drivers/acpi/acpica/evxfregn.c
@@ -85,7 +85,8 @@ acpi_install_address_space_handler_inter
/* Run all _REG methods for this address space */
if (run_reg) {
- acpi_ev_execute_reg_methods(node, space_id, ACPI_REG_CONNECT);
+ acpi_ev_execute_reg_methods(node, ACPI_UINT32_MAX, space_id,
+ ACPI_REG_CONNECT);
}
unlock_and_exit:
@@ -263,6 +264,7 @@ ACPI_EXPORT_SYMBOL(acpi_remove_address_s
* FUNCTION: acpi_execute_reg_methods
*
* PARAMETERS: device - Handle for the device
+ * max_depth - Depth to which search for _REG
* space_id - The address space ID
*
* RETURN: Status
@@ -271,7 +273,8 @@ ACPI_EXPORT_SYMBOL(acpi_remove_address_s
*
******************************************************************************/
acpi_status
-acpi_execute_reg_methods(acpi_handle device, acpi_adr_space_type space_id)
+acpi_execute_reg_methods(acpi_handle device, u32 max_depth,
+ acpi_adr_space_type space_id)
{
struct acpi_namespace_node *node;
acpi_status status;
@@ -296,7 +299,8 @@ acpi_execute_reg_methods(acpi_handle dev
/* Run all _REG methods for this address space */
- acpi_ev_execute_reg_methods(node, space_id, ACPI_REG_CONNECT);
+ acpi_ev_execute_reg_methods(node, max_depth, space_id,
+ ACPI_REG_CONNECT);
} else {
status = AE_BAD_PARAMETER;
}
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -1506,7 +1506,7 @@ static int ec_install_handlers(struct ac
}
if (call_reg && !test_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags)) {
- acpi_execute_reg_methods(scope_handle, ACPI_ADR_SPACE_EC);
+ acpi_execute_reg_methods(scope_handle, ACPI_UINT32_MAX, ACPI_ADR_SPACE_EC);
set_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags);
}
--- a/include/acpi/acpixf.h
+++ b/include/acpi/acpixf.h
@@ -660,6 +660,7 @@ ACPI_EXTERNAL_RETURN_STATUS(acpi_status
void *context))
ACPI_EXTERNAL_RETURN_STATUS(acpi_status
acpi_execute_reg_methods(acpi_handle device,
+ u32 nax_depth,
acpi_adr_space_type
space_id))
ACPI_EXTERNAL_RETURN_STATUS(acpi_status
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 021/341] ACPI: EC: Evaluate _REG outside the EC scope more carefully
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 020/341] ACPICA: Add a depth argument to acpi_execute_reg_methods() Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 022/341] arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE Greg Kroah-Hartman
` (332 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Rafael J. Wysocki
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 71bf41b8e913ec9fc91f0d39ab8fb320229ec604 upstream.
Commit 60fa6ae6e6d0 ("ACPI: EC: Install address space handler at the
namespace root") caused _REG methods for EC operation regions outside
the EC device scope to be evaluated which on some systems leads to the
evaluation of _REG methods in the scopes of device objects representing
devices that are not present and not functional according to the _STA
return values. Some of those device objects represent EC "alternatives"
and if _REG is evaluated for their operation regions, the platform
firmware may be confused and the platform may start to behave
incorrectly.
To avoid this problem, only evaluate _REG for EC operation regions
located in the scopes of device objects representing known-to-be-present
devices.
For this purpose, partially revert commit 60fa6ae6e6d0 and trigger the
evaluation of _REG for EC operation regions from acpi_bus_attach() for
the known-valid devices.
Fixes: 60fa6ae6e6d0 ("ACPI: EC: Install address space handler at the namespace root")
Link: https://lore.kernel.org/linux-acpi/1f76b7e2-1928-4598-8037-28a1785c2d13@redhat.com
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2298938
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2302253
Reported-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Cc: All applicable <stable@vger.kernel.org>
Link: https://patch.msgid.link/23612351.6Emhk5qWAg@rjwysocki.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/ec.c | 11 +++++++++--
drivers/acpi/internal.h | 1 +
drivers/acpi/scan.c | 2 ++
3 files changed, 12 insertions(+), 2 deletions(-)
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -1487,12 +1487,13 @@ static bool install_gpio_irq_event_handl
static int ec_install_handlers(struct acpi_ec *ec, struct acpi_device *device,
bool call_reg)
{
- acpi_handle scope_handle = ec == first_ec ? ACPI_ROOT_OBJECT : ec->handle;
acpi_status status;
acpi_ec_start(ec, false);
if (!test_bit(EC_FLAGS_EC_HANDLER_INSTALLED, &ec->flags)) {
+ acpi_handle scope_handle = ec == first_ec ? ACPI_ROOT_OBJECT : ec->handle;
+
acpi_ec_enter_noirq(ec);
status = acpi_install_address_space_handler_no_reg(scope_handle,
ACPI_ADR_SPACE_EC,
@@ -1506,7 +1507,7 @@ static int ec_install_handlers(struct ac
}
if (call_reg && !test_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags)) {
- acpi_execute_reg_methods(scope_handle, ACPI_UINT32_MAX, ACPI_ADR_SPACE_EC);
+ acpi_execute_reg_methods(ec->handle, ACPI_UINT32_MAX, ACPI_ADR_SPACE_EC);
set_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags);
}
@@ -1721,6 +1722,12 @@ static void acpi_ec_remove(struct acpi_d
}
}
+void acpi_ec_register_opregions(struct acpi_device *adev)
+{
+ if (first_ec && first_ec->handle != adev->handle)
+ acpi_execute_reg_methods(adev->handle, 1, ACPI_ADR_SPACE_EC);
+}
+
static acpi_status
ec_parse_io_ports(struct acpi_resource *resource, void *context)
{
--- a/drivers/acpi/internal.h
+++ b/drivers/acpi/internal.h
@@ -204,6 +204,7 @@ int acpi_ec_add_query_handler(struct acp
acpi_handle handle, acpi_ec_query_func func,
void *data);
void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit);
+void acpi_ec_register_opregions(struct acpi_device *adev);
#ifdef CONFIG_PM_SLEEP
void acpi_ec_flush_work(void);
--- a/drivers/acpi/scan.c
+++ b/drivers/acpi/scan.c
@@ -2198,6 +2198,8 @@ static int acpi_bus_attach(struct acpi_d
if (device->handler)
goto ok;
+ acpi_ec_register_opregions(device);
+
if (!device->flags.initialized) {
device->flags.power_manageable =
device->power.states[ACPI_STATE_D0].flags.valid;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 022/341] arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 021/341] ACPI: EC: Evaluate _REG outside the EC scope more carefully Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 023/341] dm resume: dont return EINVAL when signalled Greg Kroah-Hartman
` (331 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Jones, Haibo Xu,
Anshuman Khandual, Sunil V L, Catalin Marinas, Lorenzo Pieralisi,
Hanjun Guo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Xu <haibo1.xu@intel.com>
commit a21dcf0ea8566ebbe011c79d6ed08cdfea771de3 upstream.
Currently, only acpi_early_node_map[0] was initialized to NUMA_NO_NODE.
To ensure all the values were properly initialized, switch to initialize
all of them to NUMA_NO_NODE.
Fixes: e18962491696 ("arm64: numa: rework ACPI NUMA initialization")
Cc: <stable@vger.kernel.org> # 4.19.x
Reported-by: Andrew Jones <ajones@ventanamicro.com>
Suggested-by: Andrew Jones <ajones@ventanamicro.com>
Signed-off-by: Haibo Xu <haibo1.xu@intel.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Reviewed-by: Sunil V L <sunilvl@ventanamicro.com>
Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Link: https://lore.kernel.org/r/853d7f74aa243f6f5999e203246f0d1ae92d2b61.1722828421.git.haibo1.xu@intel.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/acpi_numa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/kernel/acpi_numa.c
+++ b/arch/arm64/kernel/acpi_numa.c
@@ -27,7 +27,7 @@
#include <asm/numa.h>
-static int acpi_early_node_map[NR_CPUS] __initdata = { NUMA_NO_NODE };
+static int acpi_early_node_map[NR_CPUS] __initdata = { [0 ... NR_CPUS - 1] = NUMA_NO_NODE };
int __init acpi_numa_get_nid(unsigned int cpu)
{
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 023/341] dm resume: dont return EINVAL when signalled
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 022/341] arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 024/341] dm persistent data: fix memory allocation failure Greg Kroah-Hartman
` (330 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Khazhismel Kumykov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Khazhismel Kumykov <khazhy@google.com>
commit 7a636b4f03af9d541205f69e373672e7b2b60a8a upstream.
If the dm_resume method is called on a device that is not suspended, the
method will suspend the device briefly, before resuming it (so that the
table will be swapped).
However, there was a bug that the return value of dm_suspended_md was not
checked. dm_suspended_md may return an error when it is interrupted by a
signal. In this case, do_resume would call dm_swap_table, which would
return -EINVAL.
This commit fixes the logic, so that error returned by dm_suspend is
checked and the resume operation is undone.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-ioctl.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1181,8 +1181,26 @@ static int do_resume(struct dm_ioctl *pa
suspend_flags &= ~DM_SUSPEND_LOCKFS_FLAG;
if (param->flags & DM_NOFLUSH_FLAG)
suspend_flags |= DM_SUSPEND_NOFLUSH_FLAG;
- if (!dm_suspended_md(md))
- dm_suspend(md, suspend_flags);
+ if (!dm_suspended_md(md)) {
+ r = dm_suspend(md, suspend_flags);
+ if (r) {
+ down_write(&_hash_lock);
+ hc = dm_get_mdptr(md);
+ if (hc && !hc->new_map) {
+ hc->new_map = new_map;
+ new_map = NULL;
+ } else {
+ r = -ENXIO;
+ }
+ up_write(&_hash_lock);
+ if (new_map) {
+ dm_sync_table(md);
+ dm_table_destroy(new_map);
+ }
+ dm_put(md);
+ return r;
+ }
+ }
old_size = dm_get_size(md);
old_map = dm_swap_table(md, new_map);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 024/341] dm persistent data: fix memory allocation failure
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 023/341] dm resume: dont return EINVAL when signalled Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 025/341] vfs: Dont evict inode under the inode lru traversing context Greg Kroah-Hartman
` (329 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Zdenek Kabelac,
Mike Snitzer
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit faada2174c08662ae98b439c69efe3e79382c538 upstream.
kmalloc is unreliable when allocating more than 8 pages of memory. It may
fail when there is plenty of free memory but the memory is fragmented.
Zdenek Kabelac observed such failure in his tests.
This commit changes kmalloc to kvmalloc - kvmalloc will fall back to
vmalloc if the large allocation fails.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
Reviewed-by: Mike Snitzer <snitzer@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/persistent-data/dm-space-map-metadata.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/md/persistent-data/dm-space-map-metadata.c
+++ b/drivers/md/persistent-data/dm-space-map-metadata.c
@@ -277,7 +277,7 @@ static void sm_metadata_destroy(struct d
{
struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
- kfree(smm);
+ kvfree(smm);
}
static int sm_metadata_get_nr_blocks(struct dm_space_map *sm, dm_block_t *count)
@@ -772,7 +772,7 @@ struct dm_space_map *dm_sm_metadata_init
{
struct sm_metadata *smm;
- smm = kmalloc(sizeof(*smm), GFP_KERNEL);
+ smm = kvmalloc(sizeof(*smm), GFP_KERNEL);
if (!smm)
return ERR_PTR(-ENOMEM);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 025/341] vfs: Dont evict inode under the inode lru traversing context
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 024/341] dm persistent data: fix memory allocation failure Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 026/341] fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() Greg Kroah-Hartman
` (328 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Jan Kara,
Mateusz Guzik, Christian Brauner
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhihao Cheng <chengzhihao1@huawei.com>
commit 2a0629834cd82f05d424bbc193374f9a43d1f87d upstream.
The inode reclaiming process(See function prune_icache_sb) collects all
reclaimable inodes and mark them with I_FREEING flag at first, at that
time, other processes will be stuck if they try getting these inodes
(See function find_inode_fast), then the reclaiming process destroy the
inodes by function dispose_list(). Some filesystems(eg. ext4 with
ea_inode feature, ubifs with xattr) may do inode lookup in the inode
evicting callback function, if the inode lookup is operated under the
inode lru traversing context, deadlock problems may happen.
Case 1: In function ext4_evict_inode(), the ea inode lookup could happen
if ea_inode feature is enabled, the lookup process will be stuck
under the evicting context like this:
1. File A has inode i_reg and an ea inode i_ea
2. getfattr(A, xattr_buf) // i_ea is added into lru // lru->i_ea
3. Then, following three processes running like this:
PA PB
echo 2 > /proc/sys/vm/drop_caches
shrink_slab
prune_dcache_sb
// i_reg is added into lru, lru->i_ea->i_reg
prune_icache_sb
list_lru_walk_one
inode_lru_isolate
i_ea->i_state |= I_FREEING // set inode state
inode_lru_isolate
__iget(i_reg)
spin_unlock(&i_reg->i_lock)
spin_unlock(lru_lock)
rm file A
i_reg->nlink = 0
iput(i_reg) // i_reg->nlink is 0, do evict
ext4_evict_inode
ext4_xattr_delete_inode
ext4_xattr_inode_dec_ref_all
ext4_xattr_inode_iget
ext4_iget(i_ea->i_ino)
iget_locked
find_inode_fast
__wait_on_freeing_inode(i_ea) ----→ AA deadlock
dispose_list // cannot be executed by prune_icache_sb
wake_up_bit(&i_ea->i_state)
Case 2: In deleted inode writing function ubifs_jnl_write_inode(), file
deleting process holds BASEHD's wbuf->io_mutex while getting the
xattr inode, which could race with inode reclaiming process(The
reclaiming process could try locking BASEHD's wbuf->io_mutex in
inode evicting function), then an ABBA deadlock problem would
happen as following:
1. File A has inode ia and a xattr(with inode ixa), regular file B has
inode ib and a xattr.
2. getfattr(A, xattr_buf) // ixa is added into lru // lru->ixa
3. Then, following three processes running like this:
PA PB PC
echo 2 > /proc/sys/vm/drop_caches
shrink_slab
prune_dcache_sb
// ib and ia are added into lru, lru->ixa->ib->ia
prune_icache_sb
list_lru_walk_one
inode_lru_isolate
ixa->i_state |= I_FREEING // set inode state
inode_lru_isolate
__iget(ib)
spin_unlock(&ib->i_lock)
spin_unlock(lru_lock)
rm file B
ib->nlink = 0
rm file A
iput(ia)
ubifs_evict_inode(ia)
ubifs_jnl_delete_inode(ia)
ubifs_jnl_write_inode(ia)
make_reservation(BASEHD) // Lock wbuf->io_mutex
ubifs_iget(ixa->i_ino)
iget_locked
find_inode_fast
__wait_on_freeing_inode(ixa)
| iput(ib) // ib->nlink is 0, do evict
| ubifs_evict_inode
| ubifs_jnl_delete_inode(ib)
↓ ubifs_jnl_write_inode
ABBA deadlock ←-----make_reservation(BASEHD)
dispose_list // cannot be executed by prune_icache_sb
wake_up_bit(&ixa->i_state)
Fix the possible deadlock by using new inode state flag I_LRU_ISOLATING
to pin the inode in memory while inode_lru_isolate() reclaims its pages
instead of using ordinary inode reference. This way inode deletion
cannot be triggered from inode_lru_isolate() thus avoiding the deadlock.
evict() is made to wait for I_LRU_ISOLATING to be cleared before
proceeding with inode cleanup.
Link: https://lore.kernel.org/all/37c29c42-7685-d1f0-067d-63582ffac405@huaweicloud.com/
Link: https://bugzilla.kernel.org/show_bug.cgi?id=219022
Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
Fixes: 7959cf3a7506 ("ubifs: journal: Handle xattrs like files")
Cc: stable@vger.kernel.org
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://lore.kernel.org/r/20240809031628.1069873-1-chengzhihao@huaweicloud.com
Reviewed-by: Jan Kara <jack@suse.cz>
Suggested-by: Jan Kara <jack@suse.cz>
Suggested-by: Mateusz Guzik <mjguzik@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/inode.c | 39 +++++++++++++++++++++++++++++++++++++--
include/linux/fs.h | 5 +++++
2 files changed, 42 insertions(+), 2 deletions(-)
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -486,6 +486,39 @@ static void inode_lru_list_del(struct in
this_cpu_dec(nr_unused);
}
+static void inode_pin_lru_isolating(struct inode *inode)
+{
+ lockdep_assert_held(&inode->i_lock);
+ WARN_ON(inode->i_state & (I_LRU_ISOLATING | I_FREEING | I_WILL_FREE));
+ inode->i_state |= I_LRU_ISOLATING;
+}
+
+static void inode_unpin_lru_isolating(struct inode *inode)
+{
+ spin_lock(&inode->i_lock);
+ WARN_ON(!(inode->i_state & I_LRU_ISOLATING));
+ inode->i_state &= ~I_LRU_ISOLATING;
+ smp_mb();
+ wake_up_bit(&inode->i_state, __I_LRU_ISOLATING);
+ spin_unlock(&inode->i_lock);
+}
+
+static void inode_wait_for_lru_isolating(struct inode *inode)
+{
+ spin_lock(&inode->i_lock);
+ if (inode->i_state & I_LRU_ISOLATING) {
+ DEFINE_WAIT_BIT(wq, &inode->i_state, __I_LRU_ISOLATING);
+ wait_queue_head_t *wqh;
+
+ wqh = bit_waitqueue(&inode->i_state, __I_LRU_ISOLATING);
+ spin_unlock(&inode->i_lock);
+ __wait_on_bit(wqh, &wq, bit_wait, TASK_UNINTERRUPTIBLE);
+ spin_lock(&inode->i_lock);
+ WARN_ON(inode->i_state & I_LRU_ISOLATING);
+ }
+ spin_unlock(&inode->i_lock);
+}
+
/**
* inode_sb_list_add - add inode to the superblock list of inodes
* @inode: inode to add
@@ -654,6 +687,8 @@ static void evict(struct inode *inode)
inode_sb_list_del(inode);
+ inode_wait_for_lru_isolating(inode);
+
/*
* Wait for flusher thread to be done with the inode so that filesystem
* does not start destroying it while writeback is still running. Since
@@ -842,7 +877,7 @@ static enum lru_status inode_lru_isolate
* be under pressure before the cache inside the highmem zone.
*/
if (inode_has_buffers(inode) || !mapping_empty(&inode->i_data)) {
- __iget(inode);
+ inode_pin_lru_isolating(inode);
spin_unlock(&inode->i_lock);
spin_unlock(lru_lock);
if (remove_inode_buffers(inode)) {
@@ -854,7 +889,7 @@ static enum lru_status inode_lru_isolate
__count_vm_events(PGINODESTEAL, reap);
mm_account_reclaimed_pages(reap);
}
- iput(inode);
+ inode_unpin_lru_isolating(inode);
spin_lock(lru_lock);
return LRU_RETRY;
}
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2265,6 +2265,9 @@ static inline void kiocb_clone(struct ki
*
* I_PINNING_FSCACHE_WB Inode is pinning an fscache object for writeback.
*
+ * I_LRU_ISOLATING Inode is pinned being isolated from LRU without holding
+ * i_count.
+ *
* Q: What is the difference between I_WILL_FREE and I_FREEING?
*/
#define I_DIRTY_SYNC (1 << 0)
@@ -2288,6 +2291,8 @@ static inline void kiocb_clone(struct ki
#define I_DONTCACHE (1 << 16)
#define I_SYNC_QUEUED (1 << 17)
#define I_PINNING_FSCACHE_WB (1 << 18)
+#define __I_LRU_ISOLATING 19
+#define I_LRU_ISOLATING (1 << __I_LRU_ISOLATING)
#define I_DIRTY_INODE (I_DIRTY_SYNC | I_DIRTY_DATASYNC)
#define I_DIRTY (I_DIRTY_INODE | I_DIRTY_PAGES)
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 026/341] fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 025/341] vfs: Dont evict inode under the inode lru traversing context Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 027/341] s390/cio: rename bitmap_size() -> idset_bitmap_size() Greg Kroah-Hartman
` (327 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Przemek Kitszel, Yury Norov,
Alexander Lobakin, David S. Miller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Lobakin <aleksander.lobakin@intel.com>
commit 3f5ef5109f6a054ce58b3bec7214ed76c9cc269f upstream.
bitmap_size() is a pretty generic name and one may want to use it for
a generic bitmap API function. At the same time, its logic is
NTFS-specific, as it aligns to the sizeof(u64), not the sizeof(long)
(although it uses ideologically right ALIGN() instead of division).
Add the prefix 'ntfs3_' used for that FS (not just 'ntfs_' to not mix
it with the legacy module) and use generic BITS_TO_U64() while at it.
Suggested-by: Yury Norov <yury.norov@gmail.com> # BITS_TO_U64()
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Yury Norov <yury.norov@gmail.com>
Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/bitmap.c | 4 ++--
fs/ntfs3/fsntfs.c | 2 +-
fs/ntfs3/index.c | 11 ++++++-----
fs/ntfs3/ntfs_fs.h | 4 ++--
fs/ntfs3/super.c | 2 +-
5 files changed, 12 insertions(+), 11 deletions(-)
--- a/fs/ntfs3/bitmap.c
+++ b/fs/ntfs3/bitmap.c
@@ -654,7 +654,7 @@ int wnd_init(struct wnd_bitmap *wnd, str
wnd->total_zeroes = nbits;
wnd->extent_max = MINUS_ONE_T;
wnd->zone_bit = wnd->zone_end = 0;
- wnd->nwnd = bytes_to_block(sb, bitmap_size(nbits));
+ wnd->nwnd = bytes_to_block(sb, ntfs3_bitmap_size(nbits));
wnd->bits_last = nbits & (wbits - 1);
if (!wnd->bits_last)
wnd->bits_last = wbits;
@@ -1347,7 +1347,7 @@ int wnd_extend(struct wnd_bitmap *wnd, s
return -EINVAL;
/* Align to 8 byte boundary. */
- new_wnd = bytes_to_block(sb, bitmap_size(new_bits));
+ new_wnd = bytes_to_block(sb, ntfs3_bitmap_size(new_bits));
new_last = new_bits & (wbits - 1);
if (!new_last)
new_last = wbits;
--- a/fs/ntfs3/fsntfs.c
+++ b/fs/ntfs3/fsntfs.c
@@ -522,7 +522,7 @@ static int ntfs_extend_mft(struct ntfs_s
ni->mi.dirty = true;
/* Step 2: Resize $MFT::BITMAP. */
- new_bitmap_bytes = bitmap_size(new_mft_total);
+ new_bitmap_bytes = ntfs3_bitmap_size(new_mft_total);
err = attr_set_size(ni, ATTR_BITMAP, NULL, 0, &sbi->mft.bitmap.run,
new_bitmap_bytes, &new_bitmap_bytes, true, NULL);
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1456,8 +1456,8 @@ static int indx_create_allocate(struct n
alloc->nres.valid_size = alloc->nres.data_size = cpu_to_le64(data_size);
- err = ni_insert_resident(ni, bitmap_size(1), ATTR_BITMAP, in->name,
- in->name_len, &bitmap, NULL, NULL);
+ err = ni_insert_resident(ni, ntfs3_bitmap_size(1), ATTR_BITMAP,
+ in->name, in->name_len, &bitmap, NULL, NULL);
if (err)
goto out2;
@@ -1518,8 +1518,9 @@ static int indx_add_allocate(struct ntfs
if (bmp) {
/* Increase bitmap. */
err = attr_set_size(ni, ATTR_BITMAP, in->name, in->name_len,
- &indx->bitmap_run, bitmap_size(bit + 1),
- NULL, true, NULL);
+ &indx->bitmap_run,
+ ntfs3_bitmap_size(bit + 1), NULL, true,
+ NULL);
if (err)
goto out1;
}
@@ -2098,7 +2099,7 @@ static int indx_shrink(struct ntfs_index
if (in->name == I30_NAME)
i_size_write(&ni->vfs_inode, new_data);
- bpb = bitmap_size(bit);
+ bpb = ntfs3_bitmap_size(bit);
if (bpb * 8 == nbits)
return 0;
--- a/fs/ntfs3/ntfs_fs.h
+++ b/fs/ntfs3/ntfs_fs.h
@@ -964,9 +964,9 @@ static inline bool run_is_empty(struct r
}
/* NTFS uses quad aligned bitmaps. */
-static inline size_t bitmap_size(size_t bits)
+static inline size_t ntfs3_bitmap_size(size_t bits)
{
- return ALIGN((bits + 7) >> 3, 8);
+ return BITS_TO_U64(bits) * sizeof(u64);
}
#define _100ns2seconds 10000000
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -1341,7 +1341,7 @@ static int ntfs_fill_super(struct super_
/* Check bitmap boundary. */
tt = sbi->used.bitmap.nbits;
- if (inode->i_size < bitmap_size(tt)) {
+ if (inode->i_size < ntfs3_bitmap_size(tt)) {
ntfs_err(sb, "$Bitmap is corrupted.");
err = -EINVAL;
goto put_inode_out;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 027/341] s390/cio: rename bitmap_size() -> idset_bitmap_size()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 026/341] fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 028/341] btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() Greg Kroah-Hartman
` (326 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Przemek Kitszel, Peter Oberparleiter,
Alexander Lobakin, David S. Miller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Lobakin <aleksander.lobakin@intel.com>
commit c1023f5634b9bfcbfff0dc200245309e3cde9b54 upstream.
bitmap_size() is a pretty generic name and one may want to use it for
a generic bitmap API function. At the same time, its logic is not
"generic", i.e. it's not just `nbits -> size of bitmap in bytes`
converter as it would be expected from its name.
Add the prefix 'idset_' used throughout the file where the function
resides.
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Acked-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/cio/idset.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/s390/cio/idset.c
+++ b/drivers/s390/cio/idset.c
@@ -16,7 +16,7 @@ struct idset {
unsigned long bitmap[];
};
-static inline unsigned long bitmap_size(int num_ssid, int num_id)
+static inline unsigned long idset_bitmap_size(int num_ssid, int num_id)
{
return BITS_TO_LONGS(num_ssid * num_id) * sizeof(unsigned long);
}
@@ -25,11 +25,12 @@ static struct idset *idset_new(int num_s
{
struct idset *set;
- set = vmalloc(sizeof(struct idset) + bitmap_size(num_ssid, num_id));
+ set = vmalloc(sizeof(struct idset) +
+ idset_bitmap_size(num_ssid, num_id));
if (set) {
set->num_ssid = num_ssid;
set->num_id = num_id;
- memset(set->bitmap, 0, bitmap_size(num_ssid, num_id));
+ memset(set->bitmap, 0, idset_bitmap_size(num_ssid, num_id));
}
return set;
}
@@ -41,7 +42,8 @@ void idset_free(struct idset *set)
void idset_fill(struct idset *set)
{
- memset(set->bitmap, 0xff, bitmap_size(set->num_ssid, set->num_id));
+ memset(set->bitmap, 0xff,
+ idset_bitmap_size(set->num_ssid, set->num_id));
}
static inline void idset_add(struct idset *set, int ssid, int id)
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 028/341] btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 027/341] s390/cio: rename bitmap_size() -> idset_bitmap_size() Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 029/341] bitmap: introduce generic optimized bitmap_size() Greg Kroah-Hartman
` (325 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Przemek Kitszel, David Sterba,
Yury Norov, Alexander Lobakin, David S. Miller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Lobakin <aleksander.lobakin@intel.com>
commit 4ca532d64648d4776d15512caed3efea05ca7195 upstream.
bitmap_set_bits() does not start with the FS' prefix and may collide
with a new generic helper one day. It operates with the FS-specific
types, so there's no change those two could do the same thing.
Just add the prefix to exclude such possible conflict.
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Acked-by: David Sterba <dsterba@suse.com>
Reviewed-by: Yury Norov <yury.norov@gmail.com>
Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/free-space-cache.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -1910,9 +1910,9 @@ static inline void bitmap_clear_bits(str
ctl->free_space -= bytes;
}
-static void bitmap_set_bits(struct btrfs_free_space_ctl *ctl,
- struct btrfs_free_space *info, u64 offset,
- u64 bytes)
+static void btrfs_bitmap_set_bits(struct btrfs_free_space_ctl *ctl,
+ struct btrfs_free_space *info, u64 offset,
+ u64 bytes)
{
unsigned long start, count, end;
int extent_delta = 1;
@@ -2248,7 +2248,7 @@ static u64 add_bytes_to_bitmap(struct bt
bytes_to_set = min(end - offset, bytes);
- bitmap_set_bits(ctl, info, offset, bytes_to_set);
+ btrfs_bitmap_set_bits(ctl, info, offset, bytes_to_set);
return bytes_to_set;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 029/341] bitmap: introduce generic optimized bitmap_size()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 028/341] btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 030/341] fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE Greg Kroah-Hartman
` (324 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Przemek Kitszel, Yury Norov,
Alexander Lobakin, David S. Miller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Lobakin <aleksander.lobakin@intel.com>
commit a37fbe666c016fd89e4460d0ebfcea05baba46dc upstream.
The number of times yet another open coded
`BITS_TO_LONGS(nbits) * sizeof(long)` can be spotted is huge.
Some generic helper is long overdue.
Add one, bitmap_size(), but with one detail.
BITS_TO_LONGS() uses DIV_ROUND_UP(). The latter works well when both
divident and divisor are compile-time constants or when the divisor
is not a pow-of-2. When it is however, the compilers sometimes tend
to generate suboptimal code (GCC 13):
48 83 c0 3f add $0x3f,%rax
48 c1 e8 06 shr $0x6,%rax
48 8d 14 c5 00 00 00 00 lea 0x0(,%rax,8),%rdx
%BITS_PER_LONG is always a pow-2 (either 32 or 64), but GCC still does
full division of `nbits + 63` by it and then multiplication by 8.
Instead of BITS_TO_LONGS(), use ALIGN() and then divide by 8. GCC:
8d 50 3f lea 0x3f(%rax),%edx
c1 ea 03 shr $0x3,%edx
81 e2 f8 ff ff 1f and $0x1ffffff8,%edx
Now it shifts `nbits + 63` by 3 positions (IOW performs fast division
by 8) and then masks bits[2:0]. bloat-o-meter:
add/remove: 0/0 grow/shrink: 20/133 up/down: 156/-773 (-617)
Clang does it better and generates the same code before/after starting
from -O1, except that with the ALIGN() approach it uses %edx and thus
still saves some bytes:
add/remove: 0/0 grow/shrink: 9/133 up/down: 18/-538 (-520)
Note that we can't expand DIV_ROUND_UP() by adding a check and using
this approach there, as it's used in array declarations where
expressions are not allowed.
Add this helper to tools/ as well.
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Acked-by: Yury Norov <yury.norov@gmail.com>
Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-clone-metadata.c | 5 -----
drivers/s390/cio/idset.c | 2 +-
include/linux/bitmap.h | 8 +++++---
include/linux/cpumask.h | 2 +-
lib/math/prime_numbers.c | 2 --
tools/include/linux/bitmap.h | 7 ++++---
6 files changed, 11 insertions(+), 15 deletions(-)
--- a/drivers/md/dm-clone-metadata.c
+++ b/drivers/md/dm-clone-metadata.c
@@ -465,11 +465,6 @@ static void __destroy_persistent_data_st
/*---------------------------------------------------------------------------*/
-static size_t bitmap_size(unsigned long nr_bits)
-{
- return BITS_TO_LONGS(nr_bits) * sizeof(long);
-}
-
static int __dirty_map_init(struct dirty_map *dmap, unsigned long nr_words,
unsigned long nr_regions)
{
--- a/drivers/s390/cio/idset.c
+++ b/drivers/s390/cio/idset.c
@@ -18,7 +18,7 @@ struct idset {
static inline unsigned long idset_bitmap_size(int num_ssid, int num_id)
{
- return BITS_TO_LONGS(num_ssid * num_id) * sizeof(unsigned long);
+ return bitmap_size(size_mul(num_ssid, num_id));
}
static struct idset *idset_new(int num_ssid, int num_id)
--- a/include/linux/bitmap.h
+++ b/include/linux/bitmap.h
@@ -237,9 +237,11 @@ extern int bitmap_print_list_to_buf(char
#define BITMAP_FIRST_WORD_MASK(start) (~0UL << ((start) & (BITS_PER_LONG - 1)))
#define BITMAP_LAST_WORD_MASK(nbits) (~0UL >> (-(nbits) & (BITS_PER_LONG - 1)))
+#define bitmap_size(nbits) (ALIGN(nbits, BITS_PER_LONG) / BITS_PER_BYTE)
+
static inline void bitmap_zero(unsigned long *dst, unsigned int nbits)
{
- unsigned int len = BITS_TO_LONGS(nbits) * sizeof(unsigned long);
+ unsigned int len = bitmap_size(nbits);
if (small_const_nbits(nbits))
*dst = 0;
@@ -249,7 +251,7 @@ static inline void bitmap_zero(unsigned
static inline void bitmap_fill(unsigned long *dst, unsigned int nbits)
{
- unsigned int len = BITS_TO_LONGS(nbits) * sizeof(unsigned long);
+ unsigned int len = bitmap_size(nbits);
if (small_const_nbits(nbits))
*dst = ~0UL;
@@ -260,7 +262,7 @@ static inline void bitmap_fill(unsigned
static inline void bitmap_copy(unsigned long *dst, const unsigned long *src,
unsigned int nbits)
{
- unsigned int len = BITS_TO_LONGS(nbits) * sizeof(unsigned long);
+ unsigned int len = bitmap_size(nbits);
if (small_const_nbits(nbits))
*dst = *src;
--- a/include/linux/cpumask.h
+++ b/include/linux/cpumask.h
@@ -821,7 +821,7 @@ static inline int cpulist_parse(const ch
*/
static inline unsigned int cpumask_size(void)
{
- return BITS_TO_LONGS(large_cpumask_bits) * sizeof(long);
+ return bitmap_size(large_cpumask_bits);
}
/*
--- a/lib/math/prime_numbers.c
+++ b/lib/math/prime_numbers.c
@@ -6,8 +6,6 @@
#include <linux/prime_numbers.h>
#include <linux/slab.h>
-#define bitmap_size(nbits) (BITS_TO_LONGS(nbits) * sizeof(unsigned long))
-
struct primes {
struct rcu_head rcu;
unsigned long last, sz;
--- a/tools/include/linux/bitmap.h
+++ b/tools/include/linux/bitmap.h
@@ -25,13 +25,14 @@ bool __bitmap_intersects(const unsigned
#define BITMAP_FIRST_WORD_MASK(start) (~0UL << ((start) & (BITS_PER_LONG - 1)))
#define BITMAP_LAST_WORD_MASK(nbits) (~0UL >> (-(nbits) & (BITS_PER_LONG - 1)))
+#define bitmap_size(nbits) (ALIGN(nbits, BITS_PER_LONG) / BITS_PER_BYTE)
+
static inline void bitmap_zero(unsigned long *dst, unsigned int nbits)
{
if (small_const_nbits(nbits))
*dst = 0UL;
else {
- int len = BITS_TO_LONGS(nbits) * sizeof(unsigned long);
- memset(dst, 0, len);
+ memset(dst, 0, bitmap_size(nbits));
}
}
@@ -83,7 +84,7 @@ static inline void bitmap_or(unsigned lo
*/
static inline unsigned long *bitmap_zalloc(int nbits)
{
- return calloc(1, BITS_TO_LONGS(nbits) * sizeof(unsigned long));
+ return calloc(1, bitmap_size(nbits));
}
/*
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 030/341] fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 029/341] bitmap: introduce generic optimized bitmap_size() Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 031/341] i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume Greg Kroah-Hartman
` (323 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 9a2fa1472083580b6c66bdaf291f591e1170123a upstream.
copy_fd_bitmaps(new, old, count) is expected to copy the first
count/BITS_PER_LONG bits from old->full_fds_bits[] and fill
the rest with zeroes. What it does is copying enough words
(BITS_TO_LONGS(count/BITS_PER_LONG)), then memsets the rest.
That works fine, *if* all bits past the cutoff point are
clear. Otherwise we are risking garbage from the last word
we'd copied.
For most of the callers that is true - expand_fdtable() has
count equal to old->max_fds, so there's no open descriptors
past count, let alone fully occupied words in ->open_fds[],
which is what bits in ->full_fds_bits[] correspond to.
The other caller (dup_fd()) passes sane_fdtable_size(old_fdt, max_fds),
which is the smallest multiple of BITS_PER_LONG that covers all
opened descriptors below max_fds. In the common case (copying on
fork()) max_fds is ~0U, so all opened descriptors will be below
it and we are fine, by the same reasons why the call in expand_fdtable()
is safe.
Unfortunately, there is a case where max_fds is less than that
and where we might, indeed, end up with junk in ->full_fds_bits[] -
close_range(from, to, CLOSE_RANGE_UNSHARE) with
* descriptor table being currently shared
* 'to' being above the current capacity of descriptor table
* 'from' being just under some chunk of opened descriptors.
In that case we end up with observably wrong behaviour - e.g. spawn
a child with CLONE_FILES, get all descriptors in range 0..127 open,
then close_range(64, ~0U, CLOSE_RANGE_UNSHARE) and watch dup(0) ending
up with descriptor #128, despite #64 being observably not open.
The minimally invasive fix would be to deal with that in dup_fd().
If this proves to add measurable overhead, we can go that way, but
let's try to fix copy_fd_bitmaps() first.
* new helper: bitmap_copy_and_expand(to, from, bits_to_copy, size).
* make copy_fd_bitmaps() take the bitmap size in words, rather than
bits; it's 'count' argument is always a multiple of BITS_PER_LONG,
so we are not losing any information, and that way we can use the
same helper for all three bitmaps - compiler will see that count
is a multiple of BITS_PER_LONG for the large ones, so it'll generate
plain memcpy()+memset().
Reproducer added to tools/testing/selftests/core/close_range_test.c
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/file.c | 28 ++++++++-----------
include/linux/bitmap.h | 12 ++++++++
tools/testing/selftests/core/close_range_test.c | 35 ++++++++++++++++++++++++
3 files changed, 59 insertions(+), 16 deletions(-)
--- a/fs/file.c
+++ b/fs/file.c
@@ -46,27 +46,23 @@ static void free_fdtable_rcu(struct rcu_
#define BITBIT_NR(nr) BITS_TO_LONGS(BITS_TO_LONGS(nr))
#define BITBIT_SIZE(nr) (BITBIT_NR(nr) * sizeof(long))
+#define fdt_words(fdt) ((fdt)->max_fds / BITS_PER_LONG) // words in ->open_fds
/*
* Copy 'count' fd bits from the old table to the new table and clear the extra
* space if any. This does not copy the file pointers. Called with the files
* spinlock held for write.
*/
-static void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt,
- unsigned int count)
+static inline void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt,
+ unsigned int copy_words)
{
- unsigned int cpy, set;
+ unsigned int nwords = fdt_words(nfdt);
- cpy = count / BITS_PER_BYTE;
- set = (nfdt->max_fds - count) / BITS_PER_BYTE;
- memcpy(nfdt->open_fds, ofdt->open_fds, cpy);
- memset((char *)nfdt->open_fds + cpy, 0, set);
- memcpy(nfdt->close_on_exec, ofdt->close_on_exec, cpy);
- memset((char *)nfdt->close_on_exec + cpy, 0, set);
-
- cpy = BITBIT_SIZE(count);
- set = BITBIT_SIZE(nfdt->max_fds) - cpy;
- memcpy(nfdt->full_fds_bits, ofdt->full_fds_bits, cpy);
- memset((char *)nfdt->full_fds_bits + cpy, 0, set);
+ bitmap_copy_and_extend(nfdt->open_fds, ofdt->open_fds,
+ copy_words * BITS_PER_LONG, nwords * BITS_PER_LONG);
+ bitmap_copy_and_extend(nfdt->close_on_exec, ofdt->close_on_exec,
+ copy_words * BITS_PER_LONG, nwords * BITS_PER_LONG);
+ bitmap_copy_and_extend(nfdt->full_fds_bits, ofdt->full_fds_bits,
+ copy_words, nwords);
}
/*
@@ -84,7 +80,7 @@ static void copy_fdtable(struct fdtable
memcpy(nfdt->fd, ofdt->fd, cpy);
memset((char *)nfdt->fd + cpy, 0, set);
- copy_fd_bitmaps(nfdt, ofdt, ofdt->max_fds);
+ copy_fd_bitmaps(nfdt, ofdt, fdt_words(ofdt));
}
/*
@@ -374,7 +370,7 @@ struct files_struct *dup_fd(struct files
open_files = sane_fdtable_size(old_fdt, max_fds);
}
- copy_fd_bitmaps(new_fdt, old_fdt, open_files);
+ copy_fd_bitmaps(new_fdt, old_fdt, open_files / BITS_PER_LONG);
old_fds = old_fdt->fd;
new_fds = new_fdt->fd;
--- a/include/linux/bitmap.h
+++ b/include/linux/bitmap.h
@@ -281,6 +281,18 @@ static inline void bitmap_copy_clear_tai
dst[nbits / BITS_PER_LONG] &= BITMAP_LAST_WORD_MASK(nbits);
}
+static inline void bitmap_copy_and_extend(unsigned long *to,
+ const unsigned long *from,
+ unsigned int count, unsigned int size)
+{
+ unsigned int copy = BITS_TO_LONGS(count);
+
+ memcpy(to, from, copy * sizeof(long));
+ if (count % BITS_PER_LONG)
+ to[copy - 1] &= BITMAP_LAST_WORD_MASK(count);
+ memset(to + copy, 0, bitmap_size(size) - copy * sizeof(long));
+}
+
/*
* On 32-bit systems bitmaps are represented as u32 arrays internally. On LE64
* machines the order of hi and lo parts of numbers match the bitmap structure.
--- a/tools/testing/selftests/core/close_range_test.c
+++ b/tools/testing/selftests/core/close_range_test.c
@@ -563,4 +563,39 @@ TEST(close_range_cloexec_unshare_syzbot)
EXPECT_EQ(close(fd3), 0);
}
+TEST(close_range_bitmap_corruption)
+{
+ pid_t pid;
+ int status;
+ struct __clone_args args = {
+ .flags = CLONE_FILES,
+ .exit_signal = SIGCHLD,
+ };
+
+ /* get the first 128 descriptors open */
+ for (int i = 2; i < 128; i++)
+ EXPECT_GE(dup2(0, i), 0);
+
+ /* get descriptor table shared */
+ pid = sys_clone3(&args, sizeof(args));
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0) {
+ /* unshare and truncate descriptor table down to 64 */
+ if (sys_close_range(64, ~0U, CLOSE_RANGE_UNSHARE))
+ exit(EXIT_FAILURE);
+
+ ASSERT_EQ(fcntl(64, F_GETFD), -1);
+ /* ... and verify that the range 64..127 is not
+ stuck "fully used" according to secondary bitmap */
+ EXPECT_EQ(dup(0), 64)
+ exit(EXIT_FAILURE);
+ exit(EXIT_SUCCESS);
+ }
+
+ EXPECT_EQ(waitpid(pid, &status, 0), pid);
+ EXPECT_EQ(true, WIFEXITED(status));
+ EXPECT_EQ(0, WEXITSTATUS(status));
+}
+
TEST_HARNESS_MAIN
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 031/341] i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 030/341] fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 032/341] rtla/osnoise: Prevent NULL dereference in error handling Greg Kroah-Hartman
` (322 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Andi Shyti
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andi Shyti <andi.shyti@kernel.org>
commit 4e91fa1ef3ce6290b4c598e54b5eb6cf134fbec8 upstream.
Add the missing geni_icc_disable() call before returning in the
geni_i2c_runtime_resume() function.
Commit 9ba48db9f77c ("i2c: qcom-geni: Add missing
geni_icc_disable in geni_i2c_runtime_resume") by Gaosheng missed
disabling the interconnect in one case.
Fixes: bf225ed357c6 ("i2c: i2c-qcom-geni: Add interconnect support")
Cc: Gaosheng Cui <cuigaosheng1@huawei.com>
Cc: stable@vger.kernel.org # v5.9+
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-qcom-geni.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-qcom-geni.c
+++ b/drivers/i2c/busses/i2c-qcom-geni.c
@@ -987,8 +987,10 @@ static int __maybe_unused geni_i2c_runti
return ret;
ret = clk_prepare_enable(gi2c->core_clk);
- if (ret)
+ if (ret) {
+ geni_icc_disable(&gi2c->se);
return ret;
+ }
ret = geni_se_resources_on(&gi2c->se);
if (ret) {
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 032/341] rtla/osnoise: Prevent NULL dereference in error handling
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 031/341] i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 033/341] net: mana: Fix RX buf alloc_size alignment and atomic op panic Greg Kroah-Hartman
` (321 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Kacur,
Luis Claudio R. Goncalves, Clark Williams, Dan Carpenter,
Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit 90574d2a675947858b47008df8d07f75ea50d0d0 upstream.
If the "tool->data" allocation fails then there is no need to call
osnoise_free_top() and, in fact, doing so will lead to a NULL dereference.
Cc: stable@vger.kernel.org
Cc: John Kacur <jkacur@redhat.com>
Cc: "Luis Claudio R. Goncalves" <lgoncalv@redhat.com>
Cc: Clark Williams <williams@redhat.com>
Fixes: 1eceb2fc2ca5 ("rtla/osnoise: Add osnoise top mode")
Link: https://lore.kernel.org/f964ed1f-64d2-4fde-ad3e-708331f8f358@stanley.mountain
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/tracing/rtla/src/osnoise_top.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
--- a/tools/tracing/rtla/src/osnoise_top.c
+++ b/tools/tracing/rtla/src/osnoise_top.c
@@ -624,8 +624,10 @@ struct osnoise_tool *osnoise_init_top(st
return NULL;
tool->data = osnoise_alloc_top(nr_cpus);
- if (!tool->data)
- goto out_err;
+ if (!tool->data) {
+ osnoise_destroy_tool(tool);
+ return NULL;
+ }
tool->params = params;
@@ -633,11 +635,6 @@ struct osnoise_tool *osnoise_init_top(st
osnoise_top_handler, NULL);
return tool;
-
-out_err:
- osnoise_free_top(tool->data);
- osnoise_destroy_tool(tool);
- return NULL;
}
static int stop_tracing;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 033/341] net: mana: Fix RX buf alloc_size alignment and atomic op panic
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 032/341] rtla/osnoise: Prevent NULL dereference in error handling Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 034/341] net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings Greg Kroah-Hartman
` (320 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Long Li,
David S. Miller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyang Zhang <haiyangz@microsoft.com>
commit 32316f676b4ee87c0404d333d248ccf777f739bc upstream.
The MANA driver's RX buffer alloc_size is passed into napi_build_skb() to
create SKB. skb_shinfo(skb) is located at the end of skb, and its alignment
is affected by the alloc_size passed into napi_build_skb(). The size needs
to be aligned properly for better performance and atomic operations.
Otherwise, on ARM64 CPU, for certain MTU settings like 4000, atomic
operations may panic on the skb_shinfo(skb)->dataref due to alignment fault.
To fix this bug, add proper alignment to the alloc_size calculation.
Sample panic info:
[ 253.298819] Unable to handle kernel paging request at virtual address ffff000129ba5cce
[ 253.300900] Mem abort info:
[ 253.301760] ESR = 0x0000000096000021
[ 253.302825] EC = 0x25: DABT (current EL), IL = 32 bits
[ 253.304268] SET = 0, FnV = 0
[ 253.305172] EA = 0, S1PTW = 0
[ 253.306103] FSC = 0x21: alignment fault
Call trace:
__skb_clone+0xfc/0x198
skb_clone+0x78/0xe0
raw6_local_deliver+0xfc/0x228
ip6_protocol_deliver_rcu+0x80/0x500
ip6_input_finish+0x48/0x80
ip6_input+0x48/0xc0
ip6_sublist_rcv_finish+0x50/0x78
ip6_sublist_rcv+0x1cc/0x2b8
ipv6_list_rcv+0x100/0x150
__netif_receive_skb_list_core+0x180/0x220
netif_receive_skb_list_internal+0x198/0x2a8
__napi_poll+0x138/0x250
net_rx_action+0x148/0x330
handle_softirqs+0x12c/0x3a0
Cc: stable@vger.kernel.org
Fixes: 80f6215b450e ("net: mana: Add support for jumbo frame")
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index d2f07e179e86..ae717d06e66f 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -599,7 +599,11 @@ static void mana_get_rxbuf_cfg(int mtu, u32 *datasize, u32 *alloc_size,
else
*headroom = XDP_PACKET_HEADROOM;
- *alloc_size = mtu + MANA_RXBUF_PAD + *headroom;
+ *alloc_size = SKB_DATA_ALIGN(mtu + MANA_RXBUF_PAD + *headroom);
+
+ /* Using page pool in this case, so alloc_size is PAGE_SIZE */
+ if (*alloc_size < PAGE_SIZE)
+ *alloc_size = PAGE_SIZE;
*datasize = mtu + ETH_HLEN;
}
--
2.46.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 034/341] net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 033/341] net: mana: Fix RX buf alloc_size alignment and atomic op panic Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 035/341] wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion Greg Kroah-Hartman
` (319 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Long Li, Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
commit 58a63729c957621f1990c3494c702711188ca347 upstream.
After napi_complete_done() is called when NAPI is polling in the current
process context, another NAPI may be scheduled and start running in
softirq on another CPU and may ring the doorbell before the current CPU
does. When combined with unnecessary rings when there is no need to arm
the CQ, it triggers error paths in the hardware.
This patch fixes this by calling napi_complete_done() after doorbell
rings. It limits the number of unnecessary rings when there is
no need to arm. MANA hardware specifies that there must be one doorbell
ring every 8 CQ wraparounds. This driver guarantees one doorbell ring as
soon as the number of consumed CQEs exceeds 4 CQ wraparounds. In practical
workloads, the 4 CQ wraparounds proves to be big enough that it rarely
exceeds this limit before all the napi weight is consumed.
To implement this, add a per-CQ counter cq->work_done_since_doorbell,
and make sure the CQ is armed as soon as passing 4 wraparounds of the CQ.
Cc: stable@vger.kernel.org
Fixes: e1b5683ff62e ("net: mana: Move NAPI from EQ to CQ")
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Long Li <longli@microsoft.com>
Link: https://patch.msgid.link/1723219138-29887-1-git-send-email-longli@linuxonhyperv.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 22 ++++++++++++++--------
include/net/mana/mana.h | 1 +
2 files changed, 15 insertions(+), 8 deletions(-)
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -1778,7 +1778,6 @@ static void mana_poll_rx_cq(struct mana_
static int mana_cq_handler(void *context, struct gdma_queue *gdma_queue)
{
struct mana_cq *cq = context;
- u8 arm_bit;
int w;
WARN_ON_ONCE(cq->gdma_cq != gdma_queue);
@@ -1789,16 +1788,23 @@ static int mana_cq_handler(void *context
mana_poll_tx_cq(cq);
w = cq->work_done;
+ cq->work_done_since_doorbell += w;
- if (w < cq->budget &&
- napi_complete_done(&cq->napi, w)) {
- arm_bit = SET_ARM_BIT;
- } else {
- arm_bit = 0;
+ if (w < cq->budget) {
+ mana_gd_ring_cq(gdma_queue, SET_ARM_BIT);
+ cq->work_done_since_doorbell = 0;
+ napi_complete_done(&cq->napi, w);
+ } else if (cq->work_done_since_doorbell >
+ cq->gdma_cq->queue_size / COMP_ENTRY_SIZE * 4) {
+ /* MANA hardware requires at least one doorbell ring every 8
+ * wraparounds of CQ even if there is no need to arm the CQ.
+ * This driver rings the doorbell as soon as we have exceeded
+ * 4 wraparounds.
+ */
+ mana_gd_ring_cq(gdma_queue, 0);
+ cq->work_done_since_doorbell = 0;
}
- mana_gd_ring_cq(gdma_queue, arm_bit);
-
return w;
}
--- a/include/net/mana/mana.h
+++ b/include/net/mana/mana.h
@@ -274,6 +274,7 @@ struct mana_cq {
/* NAPI data */
struct napi_struct napi;
int work_done;
+ int work_done_since_doorbell;
int budget;
};
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 035/341] wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 034/341] net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 036/341] fs/netfs/fscache_cookie: add missing "n_accesses" check Greg Kroah-Hartman
` (318 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Janne Grunau, Neal Gompa,
Arend van Spriel, Kalle Valo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janne Grunau <j@jannau.net>
commit 2ad4e1ada8eebafa2d75a4b75eeeca882de6ada1 upstream.
wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the
driver for SAE/OWE offload cases") SSID based PMKSA del commands.
brcmfmac is not prepared and tries to dereference the NULL bssid and
pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based
updates so copy the SSID.
Fixes: a96202acaea4 ("wifi: brcmfmac: cfg80211: Add support for PMKID_V3 operations")
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Janne Grunau <j@jannau.net>
Reviewed-by: Neal Gompa <neal@gompa.dev>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20240803-brcmfmac_pmksa_del_ssid-v1-1-4e85f19135e1@jannau.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -4321,9 +4321,16 @@ brcmf_pmksa_v3_op(struct brcmf_if *ifp,
/* Single PMK operation */
pmk_op->count = cpu_to_le16(1);
length += sizeof(struct brcmf_pmksa_v3);
- memcpy(pmk_op->pmk[0].bssid, pmksa->bssid, ETH_ALEN);
- memcpy(pmk_op->pmk[0].pmkid, pmksa->pmkid, WLAN_PMKID_LEN);
- pmk_op->pmk[0].pmkid_len = WLAN_PMKID_LEN;
+ if (pmksa->bssid)
+ memcpy(pmk_op->pmk[0].bssid, pmksa->bssid, ETH_ALEN);
+ if (pmksa->pmkid) {
+ memcpy(pmk_op->pmk[0].pmkid, pmksa->pmkid, WLAN_PMKID_LEN);
+ pmk_op->pmk[0].pmkid_len = WLAN_PMKID_LEN;
+ }
+ if (pmksa->ssid && pmksa->ssid_len) {
+ memcpy(pmk_op->pmk[0].ssid.SSID, pmksa->ssid, pmksa->ssid_len);
+ pmk_op->pmk[0].ssid.SSID_len = pmksa->ssid_len;
+ }
pmk_op->pmk[0].time_left = cpu_to_le32(alive ? BRCMF_PMKSA_NO_EXPIRY : 0);
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 036/341] fs/netfs/fscache_cookie: add missing "n_accesses" check
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 035/341] wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 037/341] selinux: fix potential counting error in avc_add_xperms_decision() Greg Kroah-Hartman
` (317 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, David Howells,
Jeff Layton, netfs, linux-fsdevel, Christian Brauner
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
commit f71aa06398aabc2e3eaac25acdf3d62e0094ba70 upstream.
This fixes a NULL pointer dereference bug due to a data race which
looks like this:
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 33 PID: 16573 Comm: kworker/u97:799 Not tainted 6.8.7-cm4all1-hp+ #43
Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018
Workqueue: events_unbound netfs_rreq_write_to_cache_work
RIP: 0010:cachefiles_prepare_write+0x30/0xa0
Code: 57 41 56 45 89 ce 41 55 49 89 cd 41 54 49 89 d4 55 53 48 89 fb 48 83 ec 08 48 8b 47 08 48 83 7f 10 00 48 89 34 24 48 8b 68 20 <48> 8b 45 08 4c 8b 38 74 45 49 8b 7f 50 e8 4e a9 b0 ff 48 8b 73 10
RSP: 0018:ffffb4e78113bde0 EFLAGS: 00010286
RAX: ffff976126be6d10 RBX: ffff97615cdb8438 RCX: 0000000000020000
RDX: ffff97605e6c4c68 RSI: ffff97605e6c4c60 RDI: ffff97615cdb8438
RBP: 0000000000000000 R08: 0000000000278333 R09: 0000000000000001
R10: ffff97605e6c4600 R11: 0000000000000001 R12: ffff97605e6c4c68
R13: 0000000000020000 R14: 0000000000000001 R15: ffff976064fe2c00
FS: 0000000000000000(0000) GS:ffff9776dfd40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000005942c002 CR4: 00000000001706f0
Call Trace:
<TASK>
? __die+0x1f/0x70
? page_fault_oops+0x15d/0x440
? search_module_extables+0xe/0x40
? fixup_exception+0x22/0x2f0
? exc_page_fault+0x5f/0x100
? asm_exc_page_fault+0x22/0x30
? cachefiles_prepare_write+0x30/0xa0
netfs_rreq_write_to_cache_work+0x135/0x2e0
process_one_work+0x137/0x2c0
worker_thread+0x2e9/0x400
? __pfx_worker_thread+0x10/0x10
kthread+0xcc/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork+0x30/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
Modules linked in:
CR2: 0000000000000008
---[ end trace 0000000000000000 ]---
This happened because fscache_cookie_state_machine() was slow and was
still running while another process invoked fscache_unuse_cookie();
this led to a fscache_cookie_lru_do_one() call, setting the
FSCACHE_COOKIE_DO_LRU_DISCARD flag, which was picked up by
fscache_cookie_state_machine(), withdrawing the cookie via
cachefiles_withdraw_cookie(), clearing cookie->cache_priv.
At the same time, yet another process invoked
cachefiles_prepare_write(), which found a NULL pointer in this code
line:
struct cachefiles_object *object = cachefiles_cres_object(cres);
The next line crashes, obviously:
struct cachefiles_cache *cache = object->volume->cache;
During cachefiles_prepare_write(), the "n_accesses" counter is
non-zero (via fscache_begin_operation()). The cookie must not be
withdrawn until it drops to zero.
The counter is checked by fscache_cookie_state_machine() before
switching to FSCACHE_COOKIE_STATE_RELINQUISHING and
FSCACHE_COOKIE_STATE_WITHDRAWING (in "case
FSCACHE_COOKIE_STATE_FAILED"), but not for
FSCACHE_COOKIE_STATE_LRU_DISCARDING ("case
FSCACHE_COOKIE_STATE_ACTIVE").
This patch adds the missing check. With a non-zero access counter,
the function returns and the next fscache_end_cookie_access() call
will queue another fscache_cookie_state_machine() call to handle the
still-pending FSCACHE_COOKIE_DO_LRU_DISCARD.
Fixes: 12bb21a29c19 ("fscache: Implement cookie user counting and resource pinning")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://lore.kernel.org/r/20240729162002.3436763-2-dhowells@redhat.com
cc: Jeff Layton <jlayton@kernel.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fscache/cookie.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/fscache/cookie.c
+++ b/fs/fscache/cookie.c
@@ -741,6 +741,10 @@ again_locked:
spin_lock(&cookie->lock);
}
if (test_bit(FSCACHE_COOKIE_DO_LRU_DISCARD, &cookie->flags)) {
+ if (atomic_read(&cookie->n_accesses) != 0)
+ /* still being accessed: postpone it */
+ break;
+
__fscache_set_cookie_state(cookie,
FSCACHE_COOKIE_STATE_LRU_DISCARDING);
wake = true;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 037/341] selinux: fix potential counting error in avc_add_xperms_decision()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 036/341] fs/netfs/fscache_cookie: add missing "n_accesses" check Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 038/341] selinux: add the processing of the failure of avc_add_xperms_decision() Greg Kroah-Hartman
` (316 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhen Lei, Stephen Smalley,
Paul Moore
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhen Lei <thunder.leizhen@huawei.com>
commit 379d9af3f3da2da1bbfa67baf1820c72a080d1f1 upstream.
The count increases only when a node is successfully added to
the linked list.
Cc: stable@vger.kernel.org
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/avc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -330,12 +330,12 @@ static int avc_add_xperms_decision(struc
{
struct avc_xperms_decision_node *dest_xpd;
- node->ae.xp_node->xp.len++;
dest_xpd = avc_xperms_decision_alloc(src->used);
if (!dest_xpd)
return -ENOMEM;
avc_copy_xperms_decision(&dest_xpd->xpd, src);
list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head);
+ node->ae.xp_node->xp.len++;
return 0;
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 038/341] selinux: add the processing of the failure of avc_add_xperms_decision()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 037/341] selinux: fix potential counting error in avc_add_xperms_decision() Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 039/341] mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu Greg Kroah-Hartman
` (315 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen Smalley, Zhen Lei,
Paul Moore
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhen Lei <thunder.leizhen@huawei.com>
commit 6dd1e4c045afa6a4ba5d46f044c83bd357c593c2 upstream.
When avc_add_xperms_decision() fails, the information recorded by the new
avc node is incomplete. In this case, the new avc node should be released
instead of replacing the old avc node.
Cc: stable@vger.kernel.org
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/avc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -907,7 +907,11 @@ static int avc_update_node(u32 event, u3
node->ae.avd.auditdeny &= ~perms;
break;
case AVC_CALLBACK_ADD_XPERMS:
- avc_add_xperms_decision(node, xpd);
+ rc = avc_add_xperms_decision(node, xpd);
+ if (rc) {
+ avc_node_kill(node);
+ goto out_unlock;
+ }
break;
}
avc_node_replace(node, orig);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 039/341] mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 038/341] selinux: add the processing of the failure of avc_add_xperms_decision() Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 040/341] btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type Greg Kroah-Hartman
` (314 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Miaohe Lin, Huang, Ying,
Juri Lelli, Len Brown, Naoya Horiguchi, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
commit d75abd0d0bc29e6ebfebbf76d11b4067b35844af upstream.
The memory_failure_cpu structure is a per-cpu structure. Access to its
content requires the use of get_cpu_var() to lock in the current CPU and
disable preemption. The use of a regular spinlock_t for locking purpose
is fine for a non-RT kernel.
Since the integration of RT spinlock support into the v5.15 kernel, a
spinlock_t in a RT kernel becomes a sleeping lock and taking a sleeping
lock in a preemption disabled context is illegal resulting in the
following kind of warning.
[12135.732244] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[12135.732248] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 270076, name: kworker/0:0
[12135.732252] preempt_count: 1, expected: 0
[12135.732255] RCU nest depth: 2, expected: 2
:
[12135.732420] Hardware name: Dell Inc. PowerEdge R640/0HG0J8, BIOS 2.10.2 02/24/2021
[12135.732423] Workqueue: kacpi_notify acpi_os_execute_deferred
[12135.732433] Call Trace:
[12135.732436] <TASK>
[12135.732450] dump_stack_lvl+0x57/0x81
[12135.732461] __might_resched.cold+0xf4/0x12f
[12135.732479] rt_spin_lock+0x4c/0x100
[12135.732491] memory_failure_queue+0x40/0xe0
[12135.732503] ghes_do_memory_failure+0x53/0x390
[12135.732516] ghes_do_proc.constprop.0+0x229/0x3e0
[12135.732575] ghes_proc+0xf9/0x1a0
[12135.732591] ghes_notify_hed+0x6a/0x150
[12135.732602] notifier_call_chain+0x43/0xb0
[12135.732626] blocking_notifier_call_chain+0x43/0x60
[12135.732637] acpi_ev_notify_dispatch+0x47/0x70
[12135.732648] acpi_os_execute_deferred+0x13/0x20
[12135.732654] process_one_work+0x41f/0x500
[12135.732695] worker_thread+0x192/0x360
[12135.732715] kthread+0x111/0x140
[12135.732733] ret_from_fork+0x29/0x50
[12135.732779] </TASK>
Fix it by using a raw_spinlock_t for locking instead.
Also move the pr_err() out of the lock critical section and after
put_cpu_ptr() to avoid indeterminate latency and the possibility of sleep
with this call.
[longman@redhat.com: don't hold percpu ref across pr_err(), per Miaohe]
Link: https://lkml.kernel.org/r/20240807181130.1122660-1-longman@redhat.com
Link: https://lkml.kernel.org/r/20240806164107.1044956-1-longman@redhat.com
Fixes: 0f383b6dc96e ("locking/spinlock: Provide RT variant")
Signed-off-by: Waiman Long <longman@redhat.com>
Acked-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: "Huang, Ying" <ying.huang@intel.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Len Brown <len.brown@intel.com>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory-failure.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -2395,7 +2395,7 @@ struct memory_failure_entry {
struct memory_failure_cpu {
DECLARE_KFIFO(fifo, struct memory_failure_entry,
MEMORY_FAILURE_FIFO_SIZE);
- spinlock_t lock;
+ raw_spinlock_t lock;
struct work_struct work;
};
@@ -2421,20 +2421,22 @@ void memory_failure_queue(unsigned long
{
struct memory_failure_cpu *mf_cpu;
unsigned long proc_flags;
+ bool buffer_overflow;
struct memory_failure_entry entry = {
.pfn = pfn,
.flags = flags,
};
mf_cpu = &get_cpu_var(memory_failure_cpu);
- spin_lock_irqsave(&mf_cpu->lock, proc_flags);
- if (kfifo_put(&mf_cpu->fifo, entry))
+ raw_spin_lock_irqsave(&mf_cpu->lock, proc_flags);
+ buffer_overflow = !kfifo_put(&mf_cpu->fifo, entry);
+ if (!buffer_overflow)
schedule_work_on(smp_processor_id(), &mf_cpu->work);
- else
+ raw_spin_unlock_irqrestore(&mf_cpu->lock, proc_flags);
+ put_cpu_var(memory_failure_cpu);
+ if (buffer_overflow)
pr_err("buffer overflow when queuing memory failure at %#lx\n",
pfn);
- spin_unlock_irqrestore(&mf_cpu->lock, proc_flags);
- put_cpu_var(memory_failure_cpu);
}
EXPORT_SYMBOL_GPL(memory_failure_queue);
@@ -2447,9 +2449,9 @@ static void memory_failure_work_func(str
mf_cpu = container_of(work, struct memory_failure_cpu, work);
for (;;) {
- spin_lock_irqsave(&mf_cpu->lock, proc_flags);
+ raw_spin_lock_irqsave(&mf_cpu->lock, proc_flags);
gotten = kfifo_get(&mf_cpu->fifo, &entry);
- spin_unlock_irqrestore(&mf_cpu->lock, proc_flags);
+ raw_spin_unlock_irqrestore(&mf_cpu->lock, proc_flags);
if (!gotten)
break;
if (entry.flags & MF_SOFT_OFFLINE)
@@ -2479,7 +2481,7 @@ static int __init memory_failure_init(vo
for_each_possible_cpu(cpu) {
mf_cpu = &per_cpu(memory_failure_cpu, cpu);
- spin_lock_init(&mf_cpu->lock);
+ raw_spin_lock_init(&mf_cpu->lock);
INIT_KFIFO(mf_cpu->fifo);
INIT_WORK(&mf_cpu->work, memory_failure_work_func);
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 040/341] btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 039/341] mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 041/341] btrfs: zoned: properly take lock to read/update block groups zoned variables Greg Kroah-Hartman
` (313 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kota, Qu Wenruo, David Sterba
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 31723c9542dba1681cc3720571fdf12ffe0eddd9 upstream.
[REPORT]
There is a bug report that kernel is rejecting a mismatching inode mode
and its dir item:
[ 1881.553937] BTRFS critical (device dm-0): inode mode mismatch with
dir: inode mode=040700 btrfs type=2 dir type=0
[CAUSE]
It looks like the inode mode is correct, while the dir item type
0 is BTRFS_FT_UNKNOWN, which should not be generated by btrfs at all.
This may be caused by a memory bit flip.
[ENHANCEMENT]
Although tree-checker is not able to do any cross-leaf verification, for
this particular case we can at least reject any dir type with
BTRFS_FT_UNKNOWN.
So here we enhance the dir type check from [0, BTRFS_FT_MAX), to
(0, BTRFS_FT_MAX).
Although the existing corruption can not be fixed just by such enhanced
checking, it should prevent the same 0x2->0x0 bitflip for dir type to
reach disk in the future.
Reported-by: Kota <nospam@kota.moe>
Link: https://lore.kernel.org/linux-btrfs/CACsxjPYnQF9ZF-0OhH16dAx50=BXXOcP74MxBc3BG+xae4vTTw@mail.gmail.com/
CC: stable@vger.kernel.org # 5.4+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-checker.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -548,9 +548,10 @@ static int check_dir_item(struct extent_
/* dir type check */
dir_type = btrfs_dir_ftype(leaf, di);
- if (unlikely(dir_type >= BTRFS_FT_MAX)) {
+ if (unlikely(dir_type <= BTRFS_FT_UNKNOWN ||
+ dir_type >= BTRFS_FT_MAX)) {
dir_item_err(leaf, slot,
- "invalid dir item type, have %u expect [0, %u)",
+ "invalid dir item type, have %u expect (0, %u)",
dir_type, BTRFS_FT_MAX);
return -EUCLEAN;
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 041/341] btrfs: zoned: properly take lock to read/update block groups zoned variables
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 040/341] btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 042/341] btrfs: tree-checker: add dev extent item checks Greg Kroah-Hartman
` (312 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Naohiro Aota,
David Sterba
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naohiro Aota <naohiro.aota@wdc.com>
commit e30729d4bd4001881be4d1ad4332a5d4985398f8 upstream.
__btrfs_add_free_space_zoned() references and modifies bg's alloc_offset,
ro, and zone_unusable, but without taking the lock. It is mostly safe
because they monotonically increase (at least for now) and this function is
mostly called by a transaction commit, which is serialized by itself.
Still, taking the lock is a safer and correct option and I'm going to add a
change to reset zone_unusable while a block group is still alive. So, add
locking around the operations.
Fixes: 169e0da91a21 ("btrfs: zoned: track unusable bytes for zones")
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/free-space-cache.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -2696,15 +2696,16 @@ static int __btrfs_add_free_space_zoned(
u64 offset = bytenr - block_group->start;
u64 to_free, to_unusable;
int bg_reclaim_threshold = 0;
- bool initial = ((size == block_group->length) && (block_group->alloc_offset == 0));
+ bool initial;
u64 reclaimable_unusable;
- WARN_ON(!initial && offset + size > block_group->zone_capacity);
+ spin_lock(&block_group->lock);
+ initial = ((size == block_group->length) && (block_group->alloc_offset == 0));
+ WARN_ON(!initial && offset + size > block_group->zone_capacity);
if (!initial)
bg_reclaim_threshold = READ_ONCE(sinfo->bg_reclaim_threshold);
- spin_lock(&ctl->tree_lock);
if (!used)
to_free = size;
else if (initial)
@@ -2717,7 +2718,9 @@ static int __btrfs_add_free_space_zoned(
to_free = offset + size - block_group->alloc_offset;
to_unusable = size - to_free;
+ spin_lock(&ctl->tree_lock);
ctl->free_space += to_free;
+ spin_unlock(&ctl->tree_lock);
/*
* If the block group is read-only, we should account freed space into
* bytes_readonly.
@@ -2726,11 +2729,8 @@ static int __btrfs_add_free_space_zoned(
block_group->zone_unusable += to_unusable;
WARN_ON(block_group->zone_unusable > block_group->length);
}
- spin_unlock(&ctl->tree_lock);
if (!used) {
- spin_lock(&block_group->lock);
block_group->alloc_offset -= size;
- spin_unlock(&block_group->lock);
}
reclaimable_unusable = block_group->zone_unusable -
@@ -2744,6 +2744,8 @@ static int __btrfs_add_free_space_zoned(
btrfs_mark_bg_to_reclaim(block_group);
}
+ spin_unlock(&block_group->lock);
+
return 0;
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 042/341] btrfs: tree-checker: add dev extent item checks
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 041/341] btrfs: zoned: properly take lock to read/update block groups zoned variables Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 043/341] drm/amdgpu: Actually check flags for all context ops Greg Kroah-Hartman
` (311 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anand Jain, Qu Wenruo, David Sterba
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 008e2512dc5696ab2dc5bf264e98a9fe9ceb830e upstream.
[REPORT]
There is a corruption report that btrfs refused to mount a fs that has
overlapping dev extents:
BTRFS error (device sdc): dev extent devid 4 physical offset 14263979671552 overlap with previous dev extent end 14263980982272
BTRFS error (device sdc): failed to verify dev extents against chunks: -117
BTRFS error (device sdc): open_ctree failed
[CAUSE]
The direct cause is very obvious, there is a bad dev extent item with
incorrect length.
With btrfs check reporting two overlapping extents, the second one shows
some clue on the cause:
ERROR: dev extent devid 4 offset 14263979671552 len 6488064 overlap with previous dev extent end 14263980982272
ERROR: dev extent devid 13 offset 2257707008000 len 6488064 overlap with previous dev extent end 2257707270144
ERROR: errors found in extent allocation tree or chunk allocation
The second one looks like a bitflip happened during new chunk
allocation:
hex(2257707008000) = 0x20da9d30000
hex(2257707270144) = 0x20da9d70000
diff = 0x00000040000
So it looks like a bitflip happened during new dev extent allocation,
resulting the second overlap.
Currently we only do the dev-extent verification at mount time, but if the
corruption is caused by memory bitflip, we really want to catch it before
writing the corruption to the storage.
Furthermore the dev extent items has the following key definition:
(<device id> DEV_EXTENT <physical offset>)
Thus we can not just rely on the generic key order check to make sure
there is no overlapping.
[ENHANCEMENT]
Introduce dedicated dev extent checks, including:
- Fixed member checks
* chunk_tree should always be BTRFS_CHUNK_TREE_OBJECTID (3)
* chunk_objectid should always be
BTRFS_FIRST_CHUNK_CHUNK_TREE_OBJECTID (256)
- Alignment checks
* chunk_offset should be aligned to sectorsize
* length should be aligned to sectorsize
* key.offset should be aligned to sectorsize
- Overlap checks
If the previous key is also a dev-extent item, with the same
device id, make sure we do not overlap with the previous dev extent.
Reported: Stefan N <stefannnau@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CA+W5K0rSO3koYTo=nzxxTm1-Pdu1HYgVxEpgJ=aGc7d=E8mGEg@mail.gmail.com/
CC: stable@vger.kernel.org # 5.10+
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-checker.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -1671,6 +1671,72 @@ static int check_inode_ref(struct extent
return 0;
}
+static int check_dev_extent_item(const struct extent_buffer *leaf,
+ const struct btrfs_key *key,
+ int slot,
+ struct btrfs_key *prev_key)
+{
+ struct btrfs_dev_extent *de;
+ const u32 sectorsize = leaf->fs_info->sectorsize;
+
+ de = btrfs_item_ptr(leaf, slot, struct btrfs_dev_extent);
+ /* Basic fixed member checks. */
+ if (unlikely(btrfs_dev_extent_chunk_tree(leaf, de) !=
+ BTRFS_CHUNK_TREE_OBJECTID)) {
+ generic_err(leaf, slot,
+ "invalid dev extent chunk tree id, has %llu expect %llu",
+ btrfs_dev_extent_chunk_tree(leaf, de),
+ BTRFS_CHUNK_TREE_OBJECTID);
+ return -EUCLEAN;
+ }
+ if (unlikely(btrfs_dev_extent_chunk_objectid(leaf, de) !=
+ BTRFS_FIRST_CHUNK_TREE_OBJECTID)) {
+ generic_err(leaf, slot,
+ "invalid dev extent chunk objectid, has %llu expect %llu",
+ btrfs_dev_extent_chunk_objectid(leaf, de),
+ BTRFS_FIRST_CHUNK_TREE_OBJECTID);
+ return -EUCLEAN;
+ }
+ /* Alignment check. */
+ if (unlikely(!IS_ALIGNED(key->offset, sectorsize))) {
+ generic_err(leaf, slot,
+ "invalid dev extent key.offset, has %llu not aligned to %u",
+ key->offset, sectorsize);
+ return -EUCLEAN;
+ }
+ if (unlikely(!IS_ALIGNED(btrfs_dev_extent_chunk_offset(leaf, de),
+ sectorsize))) {
+ generic_err(leaf, slot,
+ "invalid dev extent chunk offset, has %llu not aligned to %u",
+ btrfs_dev_extent_chunk_objectid(leaf, de),
+ sectorsize);
+ return -EUCLEAN;
+ }
+ if (unlikely(!IS_ALIGNED(btrfs_dev_extent_length(leaf, de),
+ sectorsize))) {
+ generic_err(leaf, slot,
+ "invalid dev extent length, has %llu not aligned to %u",
+ btrfs_dev_extent_length(leaf, de), sectorsize);
+ return -EUCLEAN;
+ }
+ /* Overlap check with previous dev extent. */
+ if (slot && prev_key->objectid == key->objectid &&
+ prev_key->type == key->type) {
+ struct btrfs_dev_extent *prev_de;
+ u64 prev_len;
+
+ prev_de = btrfs_item_ptr(leaf, slot - 1, struct btrfs_dev_extent);
+ prev_len = btrfs_dev_extent_length(leaf, prev_de);
+ if (unlikely(prev_key->offset + prev_len > key->offset)) {
+ generic_err(leaf, slot,
+ "dev extent overlap, prev offset %llu len %llu current offset %llu",
+ prev_key->objectid, prev_len, key->offset);
+ return -EUCLEAN;
+ }
+ }
+ return 0;
+}
+
/*
* Common point to switch the item-specific validation.
*/
@@ -1707,6 +1773,9 @@ static enum btrfs_tree_block_status chec
case BTRFS_DEV_ITEM_KEY:
ret = check_dev_item(leaf, key, slot);
break;
+ case BTRFS_DEV_EXTENT_KEY:
+ ret = check_dev_extent_item(leaf, key, slot, prev_key);
+ break;
case BTRFS_INODE_ITEM_KEY:
ret = check_inode_item(leaf, key, slot);
break;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 043/341] drm/amdgpu: Actually check flags for all context ops.
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 042/341] btrfs: tree-checker: add dev extent item checks Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 044/341] memcg_write_event_control(): fix a user-triggerable oops Greg Kroah-Hartman
` (310 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bas Nieuwenhuizen, Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
commit 0573a1e2ea7e35bff08944a40f1adf2bb35cea61 upstream.
Missing validation ...
Checked libdrm and it clears all the structs, so we should be
safe to just check everything.
Signed-off-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit c6b86421f1f9ddf9d706f2453159813ee39d0cf9)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c
@@ -684,16 +684,24 @@ int amdgpu_ctx_ioctl(struct drm_device *
switch (args->in.op) {
case AMDGPU_CTX_OP_ALLOC_CTX:
+ if (args->in.flags)
+ return -EINVAL;
r = amdgpu_ctx_alloc(adev, fpriv, filp, priority, &id);
args->out.alloc.ctx_id = id;
break;
case AMDGPU_CTX_OP_FREE_CTX:
+ if (args->in.flags)
+ return -EINVAL;
r = amdgpu_ctx_free(fpriv, id);
break;
case AMDGPU_CTX_OP_QUERY_STATE:
+ if (args->in.flags)
+ return -EINVAL;
r = amdgpu_ctx_query(adev, fpriv, id, &args->out);
break;
case AMDGPU_CTX_OP_QUERY_STATE2:
+ if (args->in.flags)
+ return -EINVAL;
r = amdgpu_ctx_query2(adev, fpriv, id, &args->out);
break;
case AMDGPU_CTX_OP_GET_STABLE_PSTATE:
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 044/341] memcg_write_event_control(): fix a user-triggerable oops
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 043/341] drm/amdgpu: Actually check flags for all context ops Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 045/341] drm/amdgpu/jpeg2: properly set atomics vmid field Greg Kroah-Hartman
` (309 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Morton, Michal Hocko, Al Viro
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 046667c4d3196938e992fba0dfcde570aa85cd0e upstream.
we are *not* guaranteed that anything past the terminating NUL
is mapped (let alone initialized with anything sane).
Fixes: 0dea116876ee ("cgroup: implement eventfd-based generic API for notifications")
Cc: stable@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memcontrol.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -4880,9 +4880,12 @@ static ssize_t memcg_write_event_control
buf = endp + 1;
cfd = simple_strtoul(buf, &endp, 10);
- if ((*endp != ' ') && (*endp != '\0'))
+ if (*endp == '\0')
+ buf = endp;
+ else if (*endp == ' ')
+ buf = endp + 1;
+ else
return -EINVAL;
- buf = endp + 1;
event = kzalloc(sizeof(*event), GFP_KERNEL);
if (!event)
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 045/341] drm/amdgpu/jpeg2: properly set atomics vmid field
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 044/341] memcg_write_event_control(): fix a user-triggerable oops Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 046/341] drm/amdgpu/jpeg4: " Greg Kroah-Hartman
` (308 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Leo Liu, Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit e414a304f2c5368a84f03ad34d29b89f965a33c9 upstream.
This needs to be set as well if the IB uses atomics.
Reviewed-by: Leo Liu <leo.liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 35c628774e50b3784c59e8ca7973f03bcb067132)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c
@@ -543,11 +543,11 @@ void jpeg_v2_0_dec_ring_emit_ib(struct a
amdgpu_ring_write(ring, PACKETJ(mmUVD_LMI_JRBC_IB_VMID_INTERNAL_OFFSET,
0, 0, PACKETJ_TYPE0));
- amdgpu_ring_write(ring, (vmid | (vmid << 4)));
+ amdgpu_ring_write(ring, (vmid | (vmid << 4) | (vmid << 8)));
amdgpu_ring_write(ring, PACKETJ(mmUVD_LMI_JPEG_VMID_INTERNAL_OFFSET,
0, 0, PACKETJ_TYPE0));
- amdgpu_ring_write(ring, (vmid | (vmid << 4)));
+ amdgpu_ring_write(ring, (vmid | (vmid << 4) | (vmid << 8)));
amdgpu_ring_write(ring, PACKETJ(mmUVD_LMI_JRBC_IB_64BIT_BAR_LOW_INTERNAL_OFFSET,
0, 0, PACKETJ_TYPE0));
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 046/341] drm/amdgpu/jpeg4: properly set atomics vmid field
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 045/341] drm/amdgpu/jpeg2: properly set atomics vmid field Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 047/341] s390/uv: Panic for set and remove shared access UVC errors Greg Kroah-Hartman
` (307 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Leo Liu, Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit e6c6bd6253e792cee6c5c065e106e87b9f0d9ae9 upstream.
This needs to be set as well if the IB uses atomics.
Reviewed-by: Leo Liu <leo.liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit c6c2e8b6a427d4fecc7c36cffccb908185afcab2)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
@@ -769,11 +769,11 @@ static void jpeg_v4_0_3_dec_ring_emit_ib
amdgpu_ring_write(ring, PACKETJ(regUVD_LMI_JRBC_IB_VMID_INTERNAL_OFFSET,
0, 0, PACKETJ_TYPE0));
- amdgpu_ring_write(ring, (vmid | (vmid << 4)));
+ amdgpu_ring_write(ring, (vmid | (vmid << 4) | (vmid << 8)));
amdgpu_ring_write(ring, PACKETJ(regUVD_LMI_JPEG_VMID_INTERNAL_OFFSET,
0, 0, PACKETJ_TYPE0));
- amdgpu_ring_write(ring, (vmid | (vmid << 4)));
+ amdgpu_ring_write(ring, (vmid | (vmid << 4) | (vmid << 8)));
amdgpu_ring_write(ring, PACKETJ(regUVD_LMI_JRBC_IB_64BIT_BAR_LOW_INTERNAL_OFFSET,
0, 0, PACKETJ_TYPE0));
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 047/341] s390/uv: Panic for set and remove shared access UVC errors
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 046/341] drm/amdgpu/jpeg4: " Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 048/341] bpf: Fix updating attached freplace prog in prog_array map Greg Kroah-Hartman
` (306 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Claudio Imbrenda,
Christian Borntraeger, Steffen Eiden, Janosch Frank, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudio Imbrenda <imbrenda@linux.ibm.com>
[ Upstream commit cff59d8631e1409ffdd22d9d717e15810181b32c ]
The return value uv_set_shared() and uv_remove_shared() (which are
wrappers around the share() function) is not always checked. The system
integrity of a protected guest depends on the Share and Unshare UVCs
being successful. This means that any caller that fails to check the
return value will compromise the security of the protected guest.
No code path that would lead to such violation of the security
guarantees is currently exercised, since all the areas that are shared
never get unshared during the lifetime of the system. This might
change and become an issue in the future.
The Share and Unshare UVCs can only fail in case of hypervisor
misbehaviour (either a bug or malicious behaviour). In such cases there
is no reasonable way forward, and the system needs to panic.
This patch replaces the return at the end of the share() function with
a panic, to guarantee system integrity.
Fixes: 5abb9351dfd9 ("s390/uv: introduce guest side ultravisor code")
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
Link: https://lore.kernel.org/r/20240801112548.85303-1-imbrenda@linux.ibm.com
Message-ID: <20240801112548.85303-1-imbrenda@linux.ibm.com>
[frankja@linux.ibm.com: Fixed up patch subject]
Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/include/asm/uv.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/s390/include/asm/uv.h b/arch/s390/include/asm/uv.h
index 0e7bd3873907f..b2e2f9a4163c5 100644
--- a/arch/s390/include/asm/uv.h
+++ b/arch/s390/include/asm/uv.h
@@ -442,7 +442,10 @@ static inline int share(unsigned long addr, u16 cmd)
if (!uv_call(0, (u64)&uvcb))
return 0;
- return -EINVAL;
+ pr_err("%s UVC failed (rc: 0x%x, rrc: 0x%x), possible hypervisor bug.\n",
+ uvcb.header.cmd == UVC_CMD_SET_SHARED_ACCESS ? "Share" : "Unshare",
+ uvcb.header.rc, uvcb.header.rrc);
+ panic("System security cannot be guaranteed unless the system panics now.\n");
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 048/341] bpf: Fix updating attached freplace prog in prog_array map
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 047/341] s390/uv: Panic for set and remove shared access UVC errors Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 049/341] igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer Greg Kroah-Hartman
` (305 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Toke Høiland-Jørgensen,
Martin KaFai Lau, Yonghong Song, Leon Hwang, Alexei Starovoitov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Hwang <leon.hwang@linux.dev>
[ Upstream commit fdad456cbcca739bae1849549c7a999857c56f88 ]
The commit f7866c358733 ("bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT")
fixed a NULL pointer dereference panic, but didn't fix the issue that
fails to update attached freplace prog to prog_array map.
Since commit 1c123c567fb1 ("bpf: Resolve fext program type when checking map compatibility"),
freplace prog and its target prog are able to tail call each other.
And the commit 3aac1ead5eb6 ("bpf: Move prog->aux->linked_prog and trampoline into bpf_link on attach")
sets prog->aux->dst_prog as NULL after attaching freplace prog to its
target prog.
After loading freplace the prog_array's owner type is BPF_PROG_TYPE_SCHED_CLS.
Then, after attaching freplace its prog->aux->dst_prog is NULL.
Then, while updating freplace in prog_array the bpf_prog_map_compatible()
incorrectly returns false because resolve_prog_type() returns
BPF_PROG_TYPE_EXT instead of BPF_PROG_TYPE_SCHED_CLS.
After this patch the resolve_prog_type() returns BPF_PROG_TYPE_SCHED_CLS
and update to prog_array can succeed.
Fixes: f7866c358733 ("bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT")
Cc: Toke Høiland-Jørgensen <toke@redhat.com>
Cc: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
Link: https://lore.kernel.org/r/20240728114612.48486-2-leon.hwang@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/bpf_verifier.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index b62535fd8de5f..92919d52f7e1b 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -760,8 +760,8 @@ static inline u32 type_flag(u32 type)
/* only use after check_attach_btf_id() */
static inline enum bpf_prog_type resolve_prog_type(const struct bpf_prog *prog)
{
- return (prog->type == BPF_PROG_TYPE_EXT && prog->aux->dst_prog) ?
- prog->aux->dst_prog->type : prog->type;
+ return (prog->type == BPF_PROG_TYPE_EXT && prog->aux->saved_dst_prog_type) ?
+ prog->aux->saved_dst_prog_type : prog->type;
}
static inline bool bpf_prog_check_recur(const struct bpf_prog *prog)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 049/341] igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 048/341] bpf: Fix updating attached freplace prog in prog_array map Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 050/341] igc: Fix qbv_config_change_errors logics Greg Kroah-Hartman
` (304 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Faizal Rahim, Vinicius Costa Gomes,
Mor Bar-Gabay, Tony Nguyen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
[ Upstream commit e037a26ead187901f83cad9c503ccece5ff6817a ]
Testing uncovered that even when the taprio gate is closed, some packets
still transmit.
According to i225/6 hardware errata [1], traffic might overflow the
planned QBV window. This happens because MAC maintains an internal buffer,
primarily for supporting half duplex retries. Therefore, even when the
gate closes, residual MAC data in the buffer may still transmit.
To mitigate this for i226, reduce the MAC's internal buffer from 192 bytes
to the recommended 88 bytes by modifying the RETX_CTL register value.
This follows guidelines from:
[1] Ethernet Controller I225/I22 Spec Update Rev 2.1 Errata Item 9:
TSN: Packet Transmission Might Cross Qbv Window
[2] I225/6 SW User Manual Rev 1.2.4: Section 8.11.5 Retry Buffer Control
Note that the RETX_CTL register can't be used in TSN mode because half
duplex feature cannot coexist with TSN.
Test Steps:
1. Send taprio cmd to board A:
tc qdisc replace dev enp1s0 parent root handle 100 taprio \
num_tc 4 \
map 3 2 1 0 3 3 3 3 3 3 3 3 3 3 3 3 \
queues 1@0 1@1 1@2 1@3 \
base-time 0 \
sched-entry S 0x07 500000 \
sched-entry S 0x0f 500000 \
flags 0x2 \
txtime-delay 0
Note that for TC3, gate should open for 500us and close for another
500us.
3. Take tcpdump log on Board B.
4. Send udp packets via UDP tai app from Board A to Board B.
5. Analyze tcpdump log via wireshark log on Board B. Ensure that the
total time from the first to the last packet received during one cycle
for TC3 does not exceed 500us.
Fixes: 43546211738e ("igc: Add new device ID's")
Signed-off-by: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_defines.h | 6 ++++
drivers/net/ethernet/intel/igc/igc_tsn.c | 34 ++++++++++++++++++++
2 files changed, 40 insertions(+)
diff --git a/drivers/net/ethernet/intel/igc/igc_defines.h b/drivers/net/ethernet/intel/igc/igc_defines.h
index b3037016f31d2..a18af5c87cde4 100644
--- a/drivers/net/ethernet/intel/igc/igc_defines.h
+++ b/drivers/net/ethernet/intel/igc/igc_defines.h
@@ -402,6 +402,12 @@
#define IGC_DTXMXPKTSZ_TSN 0x19 /* 1600 bytes of max TX DMA packet size */
#define IGC_DTXMXPKTSZ_DEFAULT 0x98 /* 9728-byte Jumbo frames */
+/* Retry Buffer Control */
+#define IGC_RETX_CTL 0x041C
+#define IGC_RETX_CTL_WATERMARK_MASK 0xF
+#define IGC_RETX_CTL_QBVFULLTH_SHIFT 8 /* QBV Retry Buffer Full Threshold */
+#define IGC_RETX_CTL_QBVFULLEN 0x1000 /* Enable QBV Retry Buffer Full Threshold */
+
/* Transmit Scheduling Latency */
/* Latency between transmission scheduling (LaunchTime) and the time
* the packet is transmitted to the network in nanosecond.
diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c
index 22cefb1eeedfa..46d4c3275bbb5 100644
--- a/drivers/net/ethernet/intel/igc/igc_tsn.c
+++ b/drivers/net/ethernet/intel/igc/igc_tsn.c
@@ -78,6 +78,15 @@ void igc_tsn_adjust_txtime_offset(struct igc_adapter *adapter)
wr32(IGC_GTXOFFSET, txoffset);
}
+static void igc_tsn_restore_retx_default(struct igc_adapter *adapter)
+{
+ struct igc_hw *hw = &adapter->hw;
+ u32 retxctl;
+
+ retxctl = rd32(IGC_RETX_CTL) & IGC_RETX_CTL_WATERMARK_MASK;
+ wr32(IGC_RETX_CTL, retxctl);
+}
+
/* Returns the TSN specific registers to their default values after
* the adapter is reset.
*/
@@ -91,6 +100,9 @@ static int igc_tsn_disable_offload(struct igc_adapter *adapter)
wr32(IGC_TXPBS, I225_TXPBSIZE_DEFAULT);
wr32(IGC_DTXMXPKTSZ, IGC_DTXMXPKTSZ_DEFAULT);
+ if (igc_is_device_id_i226(hw))
+ igc_tsn_restore_retx_default(adapter);
+
tqavctrl = rd32(IGC_TQAVCTRL);
tqavctrl &= ~(IGC_TQAVCTRL_TRANSMIT_MODE_TSN |
IGC_TQAVCTRL_ENHANCED_QAV | IGC_TQAVCTRL_FUTSCDDIS);
@@ -111,6 +123,25 @@ static int igc_tsn_disable_offload(struct igc_adapter *adapter)
return 0;
}
+/* To partially fix i226 HW errata, reduce MAC internal buffering from 192 Bytes
+ * to 88 Bytes by setting RETX_CTL register using the recommendation from:
+ * a) Ethernet Controller I225/I226 Specification Update Rev 2.1
+ * Item 9: TSN: Packet Transmission Might Cross the Qbv Window
+ * b) I225/6 SW User Manual Rev 1.2.4: Section 8.11.5 Retry Buffer Control
+ */
+static void igc_tsn_set_retx_qbvfullthreshold(struct igc_adapter *adapter)
+{
+ struct igc_hw *hw = &adapter->hw;
+ u32 retxctl, watermark;
+
+ retxctl = rd32(IGC_RETX_CTL);
+ watermark = retxctl & IGC_RETX_CTL_WATERMARK_MASK;
+ /* Set QBVFULLTH value using watermark and set QBVFULLEN */
+ retxctl |= (watermark << IGC_RETX_CTL_QBVFULLTH_SHIFT) |
+ IGC_RETX_CTL_QBVFULLEN;
+ wr32(IGC_RETX_CTL, retxctl);
+}
+
static int igc_tsn_enable_offload(struct igc_adapter *adapter)
{
struct igc_hw *hw = &adapter->hw;
@@ -123,6 +154,9 @@ static int igc_tsn_enable_offload(struct igc_adapter *adapter)
wr32(IGC_DTXMXPKTSZ, IGC_DTXMXPKTSZ_TSN);
wr32(IGC_TXPBS, IGC_TXPBSIZE_TSN);
+ if (igc_is_device_id_i226(hw))
+ igc_tsn_set_retx_qbvfullthreshold(adapter);
+
for (i = 0; i < adapter->num_tx_queues; i++) {
struct igc_ring *ring = adapter->tx_ring[i];
u32 txqctl = 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 050/341] igc: Fix qbv_config_change_errors logics
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 049/341] igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 051/341] igc: Fix reset adapter logics when tx mode change Greg Kroah-Hartman
` (303 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Faizal Rahim, Simon Horman,
Vinicius Costa Gomes, Mor Bar-Gabay, Tony Nguyen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
[ Upstream commit f8d6acaee9d35cbff3c3cfad94641666c596f8da ]
When user issues these cmds:
1. Either a) or b)
a) mqprio with hardware offload disabled
b) taprio with txtime-assist feature enabled
2. etf
3. tc qdisc delete
4. taprio with base time in the past
At step 4, qbv_config_change_errors wrongly increased by 1.
Excerpt from IEEE 802.1Q-2018 8.6.9.3.1:
"If AdminBaseTime specifies a time in the past, and the current schedule
is running, then: Increment ConfigChangeError counter"
qbv_config_change_errors should only increase if base time is in the past
and no taprio is active. In user perspective, taprio was not active when
first triggered at step 4. However, i225/6 reuses qbv for etf, so qbv is
enabled with a dummy schedule at step 2 where it enters
igc_tsn_enable_offload() and qbv_count got incremented to 1. At step 4, it
enters igc_tsn_enable_offload() again, qbv_count is incremented to 2.
Because taprio is running, tc_setup_type is TC_SETUP_QDISC_ETF and
qbv_count > 1, qbv_config_change_errors value got incremented.
This issue happens due to reliance on qbv_count field where a non-zero
value indicates that taprio is running. But qbv_count increases
regardless if taprio is triggered by user or by other tsn feature. It does
not align with qbv_config_change_errors expectation where it is only
concerned with taprio triggered by user.
Fixing this by relocating the qbv_config_change_errors logic to
igc_save_qbv_schedule(), eliminating reliance on qbv_count and its
inaccuracies from i225/6's multiple uses of qbv feature for other TSN
features.
The new function created: igc_tsn_is_taprio_activated_by_user() uses
taprio_offload_enable field to indicate that the current running taprio
was triggered by user, instead of triggered by non-qbv feature like etf.
Fixes: ae4fe4698300 ("igc: Add qbv_config_change_errors counter")
Signed-off-by: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_main.c | 8 ++++++--
drivers/net/ethernet/intel/igc/igc_tsn.c | 16 ++++++++--------
drivers/net/ethernet/intel/igc/igc_tsn.h | 1 +
3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index d80bbcdeb93ed..21fb1a98ebca6 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -6217,12 +6217,16 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
if (!validate_schedule(adapter, qopt))
return -EINVAL;
+ igc_ptp_read(adapter, &now);
+
+ if (igc_tsn_is_taprio_activated_by_user(adapter) &&
+ is_base_time_past(qopt->base_time, &now))
+ adapter->qbv_config_change_errors++;
+
adapter->cycle_time = qopt->cycle_time;
adapter->base_time = qopt->base_time;
adapter->taprio_offload_enable = true;
- igc_ptp_read(adapter, &now);
-
for (n = 0; n < qopt->num_entries; n++) {
struct tc_taprio_sched_entry *e = &qopt->entries[n];
diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c
index 46d4c3275bbb5..8ed7b965484da 100644
--- a/drivers/net/ethernet/intel/igc/igc_tsn.c
+++ b/drivers/net/ethernet/intel/igc/igc_tsn.c
@@ -87,6 +87,14 @@ static void igc_tsn_restore_retx_default(struct igc_adapter *adapter)
wr32(IGC_RETX_CTL, retxctl);
}
+bool igc_tsn_is_taprio_activated_by_user(struct igc_adapter *adapter)
+{
+ struct igc_hw *hw = &adapter->hw;
+
+ return (rd32(IGC_BASET_H) || rd32(IGC_BASET_L)) &&
+ adapter->taprio_offload_enable;
+}
+
/* Returns the TSN specific registers to their default values after
* the adapter is reset.
*/
@@ -296,14 +304,6 @@ static int igc_tsn_enable_offload(struct igc_adapter *adapter)
s64 n = div64_s64(ktime_sub_ns(systim, base_time), cycle);
base_time = ktime_add_ns(base_time, (n + 1) * cycle);
-
- /* Increase the counter if scheduling into the past while
- * Gate Control List (GCL) is running.
- */
- if ((rd32(IGC_BASET_H) || rd32(IGC_BASET_L)) &&
- (adapter->tc_setup_type == TC_SETUP_QDISC_TAPRIO) &&
- (adapter->qbv_count > 1))
- adapter->qbv_config_change_errors++;
} else {
if (igc_is_device_id_i226(hw)) {
ktime_t adjust_time, expires_time;
diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.h b/drivers/net/ethernet/intel/igc/igc_tsn.h
index b53e6af560b73..98ec845a86bf0 100644
--- a/drivers/net/ethernet/intel/igc/igc_tsn.h
+++ b/drivers/net/ethernet/intel/igc/igc_tsn.h
@@ -7,5 +7,6 @@
int igc_tsn_offload_apply(struct igc_adapter *adapter);
int igc_tsn_reset(struct igc_adapter *adapter);
void igc_tsn_adjust_txtime_offset(struct igc_adapter *adapter);
+bool igc_tsn_is_taprio_activated_by_user(struct igc_adapter *adapter);
#endif /* _IGC_BASE_H */
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 051/341] igc: Fix reset adapter logics when tx mode change
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 050/341] igc: Fix qbv_config_change_errors logics Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 052/341] net/mlx5e: Take state lock during tx timeout reporter Greg Kroah-Hartman
` (302 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Faizal Rahim, Simon Horman,
Vinicius Costa Gomes, Mor Bar-Gabay, Tony Nguyen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
[ Upstream commit 0afeaeb5dae86aceded0d5f0c3a54d27858c0c6f ]
Following the "igc: Fix TX Hang issue when QBV Gate is close" changes,
remaining issues with the reset adapter logic in igc_tsn_offload_apply()
have been observed:
1. The reset adapter logics for i225 and i226 differ, although they should
be the same according to the guidelines in I225/6 HW Design Section
7.5.2.1 on software initialization during tx mode changes.
2. The i225 resets adapter every time, even though tx mode doesn't change.
This occurs solely based on the condition igc_is_device_id_i225() when
calling schedule_work().
3. i226 doesn't reset adapter for tsn->legacy tx mode changes. It only
resets adapter for legacy->tsn tx mode transitions.
4. qbv_count introduced in the patch is actually not needed; in this
context, a non-zero value of qbv_count is used to indicate if tx mode
was unconditionally set to tsn in igc_tsn_enable_offload(). This could
be replaced by checking the existing register
IGC_TQAVCTRL_TRANSMIT_MODE_TSN bit.
This patch resolves all issues and enters schedule_work() to reset the
adapter only when changing tx mode. It also removes reliance on qbv_count.
qbv_count field will be removed in a future patch.
Test ran:
1. Verify reset adapter behaviour in i225/6:
a) Enrol a new GCL
Reset adapter observed (tx mode change legacy->tsn)
b) Enrol a new GCL without deleting qdisc
No reset adapter observed (tx mode remain tsn->tsn)
c) Delete qdisc
Reset adapter observed (tx mode change tsn->legacy)
2. Tested scenario from "igc: Fix TX Hang issue when QBV Gate is closed"
to confirm it remains resolved.
Fixes: 175c241288c0 ("igc: Fix TX Hang issue when QBV Gate is closed")
Signed-off-by: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_tsn.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c
index 8ed7b965484da..ada7514305171 100644
--- a/drivers/net/ethernet/intel/igc/igc_tsn.c
+++ b/drivers/net/ethernet/intel/igc/igc_tsn.c
@@ -49,6 +49,13 @@ static unsigned int igc_tsn_new_flags(struct igc_adapter *adapter)
return new_flags;
}
+static bool igc_tsn_is_tx_mode_in_tsn(struct igc_adapter *adapter)
+{
+ struct igc_hw *hw = &adapter->hw;
+
+ return !!(rd32(IGC_TQAVCTRL) & IGC_TQAVCTRL_TRANSMIT_MODE_TSN);
+}
+
void igc_tsn_adjust_txtime_offset(struct igc_adapter *adapter)
{
struct igc_hw *hw = &adapter->hw;
@@ -365,15 +372,22 @@ int igc_tsn_reset(struct igc_adapter *adapter)
return err;
}
-int igc_tsn_offload_apply(struct igc_adapter *adapter)
+static bool igc_tsn_will_tx_mode_change(struct igc_adapter *adapter)
{
- struct igc_hw *hw = &adapter->hw;
+ bool any_tsn_enabled = !!(igc_tsn_new_flags(adapter) &
+ IGC_FLAG_TSN_ANY_ENABLED);
+
+ return (any_tsn_enabled && !igc_tsn_is_tx_mode_in_tsn(adapter)) ||
+ (!any_tsn_enabled && igc_tsn_is_tx_mode_in_tsn(adapter));
+}
- /* Per I225/6 HW Design Section 7.5.2.1, transmit mode
- * cannot be changed dynamically. Require reset the adapter.
+int igc_tsn_offload_apply(struct igc_adapter *adapter)
+{
+ /* Per I225/6 HW Design Section 7.5.2.1 guideline, if tx mode change
+ * from legacy->tsn or tsn->legacy, then reset adapter is needed.
*/
if (netif_running(adapter->netdev) &&
- (igc_is_device_id_i225(hw) || !adapter->qbv_count)) {
+ igc_tsn_will_tx_mode_change(adapter)) {
schedule_work(&adapter->reset_task);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 052/341] net/mlx5e: Take state lock during tx timeout reporter
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 051/341] igc: Fix reset adapter logics when tx mode change Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 053/341] net/mlx5e: Correctly report errors for ethtool rx flows Greg Kroah-Hartman
` (301 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Breno Leitao,
Moshe Shemesh, Tariq Toukan, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dragos Tatulea <dtatulea@nvidia.com>
[ Upstream commit e6b5afd30b99b43682a7764e1a74a42fe4d5f4b3 ]
mlx5e_safe_reopen_channels() requires the state lock taken. The
referenced changed in the Fixes tag removed the lock to fix another
issue. This patch adds it back but at a later point (when calling
mlx5e_safe_reopen_channels()) to avoid the deadlock referenced in the
Fixes tag.
Fixes: eab0da38912e ("net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work")
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Link: https://lore.kernel.org/all/ZplpKq8FKi3vwfxv@gmail.com/T/
Reviewed-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20240808144107.2095424-4-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
index ff8242f67c545..51a23345caa18 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
@@ -149,7 +149,9 @@ static int mlx5e_tx_reporter_timeout_recover(void *ctx)
return err;
}
+ mutex_lock(&priv->state_lock);
err = mlx5e_safe_reopen_channels(priv);
+ mutex_unlock(&priv->state_lock);
if (!err) {
to_ctx->status = 1; /* all channels recovered */
return err;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 053/341] net/mlx5e: Correctly report errors for ethtool rx flows
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 052/341] net/mlx5e: Take state lock during tx timeout reporter Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 054/341] atm: idt77252: prevent use after free in dequeue_rx() Greg Kroah-Hartman
` (300 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Ratiu, Saeed Mahameed,
Dragos Tatulea, Tariq Toukan, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Ratiu <cratiu@nvidia.com>
[ Upstream commit cbc796be1779c4dbc9a482c7233995e2a8b6bfb3 ]
Previously, an ethtool rx flow with no attrs would not be added to the
NIC as it has no rules to configure the hw with, but it would be
reported as successful to the caller (return code 0). This is confusing
for the user as ethtool then reports "Added rule $num", but no rule was
actually added.
This change corrects that by instead reporting these wrong rules as
-EINVAL.
Fixes: b29c61dac3a2 ("net/mlx5e: Ethtool steering flow validation refactoring")
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20240808144107.2095424-5-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c
index 3eccdadc03578..773624bb2c5d5 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c
@@ -734,7 +734,7 @@ mlx5e_ethtool_flow_replace(struct mlx5e_priv *priv,
if (num_tuples <= 0) {
netdev_warn(priv->netdev, "%s: flow is not valid %d\n",
__func__, num_tuples);
- return num_tuples;
+ return num_tuples < 0 ? num_tuples : -EINVAL;
}
eth_ft = get_flow_table(priv, fs, num_tuples);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 054/341] atm: idt77252: prevent use after free in dequeue_rx()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 053/341] net/mlx5e: Correctly report errors for ethtool rx flows Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 055/341] net: axienet: Fix register defines comment description Greg Kroah-Hartman
` (299 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, David S. Miller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit a9a18e8f770c9b0703dab93580d0b02e199a4c79 ]
We can't dereference "skb" after calling vcc->push() because the skb
is released.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/atm/idt77252.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
index e7f713cd70d3f..a876024d8a05f 100644
--- a/drivers/atm/idt77252.c
+++ b/drivers/atm/idt77252.c
@@ -1118,8 +1118,8 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
rpp->len += skb->len;
if (stat & SAR_RSQE_EPDU) {
+ unsigned int len, truesize;
unsigned char *l1l2;
- unsigned int len;
l1l2 = (unsigned char *) ((unsigned long) skb->data + skb->len - 6);
@@ -1189,14 +1189,15 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
ATM_SKB(skb)->vcc = vcc;
__net_timestamp(skb);
+ truesize = skb->truesize;
vcc->push(vcc, skb);
atomic_inc(&vcc->stats->rx);
- if (skb->truesize > SAR_FB_SIZE_3)
+ if (truesize > SAR_FB_SIZE_3)
add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
- else if (skb->truesize > SAR_FB_SIZE_2)
+ else if (truesize > SAR_FB_SIZE_2)
add_rx_skb(card, 2, SAR_FB_SIZE_2, 1);
- else if (skb->truesize > SAR_FB_SIZE_1)
+ else if (truesize > SAR_FB_SIZE_1)
add_rx_skb(card, 1, SAR_FB_SIZE_1, 1);
else
add_rx_skb(card, 0, SAR_FB_SIZE_0, 1);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 055/341] net: axienet: Fix register defines comment description
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 054/341] atm: idt77252: prevent use after free in dequeue_rx() Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 056/341] net: dsa: vsc73xx: pass value in phy_write operation Greg Kroah-Hartman
` (298 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Radhey Shyam Pandey, Andrew Lunn,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
[ Upstream commit 9ff2f816e2aa65ca9a1cdf0954842f8173c0f48d ]
In axiethernet header fix register defines comment description to be
inline with IP documentation. It updates MAC configuration register,
MDIO configuration register and frame filter control description.
Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/xilinx/xilinx_axienet.h | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet.h b/drivers/net/ethernet/xilinx/xilinx_axienet.h
index 575ff9de8985b..a62c2b4c6b2f2 100644
--- a/drivers/net/ethernet/xilinx/xilinx_axienet.h
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet.h
@@ -159,16 +159,16 @@
#define XAE_RCW1_OFFSET 0x00000404 /* Rx Configuration Word 1 */
#define XAE_TC_OFFSET 0x00000408 /* Tx Configuration */
#define XAE_FCC_OFFSET 0x0000040C /* Flow Control Configuration */
-#define XAE_EMMC_OFFSET 0x00000410 /* EMAC mode configuration */
-#define XAE_PHYC_OFFSET 0x00000414 /* RGMII/SGMII configuration */
+#define XAE_EMMC_OFFSET 0x00000410 /* MAC speed configuration */
+#define XAE_PHYC_OFFSET 0x00000414 /* RX Max Frame Configuration */
#define XAE_ID_OFFSET 0x000004F8 /* Identification register */
-#define XAE_MDIO_MC_OFFSET 0x00000500 /* MII Management Config */
-#define XAE_MDIO_MCR_OFFSET 0x00000504 /* MII Management Control */
-#define XAE_MDIO_MWD_OFFSET 0x00000508 /* MII Management Write Data */
-#define XAE_MDIO_MRD_OFFSET 0x0000050C /* MII Management Read Data */
+#define XAE_MDIO_MC_OFFSET 0x00000500 /* MDIO Setup */
+#define XAE_MDIO_MCR_OFFSET 0x00000504 /* MDIO Control */
+#define XAE_MDIO_MWD_OFFSET 0x00000508 /* MDIO Write Data */
+#define XAE_MDIO_MRD_OFFSET 0x0000050C /* MDIO Read Data */
#define XAE_UAW0_OFFSET 0x00000700 /* Unicast address word 0 */
#define XAE_UAW1_OFFSET 0x00000704 /* Unicast address word 1 */
-#define XAE_FMI_OFFSET 0x00000708 /* Filter Mask Index */
+#define XAE_FMI_OFFSET 0x00000708 /* Frame Filter Control */
#define XAE_AF0_OFFSET 0x00000710 /* Address Filter 0 */
#define XAE_AF1_OFFSET 0x00000714 /* Address Filter 1 */
@@ -307,7 +307,7 @@
*/
#define XAE_UAW1_UNICASTADDR_MASK 0x0000FFFF
-/* Bit masks for Axi Ethernet FMI register */
+/* Bit masks for Axi Ethernet FMC register */
#define XAE_FMI_PM_MASK 0x80000000 /* Promis. mode enable */
#define XAE_FMI_IND_MASK 0x00000003 /* Index Mask */
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 056/341] net: dsa: vsc73xx: pass value in phy_write operation
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 055/341] net: axienet: Fix register defines comment description Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 057/341] net: dsa: vsc73xx: use read_poll_timeout instead delay loop Greg Kroah-Hartman
` (297 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Florian Fainelli,
Pawel Dembicki, David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawel Dembicki <paweldembicki@gmail.com>
[ Upstream commit 5b9eebc2c7a5f0cc7950d918c1e8a4ad4bed5010 ]
In the 'vsc73xx_phy_write' function, the register value is missing,
and the phy write operation always sends zeros.
This commit passes the value variable into the proper register.
Fixes: 05bd97fc559d ("net: dsa: Add Vitesse VSC73xx DSA router driver")
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/vitesse-vsc73xx-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/dsa/vitesse-vsc73xx-core.c b/drivers/net/dsa/vitesse-vsc73xx-core.c
index c99fb1bd4c25a..dedebb95ece6c 100644
--- a/drivers/net/dsa/vitesse-vsc73xx-core.c
+++ b/drivers/net/dsa/vitesse-vsc73xx-core.c
@@ -530,7 +530,7 @@ static int vsc73xx_phy_write(struct dsa_switch *ds, int phy, int regnum,
return 0;
}
- cmd = (phy << 21) | (regnum << 16);
+ cmd = (phy << 21) | (regnum << 16) | val;
ret = vsc73xx_write(vsc, VSC73XX_BLOCK_MII, 0, 1, cmd);
if (ret)
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 057/341] net: dsa: vsc73xx: use read_poll_timeout instead delay loop
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 056/341] net: dsa: vsc73xx: pass value in phy_write operation Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 058/341] net: dsa: vsc73xx: check busy flag in MDIO operations Greg Kroah-Hartman
` (296 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Russell King, Andrew Lunn,
Linus Walleij, Florian Fainelli, Pawel Dembicki, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawel Dembicki <paweldembicki@gmail.com>
[ Upstream commit eb7e33d01db3aec128590391b2397384bab406b6 ]
Switch the delay loop during the Arbiter empty check from
vsc73xx_adjust_link() to use read_poll_timeout(). Functionally,
one msleep() call is eliminated at the end of the loop in the timeout
case.
As Russell King suggested:
"This [change] avoids the issue that on the last iteration, the code reads
the register, tests it, finds the condition that's being waiting for is
false, _then_ waits and end up printing the error message - that last
wait is rather useless, and as the arbiter state isn't checked after
waiting, it could be that we had success during the last wait."
Suggested-by: Russell King <linux@armlinux.org.uk>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Link: https://lore.kernel.org/r/20240417205048.3542839-2-paweldembicki@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: fa63c6434b6f ("net: dsa: vsc73xx: check busy flag in MDIO operations")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/vitesse-vsc73xx-core.c | 30 ++++++++++++++------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/drivers/net/dsa/vitesse-vsc73xx-core.c b/drivers/net/dsa/vitesse-vsc73xx-core.c
index dedebb95ece6c..d8f368df8b06f 100644
--- a/drivers/net/dsa/vitesse-vsc73xx-core.c
+++ b/drivers/net/dsa/vitesse-vsc73xx-core.c
@@ -17,6 +17,7 @@
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/device.h>
+#include <linux/iopoll.h>
#include <linux/of.h>
#include <linux/of_mdio.h>
#include <linux/bitops.h>
@@ -268,6 +269,9 @@
#define IS_7398(a) ((a)->chipid == VSC73XX_CHIPID_ID_7398)
#define IS_739X(a) (IS_7395(a) || IS_7398(a))
+#define VSC73XX_POLL_SLEEP_US 1000
+#define VSC73XX_POLL_TIMEOUT_US 10000
+
struct vsc73xx_counter {
u8 counter;
const char *name;
@@ -779,7 +783,7 @@ static void vsc73xx_adjust_link(struct dsa_switch *ds, int port,
* after a PHY or the CPU port comes up or down.
*/
if (!phydev->link) {
- int maxloop = 10;
+ int ret, err;
dev_dbg(vsc->dev, "port %d: went down\n",
port);
@@ -794,19 +798,17 @@ static void vsc73xx_adjust_link(struct dsa_switch *ds, int port,
VSC73XX_ARBDISC, BIT(port), BIT(port));
/* Wait until queue is empty */
- vsc73xx_read(vsc, VSC73XX_BLOCK_ARBITER, 0,
- VSC73XX_ARBEMPTY, &val);
- while (!(val & BIT(port))) {
- msleep(1);
- vsc73xx_read(vsc, VSC73XX_BLOCK_ARBITER, 0,
- VSC73XX_ARBEMPTY, &val);
- if (--maxloop == 0) {
- dev_err(vsc->dev,
- "timeout waiting for block arbiter\n");
- /* Continue anyway */
- break;
- }
- }
+ ret = read_poll_timeout(vsc73xx_read, err,
+ err < 0 || (val & BIT(port)),
+ VSC73XX_POLL_SLEEP_US,
+ VSC73XX_POLL_TIMEOUT_US, false,
+ vsc, VSC73XX_BLOCK_ARBITER, 0,
+ VSC73XX_ARBEMPTY, &val);
+ if (ret)
+ dev_err(vsc->dev,
+ "timeout waiting for block arbiter\n");
+ else if (err < 0)
+ dev_err(vsc->dev, "error reading arbiter\n");
/* Put this port into reset */
vsc73xx_write(vsc, VSC73XX_BLOCK_MAC, port, VSC73XX_MAC_CFG,
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 058/341] net: dsa: vsc73xx: check busy flag in MDIO operations
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 057/341] net: dsa: vsc73xx: use read_poll_timeout instead delay loop Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 059/341] net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() Greg Kroah-Hartman
` (295 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Florian Fainelli,
Pawel Dembicki, David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawel Dembicki <paweldembicki@gmail.com>
[ Upstream commit fa63c6434b6f6aaf9d8d599dc899bc0a074cc0ad ]
The VSC73xx has a busy flag used during MDIO operations. It is raised
when MDIO read/write operations are in progress. Without it, PHYs are
misconfigured and bus operations do not work as expected.
Fixes: 05bd97fc559d ("net: dsa: Add Vitesse VSC73xx DSA router driver")
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/vitesse-vsc73xx-core.c | 37 +++++++++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/drivers/net/dsa/vitesse-vsc73xx-core.c b/drivers/net/dsa/vitesse-vsc73xx-core.c
index d8f368df8b06f..23bd8b3f89931 100644
--- a/drivers/net/dsa/vitesse-vsc73xx-core.c
+++ b/drivers/net/dsa/vitesse-vsc73xx-core.c
@@ -38,6 +38,10 @@
#define VSC73XX_BLOCK_ARBITER 0x5 /* Only subblock 0 */
#define VSC73XX_BLOCK_SYSTEM 0x7 /* Only subblock 0 */
+/* MII Block subblock */
+#define VSC73XX_BLOCK_MII_INTERNAL 0x0 /* Internal MDIO subblock */
+#define VSC73XX_BLOCK_MII_EXTERNAL 0x1 /* External MDIO subblock */
+
#define CPU_PORT 6 /* CPU port */
/* MAC Block registers */
@@ -196,6 +200,8 @@
#define VSC73XX_MII_CMD 0x1
#define VSC73XX_MII_DATA 0x2
+#define VSC73XX_MII_STAT_BUSY BIT(3)
+
/* Arbiter block 5 registers */
#define VSC73XX_ARBEMPTY 0x0c
#define VSC73XX_ARBDISC 0x0e
@@ -270,6 +276,7 @@
#define IS_739X(a) (IS_7395(a) || IS_7398(a))
#define VSC73XX_POLL_SLEEP_US 1000
+#define VSC73XX_MDIO_POLL_SLEEP_US 5
#define VSC73XX_POLL_TIMEOUT_US 10000
struct vsc73xx_counter {
@@ -487,6 +494,22 @@ static int vsc73xx_detect(struct vsc73xx *vsc)
return 0;
}
+static int vsc73xx_mdio_busy_check(struct vsc73xx *vsc)
+{
+ int ret, err;
+ u32 val;
+
+ ret = read_poll_timeout(vsc73xx_read, err,
+ err < 0 || !(val & VSC73XX_MII_STAT_BUSY),
+ VSC73XX_MDIO_POLL_SLEEP_US,
+ VSC73XX_POLL_TIMEOUT_US, false, vsc,
+ VSC73XX_BLOCK_MII, VSC73XX_BLOCK_MII_INTERNAL,
+ VSC73XX_MII_STAT, &val);
+ if (ret)
+ return ret;
+ return err;
+}
+
static int vsc73xx_phy_read(struct dsa_switch *ds, int phy, int regnum)
{
struct vsc73xx *vsc = ds->priv;
@@ -494,12 +517,20 @@ static int vsc73xx_phy_read(struct dsa_switch *ds, int phy, int regnum)
u32 val;
int ret;
+ ret = vsc73xx_mdio_busy_check(vsc);
+ if (ret)
+ return ret;
+
/* Setting bit 26 means "read" */
cmd = BIT(26) | (phy << 21) | (regnum << 16);
ret = vsc73xx_write(vsc, VSC73XX_BLOCK_MII, 0, 1, cmd);
if (ret)
return ret;
- msleep(2);
+
+ ret = vsc73xx_mdio_busy_check(vsc);
+ if (ret)
+ return ret;
+
ret = vsc73xx_read(vsc, VSC73XX_BLOCK_MII, 0, 2, &val);
if (ret)
return ret;
@@ -523,6 +554,10 @@ static int vsc73xx_phy_write(struct dsa_switch *ds, int phy, int regnum,
u32 cmd;
int ret;
+ ret = vsc73xx_mdio_busy_check(vsc);
+ if (ret)
+ return ret;
+
/* It was found through tedious experiments that this router
* chip really hates to have it's PHYs reset. They
* never recover if that happens: autonegotiation stops
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 059/341] net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 058/341] net: dsa: vsc73xx: check busy flag in MDIO operations Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 060/341] mlxbf_gige: disable RX filters until RX path initialized Greg Kroah-Hartman
` (294 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zheng Zhang, David S. Miller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Zhang <everything411@qq.com>
[ Upstream commit db1b4bedb9b97c6d34b03d03815147c04fffe8b4 ]
When there are multiple ap interfaces on one band and with WED on,
turning the interface down will cause a kernel panic on MT798X.
Previously, cb_priv was freed in mtk_wed_setup_tc_block() without
marking NULL,and mtk_wed_setup_tc_block_cb() didn't check the value, too.
Assign NULL after free cb_priv in mtk_wed_setup_tc_block() and check NULL
in mtk_wed_setup_tc_block_cb().
----------
Unable to handle kernel paging request at virtual address 0072460bca32b4f5
Call trace:
mtk_wed_setup_tc_block_cb+0x4/0x38
0xffffffc0794084bc
tcf_block_playback_offloads+0x70/0x1e8
tcf_block_unbind+0x6c/0xc8
...
---------
Fixes: 799684448e3e ("net: ethernet: mtk_wed: introduce wed wo support")
Signed-off-by: Zheng Zhang <everything411@qq.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mediatek/mtk_wed.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/mediatek/mtk_wed.c b/drivers/net/ethernet/mediatek/mtk_wed.c
index c7196055c8c98..85a9ad2b86bff 100644
--- a/drivers/net/ethernet/mediatek/mtk_wed.c
+++ b/drivers/net/ethernet/mediatek/mtk_wed.c
@@ -1762,14 +1762,15 @@ mtk_wed_setup_tc_block_cb(enum tc_setup_type type, void *type_data, void *cb_pri
{
struct mtk_wed_flow_block_priv *priv = cb_priv;
struct flow_cls_offload *cls = type_data;
- struct mtk_wed_hw *hw = priv->hw;
+ struct mtk_wed_hw *hw = NULL;
- if (!tc_can_offload(priv->dev))
+ if (!priv || !tc_can_offload(priv->dev))
return -EOPNOTSUPP;
if (type != TC_SETUP_CLSFLOWER)
return -EOPNOTSUPP;
+ hw = priv->hw;
return mtk_flow_offload_cmd(hw->eth, cls, hw->index);
}
@@ -1825,6 +1826,7 @@ mtk_wed_setup_tc_block(struct mtk_wed_hw *hw, struct net_device *dev,
flow_block_cb_remove(block_cb, f);
list_del(&block_cb->driver_list);
kfree(block_cb->cb_priv);
+ block_cb->cb_priv = NULL;
}
return 0;
default:
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 060/341] mlxbf_gige: disable RX filters until RX path initialized
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 059/341] net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 061/341] mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size Greg Kroah-Hartman
` (293 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Asmaa Mnebhi, David Thompson,
Simon Horman, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Thompson <davthompson@nvidia.com>
[ Upstream commit df934abb185c71c9f2fa07a5013672d0cbd36560 ]
A recent change to the driver exposed a bug where the MAC RX
filters (unicast MAC, broadcast MAC, and multicast MAC) are
configured and enabled before the RX path is fully initialized.
The result of this bug is that after the PHY is started packets
that match these MAC RX filters start to flow into the RX FIFO.
And then, after rx_init() is completed, these packets will go
into the driver RX ring as well. If enough packets are received
to fill the RX ring (default size is 128 packets) before the call
to request_irq() completes, the driver RX function becomes stuck.
This bug is intermittent but is most likely to be seen where the
oob_net0 interface is connected to a busy network with lots of
broadcast and multicast traffic.
All the MAC RX filters must be disabled until the RX path is ready,
i.e. all initialization is done and all the IRQs are installed.
Fixes: f7442a634ac0 ("mlxbf_gige: call request_irq() after NAPI initialized")
Reviewed-by: Asmaa Mnebhi <asmaa@nvidia.com>
Signed-off-by: David Thompson <davthompson@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240809163612.12852-1-davthompson@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/mellanox/mlxbf_gige/mlxbf_gige.h | 8 +++
.../mellanox/mlxbf_gige/mlxbf_gige_main.c | 10 ++++
.../mellanox/mlxbf_gige/mlxbf_gige_regs.h | 2 +
.../mellanox/mlxbf_gige/mlxbf_gige_rx.c | 50 ++++++++++++++++---
4 files changed, 64 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h
index bc94e75a7aebd..e7777700ee18a 100644
--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h
+++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h
@@ -40,6 +40,7 @@
*/
#define MLXBF_GIGE_BCAST_MAC_FILTER_IDX 0
#define MLXBF_GIGE_LOCAL_MAC_FILTER_IDX 1
+#define MLXBF_GIGE_MAX_FILTER_IDX 3
/* Define for broadcast MAC literal */
#define BCAST_MAC_ADDR 0xFFFFFFFFFFFF
@@ -175,6 +176,13 @@ enum mlxbf_gige_res {
int mlxbf_gige_mdio_probe(struct platform_device *pdev,
struct mlxbf_gige *priv);
void mlxbf_gige_mdio_remove(struct mlxbf_gige *priv);
+
+void mlxbf_gige_enable_multicast_rx(struct mlxbf_gige *priv);
+void mlxbf_gige_disable_multicast_rx(struct mlxbf_gige *priv);
+void mlxbf_gige_enable_mac_rx_filter(struct mlxbf_gige *priv,
+ unsigned int index);
+void mlxbf_gige_disable_mac_rx_filter(struct mlxbf_gige *priv,
+ unsigned int index);
void mlxbf_gige_set_mac_rx_filter(struct mlxbf_gige *priv,
unsigned int index, u64 dmac);
void mlxbf_gige_get_mac_rx_filter(struct mlxbf_gige *priv,
diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c
index 7bb92e2dacda6..57e68bfd3b1a8 100644
--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c
+++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c
@@ -168,6 +168,10 @@ static int mlxbf_gige_open(struct net_device *netdev)
if (err)
goto napi_deinit;
+ mlxbf_gige_enable_mac_rx_filter(priv, MLXBF_GIGE_BCAST_MAC_FILTER_IDX);
+ mlxbf_gige_enable_mac_rx_filter(priv, MLXBF_GIGE_LOCAL_MAC_FILTER_IDX);
+ mlxbf_gige_enable_multicast_rx(priv);
+
/* Set bits in INT_EN that we care about */
int_en = MLXBF_GIGE_INT_EN_HW_ACCESS_ERROR |
MLXBF_GIGE_INT_EN_TX_CHECKSUM_INPUTS |
@@ -379,6 +383,7 @@ static int mlxbf_gige_probe(struct platform_device *pdev)
void __iomem *plu_base;
void __iomem *base;
int addr, phy_irq;
+ unsigned int i;
int err;
base = devm_platform_ioremap_resource(pdev, MLXBF_GIGE_RES_MAC);
@@ -423,6 +428,11 @@ static int mlxbf_gige_probe(struct platform_device *pdev)
priv->rx_q_entries = MLXBF_GIGE_DEFAULT_RXQ_SZ;
priv->tx_q_entries = MLXBF_GIGE_DEFAULT_TXQ_SZ;
+ for (i = 0; i <= MLXBF_GIGE_MAX_FILTER_IDX; i++)
+ mlxbf_gige_disable_mac_rx_filter(priv, i);
+ mlxbf_gige_disable_multicast_rx(priv);
+ mlxbf_gige_disable_promisc(priv);
+
/* Write initial MAC address to hardware */
mlxbf_gige_initial_mac(priv);
diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h
index cd0973229c9bb..74bd46bab4c05 100644
--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h
+++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h
@@ -62,6 +62,8 @@
#define MLXBF_GIGE_TX_STATUS_DATA_FIFO_FULL BIT(1)
#define MLXBF_GIGE_RX_MAC_FILTER_DMAC_RANGE_START 0x0520
#define MLXBF_GIGE_RX_MAC_FILTER_DMAC_RANGE_END 0x0528
+#define MLXBF_GIGE_RX_MAC_FILTER_GENERAL 0x0530
+#define MLXBF_GIGE_RX_MAC_FILTER_EN_MULTICAST BIT(1)
#define MLXBF_GIGE_RX_MAC_FILTER_COUNT_DISC 0x0540
#define MLXBF_GIGE_RX_MAC_FILTER_COUNT_DISC_EN BIT(0)
#define MLXBF_GIGE_RX_MAC_FILTER_COUNT_PASS 0x0548
diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c
index 6999843584934..eb62620b63c7f 100644
--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c
+++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c
@@ -11,15 +11,31 @@
#include "mlxbf_gige.h"
#include "mlxbf_gige_regs.h"
-void mlxbf_gige_set_mac_rx_filter(struct mlxbf_gige *priv,
- unsigned int index, u64 dmac)
+void mlxbf_gige_enable_multicast_rx(struct mlxbf_gige *priv)
{
void __iomem *base = priv->base;
- u64 control;
+ u64 data;
- /* Write destination MAC to specified MAC RX filter */
- writeq(dmac, base + MLXBF_GIGE_RX_MAC_FILTER +
- (index * MLXBF_GIGE_RX_MAC_FILTER_STRIDE));
+ data = readq(base + MLXBF_GIGE_RX_MAC_FILTER_GENERAL);
+ data |= MLXBF_GIGE_RX_MAC_FILTER_EN_MULTICAST;
+ writeq(data, base + MLXBF_GIGE_RX_MAC_FILTER_GENERAL);
+}
+
+void mlxbf_gige_disable_multicast_rx(struct mlxbf_gige *priv)
+{
+ void __iomem *base = priv->base;
+ u64 data;
+
+ data = readq(base + MLXBF_GIGE_RX_MAC_FILTER_GENERAL);
+ data &= ~MLXBF_GIGE_RX_MAC_FILTER_EN_MULTICAST;
+ writeq(data, base + MLXBF_GIGE_RX_MAC_FILTER_GENERAL);
+}
+
+void mlxbf_gige_enable_mac_rx_filter(struct mlxbf_gige *priv,
+ unsigned int index)
+{
+ void __iomem *base = priv->base;
+ u64 control;
/* Enable MAC receive filter mask for specified index */
control = readq(base + MLXBF_GIGE_CONTROL);
@@ -27,6 +43,28 @@ void mlxbf_gige_set_mac_rx_filter(struct mlxbf_gige *priv,
writeq(control, base + MLXBF_GIGE_CONTROL);
}
+void mlxbf_gige_disable_mac_rx_filter(struct mlxbf_gige *priv,
+ unsigned int index)
+{
+ void __iomem *base = priv->base;
+ u64 control;
+
+ /* Disable MAC receive filter mask for specified index */
+ control = readq(base + MLXBF_GIGE_CONTROL);
+ control &= ~(MLXBF_GIGE_CONTROL_EN_SPECIFIC_MAC << index);
+ writeq(control, base + MLXBF_GIGE_CONTROL);
+}
+
+void mlxbf_gige_set_mac_rx_filter(struct mlxbf_gige *priv,
+ unsigned int index, u64 dmac)
+{
+ void __iomem *base = priv->base;
+
+ /* Write destination MAC to specified MAC RX filter */
+ writeq(dmac, base + MLXBF_GIGE_RX_MAC_FILTER +
+ (index * MLXBF_GIGE_RX_MAC_FILTER_STRIDE));
+}
+
void mlxbf_gige_get_mac_rx_filter(struct mlxbf_gige *priv,
unsigned int index, u64 *dmac)
{
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 061/341] mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 060/341] mlxbf_gige: disable RX filters until RX path initialized Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 062/341] tcp: Update window clamping condition Greg Kroah-Hartman
` (292 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eugene Syromiatnikov,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eugene Syromiatnikov <esyr@redhat.com>
[ Upstream commit 655111b838cdabdb604f3625a9ff08c5eedb11da ]
ssn_offset field is u32 and is placed into the netlink response with
nla_put_u32(), but only 2 bytes are reserved for the attribute payload
in subflow_get_info_size() (even though it makes no difference
in the end, as it is aligned up to 4 bytes). Supply the correct
argument to the relevant nla_total_size() call to make it less
confusing.
Fixes: 5147dfb50832 ("mptcp: allow dumping subflow context to userspace")
Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240812065024.GA19719@asgard.redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mptcp/diag.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mptcp/diag.c b/net/mptcp/diag.c
index 7017dd60659dc..b2199cc282384 100644
--- a/net/mptcp/diag.c
+++ b/net/mptcp/diag.c
@@ -95,7 +95,7 @@ static size_t subflow_get_info_size(const struct sock *sk)
nla_total_size(4) + /* MPTCP_SUBFLOW_ATTR_RELWRITE_SEQ */
nla_total_size_64bit(8) + /* MPTCP_SUBFLOW_ATTR_MAP_SEQ */
nla_total_size(4) + /* MPTCP_SUBFLOW_ATTR_MAP_SFSEQ */
- nla_total_size(2) + /* MPTCP_SUBFLOW_ATTR_SSN_OFFSET */
+ nla_total_size(4) + /* MPTCP_SUBFLOW_ATTR_SSN_OFFSET */
nla_total_size(2) + /* MPTCP_SUBFLOW_ATTR_MAP_DATALEN */
nla_total_size(4) + /* MPTCP_SUBFLOW_ATTR_FLAGS */
nla_total_size(1) + /* MPTCP_SUBFLOW_ATTR_ID_REM */
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 062/341] tcp: Update window clamping condition
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 061/341] mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 063/341] netfilter: allow ipv6 fragments to arrive on different devices Greg Kroah-Hartman
` (291 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Tranchetti,
Subash Abhinov Kasiviswanathan, Neal Cardwell, David S. Miller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
[ Upstream commit a2cbb1603943281a604f5adc48079a148db5cb0d ]
This patch is based on the discussions between Neal Cardwell and
Eric Dumazet in the link
https://lore.kernel.org/netdev/20240726204105.1466841-1-quic_subashab@quicinc.com/
It was correctly pointed out that tp->window_clamp would not be
updated in cases where net.ipv4.tcp_moderate_rcvbuf=0 or if
(copied <= tp->rcvq_space.space). While it is expected for most
setups to leave the sysctl enabled, the latter condition may
not end up hitting depending on the TCP receive queue size and
the pattern of arriving data.
The updated check should be hit only on initial MSS update from
TCP_MIN_MSS to measured MSS value and subsequently if there was
an update to a larger value.
Fixes: 05f76b2d634e ("tcp: Adjust clamping window for applications specifying SO_RCVBUF")
Signed-off-by: Sean Tranchetti <quic_stranche@quicinc.com>
Signed-off-by: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_input.c | 28 ++++++++++++----------------
1 file changed, 12 insertions(+), 16 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index d0364cff65c9f..24c7c955dc955 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -243,9 +243,14 @@ static void tcp_measure_rcv_mss(struct sock *sk, const struct sk_buff *skb)
*/
if (unlikely(len != icsk->icsk_ack.rcv_mss)) {
u64 val = (u64)skb->len << TCP_RMEM_TO_WIN_SCALE;
+ u8 old_ratio = tcp_sk(sk)->scaling_ratio;
do_div(val, skb->truesize);
tcp_sk(sk)->scaling_ratio = val ? val : 1;
+
+ if (old_ratio != tcp_sk(sk)->scaling_ratio)
+ WRITE_ONCE(tcp_sk(sk)->window_clamp,
+ tcp_win_from_space(sk, sk->sk_rcvbuf));
}
icsk->icsk_ack.rcv_mss = min_t(unsigned int, len,
tcp_sk(sk)->advmss);
@@ -748,7 +753,8 @@ void tcp_rcv_space_adjust(struct sock *sk)
* <prev RTT . ><current RTT .. ><next RTT .... >
*/
- if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf)) {
+ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf) &&
+ !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) {
u64 rcvwin, grow;
int rcvbuf;
@@ -764,22 +770,12 @@ void tcp_rcv_space_adjust(struct sock *sk)
rcvbuf = min_t(u64, tcp_space_from_win(sk, rcvwin),
READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2]));
- if (!(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) {
- if (rcvbuf > sk->sk_rcvbuf) {
- WRITE_ONCE(sk->sk_rcvbuf, rcvbuf);
-
- /* Make the window clamp follow along. */
- WRITE_ONCE(tp->window_clamp,
- tcp_win_from_space(sk, rcvbuf));
- }
- } else {
- /* Make the window clamp follow along while being bounded
- * by SO_RCVBUF.
- */
- int clamp = tcp_win_from_space(sk, min(rcvbuf, sk->sk_rcvbuf));
+ if (rcvbuf > sk->sk_rcvbuf) {
+ WRITE_ONCE(sk->sk_rcvbuf, rcvbuf);
- if (clamp > tp->window_clamp)
- WRITE_ONCE(tp->window_clamp, clamp);
+ /* Make the window clamp follow along. */
+ WRITE_ONCE(tp->window_clamp,
+ tcp_win_from_space(sk, rcvbuf));
}
}
tp->rcvq_space.space = copied;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 063/341] netfilter: allow ipv6 fragments to arrive on different devices
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 062/341] tcp: Update window clamping condition Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 064/341] netfilter: flowtable: initialise extack before use Greg Kroah-Hartman
` (290 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Hughes, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tom Hughes <tom@compton.nu>
[ Upstream commit 3cd740b985963f874a1a094f1969e998b9d05554 ]
Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device
for multicast and link-local packets") modified the ipv6 fragment
reassembly logic to distinguish frag queues by device for multicast
and link-local packets but in fact only the main reassembly code
limits the use of the device to those address types and the netfilter
reassembly code uses the device for all packets.
This means that if fragments of a packet arrive on different interfaces
then netfilter will fail to reassemble them and the fragments will be
expired without going any further through the filters.
Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units")
Signed-off-by: Tom Hughes <tom@compton.nu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index efbec7ee27d0a..c78b13ea5b196 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -155,6 +155,10 @@ static struct frag_queue *fq_find(struct net *net, __be32 id, u32 user,
};
struct inet_frag_queue *q;
+ if (!(ipv6_addr_type(&hdr->daddr) & (IPV6_ADDR_MULTICAST |
+ IPV6_ADDR_LINKLOCAL)))
+ key.iif = 0;
+
q = inet_frag_find(nf_frag->fqdir, &key);
if (!q)
return NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 064/341] netfilter: flowtable: initialise extack before use
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 063/341] netfilter: allow ipv6 fragments to arrive on different devices Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 065/341] netfilter: nf_queue: drop packets with cloned unconfirmed conntracks Greg Kroah-Hartman
` (289 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Donald Hunter, Simon Horman,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Donald Hunter <donald.hunter@gmail.com>
[ Upstream commit e9767137308daf906496613fd879808a07f006a2 ]
Fix missing initialisation of extack in flow offload.
Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Donald Hunter <donald.hunter@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_flow_table_offload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index a010b25076ca0..3d46372b538e5 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -841,8 +841,8 @@ static int nf_flow_offload_tuple(struct nf_flowtable *flowtable,
struct list_head *block_cb_list)
{
struct flow_cls_offload cls_flow = {};
+ struct netlink_ext_ack extack = {};
struct flow_block_cb *block_cb;
- struct netlink_ext_ack extack;
__be16 proto = ETH_P_ALL;
int err, i = 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 065/341] netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 064/341] netfilter: flowtable: initialise extack before use Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 066/341] netfilter: nf_tables: Audit log dump reset after the fact Greg Kroah-Hartman
` (288 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb ]
Conntrack assumes an unconfirmed entry (not yet committed to global hash
table) has a refcount of 1 and is not visible to other cores.
With multicast forwarding this assumption breaks down because such
skbs get cloned after being picked up, i.e. ct->use refcount is > 1.
Likewise, bridge netfilter will clone broad/mutlicast frames and
all frames in case they need to be flood-forwarded during learning
phase.
For ip multicast forwarding or plain bridge flood-forward this will
"work" because packets don't leave softirq and are implicitly
serialized.
With nfqueue this no longer holds true, the packets get queued
and can be reinjected in arbitrary ways.
Disable this feature, I see no other solution.
After this patch, nfqueue cannot queue packets except the last
multicast/broadcast packet.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_netfilter_hooks.c | 6 +++++-
net/netfilter/nfnetlink_queue.c | 35 +++++++++++++++++++++++++++++++--
2 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index d848c84ed030d..68d5538613032 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -618,8 +618,12 @@ static unsigned int br_nf_local_in(void *priv,
if (likely(nf_ct_is_confirmed(ct)))
return NF_ACCEPT;
+ if (WARN_ON_ONCE(refcount_read(&nfct->use) != 1)) {
+ nf_reset_ct(skb);
+ return NF_ACCEPT;
+ }
+
WARN_ON_ONCE(skb_shared(skb));
- WARN_ON_ONCE(refcount_read(&nfct->use) != 1);
/* We can't call nf_confirm here, it would create a dependency
* on nf_conntrack module.
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index dfc856b3e1fa4..09209b4952ad1 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -668,10 +668,41 @@ static bool nf_ct_drop_unconfirmed(const struct nf_queue_entry *entry)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
static const unsigned long flags = IPS_CONFIRMED | IPS_DYING;
- const struct nf_conn *ct = (void *)skb_nfct(entry->skb);
+ struct nf_conn *ct = (void *)skb_nfct(entry->skb);
+ unsigned long status;
+ unsigned int use;
- if (ct && ((ct->status & flags) == IPS_DYING))
+ if (!ct)
+ return false;
+
+ status = READ_ONCE(ct->status);
+ if ((status & flags) == IPS_DYING)
return true;
+
+ if (status & IPS_CONFIRMED)
+ return false;
+
+ /* in some cases skb_clone() can occur after initial conntrack
+ * pickup, but conntrack assumes exclusive skb->_nfct ownership for
+ * unconfirmed entries.
+ *
+ * This happens for br_netfilter and with ip multicast routing.
+ * We can't be solved with serialization here because one clone could
+ * have been queued for local delivery.
+ */
+ use = refcount_read(&ct->ct_general.use);
+ if (likely(use == 1))
+ return false;
+
+ /* Can't decrement further? Exclusive ownership. */
+ if (!refcount_dec_not_one(&ct->ct_general.use))
+ return false;
+
+ skb_set_nfct(entry->skb, 0);
+ /* No nf_ct_put(): we already decremented .use and it cannot
+ * drop down to 0.
+ */
+ return true;
#endif
return false;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 066/341] netfilter: nf_tables: Audit log dump reset after the fact
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 065/341] netfilter: nf_queue: drop packets with cloned unconfirmed conntracks Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 067/341] netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj Greg Kroah-Hartman
` (287 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Sutter, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit e0b6648b0446e59522819c75ba1dcb09e68d3e94 ]
In theory, dumpreset may fail and invalidate the preceeding log message.
Fix this and use the occasion to prepare for object reset locking, which
benefits from a few unrelated changes:
* Add an early call to nfnetlink_unicast if not resetting which
effectively skips the audit logging but also unindents it.
* Extract the table's name from the netlink attribute (which is verified
via earlier table lookup) to not rely upon validity of the looked up
table pointer.
* Do not use local variable family, it will vanish.
Fixes: 8e6cf365e1d5 ("audit: log nftables configuration change events")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index ea139fca74cb9..c6296ffd9b91b 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7832,6 +7832,7 @@ static int nf_tables_dump_obj_done(struct netlink_callback *cb)
static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
const struct nlattr * const nla[])
{
+ const struct nftables_pernet *nft_net = nft_pernet(info->net);
struct netlink_ext_ack *extack = info->extack;
u8 genmask = nft_genmask_cur(info->net);
u8 family = info->nfmsg->nfgen_family;
@@ -7841,6 +7842,7 @@ static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
struct sk_buff *skb2;
bool reset = false;
u32 objtype;
+ char *buf;
int err;
if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
@@ -7879,27 +7881,23 @@ static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
reset = true;
- if (reset) {
- const struct nftables_pernet *nft_net;
- char *buf;
-
- nft_net = nft_pernet(net);
- buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
-
- audit_log_nfcfg(buf,
- family,
- 1,
- AUDIT_NFT_OP_OBJ_RESET,
- GFP_ATOMIC);
- kfree(buf);
- }
-
err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
family, table, obj, reset);
if (err < 0)
goto err_fill_obj_info;
+ if (!reset)
+ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
+
+ buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
+ nla_len(nla[NFTA_OBJ_TABLE]),
+ (char *)nla_data(nla[NFTA_OBJ_TABLE]),
+ nft_net->base_seq);
+ audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
+ AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
+ kfree(buf);
+
return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
err_fill_obj_info:
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 067/341] netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 066/341] netfilter: nf_tables: Audit log dump reset after the fact Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 068/341] netfilter: nf_tables: Unconditionally allocate nft_obj_filter Greg Kroah-Hartman
` (286 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Sutter, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit ff16111cc10c82ee065ffbd9fa8d6210394ff8c6 ]
The code does not make use of cb->args fields past the first one, no
need to zero them.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: bd662c4218f9 ("netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c6296ffd9b91b..d29c5803c3ff0 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7753,9 +7753,6 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
goto cont;
if (idx < s_idx)
goto cont;
- if (idx > s_idx)
- memset(&cb->args[1], 0,
- sizeof(cb->args) - sizeof(cb->args[0]));
if (filter && filter->table &&
strcmp(filter->table, table->name))
goto cont;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 068/341] netfilter: nf_tables: Unconditionally allocate nft_obj_filter
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 067/341] netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj Greg Kroah-Hartman
@ 2024-08-27 14:34 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 069/341] netfilter: nf_tables: A better name for nft_obj_filter Greg Kroah-Hartman
` (285 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Sutter, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit 4279cc60b354d2d2b970655a70a151cbfa1d958b ]
Prep work for moving the filter into struct netlink_callback's scratch
area.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: bd662c4218f9 ("netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 36 +++++++++++++++--------------------
1 file changed, 15 insertions(+), 21 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d29c5803c3ff0..35d5848cb3d0d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7753,11 +7753,9 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
goto cont;
if (idx < s_idx)
goto cont;
- if (filter && filter->table &&
- strcmp(filter->table, table->name))
+ if (filter->table && strcmp(filter->table, table->name))
goto cont;
- if (filter &&
- filter->type != NFT_OBJECT_UNSPEC &&
+ if (filter->type != NFT_OBJECT_UNSPEC &&
obj->ops->type->type != filter->type)
goto cont;
@@ -7792,23 +7790,21 @@ static int nf_tables_dump_obj_start(struct netlink_callback *cb)
const struct nlattr * const *nla = cb->data;
struct nft_obj_filter *filter = NULL;
- if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
- filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
- if (!filter)
- return -ENOMEM;
+ filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
+ if (!filter)
+ return -ENOMEM;
- if (nla[NFTA_OBJ_TABLE]) {
- filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
- if (!filter->table) {
- kfree(filter);
- return -ENOMEM;
- }
+ if (nla[NFTA_OBJ_TABLE]) {
+ filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
+ if (!filter->table) {
+ kfree(filter);
+ return -ENOMEM;
}
-
- if (nla[NFTA_OBJ_TYPE])
- filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
}
+ if (nla[NFTA_OBJ_TYPE])
+ filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
+
cb->data = filter;
return 0;
}
@@ -7817,10 +7813,8 @@ static int nf_tables_dump_obj_done(struct netlink_callback *cb)
{
struct nft_obj_filter *filter = cb->data;
- if (filter) {
- kfree(filter->table);
- kfree(filter);
- }
+ kfree(filter->table);
+ kfree(filter);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 069/341] netfilter: nf_tables: A better name for nft_obj_filter
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2024-08-27 14:34 ` [PATCH 6.6 068/341] netfilter: nf_tables: Unconditionally allocate nft_obj_filter Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 070/341] netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx Greg Kroah-Hartman
` (284 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Sutter, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit ecf49cad807061d880bea27a5da8e0114ddc7690 ]
Name it for what it is supposed to become, a real nft_obj_dump_ctx. No
functional change intended.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: bd662c4218f9 ("netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 35d5848cb3d0d..ca5fb700d15cf 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7717,7 +7717,7 @@ static void audit_log_obj_reset(const struct nft_table *table,
kfree(buf);
}
-struct nft_obj_filter {
+struct nft_obj_dump_ctx {
char *table;
u32 type;
};
@@ -7727,7 +7727,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
const struct nft_table *table;
unsigned int idx = 0, s_idx = cb->args[0];
- struct nft_obj_filter *filter = cb->data;
+ struct nft_obj_dump_ctx *ctx = cb->data;
struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
struct nftables_pernet *nft_net;
@@ -7753,10 +7753,10 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
goto cont;
if (idx < s_idx)
goto cont;
- if (filter->table && strcmp(filter->table, table->name))
+ if (ctx->table && strcmp(ctx->table, table->name))
goto cont;
- if (filter->type != NFT_OBJECT_UNSPEC &&
- obj->ops->type->type != filter->type)
+ if (ctx->type != NFT_OBJECT_UNSPEC &&
+ obj->ops->type->type != ctx->type)
goto cont;
rc = nf_tables_fill_obj_info(skb, net,
@@ -7788,33 +7788,33 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
static int nf_tables_dump_obj_start(struct netlink_callback *cb)
{
const struct nlattr * const *nla = cb->data;
- struct nft_obj_filter *filter = NULL;
+ struct nft_obj_dump_ctx *ctx = NULL;
- filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
- if (!filter)
+ ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
+ if (!ctx)
return -ENOMEM;
if (nla[NFTA_OBJ_TABLE]) {
- filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
- if (!filter->table) {
- kfree(filter);
+ ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
+ if (!ctx->table) {
+ kfree(ctx);
return -ENOMEM;
}
}
if (nla[NFTA_OBJ_TYPE])
- filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
+ ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
- cb->data = filter;
+ cb->data = ctx;
return 0;
}
static int nf_tables_dump_obj_done(struct netlink_callback *cb)
{
- struct nft_obj_filter *filter = cb->data;
+ struct nft_obj_dump_ctx *ctx = cb->data;
- kfree(filter->table);
- kfree(filter);
+ kfree(ctx->table);
+ kfree(ctx);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 070/341] netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 069/341] netfilter: nf_tables: A better name for nft_obj_filter Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 071/341] netfilter: nf_tables: nft_obj_filter fits into cb->ctx Greg Kroah-Hartman
` (283 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Sutter, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit 2eda95cfa2fc43bcb21a801dc1d16a0b7cc73860 ]
Prep work for moving the context into struct netlink_callback scratch
area.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: bd662c4218f9 ("netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index ca5fb700d15cf..7d6146923819c 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7718,6 +7718,7 @@ static void audit_log_obj_reset(const struct nft_table *table,
}
struct nft_obj_dump_ctx {
+ unsigned int s_idx;
char *table;
u32 type;
};
@@ -7725,14 +7726,14 @@ struct nft_obj_dump_ctx {
static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
{
const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
- const struct nft_table *table;
- unsigned int idx = 0, s_idx = cb->args[0];
struct nft_obj_dump_ctx *ctx = cb->data;
struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
struct nftables_pernet *nft_net;
+ const struct nft_table *table;
unsigned int entries = 0;
struct nft_object *obj;
+ unsigned int idx = 0;
bool reset = false;
int rc = 0;
@@ -7751,7 +7752,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
list_for_each_entry_rcu(obj, &table->objects, list) {
if (!nft_is_active(net, obj))
goto cont;
- if (idx < s_idx)
+ if (idx < ctx->s_idx)
goto cont;
if (ctx->table && strcmp(ctx->table, table->name))
goto cont;
@@ -7781,7 +7782,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
}
rcu_read_unlock();
- cb->args[0] = idx;
+ ctx->s_idx = idx;
return skb->len;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 071/341] netfilter: nf_tables: nft_obj_filter fits into cb->ctx
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 070/341] netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 072/341] netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx Greg Kroah-Hartman
` (282 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Sutter, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit 5a893b9cdf6fa5758f43d323a1d7fa6d1bf489ff ]
No need to allocate it if one may just use struct netlink_callback's
scratch area for it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: bd662c4218f9 ("netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 7d6146923819c..e3e3ad532ec9f 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7726,7 +7726,7 @@ struct nft_obj_dump_ctx {
static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
{
const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
- struct nft_obj_dump_ctx *ctx = cb->data;
+ struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
struct nftables_pernet *nft_net;
@@ -7788,34 +7788,28 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
static int nf_tables_dump_obj_start(struct netlink_callback *cb)
{
+ struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
const struct nlattr * const *nla = cb->data;
- struct nft_obj_dump_ctx *ctx = NULL;
- ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
- if (!ctx)
- return -ENOMEM;
+ BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
if (nla[NFTA_OBJ_TABLE]) {
ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
- if (!ctx->table) {
- kfree(ctx);
+ if (!ctx->table)
return -ENOMEM;
- }
}
if (nla[NFTA_OBJ_TYPE])
ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
- cb->data = ctx;
return 0;
}
static int nf_tables_dump_obj_done(struct netlink_callback *cb)
{
- struct nft_obj_dump_ctx *ctx = cb->data;
+ struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
kfree(ctx->table);
- kfree(ctx);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 072/341] netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 071/341] netfilter: nf_tables: nft_obj_filter fits into cb->ctx Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 073/341] netfilter: nf_tables: Introduce nf_tables_getobj_single Greg Kroah-Hartman
` (281 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Sutter, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit a552339063d37b3b1133d9dfc31f851edafb27bb ]
Relieve the dump callback from having to inspect nlmsg_type upon each
call, just do it once at start of the dump.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: bd662c4218f9 ("netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e3e3ad532ec9f..170f6f624ac16 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7721,6 +7721,7 @@ struct nft_obj_dump_ctx {
unsigned int s_idx;
char *table;
u32 type;
+ bool reset;
};
static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
@@ -7734,12 +7735,8 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
unsigned int entries = 0;
struct nft_object *obj;
unsigned int idx = 0;
- bool reset = false;
int rc = 0;
- if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
- reset = true;
-
rcu_read_lock();
nft_net = nft_pernet(net);
cb->seq = READ_ONCE(nft_net->base_seq);
@@ -7766,7 +7763,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
NFT_MSG_NEWOBJ,
NLM_F_MULTI | NLM_F_APPEND,
table->family, table,
- obj, reset);
+ obj, ctx->reset);
if (rc < 0)
break;
@@ -7775,7 +7772,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
cont:
idx++;
}
- if (reset && entries)
+ if (ctx->reset && entries)
audit_log_obj_reset(table, nft_net->base_seq, entries);
if (rc < 0)
break;
@@ -7802,6 +7799,9 @@ static int nf_tables_dump_obj_start(struct netlink_callback *cb)
if (nla[NFTA_OBJ_TYPE])
ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
+ if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
+ ctx->reset = true;
+
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 073/341] netfilter: nf_tables: Introduce nf_tables_getobj_single
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 072/341] netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 074/341] netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests Greg Kroah-Hartman
` (280 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Sutter, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit 69fc3e9e90f1afc11f4015e6b75d18ab9acee348 ]
Outsource the reply skb preparation for non-dump getrule requests into a
distinct function. Prep work for object reset locking.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: bd662c4218f9 ("netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 75 ++++++++++++++++++++---------------
1 file changed, 44 insertions(+), 31 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 170f6f624ac16..a3ed9437e21b4 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7815,10 +7815,10 @@ static int nf_tables_dump_obj_done(struct netlink_callback *cb)
}
/* called with rcu_read_lock held */
-static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
- const struct nlattr * const nla[])
+static struct sk_buff *
+nf_tables_getobj_single(u32 portid, const struct nfnl_info *info,
+ const struct nlattr * const nla[], bool reset)
{
- const struct nftables_pernet *nft_net = nft_pernet(info->net);
struct netlink_ext_ack *extack = info->extack;
u8 genmask = nft_genmask_cur(info->net);
u8 family = info->nfmsg->nfgen_family;
@@ -7826,52 +7826,69 @@ static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
struct net *net = info->net;
struct nft_object *obj;
struct sk_buff *skb2;
- bool reset = false;
u32 objtype;
- char *buf;
int err;
- if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
- struct netlink_dump_control c = {
- .start = nf_tables_dump_obj_start,
- .dump = nf_tables_dump_obj,
- .done = nf_tables_dump_obj_done,
- .module = THIS_MODULE,
- .data = (void *)nla,
- };
-
- return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
- }
-
if (!nla[NFTA_OBJ_NAME] ||
!nla[NFTA_OBJ_TYPE])
- return -EINVAL;
+ return ERR_PTR(-EINVAL);
table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
if (IS_ERR(table)) {
NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
- return PTR_ERR(table);
+ return ERR_CAST(table);
}
objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
if (IS_ERR(obj)) {
NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
- return PTR_ERR(obj);
+ return ERR_CAST(obj);
}
skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
if (!skb2)
- return -ENOMEM;
+ return ERR_PTR(-ENOMEM);
+
+ err = nf_tables_fill_obj_info(skb2, net, portid,
+ info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
+ family, table, obj, reset);
+ if (err < 0) {
+ kfree_skb(skb2);
+ return ERR_PTR(err);
+ }
+
+ return skb2;
+}
+
+static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
+ const struct nlattr * const nla[])
+{
+ struct nftables_pernet *nft_net = nft_pernet(info->net);
+ u32 portid = NETLINK_CB(skb).portid;
+ struct net *net = info->net;
+ struct sk_buff *skb2;
+ bool reset = false;
+ char *buf;
+
+ if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
+ struct netlink_dump_control c = {
+ .start = nf_tables_dump_obj_start,
+ .dump = nf_tables_dump_obj,
+ .done = nf_tables_dump_obj_done,
+ .module = THIS_MODULE,
+ .data = (void *)nla,
+ };
+
+ return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
+ }
if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
reset = true;
- err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
- info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
- family, table, obj, reset);
- if (err < 0)
- goto err_fill_obj_info;
+ skb2 = nf_tables_getobj_single(portid, info, nla, reset);
+ if (IS_ERR(skb2))
+ return PTR_ERR(skb2);
if (!reset)
return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
@@ -7884,11 +7901,7 @@ static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
kfree(buf);
- return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
-
-err_fill_obj_info:
- kfree_skb(skb2);
- return err;
+ return nfnetlink_unicast(skb2, net, portid);
}
static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 074/341] netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 073/341] netfilter: nf_tables: Introduce nf_tables_getobj_single Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 075/341] vsock: fix recursive ->recvmsg calls Greg Kroah-Hartman
` (279 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Sutter, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit bd662c4218f9648e888bebde9468146965f3f8a0 ]
Objects' dump callbacks are not concurrency-safe per-se with reset bit
set. If two CPUs perform a reset at the same time, at least counter and
quota objects suffer from value underrun.
Prevent this by introducing dedicated locking callbacks for nfnetlink
and the asynchronous dump handling to serialize access.
Fixes: 43da04a593d8 ("netfilter: nf_tables: atomic dump and reset for stateful objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 72 ++++++++++++++++++++++++++++-------
1 file changed, 59 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a3ed9437e21b4..fc99a5e91829d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7783,6 +7783,19 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
return skb->len;
}
+static int nf_tables_dumpreset_obj(struct sk_buff *skb,
+ struct netlink_callback *cb)
+{
+ struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
+ int ret;
+
+ mutex_lock(&nft_net->commit_mutex);
+ ret = nf_tables_dump_obj(skb, cb);
+ mutex_unlock(&nft_net->commit_mutex);
+
+ return ret;
+}
+
static int nf_tables_dump_obj_start(struct netlink_callback *cb)
{
struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
@@ -7799,12 +7812,18 @@ static int nf_tables_dump_obj_start(struct netlink_callback *cb)
if (nla[NFTA_OBJ_TYPE])
ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
- if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
- ctx->reset = true;
-
return 0;
}
+static int nf_tables_dumpreset_obj_start(struct netlink_callback *cb)
+{
+ struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
+
+ ctx->reset = true;
+
+ return nf_tables_dump_obj_start(cb);
+}
+
static int nf_tables_dump_obj_done(struct netlink_callback *cb)
{
struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
@@ -7863,18 +7882,43 @@ nf_tables_getobj_single(u32 portid, const struct nfnl_info *info,
static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
const struct nlattr * const nla[])
+{
+ u32 portid = NETLINK_CB(skb).portid;
+ struct sk_buff *skb2;
+
+ if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
+ struct netlink_dump_control c = {
+ .start = nf_tables_dump_obj_start,
+ .dump = nf_tables_dump_obj,
+ .done = nf_tables_dump_obj_done,
+ .module = THIS_MODULE,
+ .data = (void *)nla,
+ };
+
+ return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
+ }
+
+ skb2 = nf_tables_getobj_single(portid, info, nla, false);
+ if (IS_ERR(skb2))
+ return PTR_ERR(skb2);
+
+ return nfnetlink_unicast(skb2, info->net, portid);
+}
+
+static int nf_tables_getobj_reset(struct sk_buff *skb,
+ const struct nfnl_info *info,
+ const struct nlattr * const nla[])
{
struct nftables_pernet *nft_net = nft_pernet(info->net);
u32 portid = NETLINK_CB(skb).portid;
struct net *net = info->net;
struct sk_buff *skb2;
- bool reset = false;
char *buf;
if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
struct netlink_dump_control c = {
- .start = nf_tables_dump_obj_start,
- .dump = nf_tables_dump_obj,
+ .start = nf_tables_dumpreset_obj_start,
+ .dump = nf_tables_dumpreset_obj,
.done = nf_tables_dump_obj_done,
.module = THIS_MODULE,
.data = (void *)nla,
@@ -7883,16 +7927,18 @@ static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
}
- if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
- reset = true;
+ if (!try_module_get(THIS_MODULE))
+ return -EINVAL;
+ rcu_read_unlock();
+ mutex_lock(&nft_net->commit_mutex);
+ skb2 = nf_tables_getobj_single(portid, info, nla, true);
+ mutex_unlock(&nft_net->commit_mutex);
+ rcu_read_lock();
+ module_put(THIS_MODULE);
- skb2 = nf_tables_getobj_single(portid, info, nla, reset);
if (IS_ERR(skb2))
return PTR_ERR(skb2);
- if (!reset)
- return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
-
buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
nla_len(nla[NFTA_OBJ_TABLE]),
(char *)nla_data(nla[NFTA_OBJ_TABLE]),
@@ -9179,7 +9225,7 @@ static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
.policy = nft_obj_policy,
},
[NFT_MSG_GETOBJ_RESET] = {
- .call = nf_tables_getobj,
+ .call = nf_tables_getobj_reset,
.type = NFNL_CB_RCU,
.attr_count = NFTA_OBJ_MAX,
.policy = nft_obj_policy,
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 075/341] vsock: fix recursive ->recvmsg calls
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 074/341] netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 076/341] selftests: net: lib: ignore possible errors Greg Kroah-Hartman
` (278 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+bdb4bd87b5e22058e2a4,
Bobby Eshleman, Michael S. Tsirkin, Stefano Garzarella, Cong Wang,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <cong.wang@bytedance.com>
[ Upstream commit 69139d2919dd4aa9a553c8245e7c63e82613e3fc ]
After a vsock socket has been added to a BPF sockmap, its prot->recvmsg
has been replaced with vsock_bpf_recvmsg(). Thus the following
recursiion could happen:
vsock_bpf_recvmsg()
-> __vsock_recvmsg()
-> vsock_connectible_recvmsg()
-> prot->recvmsg()
-> vsock_bpf_recvmsg() again
We need to fix it by calling the original ->recvmsg() without any BPF
sockmap logic in __vsock_recvmsg().
Fixes: 634f1a7110b4 ("vsock: support sockmap")
Reported-by: syzbot+bdb4bd87b5e22058e2a4@syzkaller.appspotmail.com
Tested-by: syzbot+bdb4bd87b5e22058e2a4@syzkaller.appspotmail.com
Cc: Bobby Eshleman <bobby.eshleman@bytedance.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://patch.msgid.link/20240812022153.86512-1-xiyou.wangcong@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/af_vsock.h | 4 ++++
net/vmw_vsock/af_vsock.c | 50 +++++++++++++++++++++++----------------
net/vmw_vsock/vsock_bpf.c | 4 ++--
3 files changed, 35 insertions(+), 23 deletions(-)
diff --git a/include/net/af_vsock.h b/include/net/af_vsock.h
index dc3cb16835b63..f8b09a82f62e1 100644
--- a/include/net/af_vsock.h
+++ b/include/net/af_vsock.h
@@ -227,8 +227,12 @@ struct vsock_tap {
int vsock_add_tap(struct vsock_tap *vt);
int vsock_remove_tap(struct vsock_tap *vt);
void vsock_deliver_tap(struct sk_buff *build_skb(void *opaque), void *opaque);
+int __vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ int flags);
int vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
int flags);
+int __vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
+ size_t len, int flags);
int vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
size_t len, int flags);
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 4afb6a541cf38..f5eb737a677d9 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1270,25 +1270,28 @@ static int vsock_dgram_connect(struct socket *sock,
return err;
}
+int __vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
+ size_t len, int flags)
+{
+ struct sock *sk = sock->sk;
+ struct vsock_sock *vsk = vsock_sk(sk);
+
+ return vsk->transport->dgram_dequeue(vsk, msg, len, flags);
+}
+
int vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
size_t len, int flags)
{
#ifdef CONFIG_BPF_SYSCALL
+ struct sock *sk = sock->sk;
const struct proto *prot;
-#endif
- struct vsock_sock *vsk;
- struct sock *sk;
- sk = sock->sk;
- vsk = vsock_sk(sk);
-
-#ifdef CONFIG_BPF_SYSCALL
prot = READ_ONCE(sk->sk_prot);
if (prot != &vsock_proto)
return prot->recvmsg(sk, msg, len, flags, NULL);
#endif
- return vsk->transport->dgram_dequeue(vsk, msg, len, flags);
+ return __vsock_dgram_recvmsg(sock, msg, len, flags);
}
EXPORT_SYMBOL_GPL(vsock_dgram_recvmsg);
@@ -2124,15 +2127,12 @@ static int __vsock_seqpacket_recvmsg(struct sock *sk, struct msghdr *msg,
}
int
-vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
- int flags)
+__vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ int flags)
{
struct sock *sk;
struct vsock_sock *vsk;
const struct vsock_transport *transport;
-#ifdef CONFIG_BPF_SYSCALL
- const struct proto *prot;
-#endif
int err;
sk = sock->sk;
@@ -2183,14 +2183,6 @@ vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
goto out;
}
-#ifdef CONFIG_BPF_SYSCALL
- prot = READ_ONCE(sk->sk_prot);
- if (prot != &vsock_proto) {
- release_sock(sk);
- return prot->recvmsg(sk, msg, len, flags, NULL);
- }
-#endif
-
if (sk->sk_type == SOCK_STREAM)
err = __vsock_stream_recvmsg(sk, msg, len, flags);
else
@@ -2200,6 +2192,22 @@ vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
release_sock(sk);
return err;
}
+
+int
+vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ int flags)
+{
+#ifdef CONFIG_BPF_SYSCALL
+ struct sock *sk = sock->sk;
+ const struct proto *prot;
+
+ prot = READ_ONCE(sk->sk_prot);
+ if (prot != &vsock_proto)
+ return prot->recvmsg(sk, msg, len, flags, NULL);
+#endif
+
+ return __vsock_connectible_recvmsg(sock, msg, len, flags);
+}
EXPORT_SYMBOL_GPL(vsock_connectible_recvmsg);
static int vsock_set_rcvlowat(struct sock *sk, int val)
diff --git a/net/vmw_vsock/vsock_bpf.c b/net/vmw_vsock/vsock_bpf.c
index a3c97546ab84a..c42c5cc18f324 100644
--- a/net/vmw_vsock/vsock_bpf.c
+++ b/net/vmw_vsock/vsock_bpf.c
@@ -64,9 +64,9 @@ static int __vsock_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int
int err;
if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET)
- err = vsock_connectible_recvmsg(sock, msg, len, flags);
+ err = __vsock_connectible_recvmsg(sock, msg, len, flags);
else if (sk->sk_type == SOCK_DGRAM)
- err = vsock_dgram_recvmsg(sock, msg, len, flags);
+ err = __vsock_dgram_recvmsg(sock, msg, len, flags);
else
err = -EPROTOTYPE;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 076/341] selftests: net: lib: ignore possible errors
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 075/341] vsock: fix recursive ->recvmsg calls Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 077/341] selftests: net: lib: kill PIDs before del netns Greg Kroah-Hartman
` (277 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Matthieu Baerts (NGI0),
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
[ Upstream commit 7e0620bc6a5ec6b340a0be40054f294ca26c010f ]
No need to disable errexit temporary, simply ignore the only possible
and not handled error.
Reviewed-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://lore.kernel.org/r/20240607-upstream-net-next-20240607-selftests-mptcp-net-lib-v1-1-e36986faac94@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 7965a7f32a53 ("selftests: net: lib: kill PIDs before del netns")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/lib.sh | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/tools/testing/selftests/net/lib.sh b/tools/testing/selftests/net/lib.sh
index a186490edb4ab..323a7c305ccd4 100644
--- a/tools/testing/selftests/net/lib.sh
+++ b/tools/testing/selftests/net/lib.sh
@@ -38,25 +38,17 @@ busywait()
cleanup_ns()
{
local ns=""
- local errexit=0
local ret=0
- # disable errexit temporary
- if [[ $- =~ "e" ]]; then
- errexit=1
- set +e
- fi
-
for ns in "$@"; do
[ -z "${ns}" ] && continue
- ip netns delete "${ns}" &> /dev/null
+ ip netns delete "${ns}" &> /dev/null || true
if ! busywait $BUSYWAIT_TIMEOUT ip netns list \| grep -vq "^$ns$" &> /dev/null; then
echo "Warn: Failed to remove namespace $ns"
ret=1
fi
done
- [ $errexit -eq 1 ] && set -e
return $ret
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 077/341] selftests: net: lib: kill PIDs before del netns
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 076/341] selftests: net: lib: ignore possible errors Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 078/341] net: hns3: fix wrong use of semaphore up Greg Kroah-Hartman
` (276 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Florian Westphal, Hangbin Liu,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
[ Upstream commit 7965a7f32a53d9ad807ce2c53bdda69ba104974f ]
When deleting netns, it is possible to still have some tasks running,
e.g. background tasks like tcpdump running in the background, not
stopped because the test has been interrupted.
Before deleting the netns, it is then safer to kill all attached PIDs,
if any. That should reduce some noises after the end of some tests, and
help with the debugging of some issues. That's why this modification is
seen as a "fix".
Fixes: 25ae948b4478 ("selftests/net: add lib.sh")
Acked-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Acked-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20240813-upstream-net-20240813-selftests-net-lib-kill-v1-1-27b689b248b8@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/lib.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/net/lib.sh b/tools/testing/selftests/net/lib.sh
index 323a7c305ccd4..e2c35eda230af 100644
--- a/tools/testing/selftests/net/lib.sh
+++ b/tools/testing/selftests/net/lib.sh
@@ -42,6 +42,7 @@ cleanup_ns()
for ns in "$@"; do
[ -z "${ns}" ] && continue
+ ip netns pids "${ns}" 2> /dev/null | xargs -r kill || true
ip netns delete "${ns}" &> /dev/null || true
if ! busywait $BUSYWAIT_TIMEOUT ip netns list \| grep -vq "^$ns$" &> /dev/null; then
echo "Warn: Failed to remove namespace $ns"
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 078/341] net: hns3: fix wrong use of semaphore up
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 077/341] selftests: net: lib: kill PIDs before del netns Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 079/341] net: hns3: use the users cfg after reset Greg Kroah-Hartman
` (275 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jie Wang, Jijie Shao, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jie Wang <wangjie125@huawei.com>
[ Upstream commit 8445d9d3c03101859663d34fda747f6a50947556 ]
Currently, if hns3 PF or VF FLR reset failed after five times retry,
the reset done process will directly release the semaphore
which has already released in hclge_reset_prepare_general.
This will cause down operation fail.
So this patch fixes it by adding reset state judgement. The up operation is
only called after successful PF FLR reset.
Fixes: 8627bdedc435 ("net: hns3: refactor the precedure of PF FLR")
Fixes: f28368bb4542 ("net: hns3: refactor the procedure of VF FLR")
Signed-off-by: Jie Wang <wangjie125@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 4 ++--
drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index c8059d96f64be..ad8e56234b284 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -11430,8 +11430,8 @@ static void hclge_reset_done(struct hnae3_ae_dev *ae_dev)
dev_err(&hdev->pdev->dev, "fail to rebuild, ret=%d\n", ret);
hdev->reset_type = HNAE3_NONE_RESET;
- clear_bit(HCLGE_STATE_RST_HANDLING, &hdev->state);
- up(&hdev->reset_sem);
+ if (test_and_clear_bit(HCLGE_STATE_RST_HANDLING, &hdev->state))
+ up(&hdev->reset_sem);
}
static void hclge_clear_resetting_state(struct hclge_dev *hdev)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
index 43ee20eb03d1f..affdd9d70549a 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
@@ -1710,8 +1710,8 @@ static void hclgevf_reset_done(struct hnae3_ae_dev *ae_dev)
ret);
hdev->reset_type = HNAE3_NONE_RESET;
- clear_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state);
- up(&hdev->reset_sem);
+ if (test_and_clear_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state))
+ up(&hdev->reset_sem);
}
static u32 hclgevf_get_fw_version(struct hnae3_handle *handle)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 079/341] net: hns3: use the users cfg after reset
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 078/341] net: hns3: fix wrong use of semaphore up Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 080/341] net: hns3: fix a deadlock problem when config TC during resetting Greg Kroah-Hartman
` (274 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peiyang Wang, Jijie Shao,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peiyang Wang <wangpeiyang1@huawei.com>
[ Upstream commit 30545e17eac1f50c5ef49644daf6af205100a965 ]
Consider the followed case that the user change speed and reset the net
interface. Before the hw change speed successfully, the driver get old
old speed from hw by timer task. After reset, the previous speed is config
to hw. As a result, the new speed is configed successfully but lost after
PF reset. The followed pictured shows more dirrectly.
+------+ +----+ +----+
| USER | | PF | | HW |
+---+--+ +-+--+ +-+--+
| ethtool -s 100G | |
+------------------>| set speed 100G |
| +--------------------->|
| | set successfully |
| |<---------------------+---+
| |query cfg (timer task)| |
| +--------------------->| | handle speed
| | return 200G | | changing event
| ethtool --reset |<---------------------+ | (100G)
+------------------>| cfg previous speed |<--+
| | after reset (200G) |
| +--------------------->|
| | +---+
| |query cfg (timer task)| |
| +--------------------->| | handle speed
| | return 100G | | changing event
| |<---------------------+ | (200G)
| | |<--+
| |query cfg (timer task)|
| +--------------------->|
| | return 200G |
| |<---------------------+
| | |
v v v
This patch save new speed if hw change speed successfully, which will be
used after reset successfully.
Fixes: 2d03eacc0b7e ("net: hns3: Only update mac configuation when necessary")
Signed-off-by: Peiyang Wang <wangpeiyang1@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../hisilicon/hns3/hns3pf/hclge_main.c | 24 ++++++++++++++-----
.../hisilicon/hns3/hns3pf/hclge_mdio.c | 3 +++
2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index ad8e56234b284..92c592c177e67 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -2598,8 +2598,17 @@ static int hclge_cfg_mac_speed_dup_h(struct hnae3_handle *handle, int speed,
{
struct hclge_vport *vport = hclge_get_vport(handle);
struct hclge_dev *hdev = vport->back;
+ int ret;
+
+ ret = hclge_cfg_mac_speed_dup(hdev, speed, duplex, lane_num);
- return hclge_cfg_mac_speed_dup(hdev, speed, duplex, lane_num);
+ if (ret)
+ return ret;
+
+ hdev->hw.mac.req_speed = speed;
+ hdev->hw.mac.req_duplex = duplex;
+
+ return 0;
}
static int hclge_set_autoneg_en(struct hclge_dev *hdev, bool enable)
@@ -2901,17 +2910,20 @@ static int hclge_mac_init(struct hclge_dev *hdev)
if (!test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state))
hdev->hw.mac.duplex = HCLGE_MAC_FULL;
- ret = hclge_cfg_mac_speed_dup_hw(hdev, hdev->hw.mac.speed,
- hdev->hw.mac.duplex, hdev->hw.mac.lane_num);
- if (ret)
- return ret;
-
if (hdev->hw.mac.support_autoneg) {
ret = hclge_set_autoneg_en(hdev, hdev->hw.mac.autoneg);
if (ret)
return ret;
}
+ if (!hdev->hw.mac.autoneg) {
+ ret = hclge_cfg_mac_speed_dup_hw(hdev, hdev->hw.mac.req_speed,
+ hdev->hw.mac.req_duplex,
+ hdev->hw.mac.lane_num);
+ if (ret)
+ return ret;
+ }
+
mac->link = 0;
if (mac->user_fec_mode & BIT(HNAE3_FEC_USER_DEF)) {
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
index 85fb11de43a12..80079657afebe 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
@@ -191,6 +191,9 @@ static void hclge_mac_adjust_link(struct net_device *netdev)
if (ret)
netdev_err(netdev, "failed to adjust link.\n");
+ hdev->hw.mac.req_speed = (u32)speed;
+ hdev->hw.mac.req_duplex = (u8)duplex;
+
ret = hclge_cfg_flowctrl(hdev);
if (ret)
netdev_err(netdev, "failed to configure flow control.\n");
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 080/341] net: hns3: fix a deadlock problem when config TC during resetting
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 079/341] net: hns3: use the users cfg after reset Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 081/341] gpio: mlxbf3: Support shutdown() function Greg Kroah-Hartman
` (273 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jie Wang, Jijie Shao, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jie Wang <wangjie125@huawei.com>
[ Upstream commit be5e816d00a506719e9dbb1a9c861c5ced30a109 ]
When config TC during the reset process, may cause a deadlock, the flow is
as below:
pf reset start
│
▼
......
setup tc │
│ ▼
▼ DOWN: napi_disable()
napi_disable()(skip) │
│ │
▼ ▼
...... ......
│ │
▼ │
napi_enable() │
▼
UINIT: netif_napi_del()
│
▼
......
│
▼
INIT: netif_napi_add()
│
▼
...... global reset start
│ │
▼ ▼
UP: napi_enable()(skip) ......
│ │
▼ ▼
...... napi_disable()
In reset process, the driver will DOWN the port and then UINIT, in this
case, the setup tc process will UP the port before UINIT, so cause the
problem. Adds a DOWN process in UINIT to fix it.
Fixes: bb6b94a896d4 ("net: hns3: Add reset interface implementation in client")
Signed-off-by: Jie Wang <wangjie125@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
index db9574e9fb7bc..14d086b535a2d 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -5729,6 +5729,9 @@ static int hns3_reset_notify_uninit_enet(struct hnae3_handle *handle)
struct net_device *netdev = handle->kinfo.netdev;
struct hns3_nic_priv *priv = netdev_priv(netdev);
+ if (!test_bit(HNS3_NIC_STATE_DOWN, &priv->state))
+ hns3_nic_net_stop(netdev);
+
if (!test_and_clear_bit(HNS3_NIC_STATE_INITED, &priv->state)) {
netdev_warn(netdev, "already uninitialized\n");
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 081/341] gpio: mlxbf3: Support shutdown() function
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 080/341] net: hns3: fix a deadlock problem when config TC during resetting Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 082/341] ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 Greg Kroah-Hartman
` (272 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Asmaa Mnebhi, David Thompson,
Andy Shevchenko, Linus Walleij, Bartosz Golaszewski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Asmaa Mnebhi <asmaa@nvidia.com>
[ Upstream commit aad41832326723627ad8ac9ee8a543b6dca4454d ]
During Linux graceful reboot, the GPIO interrupts are not disabled.
Since the drivers are not removed during graceful reboot,
the logic to call mlxbf3_gpio_irq_disable() is not triggered.
Interrupts that remain enabled can cause issues on subsequent boots.
For example, the mlxbf-gige driver contains PHY logic to bring up the link.
If the gpio-mlxbf3 driver loads first, the mlxbf-gige driver
will use a GPIO interrupt to bring up the link.
Otherwise, it will use polling.
The next time Linux boots and loads the drivers in this order, we encounter the issue:
- mlxbf-gige loads first and uses polling while the GPIO10
interrupt is still enabled from the previous boot. So if
the interrupt triggers, there is nothing to clear it.
- gpio-mlxbf3 loads.
- i2c-mlxbf loads. The interrupt doesn't trigger for I2C
because it is shared with the GPIO interrupt line which
was not cleared.
The solution is to add a shutdown function to the GPIO driver to clear and disable
all interrupts. Also clear the interrupt after disabling it in mlxbf3_gpio_irq_disable().
Fixes: 38a700efc510 ("gpio: mlxbf3: Add gpio driver support")
Signed-off-by: Asmaa Mnebhi <asmaa@nvidia.com>
Reviewed-by: David Thompson <davthompson@nvidia.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20240611171509.22151-1-asmaa@nvidia.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-mlxbf3.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/gpio/gpio-mlxbf3.c b/drivers/gpio/gpio-mlxbf3.c
index d5906d419b0ab..10ea71273c891 100644
--- a/drivers/gpio/gpio-mlxbf3.c
+++ b/drivers/gpio/gpio-mlxbf3.c
@@ -39,6 +39,8 @@
#define MLXBF_GPIO_CAUSE_OR_EVTEN0 0x14
#define MLXBF_GPIO_CAUSE_OR_CLRCAUSE 0x18
+#define MLXBF_GPIO_CLR_ALL_INTS GENMASK(31, 0)
+
struct mlxbf3_gpio_context {
struct gpio_chip gc;
@@ -82,6 +84,8 @@ static void mlxbf3_gpio_irq_disable(struct irq_data *irqd)
val = readl(gs->gpio_cause_io + MLXBF_GPIO_CAUSE_OR_EVTEN0);
val &= ~BIT(offset);
writel(val, gs->gpio_cause_io + MLXBF_GPIO_CAUSE_OR_EVTEN0);
+
+ writel(BIT(offset), gs->gpio_cause_io + MLXBF_GPIO_CAUSE_OR_CLRCAUSE);
raw_spin_unlock_irqrestore(&gs->gc.bgpio_lock, flags);
gpiochip_disable_irq(gc, offset);
@@ -253,6 +257,15 @@ static int mlxbf3_gpio_probe(struct platform_device *pdev)
return 0;
}
+static void mlxbf3_gpio_shutdown(struct platform_device *pdev)
+{
+ struct mlxbf3_gpio_context *gs = platform_get_drvdata(pdev);
+
+ /* Disable and clear all interrupts */
+ writel(0, gs->gpio_cause_io + MLXBF_GPIO_CAUSE_OR_EVTEN0);
+ writel(MLXBF_GPIO_CLR_ALL_INTS, gs->gpio_cause_io + MLXBF_GPIO_CAUSE_OR_CLRCAUSE);
+}
+
static const struct acpi_device_id mlxbf3_gpio_acpi_match[] = {
{ "MLNXBF33", 0 },
{}
@@ -265,6 +278,7 @@ static struct platform_driver mlxbf3_gpio_driver = {
.acpi_match_table = mlxbf3_gpio_acpi_match,
},
.probe = mlxbf3_gpio_probe,
+ .shutdown = mlxbf3_gpio_shutdown,
};
module_platform_driver(mlxbf3_gpio_driver);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 082/341] ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 081/341] gpio: mlxbf3: Support shutdown() function Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 083/341] drm/amd/pm: fix error flow in sensor fetching Greg Kroah-Hartman
` (271 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Parsa Poorshikhian, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Parsa Poorshikhian <parsa.poorsh@gmail.com>
[ Upstream commit ef9718b3d54e822de294351251f3a574f8a082ce ]
Fix noise from speakers connected to AUX port when no sound is playing.
The problem occurs because the `alc_shutup_pins` function includes
a 0x10ec0257 vendor ID, which causes noise on Lenovo IdeaPad 3 15IAU7 with
Realtek ALC257 codec when no sound is playing.
Removing this vendor ID from the function fixes the bug.
Fixes: 70794b9563fe ("ALSA: hda/realtek: Add more codec ID to no shutup pins list")
Signed-off-by: Parsa Poorshikhian <parsa.poorsh@gmail.com>
Link: https://patch.msgid.link/20240810150939.330693-1-parsa.poorsh@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 82dcea2b78000..5736516275a34 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -585,7 +585,6 @@ static void alc_shutup_pins(struct hda_codec *codec)
switch (codec->core.vendor_id) {
case 0x10ec0236:
case 0x10ec0256:
- case 0x10ec0257:
case 0x19e58326:
case 0x10ec0283:
case 0x10ec0285:
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 083/341] drm/amd/pm: fix error flow in sensor fetching
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 082/341] ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 084/341] drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible values can be stored Greg Kroah-Hartman
` (270 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivasan Shanmugam, Jiapeng Chong,
Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit a5600853167aeba5cade81f184a382a0d1b14641 ]
Sensor fetching functions should return an signed int to
handle errors properly.
Reviewed-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reported-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/amdgpu_pm.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c
index 7372eae0b0ef8..babb73147adfb 100644
--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c
+++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c
@@ -1471,9 +1471,9 @@ static ssize_t amdgpu_set_pp_power_profile_mode(struct device *dev,
return -EINVAL;
}
-static unsigned int amdgpu_hwmon_get_sensor_generic(struct amdgpu_device *adev,
- enum amd_pp_sensors sensor,
- void *query)
+static int amdgpu_hwmon_get_sensor_generic(struct amdgpu_device *adev,
+ enum amd_pp_sensors sensor,
+ void *query)
{
int r, size = sizeof(uint32_t);
@@ -2787,8 +2787,8 @@ static ssize_t amdgpu_hwmon_show_vddnb_label(struct device *dev,
return sysfs_emit(buf, "vddnb\n");
}
-static unsigned int amdgpu_hwmon_get_power(struct device *dev,
- enum amd_pp_sensors sensor)
+static int amdgpu_hwmon_get_power(struct device *dev,
+ enum amd_pp_sensors sensor)
{
struct amdgpu_device *adev = dev_get_drvdata(dev);
unsigned int uw;
@@ -2809,7 +2809,7 @@ static ssize_t amdgpu_hwmon_show_power_avg(struct device *dev,
struct device_attribute *attr,
char *buf)
{
- unsigned int val;
+ int val;
val = amdgpu_hwmon_get_power(dev, AMDGPU_PP_SENSOR_GPU_AVG_POWER);
if (val < 0)
@@ -2822,7 +2822,7 @@ static ssize_t amdgpu_hwmon_show_power_input(struct device *dev,
struct device_attribute *attr,
char *buf)
{
- unsigned int val;
+ int val;
val = amdgpu_hwmon_get_power(dev, AMDGPU_PP_SENSOR_GPU_INPUT_POWER);
if (val < 0)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 084/341] drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible values can be stored
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 083/341] drm/amd/pm: fix error flow in sensor fetching Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 085/341] drm/amdgpu: access RLC_SPM_MC_CNTL through MMIO in SRIOV runtime Greg Kroah-Hartman
` (269 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lee Jones, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee Jones <lee@kernel.org>
[ Upstream commit a728342ae4ec2a7fdab0038b11427579424f133e ]
Fixes the following W=1 kernel build warning(s):
drivers/gpu/drm/amd/amdgpu/imu_v11_0.c: In function ‘imu_v11_0_init_microcode’:
drivers/gpu/drm/amd/amdgpu/imu_v11_0.c:52:54: warning: ‘_imu.bin’ directive output may be truncated writing 8 bytes into a region of size between 4 and 33 [-Wformat-truncation=]
drivers/gpu/drm/amd/amdgpu/imu_v11_0.c:52:9: note: ‘snprintf’ output between 16 and 45 bytes into a destination of size 40
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/imu_v11_0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/imu_v11_0.c b/drivers/gpu/drm/amd/amdgpu/imu_v11_0.c
index 4ab90c7852c3e..ca123ff553477 100644
--- a/drivers/gpu/drm/amd/amdgpu/imu_v11_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/imu_v11_0.c
@@ -39,7 +39,7 @@ MODULE_FIRMWARE("amdgpu/gc_11_0_4_imu.bin");
static int imu_v11_0_init_microcode(struct amdgpu_device *adev)
{
- char fw_name[40];
+ char fw_name[45];
char ucode_prefix[30];
int err;
const struct imu_firmware_header_v1_0 *imu_hdr;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 085/341] drm/amdgpu: access RLC_SPM_MC_CNTL through MMIO in SRIOV runtime
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 084/341] drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible values can be stored Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 086/341] ssb: Fix division by zero issue in ssb_calc_clock_rate Greg Kroah-Hartman
` (268 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, ZhenGuo Yin,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhenGuo Yin <zhenguo.yin@amd.com>
[ Upstream commit 9f05cfc78c6880e06940ea78fbc43f6392710f17 ]
Register RLC_SPM_MC_CNTL is not blocked by L1 policy, VF can
directly access it through MMIO during SRIOV runtime.
v2: use SOC15 interface to access registers
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: ZhenGuo Yin <zhenguo.yin@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 13 +++----------
drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 13 +++----------
2 files changed, 6 insertions(+), 20 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
index 3560a3f2c848e..cd594b92c6129 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
@@ -7892,22 +7892,15 @@ static int gfx_v10_0_update_gfx_clock_gating(struct amdgpu_device *adev,
static void gfx_v10_0_update_spm_vmid_internal(struct amdgpu_device *adev,
unsigned int vmid)
{
- u32 reg, data;
+ u32 data;
/* not for *_SOC15 */
- reg = SOC15_REG_OFFSET(GC, 0, mmRLC_SPM_MC_CNTL);
- if (amdgpu_sriov_is_pp_one_vf(adev))
- data = RREG32_NO_KIQ(reg);
- else
- data = RREG32_SOC15(GC, 0, mmRLC_SPM_MC_CNTL);
+ data = RREG32_SOC15_NO_KIQ(GC, 0, mmRLC_SPM_MC_CNTL);
data &= ~RLC_SPM_MC_CNTL__RLC_SPM_VMID_MASK;
data |= (vmid & RLC_SPM_MC_CNTL__RLC_SPM_VMID_MASK) << RLC_SPM_MC_CNTL__RLC_SPM_VMID__SHIFT;
- if (amdgpu_sriov_is_pp_one_vf(adev))
- WREG32_SOC15_NO_KIQ(GC, 0, mmRLC_SPM_MC_CNTL, data);
- else
- WREG32_SOC15(GC, 0, mmRLC_SPM_MC_CNTL, data);
+ WREG32_SOC15_NO_KIQ(GC, 0, mmRLC_SPM_MC_CNTL, data);
}
static void gfx_v10_0_update_spm_vmid(struct amdgpu_device *adev, unsigned int vmid)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
index daab4c7a073ac..c81e98f0d17ff 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
@@ -4961,23 +4961,16 @@ static int gfx_v11_0_update_gfx_clock_gating(struct amdgpu_device *adev,
static void gfx_v11_0_update_spm_vmid(struct amdgpu_device *adev, unsigned vmid)
{
- u32 reg, data;
+ u32 data;
amdgpu_gfx_off_ctrl(adev, false);
- reg = SOC15_REG_OFFSET(GC, 0, regRLC_SPM_MC_CNTL);
- if (amdgpu_sriov_is_pp_one_vf(adev))
- data = RREG32_NO_KIQ(reg);
- else
- data = RREG32(reg);
+ data = RREG32_SOC15_NO_KIQ(GC, 0, regRLC_SPM_MC_CNTL);
data &= ~RLC_SPM_MC_CNTL__RLC_SPM_VMID_MASK;
data |= (vmid & RLC_SPM_MC_CNTL__RLC_SPM_VMID_MASK) << RLC_SPM_MC_CNTL__RLC_SPM_VMID__SHIFT;
- if (amdgpu_sriov_is_pp_one_vf(adev))
- WREG32_SOC15_NO_KIQ(GC, 0, regRLC_SPM_MC_CNTL, data);
- else
- WREG32_SOC15(GC, 0, regRLC_SPM_MC_CNTL, data);
+ WREG32_SOC15_NO_KIQ(GC, 0, regRLC_SPM_MC_CNTL, data);
amdgpu_gfx_off_ctrl(adev, true);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 086/341] ssb: Fix division by zero issue in ssb_calc_clock_rate
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 085/341] drm/amdgpu: access RLC_SPM_MC_CNTL through MMIO in SRIOV runtime Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 087/341] ASoC: cs35l45: Checks index of cs35l45_irqs[] Greg Kroah-Hartman
` (267 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rand Deeb, Larry Finger,
Michael Büsch, Kalle Valo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rand Deeb <rand.sec96@gmail.com>
[ Upstream commit e0b5127fa134fe0284d58877b6b3133939c8b3ce ]
In ssb_calc_clock_rate(), there is a potential issue where the value of
m1 could be zero due to initialization using clkfactor_f6_resolv(). This
situation raised concerns about the possibility of a division by zero
error.
We fixed it by following the suggestions provided by Larry Finger
<Larry.Finger@lwfinger.net> and Michael Büsch <m@bues.ch>. The fix
involves returning a value of 1 instead of 0 in clkfactor_f6_resolv().
This modification ensures the proper functioning of the code and
eliminates the risk of division by zero errors.
Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Acked-by: Michael Büsch <m@bues.ch>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230904232346.34991-1-rand.sec96@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ssb/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ssb/main.c b/drivers/ssb/main.c
index 0c736d51566dc..070a99a4180cc 100644
--- a/drivers/ssb/main.c
+++ b/drivers/ssb/main.c
@@ -839,7 +839,7 @@ static u32 clkfactor_f6_resolve(u32 v)
case SSB_CHIPCO_CLK_F6_7:
return 7;
}
- return 0;
+ return 1;
}
/* Calculate the speed the backplane would run at a given set of clockcontrol values */
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 087/341] ASoC: cs35l45: Checks index of cs35l45_irqs[]
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 086/341] ssb: Fix division by zero issue in ssb_calc_clock_rate Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 088/341] wifi: mac80211: lock wiphy in IP address notifier Greg Kroah-Hartman
` (266 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Rivera-Matos, Vlad Karpovich,
Charles Keepax, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Rivera-Matos <rriveram@opensource.cirrus.com>
[ Upstream commit 44f37b6ce041c838cb2f49f08998c41f1ab3b08c ]
Checks the index computed by the virq offset before printing the
error condition in cs35l45_spk_safe_err() handler.
Signed-off-by: Ricardo Rivera-Matos <rriveram@opensource.cirrus.com>
Signed-off-by: Vlad Karpovich <vkarpovi@opensource.cirrus.com>
Acked-by: Ricardo Rivera-Matos <rriveram@opensource.cirrus.com>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20230831162042.471801-1-vkarpovi@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/cs35l45.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/soc/codecs/cs35l45.c b/sound/soc/codecs/cs35l45.c
index 9b9fc2d491089..7e439c778c6b4 100644
--- a/sound/soc/codecs/cs35l45.c
+++ b/sound/soc/codecs/cs35l45.c
@@ -1067,7 +1067,10 @@ static irqreturn_t cs35l45_spk_safe_err(int irq, void *data)
i = irq - regmap_irq_get_virq(cs35l45->irq_data, 0);
- dev_err(cs35l45->dev, "%s condition detected!\n", cs35l45_irqs[i].name);
+ if (i < 0 || i >= ARRAY_SIZE(cs35l45_irqs))
+ dev_err(cs35l45->dev, "Unspecified global error condition (%d) detected!\n", irq);
+ else
+ dev_err(cs35l45->dev, "%s condition detected!\n", cs35l45_irqs[i].name);
return IRQ_HANDLED;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 088/341] wifi: mac80211: lock wiphy in IP address notifier
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 087/341] ASoC: cs35l45: Checks index of cs35l45_irqs[] Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 089/341] wifi: cfg80211: check wiphy mutex is held for wdev mutex Greg Kroah-Hartman
` (265 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 730538edc8e0eb14b02708f65100a0deaf43e6cd ]
Lock the wiphy in the IP address notifier as another
place that should have it locked before calling into
the driver. This needs a bit of attention since the
notifier can be called while the wiphy is already
locked, when we remove an interface. Handle this by
not running the notifier in this case, and instead
calling out to the driver directly.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/iface.c | 14 ++++++++++++++
net/mac80211/main.c | 22 +++++++++++++++++++++-
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 52b048807feae..a7c39e895b1e5 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -2315,6 +2315,20 @@ void ieee80211_remove_interfaces(struct ieee80211_local *local)
list_for_each_entry_safe(sdata, tmp, &unreg_list, list) {
bool netdev = sdata->dev;
+ /*
+ * Remove IP addresses explicitly, since the notifier will
+ * skip the callbacks if wdev->registered is false, since
+ * we can't acquire the wiphy_lock() again there if already
+ * inside this locked section.
+ */
+ sdata_lock(sdata);
+ sdata->vif.cfg.arp_addr_cnt = 0;
+ if (sdata->vif.type == NL80211_IFTYPE_STATION &&
+ sdata->u.mgd.associated)
+ ieee80211_vif_cfg_change_notify(sdata,
+ BSS_CHANGED_ARP_FILTER);
+ sdata_unlock(sdata);
+
list_del(&sdata->list);
cfg80211_unregister_wdev(&sdata->wdev);
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index e0c701c5e5f93..066424e62ff09 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -443,7 +443,7 @@ static int ieee80211_ifa_changed(struct notifier_block *nb,
if (!wdev)
return NOTIFY_DONE;
- if (wdev->wiphy != local->hw.wiphy)
+ if (wdev->wiphy != local->hw.wiphy || !wdev->registered)
return NOTIFY_DONE;
sdata = IEEE80211_DEV_TO_SUB_IF(ndev);
@@ -458,6 +458,25 @@ static int ieee80211_ifa_changed(struct notifier_block *nb,
return NOTIFY_DONE;
ifmgd = &sdata->u.mgd;
+
+ /*
+ * The nested here is needed to convince lockdep that this is
+ * all OK. Yes, we lock the wiphy mutex here while we already
+ * hold the notifier rwsem, that's the normal case. And yes,
+ * we also acquire the notifier rwsem again when unregistering
+ * a netdev while we already hold the wiphy mutex, so it does
+ * look like a typical ABBA deadlock.
+ *
+ * However, both of these things happen with the RTNL held
+ * already. Therefore, they can't actually happen, since the
+ * lock orders really are ABC and ACB, which is fine due to
+ * the RTNL (A).
+ *
+ * We still need to prevent recursion, which is accomplished
+ * by the !wdev->registered check above.
+ */
+ mutex_lock_nested(&local->hw.wiphy->mtx, 1);
+ __acquire(&local->hw.wiphy->mtx);
sdata_lock(sdata);
/* Copy the addresses to the vif config list */
@@ -476,6 +495,7 @@ static int ieee80211_ifa_changed(struct notifier_block *nb,
ieee80211_vif_cfg_change_notify(sdata, BSS_CHANGED_ARP_FILTER);
sdata_unlock(sdata);
+ wiphy_unlock(local->hw.wiphy);
return NOTIFY_OK;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 089/341] wifi: cfg80211: check wiphy mutex is held for wdev mutex
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 088/341] wifi: mac80211: lock wiphy in IP address notifier Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 090/341] wifi: mac80211: fix BA session teardown race Greg Kroah-Hartman
` (264 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 1474bc87fe57deac726cc10203f73daa6c3212f7 ]
This might seem pretty pointless rather than changing the locking
immediately, but it seems safer to run for a while with checks and
the old locking scheme, and then remove the wdev lock later.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/core.h | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/wireless/core.h b/net/wireless/core.h
index f0a3a23176385..c955be6c6daa4 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -228,6 +228,7 @@ void cfg80211_register_wdev(struct cfg80211_registered_device *rdev,
static inline void wdev_lock(struct wireless_dev *wdev)
__acquires(wdev)
{
+ lockdep_assert_held(&wdev->wiphy->mtx);
mutex_lock(&wdev->mtx);
__acquire(wdev->mtx);
}
@@ -235,11 +236,16 @@ static inline void wdev_lock(struct wireless_dev *wdev)
static inline void wdev_unlock(struct wireless_dev *wdev)
__releases(wdev)
{
+ lockdep_assert_held(&wdev->wiphy->mtx);
__release(wdev->mtx);
mutex_unlock(&wdev->mtx);
}
-#define ASSERT_WDEV_LOCK(wdev) lockdep_assert_held(&(wdev)->mtx)
+static inline void ASSERT_WDEV_LOCK(struct wireless_dev *wdev)
+{
+ lockdep_assert_held(&wdev->wiphy->mtx);
+ lockdep_assert_held(&wdev->mtx);
+}
static inline bool cfg80211_has_monitors_only(struct cfg80211_registered_device *rdev)
{
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 090/341] wifi: mac80211: fix BA session teardown race
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 089/341] wifi: cfg80211: check wiphy mutex is held for wdev mutex Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 091/341] wifi: iwlwifi: mvm: fix recovery flow in CSA Greg Kroah-Hartman
` (263 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 05f136220d17839eb7c155f015ace9152f603225 ]
As previously reported by Alexander, whose commit 69403bad97aa
("wifi: mac80211: sdata can be NULL during AMPDU start") I'm
reverting as part of this commit, there's a race between station
destruction and aggregation setup, where the aggregation setup
can happen while the station is being removed and queue the work
after ieee80211_sta_tear_down_BA_sessions() has already run in
__sta_info_destroy_part1(), and thus the worker will run with a
now freed station. In his case, this manifested in a NULL sdata
pointer, but really there's no guarantee whatsoever.
The real issue seems to be that it's possible at all to have a
situation where this occurs - we want to stop the BA sessions
when doing _part1, but we cannot be sure, and WLAN_STA_BLOCK_BA
isn't necessarily effective since we don't know that the setup
isn't concurrently running and already got past the check.
Simply call ieee80211_sta_tear_down_BA_sessions() again in the
second part of station destruction, since at that point really
nothing else can hold a reference to the station any more.
Also revert the sdata checks since those are just misleading at
this point.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/agg-tx.c | 6 +-----
net/mac80211/driver-ops.c | 3 ---
net/mac80211/sta_info.c | 14 ++++++++++++++
3 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index b6b7726858815..0a69e47f1c55f 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -497,7 +497,7 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid)
{
struct tid_ampdu_tx *tid_tx;
struct ieee80211_local *local = sta->local;
- struct ieee80211_sub_if_data *sdata;
+ struct ieee80211_sub_if_data *sdata = sta->sdata;
struct ieee80211_ampdu_params params = {
.sta = &sta->sta,
.action = IEEE80211_AMPDU_TX_START,
@@ -525,7 +525,6 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid)
*/
synchronize_net();
- sdata = sta->sdata;
params.ssn = sta->tid_seq[tid] >> 4;
ret = drv_ampdu_action(local, sdata, ¶ms);
tid_tx->ssn = params.ssn;
@@ -539,9 +538,6 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid)
*/
set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state);
} else if (ret) {
- if (!sdata)
- return;
-
ht_dbg(sdata,
"BA request denied - HW unavailable for %pM tid %d\n",
sta->sta.addr, tid);
diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c
index f8af0c3d405ae..d6478fd00badf 100644
--- a/net/mac80211/driver-ops.c
+++ b/net/mac80211/driver-ops.c
@@ -393,9 +393,6 @@ int drv_ampdu_action(struct ieee80211_local *local,
might_sleep();
- if (!sdata)
- return -EIO;
-
sdata = get_bss_sdata(sdata);
if (!check_sdata_in_driver(sdata))
return -EIO;
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 984f8f67492fd..42ba51a9700f2 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1402,6 +1402,20 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc)
* after _part1 and before _part2!
*/
+ /*
+ * There's a potential race in _part1 where we set WLAN_STA_BLOCK_BA
+ * but someone might have just gotten past a check, and not yet into
+ * queuing the work/creating the data/etc.
+ *
+ * Do another round of destruction so that the worker is certainly
+ * canceled before we later free the station.
+ *
+ * Since this is after synchronize_rcu()/synchronize_net() we're now
+ * certain that nobody can actually hold a reference to the STA and
+ * be calling e.g. ieee80211_start_tx_ba_session().
+ */
+ ieee80211_sta_tear_down_BA_sessions(sta, AGG_STOP_DESTROY_STA);
+
might_sleep();
lockdep_assert_held(&local->sta_mtx);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 091/341] wifi: iwlwifi: mvm: fix recovery flow in CSA
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 090/341] wifi: mac80211: fix BA session teardown race Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 092/341] rcu: Dump memory object info if callback function is invalid Greg Kroah-Hartman
` (262 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emmanuel Grumbach, Gregory Greenman,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
[ Upstream commit 828c79d9feb000acbd9c15bd1ed7e0914473b363 ]
If the firmware crashes in the de-activation / re-activation
of the link during CSA, we will not have a valid phy_ctxt
pointer in mvmvif. This is a legit case, but when mac80211
removes the station to cleanup our state during the
re-configuration, we need to make sure we clear ap_sta
otherwise we won't re-add the station after the firmware has
been restarted. Later on, we'd activate the link, try to send
a TLC command crash again on ASSERT 3508.
Fix this by properly cleaning up our state.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230913145231.2651e6f6a55a.I4cd50e88ee5c23c1c8dd5b157a800e4b4c96f236@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index 8f49de1206e03..f973efbbc3795 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -1035,6 +1035,7 @@ static void iwl_mvm_cleanup_iterator(void *data, u8 *mac,
spin_unlock_bh(&mvm->time_event_lock);
memset(&mvmvif->bf_data, 0, sizeof(mvmvif->bf_data));
+ mvmvif->ap_sta = NULL;
for_each_mvm_vif_valid_link(mvmvif, link_id) {
mvmvif->link[link_id]->ap_sta_id = IWL_MVM_INVALID_STA;
@@ -3934,7 +3935,11 @@ int iwl_mvm_mac_sta_state_common(struct ieee80211_hw *hw,
mutex_lock(&mvm->mutex);
- /* this would be a mac80211 bug ... but don't crash */
+ /* this would be a mac80211 bug ... but don't crash, unless we had a
+ * firmware crash while we were activating a link, in which case it is
+ * legit to have phy_ctxt = NULL. Don't bother not to WARN if we are in
+ * recovery flow since we spit tons of error messages anyway.
+ */
for_each_sta_active_link(vif, sta, link_sta, link_id) {
if (WARN_ON_ONCE(!mvmvif->link[link_id]->phy_ctxt)) {
mutex_unlock(&mvm->mutex);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 092/341] rcu: Dump memory object info if callback function is invalid
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 091/341] wifi: iwlwifi: mvm: fix recovery flow in CSA Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 093/341] rcu: Eliminate rcu_gp_slow_unregister() false positive Greg Kroah-Hartman
` (261 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhen Lei, Paul E. McKenney,
Frederic Weisbecker, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhen Lei <thunder.leizhen@huawei.com>
[ Upstream commit 2cbc482d325ee58001472c4359b311958c4efdd1 ]
When a structure containing an RCU callback rhp is (incorrectly) freed
and reallocated after rhp is passed to call_rcu(), it is not unusual for
rhp->func to be set to NULL. This defeats the debugging prints used by
__call_rcu_common() in kernels built with CONFIG_DEBUG_OBJECTS_RCU_HEAD=y,
which expect to identify the offending code using the identity of this
function.
And in kernels build without CONFIG_DEBUG_OBJECTS_RCU_HEAD=y, things
are even worse, as can be seen from this splat:
Unable to handle kernel NULL pointer dereference at virtual address 0
... ...
PC is at 0x0
LR is at rcu_do_batch+0x1c0/0x3b8
... ...
(rcu_do_batch) from (rcu_core+0x1d4/0x284)
(rcu_core) from (__do_softirq+0x24c/0x344)
(__do_softirq) from (__irq_exit_rcu+0x64/0x108)
(__irq_exit_rcu) from (irq_exit+0x8/0x10)
(irq_exit) from (__handle_domain_irq+0x74/0x9c)
(__handle_domain_irq) from (gic_handle_irq+0x8c/0x98)
(gic_handle_irq) from (__irq_svc+0x5c/0x94)
(__irq_svc) from (arch_cpu_idle+0x20/0x3c)
(arch_cpu_idle) from (default_idle_call+0x4c/0x78)
(default_idle_call) from (do_idle+0xf8/0x150)
(do_idle) from (cpu_startup_entry+0x18/0x20)
(cpu_startup_entry) from (0xc01530)
This commit therefore adds calls to mem_dump_obj(rhp) to output some
information, for example:
slab kmalloc-256 start ffff410c45019900 pointer offset 0 size 256
This provides the rough size of the memory block and the offset of the
rcu_head structure, which as least provides at least a few clues to help
locate the problem. If the problem is reproducible, additional slab
debugging can be enabled, for example, CONFIG_DEBUG_SLAB=y, which can
provide significantly more information.
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/rcu.h | 7 +++++++
kernel/rcu/srcutiny.c | 1 +
kernel/rcu/srcutree.c | 1 +
kernel/rcu/tasks.h | 1 +
kernel/rcu/tiny.c | 1 +
kernel/rcu/tree.c | 1 +
6 files changed, 12 insertions(+)
diff --git a/kernel/rcu/rcu.h b/kernel/rcu/rcu.h
index 3d1851f82dbb6..de0afabfbd440 100644
--- a/kernel/rcu/rcu.h
+++ b/kernel/rcu/rcu.h
@@ -10,6 +10,7 @@
#ifndef __LINUX_RCU_H
#define __LINUX_RCU_H
+#include <linux/slab.h>
#include <trace/events/rcu.h>
/*
@@ -248,6 +249,12 @@ static inline void debug_rcu_head_unqueue(struct rcu_head *head)
}
#endif /* #else !CONFIG_DEBUG_OBJECTS_RCU_HEAD */
+static inline void debug_rcu_head_callback(struct rcu_head *rhp)
+{
+ if (unlikely(!rhp->func))
+ kmem_dump_obj(rhp);
+}
+
extern int rcu_cpu_stall_suppress_at_boot;
static inline bool rcu_stall_is_suppressed_at_boot(void)
diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c
index 336af24e0fe35..c38e5933a5d69 100644
--- a/kernel/rcu/srcutiny.c
+++ b/kernel/rcu/srcutiny.c
@@ -138,6 +138,7 @@ void srcu_drive_gp(struct work_struct *wp)
while (lh) {
rhp = lh;
lh = lh->next;
+ debug_rcu_head_callback(rhp);
local_bh_disable();
rhp->func(rhp);
local_bh_enable();
diff --git a/kernel/rcu/srcutree.c b/kernel/rcu/srcutree.c
index 25285893e44e7..2f770a9a2a13a 100644
--- a/kernel/rcu/srcutree.c
+++ b/kernel/rcu/srcutree.c
@@ -1735,6 +1735,7 @@ static void srcu_invoke_callbacks(struct work_struct *work)
rhp = rcu_cblist_dequeue(&ready_cbs);
for (; rhp != NULL; rhp = rcu_cblist_dequeue(&ready_cbs)) {
debug_rcu_head_unqueue(rhp);
+ debug_rcu_head_callback(rhp);
local_bh_disable();
rhp->func(rhp);
local_bh_enable();
diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h
index ff8d539ee22be..df81506cf2bde 100644
--- a/kernel/rcu/tasks.h
+++ b/kernel/rcu/tasks.h
@@ -538,6 +538,7 @@ static void rcu_tasks_invoke_cbs(struct rcu_tasks *rtp, struct rcu_tasks_percpu
raw_spin_unlock_irqrestore_rcu_node(rtpcp, flags);
len = rcl.len;
for (rhp = rcu_cblist_dequeue(&rcl); rhp; rhp = rcu_cblist_dequeue(&rcl)) {
+ debug_rcu_head_callback(rhp);
local_bh_disable();
rhp->func(rhp);
local_bh_enable();
diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
index 42f7589e51e09..fec804b790803 100644
--- a/kernel/rcu/tiny.c
+++ b/kernel/rcu/tiny.c
@@ -97,6 +97,7 @@ static inline bool rcu_reclaim_tiny(struct rcu_head *head)
trace_rcu_invoke_callback("", head);
f = head->func;
+ debug_rcu_head_callback(head);
WRITE_ONCE(head->func, (rcu_callback_t)0L);
f(head);
rcu_lock_release(&rcu_callback_map);
diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
index 583cc29080764..c7cb465e2e0c7 100644
--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -2185,6 +2185,7 @@ static void rcu_do_batch(struct rcu_data *rdp)
trace_rcu_invoke_callback(rcu_state.name, rhp);
f = rhp->func;
+ debug_rcu_head_callback(rhp);
WRITE_ONCE(rhp->func, (rcu_callback_t)0L);
f(rhp);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 093/341] rcu: Eliminate rcu_gp_slow_unregister() false positive
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 092/341] rcu: Dump memory object info if callback function is invalid Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 094/341] net: ethernet: mtk_wed: check update_wo_rx_stats in mtk_wed_update_rx_stats() Greg Kroah-Hartman
` (260 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul E. McKenney,
Frederic Weisbecker, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
[ Upstream commit 0ae9942f03d0d034fdb0a4f44fc99f62a3107987 ]
When using rcutorture as a module, there are a number of conditions that
can abort the modprobe operation, for example, when attempting to run
both RCU CPU stall warning tests and forward-progress tests. This can
cause rcu_torture_cleanup() to be invoked on the unwind path out of
rcu_rcu_torture_init(), which will mean that rcu_gp_slow_unregister()
is invoked without a matching rcu_gp_slow_register(). This will cause
a splat because rcu_gp_slow_unregister() is passed rcu_fwd_cb_nodelay,
which does not match a NULL pointer.
This commit therefore forgives a mismatch involving a NULL pointer, thus
avoiding this false-positive splat.
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/tree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
index c7cb465e2e0c7..8541084eeba50 100644
--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -1298,7 +1298,7 @@ EXPORT_SYMBOL_GPL(rcu_gp_slow_register);
/* Unregister a counter, with NULL for not caring which. */
void rcu_gp_slow_unregister(atomic_t *rgssp)
{
- WARN_ON_ONCE(rgssp && rgssp != rcu_gp_slow_suppress);
+ WARN_ON_ONCE(rgssp && rgssp != rcu_gp_slow_suppress && rcu_gp_slow_suppress != NULL);
WRITE_ONCE(rcu_gp_slow_suppress, NULL);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 094/341] net: ethernet: mtk_wed: check update_wo_rx_stats in mtk_wed_update_rx_stats()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 093/341] rcu: Eliminate rcu_gp_slow_unregister() false positive Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 095/341] sched/topology: Handle NUMA_NO_NODE in sched_numa_find_nth_cpu() Greg Kroah-Hartman
` (259 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Simon Horman,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 486e6ca6b48d68d7fefc99e15cc1865e2210d893 ]
Check if update_wo_rx_stats function pointer is properly set in
mtk_wed_update_rx_stats routine before accessing it.
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/b0d233386e059bccb59f18f69afb79a7806e5ded.1694507226.git.lorenzo@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mediatek/mtk_wed_mcu.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/mediatek/mtk_wed_mcu.c b/drivers/net/ethernet/mediatek/mtk_wed_mcu.c
index 071ed3dea860d..72bcdaed12a94 100644
--- a/drivers/net/ethernet/mediatek/mtk_wed_mcu.c
+++ b/drivers/net/ethernet/mediatek/mtk_wed_mcu.c
@@ -68,6 +68,9 @@ mtk_wed_update_rx_stats(struct mtk_wed_device *wed, struct sk_buff *skb)
struct mtk_wed_wo_rx_stats *stats;
int i;
+ if (!wed->wlan.update_wo_rx_stats)
+ return;
+
if (count * sizeof(*stats) > skb->len - sizeof(u32))
return;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 095/341] sched/topology: Handle NUMA_NO_NODE in sched_numa_find_nth_cpu()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 094/341] net: ethernet: mtk_wed: check update_wo_rx_stats in mtk_wed_update_rx_stats() Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 096/341] wifi: cw1200: Avoid processing an invalid TIM IE Greg Kroah-Hartman
` (258 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yury Norov, Ingo Molnar, Mel Gorman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yury Norov <yury.norov@gmail.com>
[ Upstream commit 9ecea9ae4d3127a09fb5dfcea87f248937a39ff5 ]
sched_numa_find_nth_cpu() doesn't handle NUMA_NO_NODE properly, and
may crash kernel if passed with it. On the other hand, the only user
of sched_numa_find_nth_cpu() has to check NUMA_NO_NODE case explicitly.
It would be easier for users if this logic will get moved into
sched_numa_find_nth_cpu().
Signed-off-by: Yury Norov <yury.norov@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Mel Gorman <mgorman@suse.de>
Link: https://lore.kernel.org/r/20230819141239.287290-6-yury.norov@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/topology.c | 3 +++
lib/cpumask.c | 4 +---
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c
index 8c1e183329d97..3a13cecf17740 100644
--- a/kernel/sched/topology.c
+++ b/kernel/sched/topology.c
@@ -2126,6 +2126,9 @@ int sched_numa_find_nth_cpu(const struct cpumask *cpus, int cpu, int node)
struct cpumask ***hop_masks;
int hop, ret = nr_cpu_ids;
+ if (node == NUMA_NO_NODE)
+ return cpumask_nth_and(cpu, cpus, cpu_online_mask);
+
rcu_read_lock();
/* CPU-less node entries are uninitialized in sched_domains_numa_masks */
diff --git a/lib/cpumask.c b/lib/cpumask.c
index a7fd02b5ae264..34335c1e72653 100644
--- a/lib/cpumask.c
+++ b/lib/cpumask.c
@@ -146,9 +146,7 @@ unsigned int cpumask_local_spread(unsigned int i, int node)
/* Wrap: we always want a cpu. */
i %= num_online_cpus();
- cpu = (node == NUMA_NO_NODE) ?
- cpumask_nth(i, cpu_online_mask) :
- sched_numa_find_nth_cpu(cpu_online_mask, i, node);
+ cpu = sched_numa_find_nth_cpu(cpu_online_mask, i, node);
WARN_ON(cpu >= nr_cpu_ids);
return cpu;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 096/341] wifi: cw1200: Avoid processing an invalid TIM IE
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 095/341] sched/topology: Handle NUMA_NO_NODE in sched_numa_find_nth_cpu() Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 097/341] cgroup: Avoid extra dereference in css_populate_dir() Greg Kroah-Hartman
` (257 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Johnson, Kalle Valo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Johnson <quic_jjohnson@quicinc.com>
[ Upstream commit b7bcea9c27b3d87b54075735c870500123582145 ]
While converting struct ieee80211_tim_ie::virtual_map to be a flexible
array it was observed that the TIM IE processing in cw1200_rx_cb()
could potentially process a malformed IE in a manner that could result
in a buffer over-read. Add logic to verify that the TIM IE length is
large enough to hold a valid TIM payload before processing it.
Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230831-ieee80211_tim_ie-v3-1-e10ff584ab5d@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/st/cw1200/txrx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/st/cw1200/txrx.c b/drivers/net/wireless/st/cw1200/txrx.c
index 6894b919ff94b..e16e9ae90d204 100644
--- a/drivers/net/wireless/st/cw1200/txrx.c
+++ b/drivers/net/wireless/st/cw1200/txrx.c
@@ -1166,7 +1166,7 @@ void cw1200_rx_cb(struct cw1200_common *priv,
size_t ies_len = skb->len - (ies - (u8 *)(skb->data));
tim_ie = cfg80211_find_ie(WLAN_EID_TIM, ies, ies_len);
- if (tim_ie) {
+ if (tim_ie && tim_ie[1] >= sizeof(struct ieee80211_tim_ie)) {
struct ieee80211_tim_ie *tim =
(struct ieee80211_tim_ie *)&tim_ie[2];
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 097/341] cgroup: Avoid extra dereference in css_populate_dir()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 096/341] wifi: cw1200: Avoid processing an invalid TIM IE Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 098/341] i2c: riic: avoid potential division by zero Greg Kroah-Hartman
` (256 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kamalesh Babulal, Tejun Heo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamalesh Babulal <kamalesh.babulal@oracle.com>
[ Upstream commit d24f05987ce8bf61e62d86fedbe47523dc5c3393 ]
Use css directly instead of dereferencing it from &cgroup->self, while
adding the cgroup v2 cft base and psi files in css_populate_dir(). Both
points to the same css, when css->ss is NULL, this avoids extra deferences
and makes code consistent in usage across the function.
Signed-off-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cgroup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index d872fff901073..5eca6281d1aa6 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -1728,13 +1728,13 @@ static int css_populate_dir(struct cgroup_subsys_state *css)
if (!css->ss) {
if (cgroup_on_dfl(cgrp)) {
- ret = cgroup_addrm_files(&cgrp->self, cgrp,
+ ret = cgroup_addrm_files(css, cgrp,
cgroup_base_files, true);
if (ret < 0)
return ret;
if (cgroup_psi_enabled()) {
- ret = cgroup_addrm_files(&cgrp->self, cgrp,
+ ret = cgroup_addrm_files(css, cgrp,
cgroup_psi_files, true);
if (ret < 0)
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 098/341] i2c: riic: avoid potential division by zero
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 097/341] cgroup: Avoid extra dereference in css_populate_dir() Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 099/341] RDMA/rtrs: Fix the problem of variable not initialized fully Greg Kroah-Hartman
` (255 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Geert Uytterhoeven,
Wolfram Sang, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 7890fce6201aed46d3576e3d641f9ee5c1f0e16f ]
Value comes from DT, so it could be 0. Unlikely, but could be.
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-riic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-riic.c b/drivers/i2c/busses/i2c-riic.c
index f0ee8871d5ae1..e43ff483c56ec 100644
--- a/drivers/i2c/busses/i2c-riic.c
+++ b/drivers/i2c/busses/i2c-riic.c
@@ -313,7 +313,7 @@ static int riic_init_hw(struct riic_dev *riic, struct i2c_timings *t)
* frequency with only 62 clock ticks max (31 high, 31 low).
* Aim for a duty of 60% LOW, 40% HIGH.
*/
- total_ticks = DIV_ROUND_UP(rate, t->bus_freq_hz);
+ total_ticks = DIV_ROUND_UP(rate, t->bus_freq_hz ?: 1);
for (cks = 0; cks < 7; cks++) {
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 099/341] RDMA/rtrs: Fix the problem of variable not initialized fully
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 098/341] i2c: riic: avoid potential division by zero Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 100/341] s390/smp,mcck: fix early IPI handling Greg Kroah-Hartman
` (254 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhu Yanjun, Leon Romanovsky,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhu Yanjun <yanjun.zhu@linux.dev>
[ Upstream commit c5930a1aa08aafe6ffe15b5d28fe875f88f6ac86 ]
No functionality change. The variable which is not initialized fully
will introduce potential risks.
Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Link: https://lore.kernel.org/r/20230919020806.534183-1-yanjun.zhu@intel.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/rtrs/rtrs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs.c b/drivers/infiniband/ulp/rtrs/rtrs.c
index 3696f367ff515..d80edfffd2e49 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs.c
@@ -255,7 +255,7 @@ static int create_cq(struct rtrs_con *con, int cq_vector, int nr_cqe,
static int create_qp(struct rtrs_con *con, struct ib_pd *pd,
u32 max_send_wr, u32 max_recv_wr, u32 max_sge)
{
- struct ib_qp_init_attr init_attr = {NULL};
+ struct ib_qp_init_attr init_attr = {};
struct rdma_cm_id *cm_id = con->cm_id;
int ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 100/341] s390/smp,mcck: fix early IPI handling
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 099/341] RDMA/rtrs: Fix the problem of variable not initialized fully Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 101/341] drm/bridge: tc358768: Attempt to fix DSI horizontal timings Greg Kroah-Hartman
` (253 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Schnelle, Alexander Gordeev,
Heiko Carstens, Vasily Gorbik, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
[ Upstream commit 4a1725281fc5b0009944b1c0e1d2c1dc311a09ec ]
Both the external call as well as the emergency signal submask bits in
control register 0 are set before any interrupt handler is registered.
Change the order and first register the interrupt handler and only then
enable the interrupts by setting the corresponding bits in control
register 0.
This prevents that the second part of the machine check handler for
early machine check handling is not executed: the machine check handler
sends an IPI to the CPU it runs on. If the corresponding interrupts are
enabled, but no interrupt handler is present, the interrupt is ignored.
Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
Acked-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/early.c | 12 +++---------
arch/s390/kernel/smp.c | 4 ++--
2 files changed, 5 insertions(+), 11 deletions(-)
diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
index 442ce0489e1a1..3a54733e4fc65 100644
--- a/arch/s390/kernel/early.c
+++ b/arch/s390/kernel/early.c
@@ -258,15 +258,9 @@ static inline void save_vector_registers(void)
#endif
}
-static inline void setup_control_registers(void)
+static inline void setup_low_address_protection(void)
{
- unsigned long reg;
-
- __ctl_store(reg, 0, 0);
- reg |= CR0_LOW_ADDRESS_PROTECTION;
- reg |= CR0_EMERGENCY_SIGNAL_SUBMASK;
- reg |= CR0_EXTERNAL_CALL_SUBMASK;
- __ctl_load(reg, 0, 0);
+ __ctl_set_bit(0, 28);
}
static inline void setup_access_registers(void)
@@ -314,7 +308,7 @@ void __init startup_init(void)
save_vector_registers();
setup_topology();
sclp_early_detect();
- setup_control_registers();
+ setup_low_address_protection();
setup_access_registers();
lockdep_on();
}
diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
index a4edb7ea66ea7..c63be2efd6895 100644
--- a/arch/s390/kernel/smp.c
+++ b/arch/s390/kernel/smp.c
@@ -1013,12 +1013,12 @@ void __init smp_fill_possible_mask(void)
void __init smp_prepare_cpus(unsigned int max_cpus)
{
- /* request the 0x1201 emergency signal external interrupt */
if (register_external_irq(EXT_IRQ_EMERGENCY_SIG, do_ext_call_interrupt))
panic("Couldn't request external interrupt 0x1201");
- /* request the 0x1202 external call external interrupt */
+ ctl_set_bit(0, 14);
if (register_external_irq(EXT_IRQ_EXTERNAL_CALL, do_ext_call_interrupt))
panic("Couldn't request external interrupt 0x1202");
+ ctl_set_bit(0, 13);
}
void __init smp_prepare_boot_cpu(void)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 101/341] drm/bridge: tc358768: Attempt to fix DSI horizontal timings
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 100/341] s390/smp,mcck: fix early IPI handling Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 102/341] wifi: ath12k: fix WARN_ON during ath12k_mac_update_vif_chan Greg Kroah-Hartman
` (252 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Ujfalusi, Marcel Ziswiler,
Tomi Valkeinen, Robert Foss, Sasha Levin, Maxim Schwalm
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
[ Upstream commit 9fc75c40faa29df14ba16066be6bdfaea9f39ce4 ]
The DSI horizontal timing calculations done by the driver seem to often
lead to underflows or overflows, depending on the videomode.
There are two main things the current driver doesn't seem to get right:
DSI HSW and HFP, and VSDly. However, even following Toshiba's
documentation it seems we don't always get a working display.
This patch attempts to fix the horizontal timings for DSI event mode, and
on a system with a DSI->HDMI encoder, a lot of standard HDMI modes now
seem to work. The work relies on Toshiba's documentation, but also quite
a bit on empirical testing.
This also adds timing related debug prints to make it easier to improve
on this later.
The DSI pulse mode has only been tested with a fixed-resolution panel,
which limits the testing of different modes on DSI pulse mode. However,
as the VSDly calculation also affects pulse mode, so this might cause a
regression.
Reviewed-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
Tested-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Tested-by: Maxim Schwalm <maxim.schwalm@gmail.com> # Asus TF700T
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Signed-off-by: Robert Foss <rfoss@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20230906-tc358768-v4-12-31725f008a50@ideasonboard.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/bridge/tc358768.c | 213 ++++++++++++++++++++++++++----
1 file changed, 185 insertions(+), 28 deletions(-)
diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c
index 6eed5c4232956..c72d5fbbb0ec4 100644
--- a/drivers/gpu/drm/bridge/tc358768.c
+++ b/drivers/gpu/drm/bridge/tc358768.c
@@ -9,6 +9,7 @@
#include <linux/gpio/consumer.h>
#include <linux/i2c.h>
#include <linux/kernel.h>
+#include <linux/math64.h>
#include <linux/media-bus-format.h>
#include <linux/minmax.h>
#include <linux/module.h>
@@ -157,6 +158,7 @@ struct tc358768_priv {
u32 frs; /* PLL Freqency range for HSCK (post divider) */
u32 dsiclk; /* pll_clk / 2 */
+ u32 pclk; /* incoming pclk rate */
};
static inline struct tc358768_priv *dsi_host_to_tc358768(struct mipi_dsi_host
@@ -380,6 +382,7 @@ static int tc358768_calc_pll(struct tc358768_priv *priv,
priv->prd = best_prd;
priv->frs = frs;
priv->dsiclk = best_pll / 2;
+ priv->pclk = mode->clock * 1000;
return 0;
}
@@ -638,6 +641,28 @@ static u32 tc358768_ps_to_ns(u32 ps)
return ps / 1000;
}
+static u32 tc358768_dpi_to_ns(u32 val, u32 pclk)
+{
+ return (u32)div_u64((u64)val * NANO, pclk);
+}
+
+/* Convert value in DPI pixel clock units to DSI byte count */
+static u32 tc358768_dpi_to_dsi_bytes(struct tc358768_priv *priv, u32 val)
+{
+ u64 m = (u64)val * priv->dsiclk / 4 * priv->dsi_lanes;
+ u64 n = priv->pclk;
+
+ return (u32)div_u64(m + n - 1, n);
+}
+
+static u32 tc358768_dsi_bytes_to_ns(struct tc358768_priv *priv, u32 val)
+{
+ u64 m = (u64)val * NANO;
+ u64 n = priv->dsiclk / 4 * priv->dsi_lanes;
+
+ return (u32)div_u64(m, n);
+}
+
static void tc358768_bridge_pre_enable(struct drm_bridge *bridge)
{
struct tc358768_priv *priv = bridge_to_tc358768(bridge);
@@ -647,11 +672,19 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge)
s32 raw_val;
const struct drm_display_mode *mode;
u32 hsbyteclk_ps, dsiclk_ps, ui_ps;
- u32 dsiclk, hsbyteclk, video_start;
- const u32 internal_delay = 40;
+ u32 dsiclk, hsbyteclk;
int ret, i;
struct videomode vm;
struct device *dev = priv->dev;
+ /* In pixelclock units */
+ u32 dpi_htot, dpi_data_start;
+ /* In byte units */
+ u32 dsi_dpi_htot, dsi_dpi_data_start;
+ u32 dsi_hsw, dsi_hbp, dsi_hact, dsi_hfp;
+ const u32 dsi_hss = 4; /* HSS is a short packet (4 bytes) */
+ /* In hsbyteclk units */
+ u32 dsi_vsdly;
+ const u32 internal_dly = 40;
if (mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS) {
dev_warn_once(dev, "Non-continuous mode unimplemented, falling back to continuous\n");
@@ -686,27 +719,23 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge)
case MIPI_DSI_FMT_RGB888:
val |= (0x3 << 4);
hact = vm.hactive * 3;
- video_start = (vm.hsync_len + vm.hback_porch) * 3;
data_type = MIPI_DSI_PACKED_PIXEL_STREAM_24;
break;
case MIPI_DSI_FMT_RGB666:
val |= (0x4 << 4);
hact = vm.hactive * 3;
- video_start = (vm.hsync_len + vm.hback_porch) * 3;
data_type = MIPI_DSI_PACKED_PIXEL_STREAM_18;
break;
case MIPI_DSI_FMT_RGB666_PACKED:
val |= (0x4 << 4) | BIT(3);
hact = vm.hactive * 18 / 8;
- video_start = (vm.hsync_len + vm.hback_porch) * 18 / 8;
data_type = MIPI_DSI_PIXEL_STREAM_3BYTE_18;
break;
case MIPI_DSI_FMT_RGB565:
val |= (0x5 << 4);
hact = vm.hactive * 2;
- video_start = (vm.hsync_len + vm.hback_porch) * 2;
data_type = MIPI_DSI_PACKED_PIXEL_STREAM_16;
break;
default:
@@ -716,9 +745,152 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge)
return;
}
+ /*
+ * There are three important things to make TC358768 work correctly,
+ * which are not trivial to manage:
+ *
+ * 1. Keep the DPI line-time and the DSI line-time as close to each
+ * other as possible.
+ * 2. TC358768 goes to LP mode after each line's active area. The DSI
+ * HFP period has to be long enough for entering and exiting LP mode.
+ * But it is not clear how to calculate this.
+ * 3. VSDly (video start delay) has to be long enough to ensure that the
+ * DSI TX does not start transmitting until we have started receiving
+ * pixel data from the DPI input. It is not clear how to calculate
+ * this either.
+ */
+
+ dpi_htot = vm.hactive + vm.hfront_porch + vm.hsync_len + vm.hback_porch;
+ dpi_data_start = vm.hsync_len + vm.hback_porch;
+
+ dev_dbg(dev, "dpi horiz timing (pclk): %u + %u + %u + %u = %u\n",
+ vm.hsync_len, vm.hback_porch, vm.hactive, vm.hfront_porch,
+ dpi_htot);
+
+ dev_dbg(dev, "dpi horiz timing (ns): %u + %u + %u + %u = %u\n",
+ tc358768_dpi_to_ns(vm.hsync_len, vm.pixelclock),
+ tc358768_dpi_to_ns(vm.hback_porch, vm.pixelclock),
+ tc358768_dpi_to_ns(vm.hactive, vm.pixelclock),
+ tc358768_dpi_to_ns(vm.hfront_porch, vm.pixelclock),
+ tc358768_dpi_to_ns(dpi_htot, vm.pixelclock));
+
+ dev_dbg(dev, "dpi data start (ns): %u + %u = %u\n",
+ tc358768_dpi_to_ns(vm.hsync_len, vm.pixelclock),
+ tc358768_dpi_to_ns(vm.hback_porch, vm.pixelclock),
+ tc358768_dpi_to_ns(dpi_data_start, vm.pixelclock));
+
+ dsi_dpi_htot = tc358768_dpi_to_dsi_bytes(priv, dpi_htot);
+ dsi_dpi_data_start = tc358768_dpi_to_dsi_bytes(priv, dpi_data_start);
+
+ if (dsi_dev->mode_flags & MIPI_DSI_MODE_VIDEO_SYNC_PULSE) {
+ dsi_hsw = tc358768_dpi_to_dsi_bytes(priv, vm.hsync_len);
+ dsi_hbp = tc358768_dpi_to_dsi_bytes(priv, vm.hback_porch);
+ } else {
+ /* HBP is included in HSW in event mode */
+ dsi_hbp = 0;
+ dsi_hsw = tc358768_dpi_to_dsi_bytes(priv,
+ vm.hsync_len +
+ vm.hback_porch);
+
+ /*
+ * The pixel packet includes the actual pixel data, and:
+ * DSI packet header = 4 bytes
+ * DCS code = 1 byte
+ * DSI packet footer = 2 bytes
+ */
+ dsi_hact = hact + 4 + 1 + 2;
+
+ dsi_hfp = dsi_dpi_htot - dsi_hact - dsi_hsw - dsi_hss;
+
+ /*
+ * Here we should check if HFP is long enough for entering LP
+ * and exiting LP, but it's not clear how to calculate that.
+ * Instead, this is a naive algorithm that just adjusts the HFP
+ * and HSW so that HFP is (at least) roughly 2/3 of the total
+ * blanking time.
+ */
+ if (dsi_hfp < (dsi_hfp + dsi_hsw + dsi_hss) * 2 / 3) {
+ u32 old_hfp = dsi_hfp;
+ u32 old_hsw = dsi_hsw;
+ u32 tot = dsi_hfp + dsi_hsw + dsi_hss;
+
+ dsi_hsw = tot / 3;
+
+ /*
+ * Seems like sometimes HSW has to be divisible by num-lanes, but
+ * not always...
+ */
+ dsi_hsw = roundup(dsi_hsw, priv->dsi_lanes);
+
+ dsi_hfp = dsi_dpi_htot - dsi_hact - dsi_hsw - dsi_hss;
+
+ dev_dbg(dev,
+ "hfp too short, adjusting dsi hfp and dsi hsw from %u, %u to %u, %u\n",
+ old_hfp, old_hsw, dsi_hfp, dsi_hsw);
+ }
+
+ dev_dbg(dev,
+ "dsi horiz timing (bytes): %u, %u + %u + %u + %u = %u\n",
+ dsi_hss, dsi_hsw, dsi_hbp, dsi_hact, dsi_hfp,
+ dsi_hss + dsi_hsw + dsi_hbp + dsi_hact + dsi_hfp);
+
+ dev_dbg(dev, "dsi horiz timing (ns): %u + %u + %u + %u + %u = %u\n",
+ tc358768_dsi_bytes_to_ns(priv, dsi_hss),
+ tc358768_dsi_bytes_to_ns(priv, dsi_hsw),
+ tc358768_dsi_bytes_to_ns(priv, dsi_hbp),
+ tc358768_dsi_bytes_to_ns(priv, dsi_hact),
+ tc358768_dsi_bytes_to_ns(priv, dsi_hfp),
+ tc358768_dsi_bytes_to_ns(priv, dsi_hss + dsi_hsw +
+ dsi_hbp + dsi_hact + dsi_hfp));
+ }
+
+ /* VSDly calculation */
+
+ /* Start with the HW internal delay */
+ dsi_vsdly = internal_dly;
+
+ /* Convert to byte units as the other variables are in byte units */
+ dsi_vsdly *= priv->dsi_lanes;
+
+ /* Do we need more delay, in addition to the internal? */
+ if (dsi_dpi_data_start > dsi_vsdly + dsi_hss + dsi_hsw + dsi_hbp) {
+ dsi_vsdly = dsi_dpi_data_start - dsi_hss - dsi_hsw - dsi_hbp;
+ dsi_vsdly = roundup(dsi_vsdly, priv->dsi_lanes);
+ }
+
+ dev_dbg(dev, "dsi data start (bytes) %u + %u + %u + %u = %u\n",
+ dsi_vsdly, dsi_hss, dsi_hsw, dsi_hbp,
+ dsi_vsdly + dsi_hss + dsi_hsw + dsi_hbp);
+
+ dev_dbg(dev, "dsi data start (ns) %u + %u + %u + %u = %u\n",
+ tc358768_dsi_bytes_to_ns(priv, dsi_vsdly),
+ tc358768_dsi_bytes_to_ns(priv, dsi_hss),
+ tc358768_dsi_bytes_to_ns(priv, dsi_hsw),
+ tc358768_dsi_bytes_to_ns(priv, dsi_hbp),
+ tc358768_dsi_bytes_to_ns(priv, dsi_vsdly + dsi_hss + dsi_hsw + dsi_hbp));
+
+ /* Convert back to hsbyteclk */
+ dsi_vsdly /= priv->dsi_lanes;
+
+ /*
+ * The docs say that there is an internal delay of 40 cycles.
+ * However, we get underflows if we follow that rule. If we
+ * instead ignore the internal delay, things work. So either
+ * the docs are wrong or the calculations are wrong.
+ *
+ * As a temporary fix, add the internal delay here, to counter
+ * the subtraction when writing the register.
+ */
+ dsi_vsdly += internal_dly;
+
+ /* Clamp to the register max */
+ if (dsi_vsdly - internal_dly > 0x3ff) {
+ dev_warn(dev, "VSDly too high, underflows likely\n");
+ dsi_vsdly = 0x3ff + internal_dly;
+ }
+
/* VSDly[9:0] */
- video_start = max(video_start, internal_delay + 1) - internal_delay;
- tc358768_write(priv, TC358768_VSDLY, video_start);
+ tc358768_write(priv, TC358768_VSDLY, dsi_vsdly - internal_dly);
tc358768_write(priv, TC358768_DATAFMT, val);
tc358768_write(priv, TC358768_DSITX_DT, data_type);
@@ -826,18 +998,6 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge)
/* vbp */
tc358768_write(priv, TC358768_DSI_VBPR, vm.vback_porch);
-
- /* hsw * byteclk * ndl / pclk */
- val = (u32)div_u64(vm.hsync_len *
- (u64)hsbyteclk * priv->dsi_lanes,
- vm.pixelclock);
- tc358768_write(priv, TC358768_DSI_HSW, val);
-
- /* hbp * byteclk * ndl / pclk */
- val = (u32)div_u64(vm.hback_porch *
- (u64)hsbyteclk * priv->dsi_lanes,
- vm.pixelclock);
- tc358768_write(priv, TC358768_DSI_HBPR, val);
} else {
/* Set event mode */
tc358768_write(priv, TC358768_DSI_EVENT, 1);
@@ -851,16 +1011,13 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge)
/* vbp (not used in event mode) */
tc358768_write(priv, TC358768_DSI_VBPR, 0);
+ }
- /* (hsw + hbp) * byteclk * ndl / pclk */
- val = (u32)div_u64((vm.hsync_len + vm.hback_porch) *
- (u64)hsbyteclk * priv->dsi_lanes,
- vm.pixelclock);
- tc358768_write(priv, TC358768_DSI_HSW, val);
+ /* hsw (bytes) */
+ tc358768_write(priv, TC358768_DSI_HSW, dsi_hsw);
- /* hbp (not used in event mode) */
- tc358768_write(priv, TC358768_DSI_HBPR, 0);
- }
+ /* hbp (bytes) */
+ tc358768_write(priv, TC358768_DSI_HBPR, dsi_hbp);
/* hact (bytes) */
tc358768_write(priv, TC358768_DSI_HACT, hact);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 102/341] wifi: ath12k: fix WARN_ON during ath12k_mac_update_vif_chan
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 101/341] drm/bridge: tc358768: Attempt to fix DSI horizontal timings Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 103/341] i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out Greg Kroah-Hartman
` (251 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manish Dharanenthiran, Kalle Valo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manish Dharanenthiran <quic_mdharane@quicinc.com>
[ Upstream commit 8b8b990fe495e9be057249e1651b59b5ebacf2ef ]
Fix WARN_ON() from ath12k_mac_update_vif_chan() if vdev is not up.
Since change_chanctx can be called even before vdev_up.
Do vdev stop followed by a vdev start in case of vdev is down.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0-02903-QCAHKSWPL_SILICONZ-1
Signed-off-by: Manish Dharanenthiran <quic_mdharane@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230802085852.19821-2-quic_mdharane@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/mac.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
index 61435e4489b9f..ba6fc27f4a1a1 100644
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -6039,13 +6039,28 @@ ath12k_mac_update_vif_chan(struct ath12k *ar,
if (WARN_ON(!arvif->is_started))
continue;
- if (WARN_ON(!arvif->is_up))
- continue;
+ /* Firmware expect vdev_restart only if vdev is up.
+ * If vdev is down then it expect vdev_stop->vdev_start.
+ */
+ if (arvif->is_up) {
+ ret = ath12k_mac_vdev_restart(arvif, &vifs[i].new_ctx->def);
+ if (ret) {
+ ath12k_warn(ab, "failed to restart vdev %d: %d\n",
+ arvif->vdev_id, ret);
+ continue;
+ }
+ } else {
+ ret = ath12k_mac_vdev_stop(arvif);
+ if (ret) {
+ ath12k_warn(ab, "failed to stop vdev %d: %d\n",
+ arvif->vdev_id, ret);
+ continue;
+ }
- ret = ath12k_mac_vdev_restart(arvif, &vifs[i].new_ctx->def);
- if (ret) {
- ath12k_warn(ab, "failed to restart vdev %d: %d\n",
- arvif->vdev_id, ret);
+ ret = ath12k_mac_vdev_start(arvif, &vifs[i].new_ctx->def);
+ if (ret)
+ ath12k_warn(ab, "failed to start vdev %d: %d\n",
+ arvif->vdev_id, ret);
continue;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 103/341] i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 102/341] wifi: ath12k: fix WARN_ON during ath12k_mac_update_vif_chan Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 104/341] i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer Greg Kroah-Hartman
` (250 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jarkko Nikula, Alexandre Belloni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
[ Upstream commit 361acacaf7c706223968c8186f0d3b6e214e7403 ]
Ring Abort request will timeout in case there is an error in the Host
Controller interrupt delivery or Ring Header configuration. Using BUG()
makes hard to debug those cases.
Make it less severe and turn BUG() to WARN_ON().
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Link: https://lore.kernel.org/r/20230921055704.1087277-6-jarkko.nikula@linux.intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c
index 71b5dbe45c45c..a28ff177022ce 100644
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -450,10 +450,9 @@ static bool hci_dma_dequeue_xfer(struct i3c_hci *hci,
/*
* We're deep in it if ever this condition is ever met.
* Hardware might still be writing to memory, etc.
- * Better suspend the world than risking silent corruption.
*/
dev_crit(&hci->master.dev, "unable to abort the ring\n");
- BUG();
+ WARN_ON(1);
}
for (i = 0; i < n; i++) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 104/341] i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 103/341] i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 105/341] drm/amdkfd: Move dma unmapping after TLB flush Greg Kroah-Hartman
` (249 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jarkko Nikula, Alexandre Belloni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
[ Upstream commit b8806e0c939f168237593af0056c309bf31022b0 ]
Fix following warning (with CONFIG_DMA_API_DEBUG) which happens with a
transfer without a data buffer.
DMA-API: i3c mipi-i3c-hci.0: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]
For those transfers the hci_dma_queue_xfer() doesn't create a mapping and
the DMA address pointer xfer->data_dma is not set.
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Link: https://lore.kernel.org/r/20230921055704.1087277-10-jarkko.nikula@linux.intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c
index a28ff177022ce..337c95d43f3f6 100644
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -345,6 +345,8 @@ static void hci_dma_unmap_xfer(struct i3c_hci *hci,
for (i = 0; i < n; i++) {
xfer = xfer_list + i;
+ if (!xfer->data)
+ continue;
dma_unmap_single(&hci->master.dev,
xfer->data_dma, xfer->data_len,
xfer->rnw ? DMA_FROM_DEVICE : DMA_TO_DEVICE);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 105/341] drm/amdkfd: Move dma unmapping after TLB flush
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 104/341] i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 106/341] media: radio-isa: use dev_name to fill in bus_info Greg Kroah-Hartman
` (248 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Felix Kuehling,
Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit 101b8104307eac734f2dfa4d3511430b0b631c73 ]
Otherwise GPU may access the stale mapping and generate IOMMU
IO_PAGE_FAULT.
Move this to inside p->mutex to prevent multiple threads mapping and
unmapping concurrently race condition.
After kfd_mem_dmaunmap_attachment is removed from unmap_bo_from_gpuvm,
kfd_mem_dmaunmap_attachment is called if failed to map to GPUs, and
before free the mem attachment in case failed to unmap from GPUs.
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 +
.../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 26 ++++++++++++++++---
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 20 ++++++++------
3 files changed, 35 insertions(+), 12 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
index 2fe9860725bd9..5e4fb33b97351 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
@@ -303,6 +303,7 @@ int amdgpu_amdkfd_gpuvm_map_memory_to_gpu(struct amdgpu_device *adev,
struct kgd_mem *mem, void *drm_priv);
int amdgpu_amdkfd_gpuvm_unmap_memory_from_gpu(
struct amdgpu_device *adev, struct kgd_mem *mem, void *drm_priv);
+void amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv);
int amdgpu_amdkfd_gpuvm_sync_memory(
struct amdgpu_device *adev, struct kgd_mem *mem, bool intr);
int amdgpu_amdkfd_gpuvm_map_gtt_bo_to_kernel(struct kgd_mem *mem,
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
index 62c1dc9510a41..c2d1d57a6c668 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -733,7 +733,7 @@ kfd_mem_dmaunmap_sg_bo(struct kgd_mem *mem,
enum dma_data_direction dir;
if (unlikely(!ttm->sg)) {
- pr_err("SG Table of BO is UNEXPECTEDLY NULL");
+ pr_debug("SG Table of BO is NULL");
return;
}
@@ -1202,8 +1202,6 @@ static void unmap_bo_from_gpuvm(struct kgd_mem *mem,
amdgpu_vm_clear_freed(adev, vm, &bo_va->last_pt_update);
amdgpu_sync_fence(sync, bo_va->last_pt_update);
-
- kfd_mem_dmaunmap_attachment(mem, entry);
}
static int update_gpuvm_pte(struct kgd_mem *mem,
@@ -1258,6 +1256,7 @@ static int map_bo_to_gpuvm(struct kgd_mem *mem,
update_gpuvm_pte_failed:
unmap_bo_from_gpuvm(mem, entry, sync);
+ kfd_mem_dmaunmap_attachment(mem, entry);
return ret;
}
@@ -1862,8 +1861,10 @@ int amdgpu_amdkfd_gpuvm_free_memory_of_gpu(
mem->va + bo_size * (1 + mem->aql_queue));
/* Remove from VM internal data structures */
- list_for_each_entry_safe(entry, tmp, &mem->attachments, list)
+ list_for_each_entry_safe(entry, tmp, &mem->attachments, list) {
+ kfd_mem_dmaunmap_attachment(mem, entry);
kfd_mem_detach(entry);
+ }
ret = unreserve_bo_and_vms(&ctx, false, false);
@@ -2037,6 +2038,23 @@ int amdgpu_amdkfd_gpuvm_map_memory_to_gpu(
return ret;
}
+void amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv)
+{
+ struct kfd_mem_attachment *entry;
+ struct amdgpu_vm *vm;
+
+ vm = drm_priv_to_vm(drm_priv);
+
+ mutex_lock(&mem->lock);
+
+ list_for_each_entry(entry, &mem->attachments, list) {
+ if (entry->bo_va->base.vm == vm)
+ kfd_mem_dmaunmap_attachment(mem, entry);
+ }
+
+ mutex_unlock(&mem->lock);
+}
+
int amdgpu_amdkfd_gpuvm_unmap_memory_from_gpu(
struct amdgpu_device *adev, struct kgd_mem *mem, void *drm_priv)
{
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index d33ba4fe9ad5b..045280c2b607c 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -1432,17 +1432,21 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep,
goto sync_memory_failed;
}
}
- mutex_unlock(&p->mutex);
- if (flush_tlb) {
- /* Flush TLBs after waiting for the page table updates to complete */
- for (i = 0; i < args->n_devices; i++) {
- peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]);
- if (WARN_ON_ONCE(!peer_pdd))
- continue;
+ /* Flush TLBs after waiting for the page table updates to complete */
+ for (i = 0; i < args->n_devices; i++) {
+ peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]);
+ if (WARN_ON_ONCE(!peer_pdd))
+ continue;
+ if (flush_tlb)
kfd_flush_tlb(peer_pdd, TLB_FLUSH_HEAVYWEIGHT);
- }
+
+ /* Remove dma mapping after tlb flush to avoid IO_PAGE_FAULT */
+ amdgpu_amdkfd_gpuvm_dmaunmap_mem(mem, peer_pdd->drm_priv);
}
+
+ mutex_unlock(&p->mutex);
+
kfree(devices_arr);
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 106/341] media: radio-isa: use dev_name to fill in bus_info
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 105/341] drm/amdkfd: Move dma unmapping after TLB flush Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 107/341] wifi: ath11k: fix ath11k_mac_op_remain_on_channel() stack usage Greg Kroah-Hartman
` (247 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[ Upstream commit 8b7f3cf4eb9a95940eaabad3226caeaa0d9aa59d ]
This fixes this warning:
drivers/media/radio/radio-isa.c: In function 'radio_isa_querycap':
drivers/media/radio/radio-isa.c:39:57: warning: '%s' directive output may be truncated writing up to 35 bytes into a region of size 28 [-Wformat-truncation=]
39 | snprintf(v->bus_info, sizeof(v->bus_info), "ISA:%s", isa->v4l2_dev.name);
| ^~
drivers/media/radio/radio-isa.c:39:9: note: 'snprintf' output between 5 and 40 bytes into a destination of size 32
39 | snprintf(v->bus_info, sizeof(v->bus_info), "ISA:%s", isa->v4l2_dev.name);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/radio/radio-isa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/radio/radio-isa.c b/drivers/media/radio/radio-isa.c
index c591c0851fa28..ad49151f5ff09 100644
--- a/drivers/media/radio/radio-isa.c
+++ b/drivers/media/radio/radio-isa.c
@@ -36,7 +36,7 @@ static int radio_isa_querycap(struct file *file, void *priv,
strscpy(v->driver, isa->drv->driver.driver.name, sizeof(v->driver));
strscpy(v->card, isa->drv->card, sizeof(v->card));
- snprintf(v->bus_info, sizeof(v->bus_info), "ISA:%s", isa->v4l2_dev.name);
+ snprintf(v->bus_info, sizeof(v->bus_info), "ISA:%s", dev_name(isa->v4l2_dev.dev));
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 107/341] wifi: ath11k: fix ath11k_mac_op_remain_on_channel() stack usage
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 106/341] media: radio-isa: use dev_name to fill in bus_info Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 108/341] staging: iio: resolver: ad2s1210: fix use before initialization Greg Kroah-Hartman
` (246 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov, Jeff Johnson,
Kalle Valo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 4fd15bb705d3faa7e6adab2daba2e3af80d9b6bd ]
When compiling with clang 16.0.6, I've noticed the following:
drivers/net/wireless/ath/ath11k/mac.c:8903:12: warning: stack frame
size (1032) exceeds limit (1024) in 'ath11k_mac_op_remain_on_channel'
[-Wframe-larger-than]
static int ath11k_mac_op_remain_on_channel(struct ieee80211_hw *hw,
^
68/1032 (6.59%) spills, 964/1032 (93.41%) variables
So switch to kzalloc()'ed instance of 'struct scan_req_params' like
it's done in 'ath11k_mac_op_hw_scan()'. Compile tested only.
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230926042906.13725-1-dmantipov@yandex.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/mac.c | 44 +++++++++++++++------------
1 file changed, 25 insertions(+), 19 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 33f2c189b4d86..4247c0f840a48 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -8910,7 +8910,7 @@ static int ath11k_mac_op_remain_on_channel(struct ieee80211_hw *hw,
{
struct ath11k *ar = hw->priv;
struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
- struct scan_req_params arg;
+ struct scan_req_params *arg;
int ret;
u32 scan_time_msec;
@@ -8942,27 +8942,31 @@ static int ath11k_mac_op_remain_on_channel(struct ieee80211_hw *hw,
scan_time_msec = ar->hw->wiphy->max_remain_on_channel_duration * 2;
- memset(&arg, 0, sizeof(arg));
- ath11k_wmi_start_scan_init(ar, &arg);
- arg.num_chan = 1;
- arg.chan_list = kcalloc(arg.num_chan, sizeof(*arg.chan_list),
- GFP_KERNEL);
- if (!arg.chan_list) {
+ arg = kzalloc(sizeof(*arg), GFP_KERNEL);
+ if (!arg) {
ret = -ENOMEM;
goto exit;
}
+ ath11k_wmi_start_scan_init(ar, arg);
+ arg->num_chan = 1;
+ arg->chan_list = kcalloc(arg->num_chan, sizeof(*arg->chan_list),
+ GFP_KERNEL);
+ if (!arg->chan_list) {
+ ret = -ENOMEM;
+ goto free_arg;
+ }
- arg.vdev_id = arvif->vdev_id;
- arg.scan_id = ATH11K_SCAN_ID;
- arg.chan_list[0] = chan->center_freq;
- arg.dwell_time_active = scan_time_msec;
- arg.dwell_time_passive = scan_time_msec;
- arg.max_scan_time = scan_time_msec;
- arg.scan_flags |= WMI_SCAN_FLAG_PASSIVE;
- arg.scan_flags |= WMI_SCAN_FILTER_PROBE_REQ;
- arg.burst_duration = duration;
-
- ret = ath11k_start_scan(ar, &arg);
+ arg->vdev_id = arvif->vdev_id;
+ arg->scan_id = ATH11K_SCAN_ID;
+ arg->chan_list[0] = chan->center_freq;
+ arg->dwell_time_active = scan_time_msec;
+ arg->dwell_time_passive = scan_time_msec;
+ arg->max_scan_time = scan_time_msec;
+ arg->scan_flags |= WMI_SCAN_FLAG_PASSIVE;
+ arg->scan_flags |= WMI_SCAN_FILTER_PROBE_REQ;
+ arg->burst_duration = duration;
+
+ ret = ath11k_start_scan(ar, arg);
if (ret) {
ath11k_warn(ar->ab, "failed to start roc scan: %d\n", ret);
@@ -8988,7 +8992,9 @@ static int ath11k_mac_op_remain_on_channel(struct ieee80211_hw *hw,
ret = 0;
free_chan_list:
- kfree(arg.chan_list);
+ kfree(arg->chan_list);
+free_arg:
+ kfree(arg);
exit:
mutex_unlock(&ar->conf_mutex);
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 108/341] staging: iio: resolver: ad2s1210: fix use before initialization
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 107/341] wifi: ath11k: fix ath11k_mac_op_remain_on_channel() stack usage Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 109/341] wifi: mt76: fix race condition related to checking tx queue fill status Greg Kroah-Hartman
` (245 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Jonathan Cameron,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
[ Upstream commit 7fe2d05cee46b1c4d9f1efaeab08cc31a0dfff60 ]
This fixes a use before initialization in ad2s1210_probe(). The
ad2s1210_setup_gpios() function uses st->sdev but it was being called
before this field was initialized.
Signed-off-by: David Lechner <dlechner@baylibre.com>
Link: https://lore.kernel.org/r/20230929-ad2s1210-mainline-v3-2-fa4364281745@baylibre.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/iio/resolver/ad2s1210.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/iio/resolver/ad2s1210.c b/drivers/staging/iio/resolver/ad2s1210.c
index 06de5823eb8e3..d38c4674cd6d7 100644
--- a/drivers/staging/iio/resolver/ad2s1210.c
+++ b/drivers/staging/iio/resolver/ad2s1210.c
@@ -658,9 +658,6 @@ static int ad2s1210_probe(struct spi_device *spi)
if (!indio_dev)
return -ENOMEM;
st = iio_priv(indio_dev);
- ret = ad2s1210_setup_gpios(st);
- if (ret < 0)
- return ret;
spi_set_drvdata(spi, indio_dev);
@@ -671,6 +668,10 @@ static int ad2s1210_probe(struct spi_device *spi)
st->resolution = 12;
st->fexcit = AD2S1210_DEF_EXCIT;
+ ret = ad2s1210_setup_gpios(st);
+ if (ret < 0)
+ return ret;
+
indio_dev->info = &ad2s1210_info;
indio_dev->modes = INDIO_DIRECT_MODE;
indio_dev->channels = ad2s1210_channels;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 109/341] wifi: mt76: fix race condition related to checking tx queue fill status
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 108/341] staging: iio: resolver: ad2s1210: fix use before initialization Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 110/341] usb: gadget: uvc: cleanup request when not in correct state Greg Kroah-Hartman
` (244 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ryder Lee, Felix Fietkau,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@nbd.name>
[ Upstream commit 0335c034e7265d36d956e806f33202c94a8a9860 ]
When drv_tx calls race against local tx scheduling, the queue fill status checks
can potentially race, leading to dma queue entries being overwritten.
Fix this by deferring packets from drv_tx calls to the tx worker, in order to
ensure that all regular queue tx comes from the same context.
Reported-by: Ryder Lee <Ryder.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mac80211.c | 50 +++++++-
drivers/net/wireless/mediatek/mt76/mt76.h | 24 ++--
.../net/wireless/mediatek/mt76/mt7603/main.c | 4 +-
.../net/wireless/mediatek/mt76/mt7615/main.c | 4 +-
.../net/wireless/mediatek/mt76/mt76x02_util.c | 4 +-
.../net/wireless/mediatek/mt76/mt7915/main.c | 4 +-
.../net/wireless/mediatek/mt76/mt7921/main.c | 2 +-
.../net/wireless/mediatek/mt76/mt792x_core.c | 2 +-
.../net/wireless/mediatek/mt76/mt7996/main.c | 4 +-
drivers/net/wireless/mediatek/mt76/tx.c | 108 ++++++++++++++----
10 files changed, 155 insertions(+), 51 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
index dbab400969202..85bffcf4f6fbf 100644
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
@@ -415,6 +415,9 @@ mt76_phy_init(struct mt76_phy *phy, struct ieee80211_hw *hw)
struct mt76_dev *dev = phy->dev;
struct wiphy *wiphy = hw->wiphy;
+ INIT_LIST_HEAD(&phy->tx_list);
+ spin_lock_init(&phy->tx_lock);
+
SET_IEEE80211_DEV(hw, dev->dev);
SET_IEEE80211_PERM_ADDR(hw, phy->macaddr);
@@ -688,6 +691,7 @@ int mt76_register_device(struct mt76_dev *dev, bool vht,
int ret;
dev_set_drvdata(dev->dev, dev);
+ mt76_wcid_init(&dev->global_wcid);
ret = mt76_phy_init(phy, hw);
if (ret)
return ret;
@@ -743,6 +747,7 @@ void mt76_unregister_device(struct mt76_dev *dev)
if (IS_ENABLED(CONFIG_MT76_LEDS))
mt76_led_cleanup(&dev->phy);
mt76_tx_status_check(dev, true);
+ mt76_wcid_cleanup(dev, &dev->global_wcid);
ieee80211_unregister_hw(hw);
}
EXPORT_SYMBOL_GPL(mt76_unregister_device);
@@ -1411,7 +1416,7 @@ mt76_sta_add(struct mt76_phy *phy, struct ieee80211_vif *vif,
wcid->phy_idx = phy->band_idx;
rcu_assign_pointer(dev->wcid[wcid->idx], wcid);
- mt76_packet_id_init(wcid);
+ mt76_wcid_init(wcid);
out:
mutex_unlock(&dev->mutex);
@@ -1430,7 +1435,7 @@ void __mt76_sta_remove(struct mt76_dev *dev, struct ieee80211_vif *vif,
if (dev->drv->sta_remove)
dev->drv->sta_remove(dev, vif, sta);
- mt76_packet_id_flush(dev, wcid);
+ mt76_wcid_cleanup(dev, wcid);
mt76_wcid_mask_clear(dev->wcid_mask, idx);
mt76_wcid_mask_clear(dev->wcid_phy_mask, idx);
@@ -1486,6 +1491,47 @@ void mt76_sta_pre_rcu_remove(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
}
EXPORT_SYMBOL_GPL(mt76_sta_pre_rcu_remove);
+void mt76_wcid_init(struct mt76_wcid *wcid)
+{
+ INIT_LIST_HEAD(&wcid->tx_list);
+ skb_queue_head_init(&wcid->tx_pending);
+
+ INIT_LIST_HEAD(&wcid->list);
+ idr_init(&wcid->pktid);
+}
+EXPORT_SYMBOL_GPL(mt76_wcid_init);
+
+void mt76_wcid_cleanup(struct mt76_dev *dev, struct mt76_wcid *wcid)
+{
+ struct mt76_phy *phy = dev->phys[wcid->phy_idx];
+ struct ieee80211_hw *hw;
+ struct sk_buff_head list;
+ struct sk_buff *skb;
+
+ mt76_tx_status_lock(dev, &list);
+ mt76_tx_status_skb_get(dev, wcid, -1, &list);
+ mt76_tx_status_unlock(dev, &list);
+
+ idr_destroy(&wcid->pktid);
+
+ spin_lock_bh(&phy->tx_lock);
+
+ if (!list_empty(&wcid->tx_list))
+ list_del_init(&wcid->tx_list);
+
+ spin_lock(&wcid->tx_pending.lock);
+ skb_queue_splice_tail_init(&wcid->tx_pending, &list);
+ spin_unlock(&wcid->tx_pending.lock);
+
+ spin_unlock_bh(&phy->tx_lock);
+
+ while ((skb = __skb_dequeue(&list)) != NULL) {
+ hw = mt76_tx_status_get_hw(dev, skb);
+ ieee80211_free_txskb(hw, skb);
+ }
+}
+EXPORT_SYMBOL_GPL(mt76_wcid_cleanup);
+
int mt76_get_txpower(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
int *dbm)
{
diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h
index 7f44736ca26f0..8b620d4fed439 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76.h
@@ -334,6 +334,9 @@ struct mt76_wcid {
u32 tx_info;
bool sw_iv;
+ struct list_head tx_list;
+ struct sk_buff_head tx_pending;
+
struct list_head list;
struct idr pktid;
@@ -719,6 +722,8 @@ struct mt76_phy {
unsigned long state;
u8 band_idx;
+ spinlock_t tx_lock;
+ struct list_head tx_list;
struct mt76_queue *q_tx[__MT_TXQ_MAX];
struct cfg80211_chan_def chandef;
@@ -1599,22 +1604,7 @@ mt76_token_put(struct mt76_dev *dev, int token)
return txwi;
}
-static inline void mt76_packet_id_init(struct mt76_wcid *wcid)
-{
- INIT_LIST_HEAD(&wcid->list);
- idr_init(&wcid->pktid);
-}
-
-static inline void
-mt76_packet_id_flush(struct mt76_dev *dev, struct mt76_wcid *wcid)
-{
- struct sk_buff_head list;
-
- mt76_tx_status_lock(dev, &list);
- mt76_tx_status_skb_get(dev, wcid, -1, &list);
- mt76_tx_status_unlock(dev, &list);
-
- idr_destroy(&wcid->pktid);
-}
+void mt76_wcid_init(struct mt76_wcid *wcid);
+void mt76_wcid_cleanup(struct mt76_dev *dev, struct mt76_wcid *wcid);
#endif
diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/main.c b/drivers/net/wireless/mediatek/mt76/mt7603/main.c
index c213fd2a5216b..89d738deea62e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7603/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7603/main.c
@@ -70,7 +70,7 @@ mt7603_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
mvif->sta.wcid.idx = idx;
mvif->sta.wcid.hw_key_idx = -1;
mvif->sta.vif = mvif;
- mt76_packet_id_init(&mvif->sta.wcid);
+ mt76_wcid_init(&mvif->sta.wcid);
eth_broadcast_addr(bc_addr);
mt7603_wtbl_init(dev, idx, mvif->idx, bc_addr);
@@ -110,7 +110,7 @@ mt7603_remove_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
dev->mt76.vif_mask &= ~BIT_ULL(mvif->idx);
mutex_unlock(&dev->mt76.mutex);
- mt76_packet_id_flush(&dev->mt76, &mvif->sta.wcid);
+ mt76_wcid_cleanup(&dev->mt76, &mvif->sta.wcid);
}
void mt7603_init_edcca(struct mt7603_dev *dev)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/main.c b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
index 200b1752ca77f..dab16b5fc3861 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
@@ -226,7 +226,7 @@ static int mt7615_add_interface(struct ieee80211_hw *hw,
mvif->sta.wcid.idx = idx;
mvif->sta.wcid.phy_idx = mvif->mt76.band_idx;
mvif->sta.wcid.hw_key_idx = -1;
- mt76_packet_id_init(&mvif->sta.wcid);
+ mt76_wcid_init(&mvif->sta.wcid);
mt7615_mac_wtbl_update(dev, idx,
MT_WTBL_UPDATE_ADM_COUNT_CLEAR);
@@ -279,7 +279,7 @@ static void mt7615_remove_interface(struct ieee80211_hw *hw,
list_del_init(&msta->wcid.poll_list);
spin_unlock_bh(&dev->mt76.sta_poll_lock);
- mt76_packet_id_flush(&dev->mt76, &mvif->sta.wcid);
+ mt76_wcid_cleanup(&dev->mt76, &mvif->sta.wcid);
}
int mt7615_set_channel(struct mt7615_phy *phy)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c
index dcbb5c605dfe6..8a0e8124b8940 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c
@@ -288,7 +288,7 @@ mt76x02_vif_init(struct mt76x02_dev *dev, struct ieee80211_vif *vif,
mvif->idx = idx;
mvif->group_wcid.idx = MT_VIF_WCID(idx);
mvif->group_wcid.hw_key_idx = -1;
- mt76_packet_id_init(&mvif->group_wcid);
+ mt76_wcid_init(&mvif->group_wcid);
mtxq = (struct mt76_txq *)vif->txq->drv_priv;
rcu_assign_pointer(dev->mt76.wcid[MT_VIF_WCID(idx)], &mvif->group_wcid);
@@ -346,7 +346,7 @@ void mt76x02_remove_interface(struct ieee80211_hw *hw,
dev->mt76.vif_mask &= ~BIT_ULL(mvif->idx);
rcu_assign_pointer(dev->mt76.wcid[mvif->group_wcid.idx], NULL);
- mt76_packet_id_flush(&dev->mt76, &mvif->group_wcid);
+ mt76_wcid_cleanup(&dev->mt76, &mvif->group_wcid);
}
EXPORT_SYMBOL_GPL(mt76x02_remove_interface);
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
index 3196f56cdf4ab..260fe00d7dc6d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
@@ -253,7 +253,7 @@ static int mt7915_add_interface(struct ieee80211_hw *hw,
mvif->sta.wcid.phy_idx = ext_phy;
mvif->sta.wcid.hw_key_idx = -1;
mvif->sta.wcid.tx_info |= MT_WCID_TX_INFO_SET;
- mt76_packet_id_init(&mvif->sta.wcid);
+ mt76_wcid_init(&mvif->sta.wcid);
mt7915_mac_wtbl_update(dev, idx,
MT_WTBL_UPDATE_ADM_COUNT_CLEAR);
@@ -314,7 +314,7 @@ static void mt7915_remove_interface(struct ieee80211_hw *hw,
list_del_init(&msta->wcid.poll_list);
spin_unlock_bh(&dev->mt76.sta_poll_lock);
- mt76_packet_id_flush(&dev->mt76, &msta->wcid);
+ mt76_wcid_cleanup(&dev->mt76, &msta->wcid);
}
int mt7915_set_channel(struct mt7915_phy *phy)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
index d8851cb5f400b..6a5c2cae087d0 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -318,7 +318,7 @@ mt7921_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
mvif->sta.wcid.phy_idx = mvif->mt76.band_idx;
mvif->sta.wcid.hw_key_idx = -1;
mvif->sta.wcid.tx_info |= MT_WCID_TX_INFO_SET;
- mt76_packet_id_init(&mvif->sta.wcid);
+ mt76_wcid_init(&mvif->sta.wcid);
mt7921_mac_wtbl_update(dev, idx,
MT_WTBL_UPDATE_ADM_COUNT_CLEAR);
diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_core.c b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
index 2fb1141e5fa96..66806ed4f942d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c
+++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
@@ -115,7 +115,7 @@ void mt792x_remove_interface(struct ieee80211_hw *hw,
list_del_init(&msta->wcid.poll_list);
spin_unlock_bh(&dev->mt76.sta_poll_lock);
- mt76_packet_id_flush(&dev->mt76, &msta->wcid);
+ mt76_wcid_cleanup(&dev->mt76, &msta->wcid);
}
EXPORT_SYMBOL_GPL(mt792x_remove_interface);
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index 620880e560e00..7fea9f0d409bf 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -207,7 +207,7 @@ static int mt7996_add_interface(struct ieee80211_hw *hw,
mvif->sta.wcid.phy_idx = band_idx;
mvif->sta.wcid.hw_key_idx = -1;
mvif->sta.wcid.tx_info |= MT_WCID_TX_INFO_SET;
- mt76_packet_id_init(&mvif->sta.wcid);
+ mt76_wcid_init(&mvif->sta.wcid);
mt7996_mac_wtbl_update(dev, idx,
MT_WTBL_UPDATE_ADM_COUNT_CLEAR);
@@ -268,7 +268,7 @@ static void mt7996_remove_interface(struct ieee80211_hw *hw,
list_del_init(&msta->wcid.poll_list);
spin_unlock_bh(&dev->mt76.sta_poll_lock);
- mt76_packet_id_flush(&dev->mt76, &msta->wcid);
+ mt76_wcid_cleanup(&dev->mt76, &msta->wcid);
}
int mt7996_set_channel(struct mt7996_phy *phy)
diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
index 6cc26cc6c5178..1809b03292c3d 100644
--- a/drivers/net/wireless/mediatek/mt76/tx.c
+++ b/drivers/net/wireless/mediatek/mt76/tx.c
@@ -329,40 +329,32 @@ void
mt76_tx(struct mt76_phy *phy, struct ieee80211_sta *sta,
struct mt76_wcid *wcid, struct sk_buff *skb)
{
- struct mt76_dev *dev = phy->dev;
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
- struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
- struct mt76_queue *q;
- int qid = skb_get_queue_mapping(skb);
if (mt76_testmode_enabled(phy)) {
ieee80211_free_txskb(phy->hw, skb);
return;
}
- if (WARN_ON(qid >= MT_TXQ_PSD)) {
- qid = MT_TXQ_BE;
- skb_set_queue_mapping(skb, qid);
- }
-
- if ((dev->drv->drv_flags & MT_DRV_HW_MGMT_TXQ) &&
- !(info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) &&
- !ieee80211_is_data(hdr->frame_control) &&
- !ieee80211_is_bufferable_mmpdu(skb)) {
- qid = MT_TXQ_PSD;
- }
+ if (WARN_ON(skb_get_queue_mapping(skb) >= MT_TXQ_PSD))
+ skb_set_queue_mapping(skb, MT_TXQ_BE);
if (wcid && !(wcid->tx_info & MT_WCID_TX_INFO_SET))
ieee80211_get_tx_rates(info->control.vif, sta, skb,
info->control.rates, 1);
info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->band_idx);
- q = phy->q_tx[qid];
- spin_lock_bh(&q->lock);
- __mt76_tx_queue_skb(phy, qid, skb, wcid, sta, NULL);
- dev->queue_ops->kick(dev, q);
- spin_unlock_bh(&q->lock);
+ spin_lock_bh(&wcid->tx_pending.lock);
+ __skb_queue_tail(&wcid->tx_pending, skb);
+ spin_unlock_bh(&wcid->tx_pending.lock);
+
+ spin_lock_bh(&phy->tx_lock);
+ if (list_empty(&wcid->tx_list))
+ list_add_tail(&wcid->tx_list, &phy->tx_list);
+ spin_unlock_bh(&phy->tx_lock);
+
+ mt76_worker_schedule(&phy->dev->tx_worker);
}
EXPORT_SYMBOL_GPL(mt76_tx);
@@ -593,10 +585,86 @@ void mt76_txq_schedule(struct mt76_phy *phy, enum mt76_txq_id qid)
}
EXPORT_SYMBOL_GPL(mt76_txq_schedule);
+static int
+mt76_txq_schedule_pending_wcid(struct mt76_phy *phy, struct mt76_wcid *wcid)
+{
+ struct mt76_dev *dev = phy->dev;
+ struct ieee80211_sta *sta;
+ struct mt76_queue *q;
+ struct sk_buff *skb;
+ int ret = 0;
+
+ spin_lock(&wcid->tx_pending.lock);
+ while ((skb = skb_peek(&wcid->tx_pending)) != NULL) {
+ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+ int qid = skb_get_queue_mapping(skb);
+
+ if ((dev->drv->drv_flags & MT_DRV_HW_MGMT_TXQ) &&
+ !(info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) &&
+ !ieee80211_is_data(hdr->frame_control) &&
+ !ieee80211_is_bufferable_mmpdu(skb))
+ qid = MT_TXQ_PSD;
+
+ q = phy->q_tx[qid];
+ if (mt76_txq_stopped(q)) {
+ ret = -1;
+ break;
+ }
+
+ __skb_unlink(skb, &wcid->tx_pending);
+ spin_unlock(&wcid->tx_pending.lock);
+
+ sta = wcid_to_sta(wcid);
+ spin_lock(&q->lock);
+ __mt76_tx_queue_skb(phy, qid, skb, wcid, sta, NULL);
+ dev->queue_ops->kick(dev, q);
+ spin_unlock(&q->lock);
+
+ spin_lock(&wcid->tx_pending.lock);
+ }
+ spin_unlock(&wcid->tx_pending.lock);
+
+ return ret;
+}
+
+static void mt76_txq_schedule_pending(struct mt76_phy *phy)
+{
+ if (list_empty(&phy->tx_list))
+ return;
+
+ local_bh_disable();
+ rcu_read_lock();
+
+ spin_lock(&phy->tx_lock);
+ while (!list_empty(&phy->tx_list)) {
+ struct mt76_wcid *wcid = NULL;
+ int ret;
+
+ wcid = list_first_entry(&phy->tx_list, struct mt76_wcid, tx_list);
+ list_del_init(&wcid->tx_list);
+
+ spin_unlock(&phy->tx_lock);
+ ret = mt76_txq_schedule_pending_wcid(phy, wcid);
+ spin_lock(&phy->tx_lock);
+
+ if (ret) {
+ if (list_empty(&wcid->tx_list))
+ list_add_tail(&wcid->tx_list, &phy->tx_list);
+ break;
+ }
+ }
+ spin_unlock(&phy->tx_lock);
+
+ rcu_read_unlock();
+ local_bh_enable();
+}
+
void mt76_txq_schedule_all(struct mt76_phy *phy)
{
int i;
+ mt76_txq_schedule_pending(phy);
for (i = 0; i <= MT_TXQ_BK; i++)
mt76_txq_schedule(phy, i);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 110/341] usb: gadget: uvc: cleanup request when not in correct state
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 109/341] wifi: mt76: fix race condition related to checking tx queue fill status Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 15:04 ` Michael Grzeschik
2024-08-27 14:35 ` [PATCH 6.6 111/341] drm/amd/display: Validate hw_points_num before using it Greg Kroah-Hartman
` (243 subsequent siblings)
353 siblings, 1 reply; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Grzeschik, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Grzeschik <m.grzeschik@pengutronix.de>
[ Upstream commit 52a39f2cf62bb5430ad1f54cd522dbfdab1d71ba ]
The uvc_video_enable function of the uvc-gadget driver is dequeing and
immediately deallocs all requests on its disable codepath. This is not
save since the dequeue function is async and does not ensure that the
requests are left unlinked in the controller driver.
By adding the ep_free_request into the completion path of the requests
we ensure that the request will be properly deallocated.
Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Link: https://lore.kernel.org/r/20230911140530.2995138-3-m.grzeschik@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/uvc_video.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 281e75027b344..678ed30ada2b7 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -259,6 +259,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
struct uvc_device *uvc = video->uvc;
unsigned long flags;
+ if (uvc->state == UVC_STATE_CONNECTED) {
+ usb_ep_free_request(video->ep, ureq->req);
+ ureq->req = NULL;
+ return;
+ }
+
switch (req->status) {
case 0:
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 111/341] drm/amd/display: Validate hw_points_num before using it
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 110/341] usb: gadget: uvc: cleanup request when not in correct state Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 112/341] staging: ks7010: disable bh on tx_dev_lock Greg Kroah-Hartman
` (242 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harry Wentland, Alex Hung,
Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit 58c3b3341cea4f75dc8c003b89f8a6dd8ec55e50 ]
[WHAT]
hw_points_num is 0 before ogam LUT is programmed; however, function
"dwb3_program_ogam_pwl" assumes hw_points_num is always greater than 0,
i.e. substracting it by 1 as an array index.
[HOW]
Check hw_points_num is not equal to 0 before using it.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c
index 701c7d8bc038a..03a50c32fcfe1 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c
@@ -243,6 +243,9 @@ static bool dwb3_program_ogam_lut(
return false;
}
+ if (params->hw_points_num == 0)
+ return false;
+
REG_SET(DWB_OGAM_CONTROL, 0, DWB_OGAM_MODE, 2);
current_mode = dwb3_get_ogam_current(dwbc30);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 112/341] staging: ks7010: disable bh on tx_dev_lock
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 111/341] drm/amd/display: Validate hw_points_num before using it Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 113/341] platform/x86/intel/ifs: Validate image size Greg Kroah-Hartman
` (241 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chengfeng Ye, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengfeng Ye <dg573847474@gmail.com>
[ Upstream commit 058cbee52ccd7be77e373d31a4f14670cfd32018 ]
As &priv->tx_dev.tx_dev_lock is also acquired by xmit callback which
could be call from timer under softirq context, use spin_lock_bh()
on it to prevent potential deadlock.
hostif_sme_work()
--> hostif_sme_set_pmksa()
--> hostif_mib_set_request()
--> ks_wlan_hw_tx()
--> spin_lock(&priv->tx_dev.tx_dev_lock)
ks_wlan_start_xmit()
--> hostif_data_request()
--> ks_wlan_hw_tx()
--> spin_lock(&priv->tx_dev.tx_dev_lock)
Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
Link: https://lore.kernel.org/r/20230926161323.41928-1-dg573847474@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/ks7010/ks7010_sdio.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/ks7010/ks7010_sdio.c b/drivers/staging/ks7010/ks7010_sdio.c
index 9fb118e77a1f0..f1d44e4955fc6 100644
--- a/drivers/staging/ks7010/ks7010_sdio.c
+++ b/drivers/staging/ks7010/ks7010_sdio.c
@@ -395,9 +395,9 @@ int ks_wlan_hw_tx(struct ks_wlan_private *priv, void *p, unsigned long size,
priv->hostt.buff[priv->hostt.qtail] = le16_to_cpu(hdr->event);
priv->hostt.qtail = (priv->hostt.qtail + 1) % SME_EVENT_BUFF_SIZE;
- spin_lock(&priv->tx_dev.tx_dev_lock);
+ spin_lock_bh(&priv->tx_dev.tx_dev_lock);
result = enqueue_txdev(priv, p, size, complete_handler, skb);
- spin_unlock(&priv->tx_dev.tx_dev_lock);
+ spin_unlock_bh(&priv->tx_dev.tx_dev_lock);
if (txq_has_space(priv))
queue_delayed_work(priv->wq, &priv->rw_dwork, 0);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 113/341] platform/x86/intel/ifs: Validate image size
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 112/341] staging: ks7010: disable bh on tx_dev_lock Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 114/341] media: s5p-mfc: Fix potential deadlock on condlock Greg Kroah-Hartman
` (240 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jithu Joseph, Tony Luck,
Ilpo Järvinen, Pengfei Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jithu Joseph <jithu.joseph@intel.com>
[ Upstream commit 25a76dbb36dd58ad4df7f6a4dc43061a10b0d817 ]
Perform additional validation prior to loading IFS image.
Error out if the size of the file being loaded doesn't match the size
specified in the header.
Signed-off-by: Jithu Joseph <jithu.joseph@intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Link: https://lore.kernel.org/r/20231005195137.3117166-6-jithu.joseph@intel.com
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/ifs/load.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/platform/x86/intel/ifs/load.c b/drivers/platform/x86/intel/ifs/load.c
index cefd0d886cfd4..ae52de138a6ea 100644
--- a/drivers/platform/x86/intel/ifs/load.c
+++ b/drivers/platform/x86/intel/ifs/load.c
@@ -260,6 +260,7 @@ int ifs_load_firmware(struct device *dev)
{
const struct ifs_test_caps *test = ifs_get_test_caps(dev);
struct ifs_data *ifsd = ifs_get_data(dev);
+ unsigned int expected_size;
const struct firmware *fw;
char scan_path[64];
int ret = -EINVAL;
@@ -274,6 +275,13 @@ int ifs_load_firmware(struct device *dev)
goto done;
}
+ expected_size = ((struct microcode_header_intel *)fw->data)->totalsize;
+ if (fw->size != expected_size) {
+ dev_err(dev, "File size mismatch (expected %u, actual %zu). Corrupted IFS image.\n",
+ expected_size, fw->size);
+ return -EINVAL;
+ }
+
ret = image_sanity_check(dev, (struct microcode_header_intel *)fw->data);
if (ret)
goto release;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 114/341] media: s5p-mfc: Fix potential deadlock on condlock
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 113/341] platform/x86/intel/ifs: Validate image size Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 115/341] accel/habanalabs/gaudi2: unsecure tpc count registers Greg Kroah-Hartman
` (239 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chengfeng Ye, Marek Szyprowski,
Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengfeng Ye <dg573847474@gmail.com>
[ Upstream commit 04d19e65137e3cd4a5004e624c85c762933d115c ]
As &dev->condlock is acquired under irq context along the following
call chain from s5p_mfc_irq(), other acquisition of the same lock
inside process context or softirq context should disable irq avoid double
lock. enc_post_frame_start() seems to be one such function that execute
under process context or softirq context.
<deadlock #1>
enc_post_frame_start()
--> clear_work_bit()
--> spin_loc(&dev->condlock)
<interrupt>
--> s5p_mfc_irq()
--> s5p_mfc_handle_frame()
--> clear_work_bit()
--> spin_lock(&dev->condlock)
This flaw was found by an experimental static analysis tool I am
developing for irq-related deadlock.
To prevent the potential deadlock, the patch change clear_work_bit()
inside enc_post_frame_start() to clear_work_bit_irqsave().
Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c
index f62703cebb77c..4b4c129c09e70 100644
--- a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c
+++ b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c
@@ -1297,7 +1297,7 @@ static int enc_post_frame_start(struct s5p_mfc_ctx *ctx)
if (ctx->state == MFCINST_FINISHING && ctx->ref_queue_cnt == 0)
src_ready = false;
if (!src_ready || ctx->dst_queue_cnt == 0)
- clear_work_bit(ctx);
+ clear_work_bit_irqsave(ctx);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 115/341] accel/habanalabs/gaudi2: unsecure tpc count registers
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 114/341] media: s5p-mfc: Fix potential deadlock on condlock Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 116/341] accel/habanalabs: export dma-buf only if size/offset multiples of PAGE_SIZE Greg Kroah-Hartman
` (238 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ofir Bitton, Oded Gabbay,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ofir Bitton <obitton@habana.ai>
[ Upstream commit 1e3a78270b4ec1c8c177eb310c08128d52137a69 ]
As TPC kernels now must use those registers we unsecure them.
Signed-off-by: Ofir Bitton <obitton@habana.ai>
Reviewed-by: Oded Gabbay <ogabbay@kernel.org>
Signed-off-by: Oded Gabbay <ogabbay@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/accel/habanalabs/gaudi2/gaudi2_security.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/accel/habanalabs/gaudi2/gaudi2_security.c b/drivers/accel/habanalabs/gaudi2/gaudi2_security.c
index 2742b1f801eb2..908710524dc9e 100644
--- a/drivers/accel/habanalabs/gaudi2/gaudi2_security.c
+++ b/drivers/accel/habanalabs/gaudi2/gaudi2_security.c
@@ -1601,6 +1601,7 @@ static const u32 gaudi2_pb_dcr0_tpc0_unsecured_regs[] = {
mmDCORE0_TPC0_CFG_KERNEL_SRF_30,
mmDCORE0_TPC0_CFG_KERNEL_SRF_31,
mmDCORE0_TPC0_CFG_TPC_SB_L0CD,
+ mmDCORE0_TPC0_CFG_TPC_COUNT,
mmDCORE0_TPC0_CFG_TPC_ID,
mmDCORE0_TPC0_CFG_QM_KERNEL_ID_INC,
mmDCORE0_TPC0_CFG_QM_TID_BASE_SIZE_HIGH_DIM_0,
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 116/341] accel/habanalabs: export dma-buf only if size/offset multiples of PAGE_SIZE
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 115/341] accel/habanalabs/gaudi2: unsecure tpc count registers Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 117/341] accel/habanalabs: fix bug in timestamp interrupt handling Greg Kroah-Hartman
` (237 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tomer Tayar, Oded Gabbay,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomer Tayar <ttayar@habana.ai>
[ Upstream commit 0b75cb5b240fddf181c284d415ee77ef61b418d6 ]
It is currently allowed for a user to export dma-buf with size and
offset that are not multiples of PAGE_SIZE.
The exported memory is mapped for the importer device, and there it will
be rounded to PAGE_SIZE, leading to actually exporting more than the
user intended to.
To make the user be aware of it, accept only size and offset which are
multiple of PAGE_SIZE.
Signed-off-by: Tomer Tayar <ttayar@habana.ai>
Reviewed-by: Oded Gabbay <ogabbay@kernel.org>
Signed-off-by: Oded Gabbay <ogabbay@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/accel/habanalabs/common/memory.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/accel/habanalabs/common/memory.c b/drivers/accel/habanalabs/common/memory.c
index 4fc72a07d2f59..5b7d9a351133f 100644
--- a/drivers/accel/habanalabs/common/memory.c
+++ b/drivers/accel/habanalabs/common/memory.c
@@ -1878,16 +1878,16 @@ static int export_dmabuf(struct hl_ctx *ctx,
static int validate_export_params_common(struct hl_device *hdev, u64 device_addr, u64 size)
{
- if (!IS_ALIGNED(device_addr, PAGE_SIZE)) {
+ if (!PAGE_ALIGNED(device_addr)) {
dev_dbg(hdev->dev,
- "exported device memory address 0x%llx should be aligned to 0x%lx\n",
+ "exported device memory address 0x%llx should be aligned to PAGE_SIZE 0x%lx\n",
device_addr, PAGE_SIZE);
return -EINVAL;
}
- if (size < PAGE_SIZE) {
+ if (!size || !PAGE_ALIGNED(size)) {
dev_dbg(hdev->dev,
- "exported device memory size %llu should be equal to or greater than %lu\n",
+ "exported device memory size %llu should be a multiple of PAGE_SIZE %lu\n",
size, PAGE_SIZE);
return -EINVAL;
}
@@ -1938,6 +1938,13 @@ static int validate_export_params(struct hl_device *hdev, u64 device_addr, u64 s
if (rc)
return rc;
+ if (!PAGE_ALIGNED(offset)) {
+ dev_dbg(hdev->dev,
+ "exported device memory offset %llu should be a multiple of PAGE_SIZE %lu\n",
+ offset, PAGE_SIZE);
+ return -EINVAL;
+ }
+
if ((offset + size) > phys_pg_pack->total_size) {
dev_dbg(hdev->dev, "offset %#llx and size %#llx exceed total map size %#llx\n",
offset, size, phys_pg_pack->total_size);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 117/341] accel/habanalabs: fix bug in timestamp interrupt handling
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 116/341] accel/habanalabs: export dma-buf only if size/offset multiples of PAGE_SIZE Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 118/341] md/raid5-cache: use READ_ONCE/WRITE_ONCE for conf->log Greg Kroah-Hartman
` (236 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, farah kassabri, Oded Gabbay,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: farah kassabri <fkassabri@habana.ai>
[ Upstream commit 0165994c215f321e2d055368f89b424756e340eb ]
There is a potential race between user thread seeking to re-use
a timestamp record with new interrupt id, while this record is still
in the middle of interrupt handling and it is about to be freed.
Imagine the driver set the record in_use to 0 and only then fill the
free_node information. This might lead to unpleasant scenario where
the new registration thread detects the record as free to use, and
change the cq buff address. That will cause the free_node to get
the wrong buffer address to put refcount to.
Signed-off-by: farah kassabri <fkassabri@habana.ai>
Reviewed-by: Oded Gabbay <ogabbay@kernel.org>
Signed-off-by: Oded Gabbay <ogabbay@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/accel/habanalabs/common/irq.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/accel/habanalabs/common/irq.c b/drivers/accel/habanalabs/common/irq.c
index b1010d206c2ef..813315cea4a7b 100644
--- a/drivers/accel/habanalabs/common/irq.c
+++ b/drivers/accel/habanalabs/common/irq.c
@@ -271,6 +271,9 @@ static int handle_registration_node(struct hl_device *hdev, struct hl_user_pendi
free_node->cq_cb = pend->ts_reg_info.cq_cb;
list_add(&free_node->free_objects_node, *free_list);
+ /* Mark TS record as free */
+ pend->ts_reg_info.in_use = false;
+
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 118/341] md/raid5-cache: use READ_ONCE/WRITE_ONCE for conf->log
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 117/341] accel/habanalabs: fix bug in timestamp interrupt handling Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 119/341] binfmt_misc: cleanup on filesystem umount Greg Kroah-Hartman
` (235 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu Kuai, Song Liu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
[ Upstream commit 06a4d0d8c642b5ea654e832b74dca12965356da0 ]
'conf->log' is set with 'reconfig_mutex' grabbed, however, readers are
not procted, hence protect it with READ_ONCE/WRITE_ONCE to prevent
reading abnormal values.
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20231010151958.145896-3-yukuai1@huaweicloud.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/raid5-cache.c | 47 +++++++++++++++++++++-------------------
1 file changed, 25 insertions(+), 22 deletions(-)
diff --git a/drivers/md/raid5-cache.c b/drivers/md/raid5-cache.c
index 518b7cfa78b9d..889bba60d6ff7 100644
--- a/drivers/md/raid5-cache.c
+++ b/drivers/md/raid5-cache.c
@@ -327,8 +327,9 @@ void r5l_wake_reclaim(struct r5l_log *log, sector_t space);
void r5c_check_stripe_cache_usage(struct r5conf *conf)
{
int total_cached;
+ struct r5l_log *log = READ_ONCE(conf->log);
- if (!r5c_is_writeback(conf->log))
+ if (!r5c_is_writeback(log))
return;
total_cached = atomic_read(&conf->r5c_cached_partial_stripes) +
@@ -344,7 +345,7 @@ void r5c_check_stripe_cache_usage(struct r5conf *conf)
*/
if (total_cached > conf->min_nr_stripes * 1 / 2 ||
atomic_read(&conf->empty_inactive_list_nr) > 0)
- r5l_wake_reclaim(conf->log, 0);
+ r5l_wake_reclaim(log, 0);
}
/*
@@ -353,7 +354,9 @@ void r5c_check_stripe_cache_usage(struct r5conf *conf)
*/
void r5c_check_cached_full_stripe(struct r5conf *conf)
{
- if (!r5c_is_writeback(conf->log))
+ struct r5l_log *log = READ_ONCE(conf->log);
+
+ if (!r5c_is_writeback(log))
return;
/*
@@ -363,7 +366,7 @@ void r5c_check_cached_full_stripe(struct r5conf *conf)
if (atomic_read(&conf->r5c_cached_full_stripes) >=
min(R5C_FULL_STRIPE_FLUSH_BATCH(conf),
conf->chunk_sectors >> RAID5_STRIPE_SHIFT(conf)))
- r5l_wake_reclaim(conf->log, 0);
+ r5l_wake_reclaim(log, 0);
}
/*
@@ -396,7 +399,7 @@ void r5c_check_cached_full_stripe(struct r5conf *conf)
*/
static sector_t r5c_log_required_to_flush_cache(struct r5conf *conf)
{
- struct r5l_log *log = conf->log;
+ struct r5l_log *log = READ_ONCE(conf->log);
if (!r5c_is_writeback(log))
return 0;
@@ -449,7 +452,7 @@ static inline void r5c_update_log_state(struct r5l_log *log)
void r5c_make_stripe_write_out(struct stripe_head *sh)
{
struct r5conf *conf = sh->raid_conf;
- struct r5l_log *log = conf->log;
+ struct r5l_log *log = READ_ONCE(conf->log);
BUG_ON(!r5c_is_writeback(log));
@@ -491,7 +494,7 @@ static void r5c_handle_parity_cached(struct stripe_head *sh)
*/
static void r5c_finish_cache_stripe(struct stripe_head *sh)
{
- struct r5l_log *log = sh->raid_conf->log;
+ struct r5l_log *log = READ_ONCE(sh->raid_conf->log);
if (log->r5c_journal_mode == R5C_JOURNAL_MODE_WRITE_THROUGH) {
BUG_ON(test_bit(STRIPE_R5C_CACHING, &sh->state));
@@ -692,7 +695,7 @@ static void r5c_disable_writeback_async(struct work_struct *work)
/* wait superblock change before suspend */
wait_event(mddev->sb_wait,
- conf->log == NULL ||
+ !READ_ONCE(conf->log) ||
(!test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags) &&
(locked = mddev_trylock(mddev))));
if (locked) {
@@ -1151,7 +1154,7 @@ static void r5l_run_no_space_stripes(struct r5l_log *log)
static sector_t r5c_calculate_new_cp(struct r5conf *conf)
{
struct stripe_head *sh;
- struct r5l_log *log = conf->log;
+ struct r5l_log *log = READ_ONCE(conf->log);
sector_t new_cp;
unsigned long flags;
@@ -1159,12 +1162,12 @@ static sector_t r5c_calculate_new_cp(struct r5conf *conf)
return log->next_checkpoint;
spin_lock_irqsave(&log->stripe_in_journal_lock, flags);
- if (list_empty(&conf->log->stripe_in_journal_list)) {
+ if (list_empty(&log->stripe_in_journal_list)) {
/* all stripes flushed */
spin_unlock_irqrestore(&log->stripe_in_journal_lock, flags);
return log->next_checkpoint;
}
- sh = list_first_entry(&conf->log->stripe_in_journal_list,
+ sh = list_first_entry(&log->stripe_in_journal_list,
struct stripe_head, r5c);
new_cp = sh->log_start;
spin_unlock_irqrestore(&log->stripe_in_journal_lock, flags);
@@ -1399,7 +1402,7 @@ void r5c_flush_cache(struct r5conf *conf, int num)
struct stripe_head *sh, *next;
lockdep_assert_held(&conf->device_lock);
- if (!conf->log)
+ if (!READ_ONCE(conf->log))
return;
count = 0;
@@ -1420,7 +1423,7 @@ void r5c_flush_cache(struct r5conf *conf, int num)
static void r5c_do_reclaim(struct r5conf *conf)
{
- struct r5l_log *log = conf->log;
+ struct r5l_log *log = READ_ONCE(conf->log);
struct stripe_head *sh;
int count = 0;
unsigned long flags;
@@ -1549,7 +1552,7 @@ static void r5l_reclaim_thread(struct md_thread *thread)
{
struct mddev *mddev = thread->mddev;
struct r5conf *conf = mddev->private;
- struct r5l_log *log = conf->log;
+ struct r5l_log *log = READ_ONCE(conf->log);
if (!log)
return;
@@ -1591,7 +1594,7 @@ void r5l_quiesce(struct r5l_log *log, int quiesce)
bool r5l_log_disk_error(struct r5conf *conf)
{
- struct r5l_log *log = conf->log;
+ struct r5l_log *log = READ_ONCE(conf->log);
/* don't allow write if journal disk is missing */
if (!log)
@@ -2635,7 +2638,7 @@ int r5c_try_caching_write(struct r5conf *conf,
struct stripe_head_state *s,
int disks)
{
- struct r5l_log *log = conf->log;
+ struct r5l_log *log = READ_ONCE(conf->log);
int i;
struct r5dev *dev;
int to_cache = 0;
@@ -2802,7 +2805,7 @@ void r5c_finish_stripe_write_out(struct r5conf *conf,
struct stripe_head *sh,
struct stripe_head_state *s)
{
- struct r5l_log *log = conf->log;
+ struct r5l_log *log = READ_ONCE(conf->log);
int i;
int do_wakeup = 0;
sector_t tree_index;
@@ -2941,7 +2944,7 @@ int r5c_cache_data(struct r5l_log *log, struct stripe_head *sh)
/* check whether this big stripe is in write back cache. */
bool r5c_big_stripe_cached(struct r5conf *conf, sector_t sect)
{
- struct r5l_log *log = conf->log;
+ struct r5l_log *log = READ_ONCE(conf->log);
sector_t tree_index;
void *slot;
@@ -3049,14 +3052,14 @@ int r5l_start(struct r5l_log *log)
void r5c_update_on_rdev_error(struct mddev *mddev, struct md_rdev *rdev)
{
struct r5conf *conf = mddev->private;
- struct r5l_log *log = conf->log;
+ struct r5l_log *log = READ_ONCE(conf->log);
if (!log)
return;
if ((raid5_calc_degraded(conf) > 0 ||
test_bit(Journal, &rdev->flags)) &&
- conf->log->r5c_journal_mode == R5C_JOURNAL_MODE_WRITE_BACK)
+ log->r5c_journal_mode == R5C_JOURNAL_MODE_WRITE_BACK)
schedule_work(&log->disable_writeback_work);
}
@@ -3145,7 +3148,7 @@ int r5l_init_log(struct r5conf *conf, struct md_rdev *rdev)
spin_lock_init(&log->stripe_in_journal_lock);
atomic_set(&log->stripe_in_journal_count, 0);
- conf->log = log;
+ WRITE_ONCE(conf->log, log);
set_bit(MD_HAS_JOURNAL, &conf->mddev->flags);
return 0;
@@ -3173,7 +3176,7 @@ void r5l_exit_log(struct r5conf *conf)
* 'reconfig_mutex' is held by caller, set 'confg->log' to NULL to
* ensure disable_writeback_work wakes up and exits.
*/
- conf->log = NULL;
+ WRITE_ONCE(conf->log, NULL);
wake_up(&conf->mddev->sb_wait);
flush_work(&log->disable_writeback_work);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 119/341] binfmt_misc: cleanup on filesystem umount
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 118/341] md/raid5-cache: use READ_ONCE/WRITE_ONCE for conf->log Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 120/341] drm/tegra: Zero-initialize iosys_map Greg Kroah-Hartman
` (234 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sargun Dhillon, Serge Hallyn,
Jann Horn, Henning Schild, Andrei Vagin, Al Viro, Laurent Vivier,
linux-fsdevel, Christian Brauner, Christian Brauner, Kees Cook,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <christian.brauner@ubuntu.com>
[ Upstream commit 1c5976ef0f7ad76319df748ccb99a4c7ba2ba464 ]
Currently, registering a new binary type pins the binfmt_misc
filesystem. Specifically, this means that as long as there is at least
one binary type registered the binfmt_misc filesystem survives all
umounts, i.e. the superblock is not destroyed. Meaning that a umount
followed by another mount will end up with the same superblock and the
same binary type handlers. This is a behavior we tend to discourage for
any new filesystems (apart from a few special filesystems such as e.g.
configfs or debugfs). A umount operation without the filesystem being
pinned - by e.g. someone holding a file descriptor to an open file -
should usually result in the destruction of the superblock and all
associated resources. This makes introspection easier and leads to
clearly defined, simple and clean semantics. An administrator can rely
on the fact that a umount will guarantee a clean slate making it
possible to reinitialize a filesystem. Right now all binary types would
need to be explicitly deleted before that can happen.
This allows us to remove the heavy-handed calls to simple_pin_fs() and
simple_release_fs() when creating and deleting binary types. This in
turn allows us to replace the current brittle pinning mechanism abusing
dget() which has caused a range of bugs judging from prior fixes in [2]
and [3]. The additional dget() in load_misc_binary() pins the dentry but
only does so for the sake to prevent ->evict_inode() from freeing the
node when a user removes the binary type and kill_node() is run. Which
would mean ->interpreter and ->interp_file would be freed causing a UAF.
This isn't really nicely documented nor is it very clean because it
relies on simple_pin_fs() pinning the filesystem as long as at least one
binary type exists. Otherwise it would cause load_misc_binary() to hold
on to a dentry belonging to a superblock that has been shutdown.
Replace that implicit pinning with a clean and simple per-node refcount
and get rid of the ugly dget() pinning. A similar mechanism exists for
e.g. binderfs (cf. [4]). All the cleanup work can now be done in
->evict_inode().
In a follow-up patch we will make it possible to use binfmt_misc in
sandboxes. We will use the cleaner semantics where a umount for the
filesystem will cause the superblock and all resources to be
deallocated. In preparation for this apply the same semantics to the
initial binfmt_misc mount. Note, that this is a user-visible change and
as such a uapi change but one that we can reasonably risk. We've
discussed this in earlier versions of this patchset (cf. [1]).
The main user and provider of binfmt_misc is systemd. Systemd provides
binfmt_misc via autofs since it is configurable as a kernel module and
is used by a few exotic packages and users. As such a binfmt_misc mount
is triggered when /proc/sys/fs/binfmt_misc is accessed and is only
provided on demand. Other autofs on demand filesystems include EFI ESP
which systemd umounts if the mountpoint stays idle for a certain amount
of time. This doesn't apply to the binfmt_misc autofs mount which isn't
touched once it is mounted meaning this change can't accidently wipe
binary type handlers without someone having explicitly unmounted
binfmt_misc. After speaking to systemd folks they don't expect this
change to affect them.
In line with our general policy, if we see a regression for systemd or
other users with this change we will switch back to the old behavior for
the initial binfmt_misc mount and have binary types pin the filesystem
again. But while we touch this code let's take the chance and let's
improve on the status quo.
[1]: https://lore.kernel.org/r/20191216091220.465626-2-laurent@vivier.eu
[2]: commit 43a4f2619038 ("exec: binfmt_misc: fix race between load_misc_binary() and kill_node()"
[3]: commit 83f918274e4b ("exec: binfmt_misc: shift filp_close(interp_file) from kill_node() to bm_evict_inode()")
[4]: commit f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
Link: https://lore.kernel.org/r/20211028103114.2849140-1-brauner@kernel.org (v1)
Cc: Sargun Dhillon <sargun@sargun.me>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Jann Horn <jannh@google.com>
Cc: Henning Schild <henning.schild@siemens.com>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Laurent Vivier <laurent@vivier.eu>
Cc: linux-fsdevel@vger.kernel.org
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
/* v2 */
- Christian Brauner <christian.brauner@ubuntu.com>:
- Add more comments that explain what's going on.
- Rename functions while changing them to better reflect what they are
doing to make the code easier to understand.
- In the first version when a specific binary type handler was removed
either through a write to the entry's file or all binary type
handlers were removed by a write to the binfmt_misc mount's status
file all cleanup work happened during inode eviction.
That includes removal of the relevant entries from entry list. While
that works fine I disliked that model after thinking about it for a
bit. Because it means that there was a window were someone has
already removed a or all binary handlers but they could still be
safely reached from load_misc_binary() when it has managed to take
the read_lock() on the entries list while inode eviction was already
happening. Again, that perfectly benign but it's cleaner to remove
the binary handler from the list immediately meaning that ones the
write to then entry's file or the binfmt_misc status file returns
the binary type cannot be executed anymore. That gives stronger
guarantees to the user.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/binfmt_misc.c | 216 ++++++++++++++++++++++++++++++++++++-----------
1 file changed, 168 insertions(+), 48 deletions(-)
diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
index e0108d17b085c..cf5ed5cd4102d 100644
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -60,12 +60,11 @@ typedef struct {
char *name;
struct dentry *dentry;
struct file *interp_file;
+ refcount_t users; /* sync removal with load_misc_binary() */
} Node;
static DEFINE_RWLOCK(entries_lock);
static struct file_system_type bm_fs_type;
-static struct vfsmount *bm_mnt;
-static int entry_count;
/*
* Max length of the register string. Determined by:
@@ -82,19 +81,23 @@ static int entry_count;
*/
#define MAX_REGISTER_LENGTH 1920
-/*
- * Check if we support the binfmt
- * if we do, return the node, else NULL
- * locking is done in load_misc_binary
+/**
+ * search_binfmt_handler - search for a binary handler for @bprm
+ * @misc: handle to binfmt_misc instance
+ * @bprm: binary for which we are looking for a handler
+ *
+ * Search for a binary type handler for @bprm in the list of registered binary
+ * type handlers.
+ *
+ * Return: binary type list entry on success, NULL on failure
*/
-static Node *check_file(struct linux_binprm *bprm)
+static Node *search_binfmt_handler(struct linux_binprm *bprm)
{
char *p = strrchr(bprm->interp, '.');
- struct list_head *l;
+ Node *e;
/* Walk all the registered handlers. */
- list_for_each(l, &entries) {
- Node *e = list_entry(l, Node, list);
+ list_for_each_entry(e, &entries, list) {
char *s;
int j;
@@ -123,9 +126,49 @@ static Node *check_file(struct linux_binprm *bprm)
if (j == e->size)
return e;
}
+
return NULL;
}
+/**
+ * get_binfmt_handler - try to find a binary type handler
+ * @misc: handle to binfmt_misc instance
+ * @bprm: binary for which we are looking for a handler
+ *
+ * Try to find a binfmt handler for the binary type. If one is found take a
+ * reference to protect against removal via bm_{entry,status}_write().
+ *
+ * Return: binary type list entry on success, NULL on failure
+ */
+static Node *get_binfmt_handler(struct linux_binprm *bprm)
+{
+ Node *e;
+
+ read_lock(&entries_lock);
+ e = search_binfmt_handler(bprm);
+ if (e)
+ refcount_inc(&e->users);
+ read_unlock(&entries_lock);
+ return e;
+}
+
+/**
+ * put_binfmt_handler - put binary handler node
+ * @e: node to put
+ *
+ * Free node syncing with load_misc_binary() and defer final free to
+ * load_misc_binary() in case it is using the binary type handler we were
+ * requested to remove.
+ */
+static void put_binfmt_handler(Node *e)
+{
+ if (refcount_dec_and_test(&e->users)) {
+ if (e->flags & MISC_FMT_OPEN_FILE)
+ filp_close(e->interp_file, NULL);
+ kfree(e);
+ }
+}
+
/*
* the loader itself
*/
@@ -139,12 +182,7 @@ static int load_misc_binary(struct linux_binprm *bprm)
if (!enabled)
return retval;
- /* to keep locking time low, we copy the interpreter string */
- read_lock(&entries_lock);
- fmt = check_file(bprm);
- if (fmt)
- dget(fmt->dentry);
- read_unlock(&entries_lock);
+ fmt = get_binfmt_handler(bprm);
if (!fmt)
return retval;
@@ -198,7 +236,16 @@ static int load_misc_binary(struct linux_binprm *bprm)
retval = 0;
ret:
- dput(fmt->dentry);
+
+ /*
+ * If we actually put the node here all concurrent calls to
+ * load_misc_binary() will have finished. We also know
+ * that for the refcount to be zero ->evict_inode() must have removed
+ * the node to be deleted from the list. All that is left for us is to
+ * close and free.
+ */
+ put_binfmt_handler(fmt);
+
return retval;
}
@@ -552,30 +599,90 @@ static struct inode *bm_get_inode(struct super_block *sb, int mode)
return inode;
}
+/**
+ * bm_evict_inode - cleanup data associated with @inode
+ * @inode: inode to which the data is attached
+ *
+ * Cleanup the binary type handler data associated with @inode if a binary type
+ * entry is removed or the filesystem is unmounted and the super block is
+ * shutdown.
+ *
+ * If the ->evict call was not caused by a super block shutdown but by a write
+ * to remove the entry or all entries via bm_{entry,status}_write() the entry
+ * will have already been removed from the list. We keep the list_empty() check
+ * to make that explicit.
+*/
static void bm_evict_inode(struct inode *inode)
{
Node *e = inode->i_private;
- if (e && e->flags & MISC_FMT_OPEN_FILE)
- filp_close(e->interp_file, NULL);
-
clear_inode(inode);
- kfree(e);
+
+ if (e) {
+ write_lock(&entries_lock);
+ if (!list_empty(&e->list))
+ list_del_init(&e->list);
+ write_unlock(&entries_lock);
+ put_binfmt_handler(e);
+ }
}
-static void kill_node(Node *e)
+/**
+ * unlink_binfmt_dentry - remove the dentry for the binary type handler
+ * @dentry: dentry associated with the binary type handler
+ *
+ * Do the actual filesystem work to remove a dentry for a registered binary
+ * type handler. Since binfmt_misc only allows simple files to be created
+ * directly under the root dentry of the filesystem we ensure that we are
+ * indeed passed a dentry directly beneath the root dentry, that the inode
+ * associated with the root dentry is locked, and that it is a regular file we
+ * are asked to remove.
+ */
+static void unlink_binfmt_dentry(struct dentry *dentry)
{
- struct dentry *dentry;
+ struct dentry *parent = dentry->d_parent;
+ struct inode *inode, *parent_inode;
+
+ /* All entries are immediate descendants of the root dentry. */
+ if (WARN_ON_ONCE(dentry->d_sb->s_root != parent))
+ return;
+ /* We only expect to be called on regular files. */
+ inode = d_inode(dentry);
+ if (WARN_ON_ONCE(!S_ISREG(inode->i_mode)))
+ return;
+
+ /* The parent inode must be locked. */
+ parent_inode = d_inode(parent);
+ if (WARN_ON_ONCE(!inode_is_locked(parent_inode)))
+ return;
+
+ if (simple_positive(dentry)) {
+ dget(dentry);
+ simple_unlink(parent_inode, dentry);
+ d_delete(dentry);
+ dput(dentry);
+ }
+}
+
+/**
+ * remove_binfmt_handler - remove a binary type handler
+ * @misc: handle to binfmt_misc instance
+ * @e: binary type handler to remove
+ *
+ * Remove a binary type handler from the list of binary type handlers and
+ * remove its associated dentry. This is called from
+ * binfmt_{entry,status}_write(). In the future, we might want to think about
+ * adding a proper ->unlink() method to binfmt_misc instead of forcing caller's
+ * to use writes to files in order to delete binary type handlers. But it has
+ * worked for so long that it's not a pressing issue.
+ */
+static void remove_binfmt_handler(Node *e)
+{
write_lock(&entries_lock);
list_del_init(&e->list);
write_unlock(&entries_lock);
-
- dentry = e->dentry;
- drop_nlink(d_inode(dentry));
- d_drop(dentry);
- dput(dentry);
- simple_release_fs(&bm_mnt, &entry_count);
+ unlink_binfmt_dentry(e->dentry);
}
/* /<entry> */
@@ -602,8 +709,8 @@ bm_entry_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
static ssize_t bm_entry_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
- struct dentry *root;
- Node *e = file_inode(file)->i_private;
+ struct inode *inode = file_inode(file);
+ Node *e = inode->i_private;
int res = parse_command(buffer, count);
switch (res) {
@@ -617,13 +724,22 @@ static ssize_t bm_entry_write(struct file *file, const char __user *buffer,
break;
case 3:
/* Delete this handler. */
- root = file_inode(file)->i_sb->s_root;
- inode_lock(d_inode(root));
+ inode = d_inode(inode->i_sb->s_root);
+ inode_lock(inode);
+ /*
+ * In order to add new element or remove elements from the list
+ * via bm_{entry,register,status}_write() inode_lock() on the
+ * root inode must be held.
+ * The lock is exclusive ensuring that the list can't be
+ * modified. Only load_misc_binary() can access but does so
+ * read-only. So we only need to take the write lock when we
+ * actually remove the entry from the list.
+ */
if (!list_empty(&e->list))
- kill_node(e);
+ remove_binfmt_handler(e);
- inode_unlock(d_inode(root));
+ inode_unlock(inode);
break;
default:
return res;
@@ -682,13 +798,7 @@ static ssize_t bm_register_write(struct file *file, const char __user *buffer,
if (!inode)
goto out2;
- err = simple_pin_fs(&bm_fs_type, &bm_mnt, &entry_count);
- if (err) {
- iput(inode);
- inode = NULL;
- goto out2;
- }
-
+ refcount_set(&e->users, 1);
e->dentry = dget(dentry);
inode->i_private = e;
inode->i_fop = &bm_entry_operations;
@@ -732,7 +842,8 @@ static ssize_t bm_status_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
int res = parse_command(buffer, count);
- struct dentry *root;
+ Node *e, *next;
+ struct inode *inode;
switch (res) {
case 1:
@@ -745,13 +856,22 @@ static ssize_t bm_status_write(struct file *file, const char __user *buffer,
break;
case 3:
/* Delete all handlers. */
- root = file_inode(file)->i_sb->s_root;
- inode_lock(d_inode(root));
+ inode = d_inode(file_inode(file)->i_sb->s_root);
+ inode_lock(inode);
- while (!list_empty(&entries))
- kill_node(list_first_entry(&entries, Node, list));
+ /*
+ * In order to add new element or remove elements from the list
+ * via bm_{entry,register,status}_write() inode_lock() on the
+ * root inode must be held.
+ * The lock is exclusive ensuring that the list can't be
+ * modified. Only load_misc_binary() can access but does so
+ * read-only. So we only need to take the write lock when we
+ * actually remove the entry from the list.
+ */
+ list_for_each_entry_safe(e, next, &entries, list)
+ remove_binfmt_handler(e);
- inode_unlock(d_inode(root));
+ inode_unlock(inode);
break;
default:
return res;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 120/341] drm/tegra: Zero-initialize iosys_map
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 119/341] binfmt_misc: cleanup on filesystem umount Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 121/341] media: qcom: venus: fix incorrect return value Greg Kroah-Hartman
` (233 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ashish Mhetre, Mikko Perttunen,
Thierry Reding, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikko Perttunen <mperttunen@nvidia.com>
[ Upstream commit 3868ff006b572cf501a3327832d36c64a9eca86a ]
UBSAN reports an invalid load for bool, as the iosys_map is read
later without being initialized. Zero-initialize it to avoid this.
Reported-by: Ashish Mhetre <amhetre@nvidia.com>
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230901115910.701518-2-cyndis@kapsi.fi
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tegra/gem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
index a4023163493dc..a825fbbc01af6 100644
--- a/drivers/gpu/drm/tegra/gem.c
+++ b/drivers/gpu/drm/tegra/gem.c
@@ -177,7 +177,7 @@ static void tegra_bo_unpin(struct host1x_bo_mapping *map)
static void *tegra_bo_mmap(struct host1x_bo *bo)
{
struct tegra_bo *obj = host1x_to_tegra_bo(bo);
- struct iosys_map map;
+ struct iosys_map map = { 0 };
int ret;
if (obj->vaddr) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 121/341] media: qcom: venus: fix incorrect return value
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 120/341] drm/tegra: Zero-initialize iosys_map Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 122/341] iommu/arm-smmu-qcom: Add SDM670 MDSS compatible Greg Kroah-Hartman
` (232 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Bryan ODonoghue,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[ Upstream commit 51b74c09ac8c5862007fc2bf0d465529d06dd446 ]
'pd' can be NULL, and in that case it shouldn't be passed to
PTR_ERR. Fixes a smatch warning:
drivers/media/platform/qcom/venus/pm_helpers.c:873 vcodec_domains_get() warn: passing zero to 'PTR_ERR'
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/qcom/venus/pm_helpers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c
index 48c9084bb4dba..a1b127caa90a7 100644
--- a/drivers/media/platform/qcom/venus/pm_helpers.c
+++ b/drivers/media/platform/qcom/venus/pm_helpers.c
@@ -870,7 +870,7 @@ static int vcodec_domains_get(struct venus_core *core)
pd = dev_pm_domain_attach_by_name(dev,
res->vcodec_pmdomains[i]);
if (IS_ERR_OR_NULL(pd))
- return PTR_ERR(pd) ? : -ENODATA;
+ return pd ? PTR_ERR(pd) : -ENODATA;
core->pmdomains[i] = pd;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 122/341] iommu/arm-smmu-qcom: Add SDM670 MDSS compatible
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 121/341] media: qcom: venus: fix incorrect return value Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 123/341] ASoC: SOF: Intel: hda-dsp: Make sure that no irq handler is pending before suspend Greg Kroah-Hartman
` (231 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Acayan, Dmitry Baryshkov,
Will Deacon, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Acayan <mailingradian@gmail.com>
[ Upstream commit 270a1470408e44619a55be1079254bf2ba0567fb ]
Add the compatible for the MDSS client on the Snapdragon 670 so it can
be properly configured by the IOMMU driver.
Otherwise, there is an unhandled context fault.
Signed-off-by: Richard Acayan <mailingradian@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20230925234246.900351-3-mailingradian@gmail.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
index 40503376d80cc..6e6cb19c81f59 100644
--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
@@ -252,6 +252,7 @@ static const struct of_device_id qcom_smmu_client_of_match[] __maybe_unused = {
{ .compatible = "qcom,sc7280-mss-pil" },
{ .compatible = "qcom,sc8180x-mdss" },
{ .compatible = "qcom,sc8280xp-mdss" },
+ { .compatible = "qcom,sdm670-mdss" },
{ .compatible = "qcom,sdm845-mdss" },
{ .compatible = "qcom,sdm845-mss-pil" },
{ .compatible = "qcom,sm6350-mdss" },
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 123/341] ASoC: SOF: Intel: hda-dsp: Make sure that no irq handler is pending before suspend
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 122/341] iommu/arm-smmu-qcom: Add SDM670 MDSS compatible Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 124/341] scsi: spi: Fix sshdr use Greg Kroah-Hartman
` (230 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guennadi Liakhovetski,
Peter Ujfalusi, Pierre-Louis Bossart, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
[ Upstream commit 576a0b71b5b479008dacb3047a346625040f5ac6 ]
In the existing IPC support, the reply to each IPC message is handled in
an IRQ thread. The assumption is that the IRQ thread is scheduled without
significant delays.
On an experimental (iow, buggy) kernel, the IRQ thread dealing with the
reply to the last IPC message before powering-down the DSP can be delayed
by several seconds. The IRQ thread will proceed with register accesses
after the DSP is powered-down which results in a kernel crash.
While the bug which causes the delay is not in the audio stack, we must
handle such cases with defensive programming to avoid such crashes.
Call synchronize_irq() before proceeding to power down the DSP to make
sure that no irq thread is pending execution.
Closes: https://github.com/thesofproject/linux/issues/4608
Reviewed-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20231012191850.147140-3-pierre-louis.bossart@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/intel/hda-dsp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/sof/intel/hda-dsp.c b/sound/soc/sof/intel/hda-dsp.c
index e80a2a5ec56a1..1506982a56c30 100644
--- a/sound/soc/sof/intel/hda-dsp.c
+++ b/sound/soc/sof/intel/hda-dsp.c
@@ -709,6 +709,9 @@ static int hda_suspend(struct snd_sof_dev *sdev, bool runtime_suspend)
if (ret < 0)
return ret;
+ /* make sure that no irq handler is pending before shutdown */
+ synchronize_irq(sdev->ipc_irq);
+
hda_codec_jack_wake_enable(sdev, runtime_suspend);
/* power down all hda links */
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 124/341] scsi: spi: Fix sshdr use
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 123/341] ASoC: SOF: Intel: hda-dsp: Make sure that no irq handler is pending before suspend Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 125/341] wifi: mac80211: flush STA queues on unauthorization Greg Kroah-Hartman
` (229 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Christie, Christoph Hellwig,
John Garry, Martin Wilck, Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Christie <michael.christie@oracle.com>
[ Upstream commit 0b149cee836aa53989ea089af1cb9d90d7c6ac9e ]
If scsi_execute_cmd returns < 0, it doesn't initialize the sshdr, so we
shouldn't access the sshdr. If it returns 0, then the cmd executed
successfully, so there is no need to check the sshdr. This has us access
the sshdr when we get a return value > 0.
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Link: https://lore.kernel.org/r/20231004210013.5601-7-michael.christie@oracle.com
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: Martin Wilck <mwilck@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_transport_spi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/scsi_transport_spi.c b/drivers/scsi/scsi_transport_spi.c
index 2442d4d2e3f38..f668c1c0a98f2 100644
--- a/drivers/scsi/scsi_transport_spi.c
+++ b/drivers/scsi/scsi_transport_spi.c
@@ -676,10 +676,10 @@ spi_dv_device_echo_buffer(struct scsi_device *sdev, u8 *buffer,
for (r = 0; r < retries; r++) {
result = spi_execute(sdev, spi_write_buffer, REQ_OP_DRV_OUT,
buffer, len, &sshdr);
- if(result || !scsi_device_online(sdev)) {
+ if (result || !scsi_device_online(sdev)) {
scsi_device_set_state(sdev, SDEV_QUIESCE);
- if (scsi_sense_valid(&sshdr)
+ if (result > 0 && scsi_sense_valid(&sshdr)
&& sshdr.sense_key == ILLEGAL_REQUEST
/* INVALID FIELD IN CDB */
&& sshdr.asc == 0x24 && sshdr.ascq == 0x00)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 125/341] wifi: mac80211: flush STA queues on unauthorization
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 124/341] scsi: spi: Fix sshdr use Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 126/341] gfs2: setattr_chown: Add missing initialization Greg Kroah-Hartman
` (228 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Berg, Gregory Greenman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 06d6af4e1223339bb597b02fa8ad3f979ddb5511 ]
When the station is marked as no longer authorized, we shouldn't
transmit to it any longer, but in particular we shouldn't be able
to transmit to it after removing keys, which might lead to frames
being sent out unencrypted depending on the exact hardware offload
mechanism. Thus, instead of flushing only on station destruction,
which covers only some cases, always flush on unauthorization.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230928172905.d47f528829e7.I96903652c7ee0c5c66891f8b2364383da8e45a1f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/sta_info.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 42ba51a9700f2..5d71e8d084c45 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1284,6 +1284,8 @@ static int _sta_info_move_state(struct sta_info *sta,
enum ieee80211_sta_state new_state,
bool recalc)
{
+ struct ieee80211_local *local = sta->local;
+
might_sleep();
if (sta->sta_state == new_state)
@@ -1359,6 +1361,24 @@ static int _sta_info_move_state(struct sta_info *sta,
} else if (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
ieee80211_vif_dec_num_mcast(sta->sdata);
clear_bit(WLAN_STA_AUTHORIZED, &sta->_flags);
+
+ /*
+ * If we have encryption offload, flush (station) queues
+ * (after ensuring concurrent TX completed) so we won't
+ * transmit anything later unencrypted if/when keys are
+ * also removed, which might otherwise happen depending
+ * on how the hardware offload works.
+ */
+ if (local->ops->set_key) {
+ synchronize_net();
+ if (local->ops->flush_sta)
+ drv_flush_sta(local, sta->sdata, sta);
+ else
+ ieee80211_flush_queues(local,
+ sta->sdata,
+ false);
+ }
+
ieee80211_clear_fast_xmit(sta);
ieee80211_clear_fast_rx(sta);
}
@@ -1424,18 +1444,6 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc)
WARN_ON_ONCE(ret);
}
- /* Flush queues before removing keys, as that might remove them
- * from hardware, and then depending on the offload method, any
- * frames sitting on hardware queues might be sent out without
- * any encryption at all.
- */
- if (local->ops->set_key) {
- if (local->ops->flush_sta)
- drv_flush_sta(local, sta->sdata, sta);
- else
- ieee80211_flush_queues(local, sta->sdata, false);
- }
-
/* now keys can no longer be reached */
ieee80211_free_sta_keys(local, sta);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 126/341] gfs2: setattr_chown: Add missing initialization
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 125/341] wifi: mac80211: flush STA queues on unauthorization Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 127/341] wifi: iwlwifi: abort scan when rfkill on but device enabled Greg Kroah-Hartman
` (227 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 2d8d7990619878a848b1d916c2f936d3012ee17d ]
Add a missing initialization of variable ap in setattr_chown().
Without, chown() may be able to bypass quotas.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 3de0d8ab42eaf..29085643ad104 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -1929,7 +1929,7 @@ static int setattr_chown(struct inode *inode, struct iattr *attr)
kuid_t ouid, nuid;
kgid_t ogid, ngid;
int error;
- struct gfs2_alloc_parms ap;
+ struct gfs2_alloc_parms ap = {};
ouid = inode->i_uid;
ogid = inode->i_gid;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 127/341] wifi: iwlwifi: abort scan when rfkill on but device enabled
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 126/341] gfs2: setattr_chown: Add missing initialization Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 128/341] wifi: iwlwifi: fw: Fix debugfs command sending Greg Kroah-Hartman
` (226 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miri Korenblit, Gregory Greenman,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
[ Upstream commit 3c6a0b1f0add72e7f522bc9145222b86d0a7712a ]
In RFKILL we first set the RFKILL bit, then we abort scan
(if one exists) by waiting for the notification from FW
and notifying mac80211. And then we stop the device.
But in case we have a scan ongoing in the period of time between
rfkill on and before the device is stopped - we will not wait for the
FW notification because of the iwl_mvm_is_radio_killed() condition,
and then the scan_status and uid_status are misconfigured,
(scan_status is cleared but uid_status not)
and when the notification suddenly arrives (before stopping the device)
we will get into the assert about scan_status and uid_status mismatch.
Fix this by waiting for FW notif when rfkill is on but the device isn't
disabled yet.
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20231004123422.c43b69aa2c77.Icc7b5efb47974d6f499156ff7510b786e177993b@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
index 6ef932e6299da..9ca90c0806c0f 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
@@ -3413,7 +3413,7 @@ int iwl_mvm_scan_stop(struct iwl_mvm *mvm, int type, bool notify)
if (!(mvm->scan_status & type))
return 0;
- if (iwl_mvm_is_radio_killed(mvm)) {
+ if (!test_bit(STATUS_DEVICE_ENABLED, &mvm->trans->status)) {
ret = 0;
goto out;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 128/341] wifi: iwlwifi: fw: Fix debugfs command sending
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 127/341] wifi: iwlwifi: abort scan when rfkill on but device enabled Greg Kroah-Hartman
@ 2024-08-27 14:35 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 129/341] wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware() Greg Kroah-Hartman
` (225 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mukesh Sisodiya, Gregory Greenman,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mukesh Sisodiya <mukesh.sisodiya@intel.com>
[ Upstream commit 048449fc666d736a1a17d950fde0b5c5c8fd10cc ]
During debugfs command handling transport function is used directly,
this bypasses the locking used by runtime operation function
and leads to a kernel warning when two commands are
sent in parallel.
Fix it by using runtime operations function when sending
debugfs command.
Signed-off-by: Mukesh Sisodiya <mukesh.sisodiya@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20231004123422.4f80ac90658a.Ia1dfa1195c919f3002fe08db3eefbd2bfa921bbf@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/fw/debugfs.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c b/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c
index 3cdbc6ac7ae5d..3356e36e2af73 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c
@@ -141,7 +141,11 @@ static int iwl_dbgfs_enabled_severities_write(struct iwl_fw_runtime *fwrt,
event_cfg.enabled_severities = cpu_to_le32(enabled_severities);
- ret = iwl_trans_send_cmd(fwrt->trans, &hcmd);
+ if (fwrt->ops && fwrt->ops->send_hcmd)
+ ret = fwrt->ops->send_hcmd(fwrt->ops_ctx, &hcmd);
+ else
+ ret = -EPERM;
+
IWL_INFO(fwrt,
"sent host event cfg with enabled_severities: %u, ret: %d\n",
enabled_severities, ret);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 129/341] wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2024-08-27 14:35 ` [PATCH 6.6 128/341] wifi: iwlwifi: fw: Fix debugfs command sending Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 130/341] clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider Greg Kroah-Hartman
` (224 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov, Gregory Greenman,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 3c8aaaa7557b1e33e6ef95a27a5d8a139dcd0874 ]
In 'iwl_parse_tlv_firmware()', check for 'kmemdup()' return value
when handling IWL_UCODE_TLV_CURRENT_PC and set the number of parsed
entries only if an allocation was successful (just like it does with
handling IWL_UCODE_TLV_CMD_VERSIONS above). Compile tested only.
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20231009170453.149905-1-dmantipov@yandex.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
index a56593b6135f6..47bea1855e8c8 100644
--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
@@ -1304,10 +1304,12 @@ static int iwl_parse_tlv_firmware(struct iwl_drv *drv,
case IWL_UCODE_TLV_CURRENT_PC:
if (tlv_len < sizeof(struct iwl_pc_data))
goto invalid_tlv_len;
- drv->trans->dbg.num_pc =
- tlv_len / sizeof(struct iwl_pc_data);
drv->trans->dbg.pc_data =
kmemdup(tlv_data, tlv_len, GFP_KERNEL);
+ if (!drv->trans->dbg.pc_data)
+ return -ENOMEM;
+ drv->trans->dbg.num_pc =
+ tlv_len / sizeof(struct iwl_pc_data);
break;
default:
IWL_DEBUG_INFO(drv, "unknown TLV: %d\n", tlv_type);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 130/341] clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 129/341] wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware() Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 131/341] IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock Greg Kroah-Hartman
` (223 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Nobuhiro Iwamatsu,
Gustavo A. R. Silva, Stephen Boyd, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo A. R. Silva <gustavoars@kernel.org>
[ Upstream commit 397d887c1601a71e8a8abdb6beea67d58f0472d3 ]
In order to gain the bounds-checking coverage that __counted_by provides
to flexible-array members at run-time via CONFIG_UBSAN_BOUNDS (for array
indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions),
we must make sure that the counter member, in this particular case `num`,
is updated before the first access to the flex-array member, in this
particular case array `hws`. See below:
commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with
__counted_by") introduced `__counted_by` for `struct clk_hw_onecell_data`
together with changes to relocate some of assignments of counter `num`
before `hws` is accessed:
include/linux/clk-provider.h:
1380 struct clk_hw_onecell_data {
1381 unsigned int num;
1382 struct clk_hw *hws[] __counted_by(num);
1383 };
However, this structure is used as a member in other structs, in this
case in `struct visconti_pll_provider`:
drivers/clk/visconti/pll.h:
16 struct visconti_pll_provider {
17 void __iomem *reg_base;
18 struct device_node *node;
19
20 /* Must be last */
21 struct clk_hw_onecell_data clk_data;
22 };
Hence, we need to move the assignments to `ctx->clk_data.num` after
allocation for `struct visconti_pll_provider` and before accessing the
flexible array `ctx->clk_data.hws`. And, as assignments for all members
in `struct visconti_pll_provider` are originally adjacent to each other,
relocate all assignments together, so we don't split up
`ctx->clk_data.hws = nr_plls` from the rest. :)
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/e3189f3e40e8723b6d794fb2260e2e9ab6b960bd.1697492890.git.gustavoars@kernel.org
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/visconti/pll.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/clk/visconti/pll.c b/drivers/clk/visconti/pll.c
index 1f3234f226674..e9cd80e085dc3 100644
--- a/drivers/clk/visconti/pll.c
+++ b/drivers/clk/visconti/pll.c
@@ -329,12 +329,12 @@ struct visconti_pll_provider * __init visconti_init_pll(struct device_node *np,
if (!ctx)
return ERR_PTR(-ENOMEM);
- for (i = 0; i < nr_plls; ++i)
- ctx->clk_data.hws[i] = ERR_PTR(-ENOENT);
-
ctx->node = np;
ctx->reg_base = base;
ctx->clk_data.num = nr_plls;
+ for (i = 0; i < nr_plls; ++i)
+ ctx->clk_data.hws[i] = ERR_PTR(-ENOENT);
+
return ctx;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 131/341] IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 130/341] clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 132/341] hwmon: (ltc2992) Avoid division by zero Greg Kroah-Hartman
` (222 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chengfeng Ye, Dennis Dalessandro,
Leon Romanovsky, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengfeng Ye <dg573847474@gmail.com>
[ Upstream commit 2f19c4b8395ccb6eb25ccafee883c8cfbe3fc193 ]
handle_receive_interrupt_napi_sp() running inside interrupt handler
could introduce inverse lock ordering between &dd->irq_src_lock
and &dd->uctxt_lock, if read_mod_write() is preempted by the isr.
[CPU0] | [CPU1]
hfi1_ipoib_dev_open() |
--> hfi1_netdev_enable_queues() |
--> enable_queues(rx) |
--> hfi1_rcvctrl() |
--> set_intr_bits() |
--> read_mod_write() |
--> spin_lock(&dd->irq_src_lock) |
| hfi1_poll()
| --> poll_next()
| --> spin_lock_irq(&dd->uctxt_lock)
|
| --> hfi1_rcvctrl()
| --> set_intr_bits()
| --> read_mod_write()
| --> spin_lock(&dd->irq_src_lock)
<interrupt> |
--> handle_receive_interrupt_napi_sp() |
--> set_all_fastpath() |
--> hfi1_rcd_get_by_index() |
--> spin_lock_irqsave(&dd->uctxt_lock) |
This flaw was found by an experimental static analysis tool I am
developing for irq-related deadlock.
To prevent the potential deadlock, the patch use spin_lock_irqsave()
on &dd->irq_src_lock inside read_mod_write() to prevent the possible
deadlock scenario.
Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
Link: https://lore.kernel.org/r/20230926101116.2797-1-dg573847474@gmail.com
Acked-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hfi1/chip.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/hfi1/chip.c b/drivers/infiniband/hw/hfi1/chip.c
index 0814291a04120..9b542f7c6c115 100644
--- a/drivers/infiniband/hw/hfi1/chip.c
+++ b/drivers/infiniband/hw/hfi1/chip.c
@@ -13185,15 +13185,16 @@ static void read_mod_write(struct hfi1_devdata *dd, u16 src, u64 bits,
{
u64 reg;
u16 idx = src / BITS_PER_REGISTER;
+ unsigned long flags;
- spin_lock(&dd->irq_src_lock);
+ spin_lock_irqsave(&dd->irq_src_lock, flags);
reg = read_csr(dd, CCE_INT_MASK + (8 * idx));
if (set)
reg |= bits;
else
reg &= ~bits;
write_csr(dd, CCE_INT_MASK + (8 * idx), reg);
- spin_unlock(&dd->irq_src_lock);
+ spin_unlock_irqrestore(&dd->irq_src_lock, flags);
}
/**
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 132/341] hwmon: (ltc2992) Avoid division by zero
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 131/341] IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 133/341] rust: work around `bindgen` 0.69.0 issue Greg Kroah-Hartman
` (221 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Guenter Roeck,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
[ Upstream commit 10b02902048737f376104bc69e5212466e65a542 ]
Do not allow setting shunt resistor to 0. This results in a division by
zero when performing current value computations based on input voltages
and connected resistor values.
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Link: https://lore.kernel.org/r/20231011135754.13508-1-antoniu.miclaus@analog.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/ltc2992.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/hwmon/ltc2992.c b/drivers/hwmon/ltc2992.c
index 589bcd07ce7f7..001799bc28ed6 100644
--- a/drivers/hwmon/ltc2992.c
+++ b/drivers/hwmon/ltc2992.c
@@ -875,8 +875,12 @@ static int ltc2992_parse_dt(struct ltc2992_state *st)
}
ret = fwnode_property_read_u32(child, "shunt-resistor-micro-ohms", &val);
- if (!ret)
+ if (!ret) {
+ if (!val)
+ return dev_err_probe(&st->client->dev, -EINVAL,
+ "shunt resistor value cannot be zero\n");
st->r_sense_uohm[addr] = val;
+ }
}
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 133/341] rust: work around `bindgen` 0.69.0 issue
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 132/341] hwmon: (ltc2992) Avoid division by zero Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 134/341] rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Greg Kroah-Hartman
` (220 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Finn Behrens, Benno Lossin,
Andreas Hindborg, Miguel Ojeda, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miguel Ojeda <ojeda@kernel.org>
[ Upstream commit 9e98db17837093cb0f4dcfcc3524739d93249c45 ]
`bindgen` 0.69.0 contains a bug: `--version` does not work without
providing a header [1]:
error: the following required arguments were not provided:
<HEADER>
Usage: bindgen <FLAGS> <OPTIONS> <HEADER> -- <CLANG_ARGS>...
Thus, in preparation for supporting several `bindgen` versions, work
around the issue by passing a dummy argument.
Include a comment so that we can remove the workaround in the future.
Link: https://github.com/rust-lang/rust-bindgen/pull/2678 [1]
Reviewed-by: Finn Behrens <me@kloenk.dev>
Tested-by: Benno Lossin <benno.lossin@proton.me>
Tested-by: Andreas Hindborg <a.hindborg@samsung.com>
Link: https://lore.kernel.org/r/20240709160615.998336-9-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Stable-dep-of: 5ce86c6c8613 ("rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
init/Kconfig | 5 ++++-
scripts/rust_is_available.sh | 6 +++++-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index e173364abd6c0..777113dceca55 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1921,7 +1921,10 @@ config RUSTC_VERSION_TEXT
config BINDGEN_VERSION_TEXT
string
depends on RUST
- default $(shell,command -v $(BINDGEN) >/dev/null 2>&1 && $(BINDGEN) --version || echo n)
+ # The dummy parameter `workaround-for-0.69.0` is required to support 0.69.0
+ # (https://github.com/rust-lang/rust-bindgen/pull/2678). It can be removed when
+ # the minimum version is upgraded past that (0.69.1 already fixed the issue).
+ default $(shell,command -v $(BINDGEN) >/dev/null 2>&1 && $(BINDGEN) --version workaround-for-0.69.0 || echo n)
#
# Place an empty function call at each tracepoint site. Can be
diff --git a/scripts/rust_is_available.sh b/scripts/rust_is_available.sh
index 117018946b577..a6fdcf13e0e53 100755
--- a/scripts/rust_is_available.sh
+++ b/scripts/rust_is_available.sh
@@ -129,8 +129,12 @@ fi
# Check that the Rust bindings generator is suitable.
#
# Non-stable and distributions' versions may have a version suffix, e.g. `-dev`.
+#
+# The dummy parameter `workaround-for-0.69.0` is required to support 0.69.0
+# (https://github.com/rust-lang/rust-bindgen/pull/2678). It can be removed when
+# the minimum version is upgraded past that (0.69.1 already fixed the issue).
rust_bindings_generator_output=$( \
- LC_ALL=C "$BINDGEN" --version 2>/dev/null
+ LC_ALL=C "$BINDGEN" --version workaround-for-0.69.0 2>/dev/null
) || rust_bindings_generator_code=$?
if [ -n "$rust_bindings_generator_code" ]; then
echo >&2 "***"
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 134/341] rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 133/341] rust: work around `bindgen` 0.69.0 issue Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 135/341] rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Greg Kroah-Hartman
` (219 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Miguel Ojeda,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit 5ce86c6c861352c9346ebb5c96ed70cb67414aa3 ]
While this is a somewhat unusual case, I encountered odd error messages
when I ran Kconfig in a foreign architecture chroot.
$ make allmodconfig
sh: 1: rustc: not found
sh: 1: bindgen: not found
#
# configuration written to .config
#
The successful execution of 'command -v rustc' does not necessarily mean
that 'rustc --version' will succeed.
$ sh -c 'command -v rustc'
/home/masahiro/.cargo/bin/rustc
$ sh -c 'rustc --version'
sh: 1: rustc: not found
Here, 'rustc' is built for x86, and I ran it in an arm64 system.
The current code:
command -v $(RUSTC) >/dev/null 2>&1 && $(RUSTC) --version || echo n
can be turned into:
command -v $(RUSTC) >/dev/null 2>&1 && $(RUSTC) --version 2>/dev/null || echo n
However, I did not understand the necessity of 'command -v $(RUSTC)'.
I simplified it to:
$(RUSTC) --version 2>/dev/null || echo n
Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Link: https://lore.kernel.org/r/20240727140302.1806011-1-masahiroy@kernel.org
[ Rebased on top of v6.11-rc1. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
init/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index 777113dceca55..b5bcc863bf608 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1916,7 +1916,7 @@ config RUST
config RUSTC_VERSION_TEXT
string
depends on RUST
- default $(shell,command -v $(RUSTC) >/dev/null 2>&1 && $(RUSTC) --version || echo n)
+ default $(shell,$(RUSTC) --version 2>/dev/null || echo n)
config BINDGEN_VERSION_TEXT
string
@@ -1924,7 +1924,7 @@ config BINDGEN_VERSION_TEXT
# The dummy parameter `workaround-for-0.69.0` is required to support 0.69.0
# (https://github.com/rust-lang/rust-bindgen/pull/2678). It can be removed when
# the minimum version is upgraded past that (0.69.1 already fixed the issue).
- default $(shell,command -v $(BINDGEN) >/dev/null 2>&1 && $(BINDGEN) --version workaround-for-0.69.0 || echo n)
+ default $(shell,$(BINDGEN) --version workaround-for-0.69.0 2>/dev/null || echo n)
#
# Place an empty function call at each tracepoint site. Can be
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 135/341] rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 134/341] rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 136/341] cpu/SMT: Enable SMT only if a core is online Greg Kroah-Hartman
` (218 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Miguel Ojeda,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit aacf93e87f0d808ef46e621aa56caea336b4433c ]
Another oddity in these config entries is their default value can fall
back to 'n', which is a value for bool or tristate symbols.
The '|| echo n' is an incorrect workaround to avoid the syntax error.
This is not a big deal, as the entry is hidden by 'depends on RUST' in
situations where '$(RUSTC) --version' or '$(BINDGEN) --version' fails.
Anyway, it looks odd.
The default of a string type symbol should be a double-quoted string
literal. Turn it into an empty string when the version command fails.
Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Link: https://lore.kernel.org/r/20240727140302.1806011-2-masahiroy@kernel.org
[ Rebased on top of v6.11-rc1. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
init/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index b5bcc863bf608..6054ba684c539 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1916,7 +1916,7 @@ config RUST
config RUSTC_VERSION_TEXT
string
depends on RUST
- default $(shell,$(RUSTC) --version 2>/dev/null || echo n)
+ default "$(shell,$(RUSTC) --version 2>/dev/null)"
config BINDGEN_VERSION_TEXT
string
@@ -1924,7 +1924,7 @@ config BINDGEN_VERSION_TEXT
# The dummy parameter `workaround-for-0.69.0` is required to support 0.69.0
# (https://github.com/rust-lang/rust-bindgen/pull/2678). It can be removed when
# the minimum version is upgraded past that (0.69.1 already fixed the issue).
- default $(shell,$(BINDGEN) --version workaround-for-0.69.0 2>/dev/null || echo n)
+ default "$(shell,$(BINDGEN) --version workaround-for-0.69.0 2>/dev/null)"
#
# Place an empty function call at each tracepoint site. Can be
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 136/341] cpu/SMT: Enable SMT only if a core is online
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 135/341] rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 137/341] powerpc/topology: Check " Greg Kroah-Hartman
` (217 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tyrel Datwyler, Nysal Jan K.A,
Shrikanth Hegde, Thomas Gleixner, Michael Ellerman, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nysal Jan K.A <nysal@linux.ibm.com>
[ Upstream commit 6c17ea1f3eaa330d445ac14a9428402ce4e3055e ]
If a core is offline then enabling SMT should not online CPUs of
this core. By enabling SMT, what is intended is either changing the SMT
value from "off" to "on" or setting the SMT level (threads per core) from a
lower to higher value.
On PowerPC the ppc64_cpu utility can be used, among other things, to
perform the following functions:
ppc64_cpu --cores-on # Get the number of online cores
ppc64_cpu --cores-on=X # Put exactly X cores online
ppc64_cpu --offline-cores=X[,Y,...] # Put specified cores offline
ppc64_cpu --smt={on|off|value} # Enable, disable or change SMT level
If the user has decided to offline certain cores, enabling SMT should
not online CPUs in those cores. This patch fixes the issue and changes
the behaviour as described, by introducing an arch specific function
topology_is_core_online(). It is currently implemented only for PowerPC.
Fixes: 73c58e7e1412 ("powerpc: Add HOTPLUG_SMT support")
Reported-by: Tyrel Datwyler <tyreld@linux.ibm.com>
Closes: https://groups.google.com/g/powerpc-utils-devel/c/wrwVzAAnRlI/m/5KJSoqP4BAAJ
Signed-off-by: Nysal Jan K.A <nysal@linux.ibm.com>
Reviewed-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240731030126.956210-2-nysal@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/ABI/testing/sysfs-devices-system-cpu | 3 ++-
kernel/cpu.c | 12 +++++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
index 34b6f6ab47422..657bdee28d845 100644
--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -565,7 +565,8 @@ Description: Control Symmetric Multi Threading (SMT)
================ =========================================
If control status is "forceoff" or "notsupported" writes
- are rejected.
+ are rejected. Note that enabling SMT on PowerPC skips
+ offline cores.
What: /sys/devices/system/cpu/cpuX/power/energy_perf_bias
Date: March 2019
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 874bfb952e6e8..0c72b94ed076a 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -2728,6 +2728,16 @@ int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval)
return ret;
}
+/**
+ * Check if the core a CPU belongs to is online
+ */
+#if !defined(topology_is_core_online)
+static inline bool topology_is_core_online(unsigned int cpu)
+{
+ return true;
+}
+#endif
+
int cpuhp_smt_enable(void)
{
int cpu, ret = 0;
@@ -2738,7 +2748,7 @@ int cpuhp_smt_enable(void)
/* Skip online CPUs and CPUs on offline nodes */
if (cpu_online(cpu) || !node_online(cpu_to_node(cpu)))
continue;
- if (!cpu_smt_thread_allowed(cpu))
+ if (!cpu_smt_thread_allowed(cpu) || !topology_is_core_online(cpu))
continue;
ret = _cpu_up(cpu, 0, CPUHP_ONLINE);
if (ret)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 137/341] powerpc/topology: Check if a core is online
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 136/341] cpu/SMT: Enable SMT only if a core is online Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 138/341] arm64: Fix KASAN random tag seed initialization Greg Kroah-Hartman
` (216 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nysal Jan K.A, Shrikanth Hegde,
Michael Ellerman, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nysal Jan K.A <nysal@linux.ibm.com>
[ Upstream commit 227bbaabe64b6f9cd98aa051454c1d4a194a8c6a ]
topology_is_core_online() checks if the core a CPU belongs to
is online. The core is online if at least one of the sibling
CPUs is online. The first CPU of an online core is also online
in the common case, so this should be fairly quick.
Fixes: 73c58e7e1412 ("powerpc: Add HOTPLUG_SMT support")
Signed-off-by: Nysal Jan K.A <nysal@linux.ibm.com>
Reviewed-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240731030126.956210-3-nysal@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/topology.h | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/arch/powerpc/include/asm/topology.h b/arch/powerpc/include/asm/topology.h
index f4e6f2dd04b73..16bacfe8c7a2c 100644
--- a/arch/powerpc/include/asm/topology.h
+++ b/arch/powerpc/include/asm/topology.h
@@ -145,6 +145,7 @@ static inline int cpu_to_coregroup_id(int cpu)
#ifdef CONFIG_HOTPLUG_SMT
#include <linux/cpu_smt.h>
+#include <linux/cpumask.h>
#include <asm/cputhreads.h>
static inline bool topology_is_primary_thread(unsigned int cpu)
@@ -156,6 +157,18 @@ static inline bool topology_smt_thread_allowed(unsigned int cpu)
{
return cpu_thread_in_core(cpu) < cpu_smt_num_threads;
}
+
+#define topology_is_core_online topology_is_core_online
+static inline bool topology_is_core_online(unsigned int cpu)
+{
+ int i, first_cpu = cpu_first_thread_sibling(cpu);
+
+ for (i = first_cpu; i < first_cpu + threads_per_core; ++i) {
+ if (cpu_online(i))
+ return true;
+ }
+ return false;
+}
#endif
#endif /* __KERNEL__ */
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 138/341] arm64: Fix KASAN random tag seed initialization
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 137/341] powerpc/topology: Check " Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 139/341] block: Fix lockdep warning in blk_mq_mark_tag_wait Greg Kroah-Hartman
` (215 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuel Holland, Andrey Konovalov,
Catalin Marinas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuel Holland <samuel.holland@sifive.com>
[ Upstream commit f75c235565f90c4a17b125e47f1c68ef6b8c2bce ]
Currently, kasan_init_sw_tags() is called before setup_per_cpu_areas(),
so per_cpu(prng_state, cpu) accesses the same address regardless of the
value of "cpu", and the same seed value gets copied to the percpu area
for every CPU. Fix this by moving the call to smp_prepare_boot_cpu(),
which is the first architecture hook after setup_per_cpu_areas().
Fixes: 3c9e3aa11094 ("kasan: add tag related helper functions")
Fixes: 3f41b6093823 ("kasan: fix random seed generation for tag-based mode")
Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Link: https://lore.kernel.org/r/20240814091005.969756-1-samuel.holland@sifive.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/setup.c | 3 ---
arch/arm64/kernel/smp.c | 2 ++
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
index 417a8a86b2db5..c583d1f335f8c 100644
--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
@@ -371,9 +371,6 @@ void __init __no_sanitize_address setup_arch(char **cmdline_p)
smp_init_cpus();
smp_build_mpidr_hash();
- /* Init percpu seeds for random tags after cpus are set up. */
- kasan_init_sw_tags();
-
#ifdef CONFIG_ARM64_SW_TTBR0_PAN
/*
* Make sure init_thread_info.ttbr0 always generates translation
diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
index 960b98b43506d..14365ef842440 100644
--- a/arch/arm64/kernel/smp.c
+++ b/arch/arm64/kernel/smp.c
@@ -459,6 +459,8 @@ void __init smp_prepare_boot_cpu(void)
init_gic_priority_masking();
kasan_init_hw_tags();
+ /* Init percpu seeds for random tags after cpus are set up. */
+ kasan_init_sw_tags();
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 139/341] block: Fix lockdep warning in blk_mq_mark_tag_wait
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 138/341] arm64: Fix KASAN random tag seed initialization Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 140/341] drm/msm: Reduce fallout of fence signaling vs reclaim hangs Greg Kroah-Hartman
` (214 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Ming Lei, Yu Kuai,
Bart Van Assche, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
[ Upstream commit b313a8c835516bdda85025500be866ac8a74e022 ]
Lockdep reported a warning in Linux version 6.6:
[ 414.344659] ================================
[ 414.345155] WARNING: inconsistent lock state
[ 414.345658] 6.6.0-07439-gba2303cacfda #6 Not tainted
[ 414.346221] --------------------------------
[ 414.346712] inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
[ 414.347545] kworker/u10:3/1152 [HC0[0]:SC0[0]:HE0:SE1] takes:
[ 414.349245] ffff88810edd1098 (&sbq->ws[i].wait){+.?.}-{2:2}, at: blk_mq_dispatch_rq_list+0x131c/0x1ee0
[ 414.351204] {IN-SOFTIRQ-W} state was registered at:
[ 414.351751] lock_acquire+0x18d/0x460
[ 414.352218] _raw_spin_lock_irqsave+0x39/0x60
[ 414.352769] __wake_up_common_lock+0x22/0x60
[ 414.353289] sbitmap_queue_wake_up+0x375/0x4f0
[ 414.353829] sbitmap_queue_clear+0xdd/0x270
[ 414.354338] blk_mq_put_tag+0xdf/0x170
[ 414.354807] __blk_mq_free_request+0x381/0x4d0
[ 414.355335] blk_mq_free_request+0x28b/0x3e0
[ 414.355847] __blk_mq_end_request+0x242/0xc30
[ 414.356367] scsi_end_request+0x2c1/0x830
[ 414.345155] WARNING: inconsistent lock state
[ 414.345658] 6.6.0-07439-gba2303cacfda #6 Not tainted
[ 414.346221] --------------------------------
[ 414.346712] inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
[ 414.347545] kworker/u10:3/1152 [HC0[0]:SC0[0]:HE0:SE1] takes:
[ 414.349245] ffff88810edd1098 (&sbq->ws[i].wait){+.?.}-{2:2}, at: blk_mq_dispatch_rq_list+0x131c/0x1ee0
[ 414.351204] {IN-SOFTIRQ-W} state was registered at:
[ 414.351751] lock_acquire+0x18d/0x460
[ 414.352218] _raw_spin_lock_irqsave+0x39/0x60
[ 414.352769] __wake_up_common_lock+0x22/0x60
[ 414.353289] sbitmap_queue_wake_up+0x375/0x4f0
[ 414.353829] sbitmap_queue_clear+0xdd/0x270
[ 414.354338] blk_mq_put_tag+0xdf/0x170
[ 414.354807] __blk_mq_free_request+0x381/0x4d0
[ 414.355335] blk_mq_free_request+0x28b/0x3e0
[ 414.355847] __blk_mq_end_request+0x242/0xc30
[ 414.356367] scsi_end_request+0x2c1/0x830
[ 414.356863] scsi_io_completion+0x177/0x1610
[ 414.357379] scsi_complete+0x12f/0x260
[ 414.357856] blk_complete_reqs+0xba/0xf0
[ 414.358338] __do_softirq+0x1b0/0x7a2
[ 414.358796] irq_exit_rcu+0x14b/0x1a0
[ 414.359262] sysvec_call_function_single+0xaf/0xc0
[ 414.359828] asm_sysvec_call_function_single+0x1a/0x20
[ 414.360426] default_idle+0x1e/0x30
[ 414.360873] default_idle_call+0x9b/0x1f0
[ 414.361390] do_idle+0x2d2/0x3e0
[ 414.361819] cpu_startup_entry+0x55/0x60
[ 414.362314] start_secondary+0x235/0x2b0
[ 414.362809] secondary_startup_64_no_verify+0x18f/0x19b
[ 414.363413] irq event stamp: 428794
[ 414.363825] hardirqs last enabled at (428793): [<ffffffff816bfd1c>] ktime_get+0x1dc/0x200
[ 414.364694] hardirqs last disabled at (428794): [<ffffffff85470177>] _raw_spin_lock_irq+0x47/0x50
[ 414.365629] softirqs last enabled at (428444): [<ffffffff85474780>] __do_softirq+0x540/0x7a2
[ 414.366522] softirqs last disabled at (428419): [<ffffffff813f65ab>] irq_exit_rcu+0x14b/0x1a0
[ 414.367425]
other info that might help us debug this:
[ 414.368194] Possible unsafe locking scenario:
[ 414.368900] CPU0
[ 414.369225] ----
[ 414.369548] lock(&sbq->ws[i].wait);
[ 414.370000] <Interrupt>
[ 414.370342] lock(&sbq->ws[i].wait);
[ 414.370802]
*** DEADLOCK ***
[ 414.371569] 5 locks held by kworker/u10:3/1152:
[ 414.372088] #0: ffff88810130e938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_scheduled_works+0x357/0x13f0
[ 414.373180] #1: ffff88810201fdb8 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x3a3/0x13f0
[ 414.374384] #2: ffffffff86ffbdc0 (rcu_read_lock){....}-{1:2}, at: blk_mq_run_hw_queue+0x637/0xa00
[ 414.375342] #3: ffff88810edd1098 (&sbq->ws[i].wait){+.?.}-{2:2}, at: blk_mq_dispatch_rq_list+0x131c/0x1ee0
[ 414.376377] #4: ffff888106205a08 (&hctx->dispatch_wait_lock){+.-.}-{2:2}, at: blk_mq_dispatch_rq_list+0x1337/0x1ee0
[ 414.378607]
stack backtrace:
[ 414.379177] CPU: 0 PID: 1152 Comm: kworker/u10:3 Not tainted 6.6.0-07439-gba2303cacfda #6
[ 414.380032] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 414.381177] Workqueue: writeback wb_workfn (flush-253:0)
[ 414.381805] Call Trace:
[ 414.382136] <TASK>
[ 414.382429] dump_stack_lvl+0x91/0xf0
[ 414.382884] mark_lock_irq+0xb3b/0x1260
[ 414.383367] ? __pfx_mark_lock_irq+0x10/0x10
[ 414.383889] ? stack_trace_save+0x8e/0xc0
[ 414.384373] ? __pfx_stack_trace_save+0x10/0x10
[ 414.384903] ? graph_lock+0xcf/0x410
[ 414.385350] ? save_trace+0x3d/0xc70
[ 414.385808] mark_lock.part.20+0x56d/0xa90
[ 414.386317] mark_held_locks+0xb0/0x110
[ 414.386791] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 414.387320] lockdep_hardirqs_on_prepare+0x297/0x3f0
[ 414.387901] ? _raw_spin_unlock_irq+0x28/0x50
[ 414.388422] trace_hardirqs_on+0x58/0x100
[ 414.388917] _raw_spin_unlock_irq+0x28/0x50
[ 414.389422] __blk_mq_tag_busy+0x1d6/0x2a0
[ 414.389920] __blk_mq_get_driver_tag+0x761/0x9f0
[ 414.390899] blk_mq_dispatch_rq_list+0x1780/0x1ee0
[ 414.391473] ? __pfx_blk_mq_dispatch_rq_list+0x10/0x10
[ 414.392070] ? sbitmap_get+0x2b8/0x450
[ 414.392533] ? __blk_mq_get_driver_tag+0x210/0x9f0
[ 414.393095] __blk_mq_sched_dispatch_requests+0xd99/0x1690
[ 414.393730] ? elv_attempt_insert_merge+0x1b1/0x420
[ 414.394302] ? __pfx___blk_mq_sched_dispatch_requests+0x10/0x10
[ 414.394970] ? lock_acquire+0x18d/0x460
[ 414.395456] ? blk_mq_run_hw_queue+0x637/0xa00
[ 414.395986] ? __pfx_lock_acquire+0x10/0x10
[ 414.396499] blk_mq_sched_dispatch_requests+0x109/0x190
[ 414.397100] blk_mq_run_hw_queue+0x66e/0xa00
[ 414.397616] blk_mq_flush_plug_list.part.17+0x614/0x2030
[ 414.398244] ? __pfx_blk_mq_flush_plug_list.part.17+0x10/0x10
[ 414.398897] ? writeback_sb_inodes+0x241/0xcc0
[ 414.399429] blk_mq_flush_plug_list+0x65/0x80
[ 414.399957] __blk_flush_plug+0x2f1/0x530
[ 414.400458] ? __pfx___blk_flush_plug+0x10/0x10
[ 414.400999] blk_finish_plug+0x59/0xa0
[ 414.401467] wb_writeback+0x7cc/0x920
[ 414.401935] ? __pfx_wb_writeback+0x10/0x10
[ 414.402442] ? mark_held_locks+0xb0/0x110
[ 414.402931] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 414.403462] ? lockdep_hardirqs_on_prepare+0x297/0x3f0
[ 414.404062] wb_workfn+0x2b3/0xcf0
[ 414.404500] ? __pfx_wb_workfn+0x10/0x10
[ 414.404989] process_scheduled_works+0x432/0x13f0
[ 414.405546] ? __pfx_process_scheduled_works+0x10/0x10
[ 414.406139] ? do_raw_spin_lock+0x101/0x2a0
[ 414.406641] ? assign_work+0x19b/0x240
[ 414.407106] ? lock_is_held_type+0x9d/0x110
[ 414.407604] worker_thread+0x6f2/0x1160
[ 414.408075] ? __kthread_parkme+0x62/0x210
[ 414.408572] ? lockdep_hardirqs_on_prepare+0x297/0x3f0
[ 414.409168] ? __kthread_parkme+0x13c/0x210
[ 414.409678] ? __pfx_worker_thread+0x10/0x10
[ 414.410191] kthread+0x33c/0x440
[ 414.410602] ? __pfx_kthread+0x10/0x10
[ 414.411068] ret_from_fork+0x4d/0x80
[ 414.411526] ? __pfx_kthread+0x10/0x10
[ 414.411993] ret_from_fork_asm+0x1b/0x30
[ 414.412489] </TASK>
When interrupt is turned on while a lock holding by spin_lock_irq it
throws a warning because of potential deadlock.
blk_mq_prep_dispatch_rq
blk_mq_get_driver_tag
__blk_mq_get_driver_tag
__blk_mq_alloc_driver_tag
blk_mq_tag_busy -> tag is already busy
// failed to get driver tag
blk_mq_mark_tag_wait
spin_lock_irq(&wq->lock) -> lock A (&sbq->ws[i].wait)
__add_wait_queue(wq, wait) -> wait queue active
blk_mq_get_driver_tag
__blk_mq_tag_busy
-> 1) tag must be idle, which means there can't be inflight IO
spin_lock_irq(&tags->lock) -> lock B (hctx->tags)
spin_unlock_irq(&tags->lock) -> unlock B, turn on interrupt accidentally
-> 2) context must be preempt by IO interrupt to trigger deadlock.
As shown above, the deadlock is not possible in theory, but the warning
still need to be fixed.
Fix it by using spin_lock_irqsave to get lockB instead of spin_lock_irq.
Fixes: 4f1731df60f9 ("blk-mq: fix potential io hang by wrong 'wake_batch'")
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20240815024736.2040971-1-lilingfeng@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq-tag.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
index cc57e2dd9a0bb..2cafcf11ee8be 100644
--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -38,6 +38,7 @@ static void blk_mq_update_wake_batch(struct blk_mq_tags *tags,
void __blk_mq_tag_busy(struct blk_mq_hw_ctx *hctx)
{
unsigned int users;
+ unsigned long flags;
struct blk_mq_tags *tags = hctx->tags;
/*
@@ -56,11 +57,11 @@ void __blk_mq_tag_busy(struct blk_mq_hw_ctx *hctx)
return;
}
- spin_lock_irq(&tags->lock);
+ spin_lock_irqsave(&tags->lock, flags);
users = tags->active_queues + 1;
WRITE_ONCE(tags->active_queues, users);
blk_mq_update_wake_batch(tags, users);
- spin_unlock_irq(&tags->lock);
+ spin_unlock_irqrestore(&tags->lock, flags);
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 140/341] drm/msm: Reduce fallout of fence signaling vs reclaim hangs
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 139/341] block: Fix lockdep warning in blk_mq_mark_tag_wait Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 141/341] memory: tegra: Skip SID programming if SID registers arent set Greg Kroah-Hartman
` (213 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rob Clark, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robdclark@chromium.org>
[ Upstream commit 4bea53b9c7c72fd12a0ceebe88a71723c0a514b8 ]
Until various PM devfreq/QoS and interconnect patches land, we could
potentially trigger reclaim from gpu scheduler thread, and under enough
memory pressure that could trigger a sort of deadlock. Eventually the
wait will timeout and we'll move on to consider other GEM objects. But
given that there is still a potential for deadlock/stalling, we should
reduce the timeout to contain the damage.
Signed-off-by: Rob Clark <robdclark@chromium.org>
Patchwork: https://patchwork.freedesktop.org/patch/568031/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_gem_shrinker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/msm_gem_shrinker.c b/drivers/gpu/drm/msm/msm_gem_shrinker.c
index f38296ad87434..0641f5bb8649a 100644
--- a/drivers/gpu/drm/msm/msm_gem_shrinker.c
+++ b/drivers/gpu/drm/msm/msm_gem_shrinker.c
@@ -76,7 +76,7 @@ static bool
wait_for_idle(struct drm_gem_object *obj)
{
enum dma_resv_usage usage = dma_resv_usage_rw(true);
- return dma_resv_wait_timeout(obj->resv, usage, false, 1000) > 0;
+ return dma_resv_wait_timeout(obj->resv, usage, false, 10) > 0;
}
static bool
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 141/341] memory: tegra: Skip SID programming if SID registers arent set
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 140/341] drm/msm: Reduce fallout of fence signaling vs reclaim hangs Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 142/341] powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu Greg Kroah-Hartman
` (212 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ashish Mhetre, Krzysztof Kozlowski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ashish Mhetre <amhetre@nvidia.com>
[ Upstream commit 0d6c918011ce4764ed277de4726a468b7ffe5fed ]
There are few MC clients where SID security and override register
offsets are not specified like "sw_cluster0" in tegra234. Don't program
SID override for such clients because it leads to access to invalid
addresses.
Signed-off-by: Ashish Mhetre <amhetre@nvidia.com>
Link: https://lore.kernel.org/r/20231107112713.21399-2-amhetre@nvidia.com
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/tegra/tegra186.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/memory/tegra/tegra186.c b/drivers/memory/tegra/tegra186.c
index 533f85a4b2bdb..7633481e547d2 100644
--- a/drivers/memory/tegra/tegra186.c
+++ b/drivers/memory/tegra/tegra186.c
@@ -75,6 +75,9 @@ static void tegra186_mc_client_sid_override(struct tegra_mc *mc,
{
u32 value, old;
+ if (client->regs.sid.security == 0 && client->regs.sid.override == 0)
+ return;
+
value = readl(mc->regs + client->regs.sid.security);
if ((value & MC_SID_STREAMID_SECURITY_OVERRIDE) == 0) {
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 142/341] powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 141/341] memory: tegra: Skip SID programming if SID registers arent set Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 143/341] ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data Greg Kroah-Hartman
` (211 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kunwu Chan, Michael Ellerman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunwu Chan <chentao@kylinos.cn>
[ Upstream commit 45b1ba7e5d1f6881050d558baf9bc74a2ae13930 ]
kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure. Ensure the allocation was successful
by checking the pointer validity.
Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231122030651.3818-1-chentao@kylinos.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/sysdev/xics/icp-native.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/powerpc/sysdev/xics/icp-native.c b/arch/powerpc/sysdev/xics/icp-native.c
index f6ec6dba92dcb..700b67476a7d8 100644
--- a/arch/powerpc/sysdev/xics/icp-native.c
+++ b/arch/powerpc/sysdev/xics/icp-native.c
@@ -236,6 +236,8 @@ static int __init icp_native_map_one_cpu(int hw_id, unsigned long addr,
rname = kasprintf(GFP_KERNEL, "CPU %d [0x%x] Interrupt Presentation",
cpu, hw_id);
+ if (!rname)
+ return -ENOMEM;
if (!request_mem_region(addr, size, rname)) {
pr_warn("icp_native: Could not reserve ICP MMIO for CPU %d, interrupt server #0x%x\n",
cpu, hw_id);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 143/341] ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 142/341] powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 144/341] hwmon: (pc87360) Bounds check data->innr usage Greg Kroah-Hartman
` (210 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bard Liao, Péter Ujfalusi,
Pierre-Louis Bossart, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bard Liao <yung-chuan.liao@linux.intel.com>
[ Upstream commit 2bd512626f8ea3957c981cadd2ebf75feff737dd ]
snd_sof_ipc_msg_data could return error.
Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://lore.kernel.org/r/20231129122021.679-1-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/ipc4.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sof/ipc4.c b/sound/soc/sof/ipc4.c
index 1b09496733fb8..81d1ce4b5f0cd 100644
--- a/sound/soc/sof/ipc4.c
+++ b/sound/soc/sof/ipc4.c
@@ -629,7 +629,14 @@ static void sof_ipc4_rx_msg(struct snd_sof_dev *sdev)
return;
ipc4_msg->data_size = data_size;
- snd_sof_ipc_msg_data(sdev, NULL, ipc4_msg->data_ptr, ipc4_msg->data_size);
+ err = snd_sof_ipc_msg_data(sdev, NULL, ipc4_msg->data_ptr, ipc4_msg->data_size);
+ if (err < 0) {
+ dev_err(sdev->dev, "failed to read IPC notification data: %d\n", err);
+ kfree(ipc4_msg->data_ptr);
+ ipc4_msg->data_ptr = NULL;
+ ipc4_msg->data_size = 0;
+ return;
+ }
}
sof_ipc4_log_header(sdev->dev, "ipc rx done ", ipc4_msg, true);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 144/341] hwmon: (pc87360) Bounds check data->innr usage
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 143/341] ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 145/341] powerpc/pseries/papr-sysparm: Validate buffer object lengths Greg Kroah-Hartman
` (209 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Cromie, Jean Delvare,
Guenter Roeck, linux-hwmon, Kees Cook, Gustavo A. R. Silva,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 4265eb062a7303e537ab3792ade31f424c3c5189 ]
Without visibility into the initializers for data->innr, GCC suspects
using it as an index could walk off the end of the various 14-element
arrays in data. Perform an explicit clamp to the array size. Silences
the following warning with GCC 12+:
../drivers/hwmon/pc87360.c: In function 'pc87360_update_device':
../drivers/hwmon/pc87360.c:341:49: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
341 | data->in_max[i] = pc87360_read_value(data,
| ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
342 | LD_IN, i,
| ~~~~~~~~~
343 | PC87365_REG_IN_MAX);
| ~~~~~~~~~~~~~~~~~~~
../drivers/hwmon/pc87360.c:209:12: note: at offset 255 into destination object 'in_max' of size 14
209 | u8 in_max[14]; /* Register value */
| ^~~~~~
Cc: Jim Cromie <jim.cromie@gmail.com>
Cc: Jean Delvare <jdelvare@suse.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: linux-hwmon@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20231130200207.work.679-kees@kernel.org
[groeck: Added comment into code clarifying context]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/pc87360.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/hwmon/pc87360.c b/drivers/hwmon/pc87360.c
index a4adc8bd531ff..534a6072036c9 100644
--- a/drivers/hwmon/pc87360.c
+++ b/drivers/hwmon/pc87360.c
@@ -323,7 +323,11 @@ static struct pc87360_data *pc87360_update_device(struct device *dev)
}
/* Voltages */
- for (i = 0; i < data->innr; i++) {
+ /*
+ * The min() below does not have any practical meaning and is
+ * only needed to silence a warning observed with gcc 12+.
+ */
+ for (i = 0; i < min(data->innr, ARRAY_SIZE(data->in)); i++) {
data->in_status[i] = pc87360_read_value(data, LD_IN, i,
PC87365_REG_IN_STATUS);
/* Clear bits */
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 145/341] powerpc/pseries/papr-sysparm: Validate buffer object lengths
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 144/341] hwmon: (pc87360) Bounds check data->innr usage Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 146/341] ionic: prevent pci disable of already disabled device Greg Kroah-Hartman
` (208 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Lynch, Michael Ellerman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Lynch <nathanl@linux.ibm.com>
[ Upstream commit 35aae182bd7b422be3cefc08c12207bf2b973364 ]
The ability to get and set system parameters will be exposed to user
space, so let's get a little more strict about malformed
papr_sysparm_buf objects.
* Create accessors for the length field of struct papr_sysparm_buf.
The length is always stored in MSB order and this is better than
spreading the necessary conversions all over.
* Reject attempts to submit invalid buffers to RTAS.
* Warn if RTAS returns a buffer with an invalid length, clamping the
returned length to a safe value that won't overrun the buffer.
These are meant as precautionary measures to mitigate both firmware
and kernel bugs in this area, should they arise, but I am not aware of
any.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231212-papr-sys_rtas-vs-lockdown-v6-10-e9eafd0c8c6c@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/pseries/papr-sysparm.c | 47 +++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/arch/powerpc/platforms/pseries/papr-sysparm.c b/arch/powerpc/platforms/pseries/papr-sysparm.c
index fedc61599e6cc..a1e7aeac74161 100644
--- a/arch/powerpc/platforms/pseries/papr-sysparm.c
+++ b/arch/powerpc/platforms/pseries/papr-sysparm.c
@@ -23,6 +23,46 @@ void papr_sysparm_buf_free(struct papr_sysparm_buf *buf)
kfree(buf);
}
+static size_t papr_sysparm_buf_get_length(const struct papr_sysparm_buf *buf)
+{
+ return be16_to_cpu(buf->len);
+}
+
+static void papr_sysparm_buf_set_length(struct papr_sysparm_buf *buf, size_t length)
+{
+ WARN_ONCE(length > sizeof(buf->val),
+ "bogus length %zu, clamping to safe value", length);
+ length = min(sizeof(buf->val), length);
+ buf->len = cpu_to_be16(length);
+}
+
+/*
+ * For use on buffers returned from ibm,get-system-parameter before
+ * returning them to callers. Ensures the encoded length of valid data
+ * cannot overrun buf->val[].
+ */
+static void papr_sysparm_buf_clamp_length(struct papr_sysparm_buf *buf)
+{
+ papr_sysparm_buf_set_length(buf, papr_sysparm_buf_get_length(buf));
+}
+
+/*
+ * Perform some basic diligence on the system parameter buffer before
+ * submitting it to RTAS.
+ */
+static bool papr_sysparm_buf_can_submit(const struct papr_sysparm_buf *buf)
+{
+ /*
+ * Firmware ought to reject buffer lengths that exceed the
+ * maximum specified in PAPR, but there's no reason for the
+ * kernel to allow them either.
+ */
+ if (papr_sysparm_buf_get_length(buf) > sizeof(buf->val))
+ return false;
+
+ return true;
+}
+
/**
* papr_sysparm_get() - Retrieve the value of a PAPR system parameter.
* @param: PAPR system parameter token as described in
@@ -63,6 +103,9 @@ int papr_sysparm_get(papr_sysparm_t param, struct papr_sysparm_buf *buf)
if (token == RTAS_UNKNOWN_SERVICE)
return -ENOENT;
+ if (!papr_sysparm_buf_can_submit(buf))
+ return -EINVAL;
+
work_area = rtas_work_area_alloc(sizeof(*buf));
memcpy(rtas_work_area_raw_buf(work_area), buf, sizeof(*buf));
@@ -77,6 +120,7 @@ int papr_sysparm_get(papr_sysparm_t param, struct papr_sysparm_buf *buf)
case 0:
ret = 0;
memcpy(buf, rtas_work_area_raw_buf(work_area), sizeof(*buf));
+ papr_sysparm_buf_clamp_length(buf);
break;
case -3: /* parameter not implemented */
ret = -EOPNOTSUPP;
@@ -115,6 +159,9 @@ int papr_sysparm_set(papr_sysparm_t param, const struct papr_sysparm_buf *buf)
if (token == RTAS_UNKNOWN_SERVICE)
return -ENOENT;
+ if (!papr_sysparm_buf_can_submit(buf))
+ return -EINVAL;
+
work_area = rtas_work_area_alloc(sizeof(*buf));
memcpy(rtas_work_area_raw_buf(work_area), buf, sizeof(*buf));
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 146/341] ionic: prevent pci disable of already disabled device
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 145/341] powerpc/pseries/papr-sysparm: Validate buffer object lengths Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 147/341] ionic: no fw read when PCI reset failed Greg Kroah-Hartman
` (207 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shannon Nelson, Brett Creeley,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shannon Nelson <shannon.nelson@amd.com>
[ Upstream commit 13943d6c82730a2a4e40e05d6deaca26a8de0a4d ]
If a reset fails, the PCI device is left in a disabled
state, so don't try to disable it again on driver remove.
This prevents a scary looking WARN trace in the kernel log.
ionic 0000:2b:00.0: disabling already-disabled device
Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
Reviewed-by: Brett Creeley <brett.creeley@amd.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c b/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c
index fa4237c27e061..f0a7fde8f7fff 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c
@@ -217,7 +217,9 @@ static void ionic_clear_pci(struct ionic *ionic)
{
ionic_unmap_bars(ionic);
pci_release_regions(ionic->pdev);
- pci_disable_device(ionic->pdev);
+
+ if (atomic_read(&ionic->pdev->enable_cnt) > 0)
+ pci_disable_device(ionic->pdev);
}
static int ionic_setup_one(struct ionic *ionic)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 147/341] ionic: no fw read when PCI reset failed
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 146/341] ionic: prevent pci disable of already disabled device Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 148/341] drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode Greg Kroah-Hartman
` (206 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shannon Nelson, Brett Creeley,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shannon Nelson <shannon.nelson@amd.com>
[ Upstream commit 219e183272b4a566650a37264aff90a8c613d9b5 ]
If there was a failed attempt to reset the PCI connection,
don't later try to read from PCI as the space is unmapped
and will cause a paging request crash. When clearing the PCI
setup we can clear the dev_info register pointer, and check
it before using it in the fw_running test.
Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
Reviewed-by: Brett Creeley <brett.creeley@amd.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/pensando/ionic/ionic_bus_pci.c | 5 ++++
.../net/ethernet/pensando/ionic/ionic_dev.c | 23 +++++++++++++++----
2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c b/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c
index f0a7fde8f7fff..a5fa49fd21390 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c
@@ -215,6 +215,11 @@ static int ionic_sriov_configure(struct pci_dev *pdev, int num_vfs)
static void ionic_clear_pci(struct ionic *ionic)
{
+ ionic->idev.dev_info_regs = NULL;
+ ionic->idev.dev_cmd_regs = NULL;
+ ionic->idev.intr_status = NULL;
+ ionic->idev.intr_ctrl = NULL;
+
ionic_unmap_bars(ionic);
pci_release_regions(ionic->pdev);
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.c b/drivers/net/ethernet/pensando/ionic/ionic_dev.c
index 22ab0a44fa8c7..b4e0fb25b96d7 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.c
@@ -165,9 +165,19 @@ void ionic_dev_teardown(struct ionic *ionic)
}
/* Devcmd Interface */
-bool ionic_is_fw_running(struct ionic_dev *idev)
+static bool __ionic_is_fw_running(struct ionic_dev *idev, u8 *status_ptr)
{
- u8 fw_status = ioread8(&idev->dev_info_regs->fw_status);
+ u8 fw_status;
+
+ if (!idev->dev_info_regs) {
+ if (status_ptr)
+ *status_ptr = 0xff;
+ return false;
+ }
+
+ fw_status = ioread8(&idev->dev_info_regs->fw_status);
+ if (status_ptr)
+ *status_ptr = fw_status;
/* firmware is useful only if the running bit is set and
* fw_status != 0xff (bad PCI read)
@@ -175,6 +185,11 @@ bool ionic_is_fw_running(struct ionic_dev *idev)
return (fw_status != 0xff) && (fw_status & IONIC_FW_STS_F_RUNNING);
}
+bool ionic_is_fw_running(struct ionic_dev *idev)
+{
+ return __ionic_is_fw_running(idev, NULL);
+}
+
int ionic_heartbeat_check(struct ionic *ionic)
{
unsigned long check_time, last_check_time;
@@ -199,10 +214,8 @@ int ionic_heartbeat_check(struct ionic *ionic)
goto do_check_time;
}
- fw_status = ioread8(&idev->dev_info_regs->fw_status);
-
/* If fw_status is not ready don't bother with the generation */
- if (!ionic_is_fw_running(idev)) {
+ if (!__ionic_is_fw_running(idev, &fw_status)) {
fw_status_ready = false;
} else {
fw_generation = fw_status & IONIC_FW_STS_F_GENERATION;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 148/341] drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 147/341] ionic: no fw read when PCI reset failed Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 149/341] evm: dont copy up security.evm xattr Greg Kroah-Hartman
` (205 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Yan, Sascha Hauer,
Heiko Stuebner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Yan <andy.yan@rock-chips.com>
[ Upstream commit 20529a68307feed00dd3d431d3fff0572616b0f2 ]
The enable bit and transform offset of cluster windows should be
cleared when it work at linear mode, or we may have a iommu fault
issue on rk3588 which cluster windows switch between afbc and linear
mode.
As the cluster windows of rk3568 only supports afbc format
so is therefore not affected.
Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20231211115741.1784954-1-andyshrk@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
index f2a956f973613..d1de12e850e74 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
@@ -1260,6 +1260,11 @@ static void vop2_plane_atomic_update(struct drm_plane *plane,
vop2_win_write(win, VOP2_WIN_AFBC_ROTATE_270, rotate_270);
vop2_win_write(win, VOP2_WIN_AFBC_ROTATE_90, rotate_90);
} else {
+ if (vop2_cluster_window(win)) {
+ vop2_win_write(win, VOP2_WIN_AFBC_ENABLE, 0);
+ vop2_win_write(win, VOP2_WIN_AFBC_TRANSFORM_OFFSET, 0);
+ }
+
vop2_win_write(win, VOP2_WIN_YRGB_VIR, DIV_ROUND_UP(fb->pitches[0], 4));
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 149/341] evm: dont copy up security.evm xattr
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 148/341] drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 150/341] Bluetooth: hci_conn: Check non NULL function before calling for HFP offload Greg Kroah-Hartman
` (204 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amir Goldstein, Christian Brauner,
Mimi Zohar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mimi Zohar <zohar@linux.ibm.com>
[ Upstream commit 40ca4ee3136d2d09977d1cab8c0c0e1582c3359d ]
The security.evm HMAC and the original file signatures contain
filesystem specific data. As a result, the HMAC and signature
are not the same on the stacked and backing filesystems.
Don't copy up 'security.evm'.
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/evm.h | 6 ++++++
security/integrity/evm/evm_main.c | 7 +++++++
security/security.c | 2 +-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/include/linux/evm.h b/include/linux/evm.h
index 01fc495a83e27..36ec884320d9f 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -31,6 +31,7 @@ extern void evm_inode_post_setxattr(struct dentry *dentry,
const char *xattr_name,
const void *xattr_value,
size_t xattr_value_len);
+extern int evm_inode_copy_up_xattr(const char *name);
extern int evm_inode_removexattr(struct mnt_idmap *idmap,
struct dentry *dentry, const char *xattr_name);
extern void evm_inode_post_removexattr(struct dentry *dentry,
@@ -117,6 +118,11 @@ static inline void evm_inode_post_setxattr(struct dentry *dentry,
return;
}
+static inline int evm_inode_copy_up_xattr(const char *name)
+{
+ return 0;
+}
+
static inline int evm_inode_removexattr(struct mnt_idmap *idmap,
struct dentry *dentry,
const char *xattr_name)
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index ff9a939dad8e4..2393230c03aa3 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -864,6 +864,13 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
evm_update_evmxattr(dentry, NULL, NULL, 0);
}
+int evm_inode_copy_up_xattr(const char *name)
+{
+ if (strcmp(name, XATTR_NAME_EVM) == 0)
+ return 1; /* Discard */
+ return -EOPNOTSUPP;
+}
+
/*
* evm_inode_init_security - initializes security.evm HMAC value
*/
diff --git a/security/security.c b/security/security.c
index dd26f21b2244b..b6144833c7a8e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2539,7 +2539,7 @@ int security_inode_copy_up_xattr(const char *name)
return rc;
}
- return LSM_RET_DEFAULT(inode_copy_up_xattr);
+ return evm_inode_copy_up_xattr(name);
}
EXPORT_SYMBOL(security_inode_copy_up_xattr);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 150/341] Bluetooth: hci_conn: Check non NULL function before calling for HFP offload
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 149/341] evm: dont copy up security.evm xattr Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 151/341] gfs2: Refcounting fix in gfs2_thaw_super Greg Kroah-Hartman
` (203 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijun Hu, Luiz Augusto von Dentz,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit 132d0fd0b8418094c9e269e5bc33bf5b864f4a65 ]
For some controllers such as QCA2066, it does not need to send
HCI_Configure_Data_Path to configure non-HCI data transport path to support
HFP offload, their device drivers may set hdev->get_codec_config_data as
NULL, so Explicitly add this non NULL checking before calling the function.
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_conn.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 9c670348fac42..dc1c07c7d4ff9 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -299,6 +299,13 @@ static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
__u8 vnd_len, *vnd_data = NULL;
struct hci_op_configure_data_path *cmd = NULL;
+ if (!codec->data_path || !hdev->get_codec_config_data)
+ return 0;
+
+ /* Do not take me as error */
+ if (!hdev->get_codec_config_data)
+ return 0;
+
err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
&vnd_data);
if (err < 0)
@@ -344,9 +351,7 @@ static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
bt_dev_dbg(hdev, "hcon %p", conn);
- /* for offload use case, codec needs to configured before opening SCO */
- if (conn->codec.data_path)
- configure_datapath_sync(hdev, &conn->codec);
+ configure_datapath_sync(hdev, &conn->codec);
conn->state = BT_CONNECT;
conn->out = true;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 151/341] gfs2: Refcounting fix in gfs2_thaw_super
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 150/341] Bluetooth: hci_conn: Check non NULL function before calling for HFP offload Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 152/341] EDAC/skx_common: Filter out the invalid address Greg Kroah-Hartman
` (202 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 4e58543e7da4859c4ba61d15493e3522b6ad71fd ]
It turns out that the .freeze_super and .thaw_super operations require
the filesystem to manage the superblock refcount itself. We are using
the freeze_super() and thaw_super() helpers to mostly take care of that
for us, but this means that the superblock may no longer be around by
when thaw_super() returns, and gfs2_thaw_super() will then access freed
memory. Take an extra superblock reference in gfs2_thaw_super() to fix
that.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/super.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
index 8b34c6cf9293f..1200cb8059995 100644
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -819,6 +819,7 @@ static int gfs2_thaw_super(struct super_block *sb, enum freeze_holder who)
if (!test_bit(SDF_FREEZE_INITIATOR, &sdp->sd_flags))
goto out;
+ atomic_inc(&sb->s_active);
gfs2_freeze_unlock(&sdp->sd_freeze_gh);
error = gfs2_do_thaw(sdp);
@@ -829,6 +830,7 @@ static int gfs2_thaw_super(struct super_block *sb, enum freeze_holder who)
}
out:
mutex_unlock(&sdp->sd_freeze_mutex);
+ deactivate_super(sb);
return error;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 152/341] EDAC/skx_common: Filter out the invalid address
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 151/341] gfs2: Refcounting fix in gfs2_thaw_super Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 153/341] nvmet-trace: avoid dereferencing pointer too early Greg Kroah-Hartman
` (201 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tony Luck, Qiuxu Zhuo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
[ Upstream commit 1e92af09fab1b5589f3a7ae68109e3c6a5ca6c6e ]
Decoding an invalid address with certain firmware decoders could
cause a #PF (Page Fault) in the EFI runtime context, which could
subsequently hang the system. To make {i10nm,skx}_edac more robust
against such bogus firmware decoders, filter out invalid addresses
before allowing the firmware decoder to process them.
Suggested-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Link: https://lore.kernel.org/r/20231207014512.78564-1-qiuxu.zhuo@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/skx_common.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c
index 03d7a74ca22dc..f4b192420be47 100644
--- a/drivers/edac/skx_common.c
+++ b/drivers/edac/skx_common.c
@@ -659,6 +659,10 @@ int skx_mce_check_error(struct notifier_block *nb, unsigned long val,
memset(&res, 0, sizeof(res));
res.mce = mce;
res.addr = mce->addr & MCI_ADDR_PHYSADDR;
+ if (!pfn_to_online_page(res.addr >> PAGE_SHIFT)) {
+ pr_err("Invalid address 0x%llx in IA32_MC%d_ADDR\n", mce->addr, mce->bank);
+ return NOTIFY_DONE;
+ }
/* Try driver decoder first */
if (!(driver_decode && driver_decode(&res))) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 153/341] nvmet-trace: avoid dereferencing pointer too early
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 152/341] EDAC/skx_common: Filter out the invalid address Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 154/341] ext4: do not trim the group with corrupted block bitmap Greg Kroah-Hartman
` (200 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Daniel Wagner,
Christoph Hellwig, Keith Busch, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <dwagner@suse.de>
[ Upstream commit 0e716cec6fb11a14c220ee17c404b67962e902f7 ]
The first command issued from the host to the target is the fabrics
connect command. At this point, neither the target queue nor the
controller have been allocated. But we already try to trace this command
in nvmet_req_init.
Reported by KASAN.
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Daniel Wagner <dwagner@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/trace.c | 6 +++---
drivers/nvme/target/trace.h | 28 +++++++++++++++++-----------
2 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/drivers/nvme/target/trace.c b/drivers/nvme/target/trace.c
index bff454d46255b..6ee1f3db81d04 100644
--- a/drivers/nvme/target/trace.c
+++ b/drivers/nvme/target/trace.c
@@ -211,7 +211,7 @@ const char *nvmet_trace_disk_name(struct trace_seq *p, char *name)
return ret;
}
-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl)
+const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id)
{
const char *ret = trace_seq_buffer_ptr(p);
@@ -224,8 +224,8 @@ const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl)
* If we can know the extra data of the connect command in this stage,
* we can update this print statement later.
*/
- if (ctrl)
- trace_seq_printf(p, "%d", ctrl->cntlid);
+ if (ctrl_id)
+ trace_seq_printf(p, "%d", ctrl_id);
else
trace_seq_printf(p, "_");
trace_seq_putc(p, 0);
diff --git a/drivers/nvme/target/trace.h b/drivers/nvme/target/trace.h
index 974d99d47f514..7f7ebf9558e50 100644
--- a/drivers/nvme/target/trace.h
+++ b/drivers/nvme/target/trace.h
@@ -32,18 +32,24 @@ const char *nvmet_trace_parse_fabrics_cmd(struct trace_seq *p, u8 fctype,
nvmet_trace_parse_nvm_cmd(p, opcode, cdw10) : \
nvmet_trace_parse_admin_cmd(p, opcode, cdw10)))
-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl);
-#define __print_ctrl_name(ctrl) \
- nvmet_trace_ctrl_name(p, ctrl)
+const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id);
+#define __print_ctrl_id(ctrl_id) \
+ nvmet_trace_ctrl_id(p, ctrl_id)
const char *nvmet_trace_disk_name(struct trace_seq *p, char *name);
#define __print_disk_name(name) \
nvmet_trace_disk_name(p, name)
#ifndef TRACE_HEADER_MULTI_READ
-static inline struct nvmet_ctrl *nvmet_req_to_ctrl(struct nvmet_req *req)
+static inline u16 nvmet_req_to_ctrl_id(struct nvmet_req *req)
{
- return req->sq->ctrl;
+ /*
+ * The queue and controller pointers are not valid until an association
+ * has been established.
+ */
+ if (!req->sq || !req->sq->ctrl)
+ return 0;
+ return req->sq->ctrl->cntlid;
}
static inline void __assign_req_name(char *name, struct nvmet_req *req)
@@ -62,7 +68,7 @@ TRACE_EVENT(nvmet_req_init,
TP_ARGS(req, cmd),
TP_STRUCT__entry(
__field(struct nvme_command *, cmd)
- __field(struct nvmet_ctrl *, ctrl)
+ __field(u16, ctrl_id)
__array(char, disk, DISK_NAME_LEN)
__field(int, qid)
__field(u16, cid)
@@ -75,7 +81,7 @@ TRACE_EVENT(nvmet_req_init,
),
TP_fast_assign(
__entry->cmd = cmd;
- __entry->ctrl = nvmet_req_to_ctrl(req);
+ __entry->ctrl_id = nvmet_req_to_ctrl_id(req);
__assign_req_name(__entry->disk, req);
__entry->qid = req->sq->qid;
__entry->cid = cmd->common.command_id;
@@ -89,7 +95,7 @@ TRACE_EVENT(nvmet_req_init,
),
TP_printk("nvmet%s: %sqid=%d, cmdid=%u, nsid=%u, flags=%#x, "
"meta=%#llx, cmd=(%s, %s)",
- __print_ctrl_name(__entry->ctrl),
+ __print_ctrl_id(__entry->ctrl_id),
__print_disk_name(__entry->disk),
__entry->qid, __entry->cid, __entry->nsid,
__entry->flags, __entry->metadata,
@@ -103,7 +109,7 @@ TRACE_EVENT(nvmet_req_complete,
TP_PROTO(struct nvmet_req *req),
TP_ARGS(req),
TP_STRUCT__entry(
- __field(struct nvmet_ctrl *, ctrl)
+ __field(u16, ctrl_id)
__array(char, disk, DISK_NAME_LEN)
__field(int, qid)
__field(int, cid)
@@ -111,7 +117,7 @@ TRACE_EVENT(nvmet_req_complete,
__field(u16, status)
),
TP_fast_assign(
- __entry->ctrl = nvmet_req_to_ctrl(req);
+ __entry->ctrl_id = nvmet_req_to_ctrl_id(req);
__entry->qid = req->cq->qid;
__entry->cid = req->cqe->command_id;
__entry->result = le64_to_cpu(req->cqe->result.u64);
@@ -119,7 +125,7 @@ TRACE_EVENT(nvmet_req_complete,
__assign_req_name(__entry->disk, req);
),
TP_printk("nvmet%s: %sqid=%d, cmdid=%u, res=%#llx, status=%#x",
- __print_ctrl_name(__entry->ctrl),
+ __print_ctrl_id(__entry->ctrl_id),
__print_disk_name(__entry->disk),
__entry->qid, __entry->cid, __entry->result, __entry->status)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 154/341] ext4: do not trim the group with corrupted block bitmap
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 153/341] nvmet-trace: avoid dereferencing pointer too early Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 155/341] btrfs: zlib: fix and simplify the inline extent decompression Greg Kroah-Hartman
` (199 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Theodore Tso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 172202152a125955367393956acf5f4ffd092e0d ]
Otherwise operating on an incorrupted block bitmap can lead to all sorts
of unknown problems.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20240104142040.2835097-3-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index f55ab800a7539..870397f3de559 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -6953,6 +6953,9 @@ __releases(ext4_group_lock_ptr(sb, e4b->bd_group))
bool set_trimmed = false;
void *bitmap;
+ if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)))
+ return 0;
+
last = ext4_last_grp_cluster(sb, e4b->bd_group);
bitmap = e4b->bd_bitmap;
if (start == 0 && max >= last)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 155/341] btrfs: zlib: fix and simplify the inline extent decompression
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 154/341] ext4: do not trim the group with corrupted block bitmap Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 156/341] afs: fix __afs_break_callback() / afs_drop_open_mmap() race Greg Kroah-Hartman
` (198 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 2c25716dcc25a0420c4ad49d6e6bf61e60a21434 ]
[BUG]
If we have a filesystem with 4k sectorsize, and an inlined compressed
extent created like this:
item 4 key (257 INODE_ITEM 0) itemoff 15863 itemsize 160
generation 8 transid 8 size 4096 nbytes 4096
block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
sequence 1 flags 0x0(none)
item 5 key (257 INODE_REF 256) itemoff 15839 itemsize 24
index 2 namelen 14 name: source_inlined
item 6 key (257 EXTENT_DATA 0) itemoff 15770 itemsize 69
generation 8 type 0 (inline)
inline extent data size 48 ram_bytes 4096 compression 1 (zlib)
Which has an inline compressed extent at file offset 0, and its
decompressed size is 4K, allowing us to reflink that 4K range to another
location (which will not be compressed).
If we do such reflink on a subpage system, it would fail like this:
# xfs_io -f -c "reflink $mnt/source_inlined 0 60k 4k" $mnt/dest
XFS_IOC_CLONE_RANGE: Input/output error
[CAUSE]
In zlib_decompress(), we didn't treat @start_byte as just a page offset,
but also use it as an indicator on whether we should switch our output
buffer.
In reality, for subpage cases, although @start_byte can be non-zero,
we should never switch input/output buffer, since the whole input/output
buffer should never exceed one sector.
Note: The above assumption is only not true if we're going to support
multi-page sectorsize.
Thus the current code using @start_byte as a condition to switch
input/output buffer or finish the decompression is completely incorrect.
[FIX]
The fix involves several modifications:
- Rename @start_byte to @dest_pgoff to properly express its meaning
- Add an extra ASSERT() inside btrfs_decompress() to make sure the
input/output size never exceeds one sector.
- Use Z_FINISH flag to make sure the decompression happens in one go
- Remove the loop needed to switch input/output buffers
- Use correct destination offset inside the destination page
- Consider early end as an error
After the fix, even on 64K page sized aarch64, above reflink now
works as expected:
# xfs_io -f -c "reflink $mnt/source_inlined 0 60k 4k" $mnt/dest
linked 4096/4096 bytes at offset 61440
And resulted a correct file layout:
item 9 key (258 INODE_ITEM 0) itemoff 15542 itemsize 160
generation 10 transid 10 size 65536 nbytes 4096
block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
sequence 1 flags 0x0(none)
item 10 key (258 INODE_REF 256) itemoff 15528 itemsize 14
index 3 namelen 4 name: dest
item 11 key (258 XATTR_ITEM 3817753667) itemoff 15445 itemsize 83
location key (0 UNKNOWN.0 0) type XATTR
transid 10 data_len 37 name_len 16
name: security.selinux
data unconfined_u:object_r:unlabeled_t:s0
item 12 key (258 EXTENT_DATA 61440) itemoff 15392 itemsize 53
generation 10 type 1 (regular)
extent data disk byte 13631488 nr 4096
extent data offset 0 nr 4096 ram 4096
extent compression 0 (none)
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/compression.c | 23 +++++++++----
fs/btrfs/compression.h | 2 +-
fs/btrfs/zlib.c | 73 +++++++++++-------------------------------
3 files changed, 36 insertions(+), 62 deletions(-)
diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
index a815ce9cfb518..e6acf09a1507c 100644
--- a/fs/btrfs/compression.c
+++ b/fs/btrfs/compression.c
@@ -140,16 +140,16 @@ static int compression_decompress_bio(struct list_head *ws,
}
static int compression_decompress(int type, struct list_head *ws,
- const u8 *data_in, struct page *dest_page,
- unsigned long start_byte, size_t srclen, size_t destlen)
+ const u8 *data_in, struct page *dest_page,
+ unsigned long dest_pgoff, size_t srclen, size_t destlen)
{
switch (type) {
case BTRFS_COMPRESS_ZLIB: return zlib_decompress(ws, data_in, dest_page,
- start_byte, srclen, destlen);
+ dest_pgoff, srclen, destlen);
case BTRFS_COMPRESS_LZO: return lzo_decompress(ws, data_in, dest_page,
- start_byte, srclen, destlen);
+ dest_pgoff, srclen, destlen);
case BTRFS_COMPRESS_ZSTD: return zstd_decompress(ws, data_in, dest_page,
- start_byte, srclen, destlen);
+ dest_pgoff, srclen, destlen);
case BTRFS_COMPRESS_NONE:
default:
/*
@@ -941,14 +941,23 @@ static int btrfs_decompress_bio(struct compressed_bio *cb)
* start_byte tells us the offset into the compressed data we're interested in
*/
int btrfs_decompress(int type, const u8 *data_in, struct page *dest_page,
- unsigned long start_byte, size_t srclen, size_t destlen)
+ unsigned long dest_pgoff, size_t srclen, size_t destlen)
{
+ struct btrfs_fs_info *fs_info = btrfs_sb(dest_page->mapping->host->i_sb);
struct list_head *workspace;
+ const u32 sectorsize = fs_info->sectorsize;
int ret;
+ /*
+ * The full destination page range should not exceed the page size.
+ * And the @destlen should not exceed sectorsize, as this is only called for
+ * inline file extents, which should not exceed sectorsize.
+ */
+ ASSERT(dest_pgoff + destlen <= PAGE_SIZE && destlen <= sectorsize);
+
workspace = get_workspace(type, 0);
ret = compression_decompress(type, workspace, data_in, dest_page,
- start_byte, srclen, destlen);
+ dest_pgoff, srclen, destlen);
put_workspace(type, workspace);
return ret;
diff --git a/fs/btrfs/compression.h b/fs/btrfs/compression.h
index 03bb9d143fa75..609865c940658 100644
--- a/fs/btrfs/compression.h
+++ b/fs/btrfs/compression.h
@@ -143,7 +143,7 @@ int zlib_compress_pages(struct list_head *ws, struct address_space *mapping,
unsigned long *total_in, unsigned long *total_out);
int zlib_decompress_bio(struct list_head *ws, struct compressed_bio *cb);
int zlib_decompress(struct list_head *ws, const u8 *data_in,
- struct page *dest_page, unsigned long start_byte, size_t srclen,
+ struct page *dest_page, unsigned long dest_pgoff, size_t srclen,
size_t destlen);
struct list_head *zlib_alloc_workspace(unsigned int level);
void zlib_free_workspace(struct list_head *ws);
diff --git a/fs/btrfs/zlib.c b/fs/btrfs/zlib.c
index 6c231a116a29c..9f60d0bbd5306 100644
--- a/fs/btrfs/zlib.c
+++ b/fs/btrfs/zlib.c
@@ -354,18 +354,13 @@ int zlib_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
}
int zlib_decompress(struct list_head *ws, const u8 *data_in,
- struct page *dest_page, unsigned long start_byte, size_t srclen,
+ struct page *dest_page, unsigned long dest_pgoff, size_t srclen,
size_t destlen)
{
struct workspace *workspace = list_entry(ws, struct workspace, list);
int ret = 0;
int wbits = MAX_WBITS;
- unsigned long bytes_left;
- unsigned long total_out = 0;
- unsigned long pg_offset = 0;
-
- destlen = min_t(unsigned long, destlen, PAGE_SIZE);
- bytes_left = destlen;
+ unsigned long to_copy;
workspace->strm.next_in = data_in;
workspace->strm.avail_in = srclen;
@@ -390,60 +385,30 @@ int zlib_decompress(struct list_head *ws, const u8 *data_in,
return -EIO;
}
- while (bytes_left > 0) {
- unsigned long buf_start;
- unsigned long buf_offset;
- unsigned long bytes;
-
- ret = zlib_inflate(&workspace->strm, Z_NO_FLUSH);
- if (ret != Z_OK && ret != Z_STREAM_END)
- break;
-
- buf_start = total_out;
- total_out = workspace->strm.total_out;
-
- if (total_out == buf_start) {
- ret = -EIO;
- break;
- }
-
- if (total_out <= start_byte)
- goto next;
-
- if (total_out > start_byte && buf_start < start_byte)
- buf_offset = start_byte - buf_start;
- else
- buf_offset = 0;
-
- bytes = min(PAGE_SIZE - pg_offset,
- PAGE_SIZE - (buf_offset % PAGE_SIZE));
- bytes = min(bytes, bytes_left);
+ /*
+ * Everything (in/out buf) should be at most one sector, there should
+ * be no need to switch any input/output buffer.
+ */
+ ret = zlib_inflate(&workspace->strm, Z_FINISH);
+ to_copy = min(workspace->strm.total_out, destlen);
+ if (ret != Z_STREAM_END)
+ goto out;
- memcpy_to_page(dest_page, pg_offset,
- workspace->buf + buf_offset, bytes);
+ memcpy_to_page(dest_page, dest_pgoff, workspace->buf, to_copy);
- pg_offset += bytes;
- bytes_left -= bytes;
-next:
- workspace->strm.next_out = workspace->buf;
- workspace->strm.avail_out = workspace->buf_size;
- }
-
- if (ret != Z_STREAM_END && bytes_left != 0)
+out:
+ if (unlikely(to_copy != destlen)) {
+ pr_warn_ratelimited("BTRFS: infalte failed, decompressed=%lu expected=%zu\n",
+ to_copy, destlen);
ret = -EIO;
- else
+ } else {
ret = 0;
+ }
zlib_inflateEnd(&workspace->strm);
- /*
- * this should only happen if zlib returned fewer bytes than we
- * expected. btrfs_get_block is responsible for zeroing from the
- * end of the inline extent (destlen) to the end of the page
- */
- if (pg_offset < destlen) {
- memzero_page(dest_page, pg_offset, destlen - pg_offset);
- }
+ if (unlikely(to_copy < destlen))
+ memzero_page(dest_page, dest_pgoff + to_copy, destlen - to_copy);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 156/341] afs: fix __afs_break_callback() / afs_drop_open_mmap() race
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 155/341] btrfs: zlib: fix and simplify the inline extent decompression Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 157/341] fuse: fix UAF in rcu pathwalks Greg Kroah-Hartman
` (197 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner, Al Viro,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 275655d3207b9e65d1561bf21c06a622d9ec1d43 ]
In __afs_break_callback() we might check ->cb_nr_mmap and if it's non-zero
do queue_work(&vnode->cb_work). In afs_drop_open_mmap() we decrement
->cb_nr_mmap and do flush_work(&vnode->cb_work) if it reaches zero.
The trouble is, there's nothing to prevent __afs_break_callback() from
seeing ->cb_nr_mmap before the decrement and do queue_work() after both
the decrement and flush_work(). If that happens, we might be in trouble -
vnode might get freed before the queued work runs.
__afs_break_callback() is always done under ->cb_lock, so let's make
sure that ->cb_nr_mmap can change from non-zero to zero while holding
->cb_lock (the spinlock component of it - it's a seqlock and we don't
need to mess with the counter).
Acked-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/file.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/afs/file.c b/fs/afs/file.c
index d37dd201752ba..0012ea300eb53 100644
--- a/fs/afs/file.c
+++ b/fs/afs/file.c
@@ -529,13 +529,17 @@ static void afs_add_open_mmap(struct afs_vnode *vnode)
static void afs_drop_open_mmap(struct afs_vnode *vnode)
{
- if (!atomic_dec_and_test(&vnode->cb_nr_mmap))
+ if (atomic_add_unless(&vnode->cb_nr_mmap, -1, 1))
return;
down_write(&vnode->volume->cell->fs_open_mmaps_lock);
- if (atomic_read(&vnode->cb_nr_mmap) == 0)
+ read_seqlock_excl(&vnode->cb_lock);
+ // the only place where ->cb_nr_mmap may hit 0
+ // see __afs_break_callback() for the other side...
+ if (atomic_dec_and_test(&vnode->cb_nr_mmap))
list_del_init(&vnode->cb_mmap_link);
+ read_sequnlock_excl(&vnode->cb_lock);
up_write(&vnode->volume->cell->fs_open_mmaps_lock);
flush_work(&vnode->cb_work);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 157/341] fuse: fix UAF in rcu pathwalks
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 156/341] afs: fix __afs_break_callback() / afs_drop_open_mmap() race Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 158/341] wifi: ath12k: Add missing qmi_txn_cancel() calls Greg Kroah-Hartman
` (196 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 053fc4f755ad43cf35210677bcba798ccdc48d0c ]
->permission(), ->get_link() and ->inode_get_acl() might dereference
->s_fs_info (and, in case of ->permission(), ->s_fs_info->fc->user_ns
as well) when called from rcu pathwalk.
Freeing ->s_fs_info->fc is rcu-delayed; we need to make freeing ->s_fs_info
and dropping ->user_ns rcu-delayed too.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/cuse.c | 3 +--
fs/fuse/fuse_i.h | 1 +
fs/fuse/inode.c | 15 +++++++++++----
3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
index 91e89e68177ee..b6cad106c37e4 100644
--- a/fs/fuse/cuse.c
+++ b/fs/fuse/cuse.c
@@ -474,8 +474,7 @@ static int cuse_send_init(struct cuse_conn *cc)
static void cuse_fc_release(struct fuse_conn *fc)
{
- struct cuse_conn *cc = fc_to_cc(fc);
- kfree_rcu(cc, fc.rcu);
+ kfree(fc_to_cc(fc));
}
/**
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 3e65cdc946316..4ce1a6fdc94f0 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -888,6 +888,7 @@ struct fuse_mount {
/* Entry on fc->mounts */
struct list_head fc_entry;
+ struct rcu_head rcu;
};
static inline struct fuse_mount *get_fuse_mount_super(struct super_block *sb)
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 04c7ba3ea03a2..735abf426a064 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -952,6 +952,14 @@ void fuse_conn_init(struct fuse_conn *fc, struct fuse_mount *fm,
}
EXPORT_SYMBOL_GPL(fuse_conn_init);
+static void delayed_release(struct rcu_head *p)
+{
+ struct fuse_conn *fc = container_of(p, struct fuse_conn, rcu);
+
+ put_user_ns(fc->user_ns);
+ fc->release(fc);
+}
+
void fuse_conn_put(struct fuse_conn *fc)
{
if (refcount_dec_and_test(&fc->count)) {
@@ -963,13 +971,12 @@ void fuse_conn_put(struct fuse_conn *fc)
if (fiq->ops->release)
fiq->ops->release(fiq);
put_pid_ns(fc->pid_ns);
- put_user_ns(fc->user_ns);
bucket = rcu_dereference_protected(fc->curr_bucket, 1);
if (bucket) {
WARN_ON(atomic_read(&bucket->count) != 1);
kfree(bucket);
}
- fc->release(fc);
+ call_rcu(&fc->rcu, delayed_release);
}
}
EXPORT_SYMBOL_GPL(fuse_conn_put);
@@ -1387,7 +1394,7 @@ EXPORT_SYMBOL_GPL(fuse_send_init);
void fuse_free_conn(struct fuse_conn *fc)
{
WARN_ON(!list_empty(&fc->devices));
- kfree_rcu(fc, rcu);
+ kfree(fc);
}
EXPORT_SYMBOL_GPL(fuse_free_conn);
@@ -1921,7 +1928,7 @@ static void fuse_sb_destroy(struct super_block *sb)
void fuse_mount_destroy(struct fuse_mount *fm)
{
fuse_conn_put(fm->fc);
- kfree(fm);
+ kfree_rcu(fm, rcu);
}
EXPORT_SYMBOL(fuse_mount_destroy);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 158/341] wifi: ath12k: Add missing qmi_txn_cancel() calls
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 157/341] fuse: fix UAF in rcu pathwalks Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 159/341] quota: Remove BUG_ON from dqget() Greg Kroah-Hartman
` (195 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Johnson, Kalle Valo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Johnson <quic_jjohnson@quicinc.com>
[ Upstream commit 2e82b5f09a97f1b98b885470c81c1248bec103af ]
Per the QMI documentation "A client calling qmi_txn_init() must call
either qmi_txn_wait() or qmi_txn_cancel() to free up the allocated
resources."
Unfortunately, in most of the ath12k messaging functions, when
qmi_send_request() fails, the function returns without performing the
necessary cleanup. So update those functions to call qmi_txn_cancel()
when qmi_send_request() fails.
No functional changes, compile tested only.
Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://msgid.link/20240111-qmi-cleanup-v2-2-53343af953d5@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/qmi.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/ath/ath12k/qmi.c b/drivers/net/wireless/ath/ath12k/qmi.c
index e68accbc837f4..f1379a5e60cdd 100644
--- a/drivers/net/wireless/ath/ath12k/qmi.c
+++ b/drivers/net/wireless/ath/ath12k/qmi.c
@@ -1977,6 +1977,7 @@ static int ath12k_qmi_host_cap_send(struct ath12k_base *ab)
QMI_WLANFW_HOST_CAP_REQ_MSG_V01_MAX_LEN,
qmi_wlanfw_host_cap_req_msg_v01_ei, &req);
if (ret < 0) {
+ qmi_txn_cancel(&txn);
ath12k_warn(ab, "Failed to send host capability request,err = %d\n", ret);
goto out;
}
@@ -2040,6 +2041,7 @@ static int ath12k_qmi_fw_ind_register_send(struct ath12k_base *ab)
QMI_WLANFW_IND_REGISTER_REQ_MSG_V01_MAX_LEN,
qmi_wlanfw_ind_register_req_msg_v01_ei, req);
if (ret < 0) {
+ qmi_txn_cancel(&txn);
ath12k_warn(ab, "Failed to send indication register request, err = %d\n",
ret);
goto out;
@@ -2114,6 +2116,7 @@ static int ath12k_qmi_respond_fw_mem_request(struct ath12k_base *ab)
QMI_WLANFW_RESPOND_MEM_REQ_MSG_V01_MAX_LEN,
qmi_wlanfw_respond_mem_req_msg_v01_ei, req);
if (ret < 0) {
+ qmi_txn_cancel(&txn);
ath12k_warn(ab, "qmi failed to respond memory request, err = %d\n",
ret);
goto out;
@@ -2228,6 +2231,7 @@ static int ath12k_qmi_request_target_cap(struct ath12k_base *ab)
QMI_WLANFW_CAP_REQ_MSG_V01_MAX_LEN,
qmi_wlanfw_cap_req_msg_v01_ei, &req);
if (ret < 0) {
+ qmi_txn_cancel(&txn);
ath12k_warn(ab, "qmi failed to send target cap request, err = %d\n",
ret);
goto out;
@@ -2567,6 +2571,7 @@ static int ath12k_qmi_wlanfw_m3_info_send(struct ath12k_base *ab)
QMI_WLANFW_M3_INFO_REQ_MSG_V01_MAX_MSG_LEN,
qmi_wlanfw_m3_info_req_msg_v01_ei, &req);
if (ret < 0) {
+ qmi_txn_cancel(&txn);
ath12k_warn(ab, "qmi failed to send M3 information request, err = %d\n",
ret);
goto out;
@@ -2613,6 +2618,7 @@ static int ath12k_qmi_wlanfw_mode_send(struct ath12k_base *ab,
QMI_WLANFW_WLAN_MODE_REQ_MSG_V01_MAX_LEN,
qmi_wlanfw_wlan_mode_req_msg_v01_ei, &req);
if (ret < 0) {
+ qmi_txn_cancel(&txn);
ath12k_warn(ab, "qmi failed to send mode request, mode: %d, err = %d\n",
mode, ret);
goto out;
@@ -2704,6 +2710,7 @@ static int ath12k_qmi_wlanfw_wlan_cfg_send(struct ath12k_base *ab)
QMI_WLANFW_WLAN_CFG_REQ_MSG_V01_MAX_LEN,
qmi_wlanfw_wlan_cfg_req_msg_v01_ei, req);
if (ret < 0) {
+ qmi_txn_cancel(&txn);
ath12k_warn(ab, "qmi failed to send wlan config request, err = %d\n",
ret);
goto out;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 159/341] quota: Remove BUG_ON from dqget()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 158/341] wifi: ath12k: Add missing qmi_txn_cancel() calls Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 160/341] riscv: blacklist assembly symbols for kprobe Greg Kroah-Hartman
` (194 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit 249f374eb9b6b969c64212dd860cc1439674c4a8 ]
dqget() checks whether dquot->dq_sb is set when returning it using
BUG_ON. Firstly this doesn't work as an invalidation check for quite
some time (we release dquot with dq_sb set these days), secondly using
BUG_ON is quite harsh. Use WARN_ON_ONCE and check whether dquot is still
hashed instead.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/quota/dquot.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index 7a2c9b153be6e..23dbde1de2520 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -995,9 +995,8 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid)
* smp_mb__before_atomic() in dquot_acquire().
*/
smp_rmb();
-#ifdef CONFIG_QUOTA_DEBUG
- BUG_ON(!dquot->dq_sb); /* Has somebody invalidated entry under us? */
-#endif
+ /* Has somebody invalidated entry under us? */
+ WARN_ON_ONCE(hlist_unhashed(&dquot->dq_hash));
out:
if (empty)
do_destroy_dquot(empty);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 160/341] riscv: blacklist assembly symbols for kprobe
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 159/341] quota: Remove BUG_ON from dqget() Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 161/341] kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files Greg Kroah-Hartman
` (193 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Clément Léger,
Charlie Jenkins, Palmer Dabbelt, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Clément Léger <cleger@rivosinc.com>
[ Upstream commit 5014396af9bbac0f28d9afee7eae405206d01ee7 ]
Adding kprobes on some assembly functions (mainly exception handling)
will result in crashes (either recursive trap or panic). To avoid such
errors, add ASM_NOKPROBE() macro which allow adding specific symbols
into the __kprobe_blacklist section and use to blacklist the following
symbols that showed to be problematic:
- handle_exception()
- ret_from_exception()
- handle_kernel_stack_overflow()
Signed-off-by: Clément Léger <cleger@rivosinc.com>
Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
Link: https://lore.kernel.org/r/20231004131009.409193-1-cleger@rivosinc.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/include/asm/asm.h | 10 ++++++++++
arch/riscv/kernel/entry.S | 3 +++
2 files changed, 13 insertions(+)
diff --git a/arch/riscv/include/asm/asm.h b/arch/riscv/include/asm/asm.h
index bfb4c26f113c4..b5b84c6be01e1 100644
--- a/arch/riscv/include/asm/asm.h
+++ b/arch/riscv/include/asm/asm.h
@@ -164,6 +164,16 @@
REG_L x31, PT_T6(sp)
.endm
+/* Annotate a function as being unsuitable for kprobes. */
+#ifdef CONFIG_KPROBES
+#define ASM_NOKPROBE(name) \
+ .pushsection "_kprobe_blacklist", "aw"; \
+ RISCV_PTR name; \
+ .popsection
+#else
+#define ASM_NOKPROBE(name)
+#endif
+
#endif /* __ASSEMBLY__ */
#endif /* _ASM_RISCV_ASM_H */
diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
index 278d01d2911fd..ed7baf2cf7e87 100644
--- a/arch/riscv/kernel/entry.S
+++ b/arch/riscv/kernel/entry.S
@@ -105,6 +105,7 @@ _save_context:
1:
tail do_trap_unknown
SYM_CODE_END(handle_exception)
+ASM_NOKPROBE(handle_exception)
/*
* The ret_from_exception must be called with interrupt disabled. Here is the
@@ -171,6 +172,7 @@ SYM_CODE_START_NOALIGN(ret_from_exception)
sret
#endif
SYM_CODE_END(ret_from_exception)
+ASM_NOKPROBE(ret_from_exception)
#ifdef CONFIG_VMAP_STACK
SYM_CODE_START_LOCAL(handle_kernel_stack_overflow)
@@ -206,6 +208,7 @@ SYM_CODE_START_LOCAL(handle_kernel_stack_overflow)
move a0, sp
tail handle_bad_stack
SYM_CODE_END(handle_kernel_stack_overflow)
+ASM_NOKPROBE(handle_kernel_stack_overflow)
#endif
SYM_CODE_START(ret_from_fork)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 161/341] kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 160/341] riscv: blacklist assembly symbols for kprobe Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 162/341] media: pci: cx23885: check cx23885_vdev_init() return Greg Kroah-Hartman
` (192 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Neel Natu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neel Natu <neelnatu@google.com>
[ Upstream commit 05d8f255867e3196565bb31a911a437697fab094 ]
Prior to this change 'on->nr_mmapped' tracked the total number of
mmaps across all of its associated open files via kernfs_fop_mmap().
Thus if the file descriptor associated with a kernfs_open_file was
mmapped 10 times then we would have: 'of->mmapped = true' and
'of_on(of)->nr_mmapped = 10'.
The problem is that closing or draining a 'of->mmapped' file would
only decrement one from the 'of_on(of)->nr_mmapped' counter.
For e.g. we have this from kernfs_unlink_open_file():
if (of->mmapped)
on->nr_mmapped--;
The WARN_ON_ONCE(on->nr_mmapped) in kernfs_drain_open_files() is
easy to reproduce by:
1. opening a (mmap-able) kernfs file.
2. mmap-ing that file more than once (mapping just once masks the issue).
3. trigger a drain of that kernfs file.
Modulo out-of-tree patches I was able to trigger this reliably by
identifying pci device nodes in sysfs that have resource regions
that are mmap-able and that don't have any driver attached to them
(steps 1 and 2). For step 3 we can "echo 1 > remove" to trigger a
kernfs_drain.
Signed-off-by: Neel Natu <neelnatu@google.com>
Link: https://lore.kernel.org/r/20240127234636.609265-1-neelnatu@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/kernfs/file.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
index 180906c36f515..332d08d2fe0d5 100644
--- a/fs/kernfs/file.c
+++ b/fs/kernfs/file.c
@@ -532,9 +532,11 @@ static int kernfs_fop_mmap(struct file *file, struct vm_area_struct *vma)
goto out_put;
rc = 0;
- of->mmapped = true;
- of_on(of)->nr_mmapped++;
- of->vm_ops = vma->vm_ops;
+ if (!of->mmapped) {
+ of->mmapped = true;
+ of_on(of)->nr_mmapped++;
+ of->vm_ops = vma->vm_ops;
+ }
vma->vm_ops = &kernfs_vm_ops;
out_put:
kernfs_put_active(of->kn);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 162/341] media: pci: cx23885: check cx23885_vdev_init() return
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 161/341] kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 163/341] fs: binfmt_elf_efpic: dont use missing interpreters properties Greg Kroah-Hartman
` (191 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Sicong Huang,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[ Upstream commit 15126b916e39b0cb67026b0af3c014bfeb1f76b3 ]
cx23885_vdev_init() can return a NULL pointer, but that pointer
is used in the next line without a check.
Add a NULL pointer check and go to the error unwind if it is NULL.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: Sicong Huang <huangsicong@iie.ac.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/pci/cx23885/cx23885-video.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c
index 9af2c5596121c..51d7d720ec48b 100644
--- a/drivers/media/pci/cx23885/cx23885-video.c
+++ b/drivers/media/pci/cx23885/cx23885-video.c
@@ -1354,6 +1354,10 @@ int cx23885_video_register(struct cx23885_dev *dev)
/* register Video device */
dev->video_dev = cx23885_vdev_init(dev, dev->pci,
&cx23885_video_template, "video");
+ if (!dev->video_dev) {
+ err = -ENOMEM;
+ goto fail_unreg;
+ }
dev->video_dev->queue = &dev->vb2_vidq;
dev->video_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
V4L2_CAP_AUDIO | V4L2_CAP_VIDEO_CAPTURE;
@@ -1382,6 +1386,10 @@ int cx23885_video_register(struct cx23885_dev *dev)
/* register VBI device */
dev->vbi_dev = cx23885_vdev_init(dev, dev->pci,
&cx23885_vbi_template, "vbi");
+ if (!dev->vbi_dev) {
+ err = -ENOMEM;
+ goto fail_unreg;
+ }
dev->vbi_dev->queue = &dev->vb2_vbiq;
dev->vbi_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
V4L2_CAP_AUDIO | V4L2_CAP_VBI_CAPTURE;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 163/341] fs: binfmt_elf_efpic: dont use missing interpreters properties
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 162/341] media: pci: cx23885: check cx23885_vdev_init() return Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 164/341] scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() Greg Kroah-Hartman
` (190 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Max Filippov, Kees Cook, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Filippov <jcmvbkbc@gmail.com>
[ Upstream commit 15fd1dc3dadb4268207fa6797e753541aca09a2a ]
Static FDPIC executable may get an executable stack even when it has
non-executable GNU_STACK segment. This happens when STACK segment has rw
permissions, but does not specify stack size. In that case FDPIC loader
uses permissions of the interpreter's stack, and for static executables
with no interpreter it results in choosing the arch-default permissions
for the stack.
Fix that by using the interpreter's properties only when the interpreter
is actually used.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Link: https://lore.kernel.org/r/20240118150637.660461-1-jcmvbkbc@gmail.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/binfmt_elf_fdpic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
index 206812ce544ae..96a8b13b57d96 100644
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -320,7 +320,7 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm)
else
executable_stack = EXSTACK_DEFAULT;
- if (stack_size == 0) {
+ if (stack_size == 0 && interp_params.flags & ELF_FDPIC_FLAG_PRESENT) {
stack_size = interp_params.stack_size;
if (interp_params.flags & ELF_FDPIC_FLAG_EXEC_STACK)
executable_stack = EXSTACK_ENABLE_X;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 164/341] scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 163/341] fs: binfmt_elf_efpic: dont use missing interpreters properties Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 165/341] media: drivers/media/dvb-core: copy user arrays safely Greg Kroah-Hartman
` (189 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Tee, Himanshu Madhani,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Tee <justin.tee@broadcom.com>
[ Upstream commit 3d0f9342ae200aa1ddc4d6e7a573c6f8f068d994 ]
A static code analyzer tool indicates that the local variable called status
in the lpfc_sli4_repost_sgl_list() routine could be used to print garbage
uninitialized values in the routine's log message.
Fix by initializing to zero.
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20240131185112.149731-2-justintee8345@gmail.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_sli.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 5af669b930193..9cd22588c8eb3 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -7577,7 +7577,7 @@ lpfc_sli4_repost_sgl_list(struct lpfc_hba *phba,
struct lpfc_sglq *sglq_entry = NULL;
struct lpfc_sglq *sglq_entry_next = NULL;
struct lpfc_sglq *sglq_entry_first = NULL;
- int status, total_cnt;
+ int status = 0, total_cnt;
int post_cnt = 0, num_posted = 0, block_cnt = 0;
int last_xritag = NO_XRI;
LIST_HEAD(prep_sgl_list);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 165/341] media: drivers/media/dvb-core: copy user arrays safely
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 164/341] scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 166/341] wifi: iwlwifi: mvm: avoid garbage iPN Greg Kroah-Hartman
` (188 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Airlie, Philipp Stanner,
Mauro Carvalho Chehab, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philipp Stanner <pstanner@redhat.com>
[ Upstream commit 102fb77c2deb0df3683ef8ff7a6f4cf91dc456e2 ]
At several positions in dvb_frontend.c, memdup_user() is utilized to
copy userspace arrays. This is done without overflow checks.
Use the new wrapper memdup_array_user() to copy the arrays more safely.
Link: https://lore.kernel.org/linux-media/20231102191633.52592-2-pstanner@redhat.com
Suggested-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-core/dvb_frontend.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
index 9293b058ab997..93d3378a0df4b 100644
--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -2168,7 +2168,8 @@ static int dvb_frontend_handle_compat_ioctl(struct file *file, unsigned int cmd,
if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
return -EINVAL;
- tvp = memdup_user(compat_ptr(tvps->props), tvps->num * sizeof(*tvp));
+ tvp = memdup_array_user(compat_ptr(tvps->props),
+ tvps->num, sizeof(*tvp));
if (IS_ERR(tvp))
return PTR_ERR(tvp);
@@ -2199,7 +2200,8 @@ static int dvb_frontend_handle_compat_ioctl(struct file *file, unsigned int cmd,
if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
return -EINVAL;
- tvp = memdup_user(compat_ptr(tvps->props), tvps->num * sizeof(*tvp));
+ tvp = memdup_array_user(compat_ptr(tvps->props),
+ tvps->num, sizeof(*tvp));
if (IS_ERR(tvp))
return PTR_ERR(tvp);
@@ -2379,7 +2381,8 @@ static int dvb_get_property(struct dvb_frontend *fe, struct file *file,
if (!tvps->num || tvps->num > DTV_IOCTL_MAX_MSGS)
return -EINVAL;
- tvp = memdup_user((void __user *)tvps->props, tvps->num * sizeof(*tvp));
+ tvp = memdup_array_user((void __user *)tvps->props,
+ tvps->num, sizeof(*tvp));
if (IS_ERR(tvp))
return PTR_ERR(tvp);
@@ -2457,7 +2460,8 @@ static int dvb_frontend_handle_ioctl(struct file *file,
if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
return -EINVAL;
- tvp = memdup_user((void __user *)tvps->props, tvps->num * sizeof(*tvp));
+ tvp = memdup_array_user((void __user *)tvps->props,
+ tvps->num, sizeof(*tvp));
if (IS_ERR(tvp))
return PTR_ERR(tvp);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 166/341] wifi: iwlwifi: mvm: avoid garbage iPN
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 165/341] media: drivers/media/dvb-core: copy user arrays safely Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 167/341] net/sun3_82586: Avoid reading past buffer in debug output Greg Kroah-Hartman
` (187 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shaul Triebitz, Miri Korenblit,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shaul Triebitz <shaul.triebitz@intel.com>
[ Upstream commit 0c1c91604f3e3fc41f4d77dcfc3753860a9a32c9 ]
After waking from D3, we set the iPN given by the firmware.
For some reason, CIPHER_SUITE_AES_CMAC was missed.
That caused copying garbage to the iPN - causing false replays.
(since 'seq' is on the stack, and the iPN from the firmware
was not copied into it, it contains garbage which later is
copied to the iPN key).
Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240205211151.2be5b35be30f.I99db8700d01092d22a6d76f1fc1bd5916c9df784@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
index 9c89f0dd69c86..08d1fab7f53c3 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
@@ -1849,9 +1849,12 @@ iwl_mvm_d3_set_igtk_bigtk_ipn(const struct iwl_multicast_key_data *key,
memcpy(seq->aes_gmac.pn, key->ipn, sizeof(seq->aes_gmac.pn));
break;
case WLAN_CIPHER_SUITE_BIP_CMAC_256:
+ case WLAN_CIPHER_SUITE_AES_CMAC:
BUILD_BUG_ON(sizeof(seq->aes_cmac.pn) != sizeof(key->ipn));
memcpy(seq->aes_cmac.pn, key->ipn, sizeof(seq->aes_cmac.pn));
break;
+ default:
+ WARN_ON(1);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 167/341] net/sun3_82586: Avoid reading past buffer in debug output
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 166/341] wifi: iwlwifi: mvm: avoid garbage iPN Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 168/341] drm/lima: set gp bus_stop bit before hard reset Greg Kroah-Hartman
` (186 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Creasey, Kees Cook, Simon Horman,
Gustavo A. R. Silva, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 4bea747f3fbec33c16d369b2f51e55981d7c78d0 ]
Since NUM_XMIT_BUFFS is always 1, building m68k with sun3_defconfig and
-Warraybounds, this build warning is visible[1]:
drivers/net/ethernet/i825xx/sun3_82586.c: In function 'sun3_82586_timeout':
drivers/net/ethernet/i825xx/sun3_82586.c:990:122: warning: array subscript 1 is above array bounds of 'volatile struct transmit_cmd_struct *[1]' [-Warray-bounds=]
990 | printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status));
| ~~~~~~~~~~~~^~~
...
drivers/net/ethernet/i825xx/sun3_82586.c:156:46: note: while referencing 'xmit_cmds'
156 | volatile struct transmit_cmd_struct *xmit_cmds[NUM_XMIT_BUFFS];
Avoid accessing index 1 since it doesn't exist.
Link: https://github.com/KSPP/linux/issues/325 [1]
Cc: Sam Creasey <sammy@sammy.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Simon Horman <horms@kernel.org> # build-tested
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20240206161651.work.876-kees@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/i825xx/sun3_82586.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/i825xx/sun3_82586.c b/drivers/net/ethernet/i825xx/sun3_82586.c
index 5e27470c6b1ef..f2d4669c81cf2 100644
--- a/drivers/net/ethernet/i825xx/sun3_82586.c
+++ b/drivers/net/ethernet/i825xx/sun3_82586.c
@@ -987,7 +987,7 @@ static void sun3_82586_timeout(struct net_device *dev, unsigned int txqueue)
{
#ifdef DEBUG
printk("%s: xmitter timed out, try to restart! stat: %02x\n",dev->name,p->scb->cus);
- printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status));
+ printk("%s: command-stats: %04x\n", dev->name, swab16(p->xmit_cmds[0]->cmd_status));
printk("%s: check, whether you set the right interrupt number!\n",dev->name);
#endif
sun3_82586_close(dev);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 168/341] drm/lima: set gp bus_stop bit before hard reset
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 167/341] net/sun3_82586: Avoid reading past buffer in debug output Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 169/341] gpio: sysfs: extend the critical section for unregistering sysfs devices Greg Kroah-Hartman
` (185 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Erico Nunes, Qiang Yu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erico Nunes <nunes.erico@gmail.com>
[ Upstream commit 27aa58ec85f973d98d336df7b7941149308db80f ]
This is required for reliable hard resets. Otherwise, doing a hard reset
while a task is still running (such as a task which is being stopped by
the drm_sched timeout handler) may result in random mmu write timeouts
or lockups which cause the entire gpu to hang.
Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
Signed-off-by: Qiang Yu <yuq825@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240124025947.2110659-5-nunes.erico@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/lima/lima_gp.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c
index ca3842f719842..82071835ec9ed 100644
--- a/drivers/gpu/drm/lima/lima_gp.c
+++ b/drivers/gpu/drm/lima/lima_gp.c
@@ -166,6 +166,11 @@ static void lima_gp_task_run(struct lima_sched_pipe *pipe,
gp_write(LIMA_GP_CMD, cmd);
}
+static int lima_gp_bus_stop_poll(struct lima_ip *ip)
+{
+ return !!(gp_read(LIMA_GP_STATUS) & LIMA_GP_STATUS_BUS_STOPPED);
+}
+
static int lima_gp_hard_reset_poll(struct lima_ip *ip)
{
gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC01A0000);
@@ -179,6 +184,13 @@ static int lima_gp_hard_reset(struct lima_ip *ip)
gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC0FFE000);
gp_write(LIMA_GP_INT_MASK, 0);
+
+ gp_write(LIMA_GP_CMD, LIMA_GP_CMD_STOP_BUS);
+ ret = lima_poll_timeout(ip, lima_gp_bus_stop_poll, 10, 100);
+ if (ret) {
+ dev_err(dev->dev, "%s bus stop timeout\n", lima_ip_name(ip));
+ return ret;
+ }
gp_write(LIMA_GP_CMD, LIMA_GP_CMD_RESET);
ret = lima_poll_timeout(ip, lima_gp_hard_reset_poll, 10, 100);
if (ret) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 169/341] gpio: sysfs: extend the critical section for unregistering sysfs devices
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 168/341] drm/lima: set gp bus_stop bit before hard reset Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 170/341] hrtimer: Select housekeeping CPU during migration Greg Kroah-Hartman
` (184 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Linus Walleij,
Andy Shevchenko, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit 59cba4a0e6ca1058fbf88fec22530a4e2841802a ]
Checking the gdev->mockdev pointer for NULL must be part of the critical
section.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-sysfs.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/drivers/gpio/gpiolib-sysfs.c b/drivers/gpio/gpiolib-sysfs.c
index 12d853845bb80..6c27312c62788 100644
--- a/drivers/gpio/gpiolib-sysfs.c
+++ b/drivers/gpio/gpiolib-sysfs.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0
#include <linux/bitops.h>
+#include <linux/cleanup.h>
#include <linux/device.h>
#include <linux/idr.h>
#include <linux/init.h>
@@ -774,15 +775,15 @@ void gpiochip_sysfs_unregister(struct gpio_device *gdev)
struct gpio_desc *desc;
struct gpio_chip *chip = gdev->chip;
- if (!gdev->mockdev)
- return;
+ scoped_guard(mutex, &sysfs_lock) {
+ if (!gdev->mockdev)
+ return;
- device_unregister(gdev->mockdev);
+ device_unregister(gdev->mockdev);
- /* prevent further gpiod exports */
- mutex_lock(&sysfs_lock);
- gdev->mockdev = NULL;
- mutex_unlock(&sysfs_lock);
+ /* prevent further gpiod exports */
+ gdev->mockdev = NULL;
+ }
/* unregister gpiod class devices owned by sysfs */
for_each_gpio_desc_with_flag(chip, desc, FLAG_SYSFS) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 170/341] hrtimer: Select housekeeping CPU during migration
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 169/341] gpio: sysfs: extend the critical section for unregistering sysfs devices Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 171/341] virtiofs: forbid newlines in tags Greg Kroah-Hartman
` (183 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Costa Shulyupin,
Thomas Gleixner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Costa Shulyupin <costa.shul@redhat.com>
[ Upstream commit 56c2cb10120894be40c40a9bf0ce798da14c50f6 ]
During CPU-down hotplug, hrtimers may migrate to isolated CPUs,
compromising CPU isolation.
Address this issue by masking valid CPUs for hrtimers using
housekeeping_cpumask(HK_TYPE_TIMER).
Suggested-by: Waiman Long <longman@redhat.com>
Signed-off-by: Costa Shulyupin <costa.shul@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Waiman Long <longman@redhat.com>
Link: https://lore.kernel.org/r/20240222200856.569036-1-costa.shul@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/hrtimer.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index edb0f821dceaa..6057fe2e179b0 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -38,6 +38,7 @@
#include <linux/sched/deadline.h>
#include <linux/sched/nohz.h>
#include <linux/sched/debug.h>
+#include <linux/sched/isolation.h>
#include <linux/timer.h>
#include <linux/freezer.h>
#include <linux/compat.h>
@@ -2223,8 +2224,8 @@ static void migrate_hrtimer_list(struct hrtimer_clock_base *old_base,
int hrtimers_cpu_dying(unsigned int dying_cpu)
{
+ int i, ncpu = cpumask_any_and(cpu_active_mask, housekeeping_cpumask(HK_TYPE_TIMER));
struct hrtimer_cpu_base *old_base, *new_base;
- int i, ncpu = cpumask_first(cpu_active_mask);
tick_cancel_sched_timer(dying_cpu);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 171/341] virtiofs: forbid newlines in tags
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 170/341] hrtimer: Select housekeeping CPU during migration Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 172/341] accel/habanalabs: fix debugfs files permissions Greg Kroah-Hartman
` (182 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Hajnoczi, Vivek Goyal,
Miklos Szeredi, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Hajnoczi <stefanha@redhat.com>
[ Upstream commit 40488cc16f7ea0d193a4e248f0d809c25cc377db ]
Newlines in virtiofs tags are awkward for users and potential vectors
for string injection attacks.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/virtio_fs.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
index 5f1be1da92ce9..d84dacbdce2c9 100644
--- a/fs/fuse/virtio_fs.c
+++ b/fs/fuse/virtio_fs.c
@@ -323,6 +323,16 @@ static int virtio_fs_read_tag(struct virtio_device *vdev, struct virtio_fs *fs)
return -ENOMEM;
memcpy(fs->tag, tag_buf, len);
fs->tag[len] = '\0';
+
+ /* While the VIRTIO specification allows any character, newlines are
+ * awkward on mount(8) command-lines and cause problems in the sysfs
+ * "tag" attr and uevent TAG= properties. Forbid them.
+ */
+ if (strchr(fs->tag, '\n')) {
+ dev_dbg(&vdev->dev, "refusing virtiofs tag with newline character\n");
+ return -EINVAL;
+ }
+
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 172/341] accel/habanalabs: fix debugfs files permissions
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 171/341] virtiofs: forbid newlines in tags Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 173/341] clocksource/drivers/arm_global_timer: Guard against division by zero Greg Kroah-Hartman
` (181 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Avri Kehat, Oded Gabbay,
Carl Vanderlip, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Avri Kehat <akehat@habana.ai>
[ Upstream commit 0b105a2a7225f2736bd07aca0538cd67f09bfa20 ]
debugfs files are created with permissions that don't align
with the access requirements.
Signed-off-by: Avri Kehat <akehat@habana.ai>
Reviewed-by: Oded Gabbay <ogabbay@kernel.org>
Reviewed-by: Carl Vanderlip <quic_carlv@quicinc.com>
Signed-off-by: Oded Gabbay <ogabbay@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/accel/habanalabs/common/debugfs.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/accel/habanalabs/common/debugfs.c b/drivers/accel/habanalabs/common/debugfs.c
index 9e84a47a21dcf..7d733e4d50611 100644
--- a/drivers/accel/habanalabs/common/debugfs.c
+++ b/drivers/accel/habanalabs/common/debugfs.c
@@ -1645,19 +1645,19 @@ static void add_files_to_device(struct hl_device *hdev, struct hl_dbg_device_ent
&hl_data64b_fops);
debugfs_create_file("set_power_state",
- 0200,
+ 0644,
root,
dev_entry,
&hl_power_fops);
debugfs_create_file("device",
- 0200,
+ 0644,
root,
dev_entry,
&hl_device_fops);
debugfs_create_file("clk_gate",
- 0200,
+ 0644,
root,
dev_entry,
&hl_clk_gate_fops);
@@ -1669,13 +1669,13 @@ static void add_files_to_device(struct hl_device *hdev, struct hl_dbg_device_ent
&hl_stop_on_err_fops);
debugfs_create_file("dump_security_violations",
- 0644,
+ 0400,
root,
dev_entry,
&hl_security_violations_fops);
debugfs_create_file("dump_razwi_events",
- 0644,
+ 0400,
root,
dev_entry,
&hl_razwi_check_fops);
@@ -1708,7 +1708,7 @@ static void add_files_to_device(struct hl_device *hdev, struct hl_dbg_device_ent
&hdev->reset_info.skip_reset_on_timeout);
debugfs_create_file("state_dump",
- 0600,
+ 0644,
root,
dev_entry,
&hl_state_dump_fops);
@@ -1726,7 +1726,7 @@ static void add_files_to_device(struct hl_device *hdev, struct hl_dbg_device_ent
for (i = 0, entry = dev_entry->entry_arr ; i < count ; i++, entry++) {
debugfs_create_file(hl_debugfs_list[i].name,
- 0444,
+ 0644,
root,
entry,
&hl_debugfs_fops);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 173/341] clocksource/drivers/arm_global_timer: Guard against division by zero
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 172/341] accel/habanalabs: fix debugfs files permissions Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 174/341] tick: Move got_idle_tick away from common flags Greg Kroah-Hartman
` (180 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Blumenstingl, Daniel Lezcano,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[ Upstream commit e651f2fae33634175fae956d896277cf916f5d09 ]
The result of the division of new_rate by gt_target_rate can be zero (if
new_rate is smaller than gt_target_rate). Using that result as divisor
without checking can result in a division by zero error. Guard against
this by checking for a zero value earlier.
While here, also change the psv variable to an unsigned long to make
sure we don't overflow the datatype as all other types involved are also
unsiged long.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://lore.kernel.org/r/20240225151336.2728533-3-martin.blumenstingl@googlemail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/arm_global_timer.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/clocksource/arm_global_timer.c b/drivers/clocksource/arm_global_timer.c
index e1c773bb55359..22a58d35a41fa 100644
--- a/drivers/clocksource/arm_global_timer.c
+++ b/drivers/clocksource/arm_global_timer.c
@@ -290,18 +290,17 @@ static int gt_clk_rate_change_cb(struct notifier_block *nb,
switch (event) {
case PRE_RATE_CHANGE:
{
- int psv;
+ unsigned long psv;
- psv = DIV_ROUND_CLOSEST(ndata->new_rate,
- gt_target_rate);
-
- if (abs(gt_target_rate - (ndata->new_rate / psv)) > MAX_F_ERR)
+ psv = DIV_ROUND_CLOSEST(ndata->new_rate, gt_target_rate);
+ if (!psv ||
+ abs(gt_target_rate - (ndata->new_rate / psv)) > MAX_F_ERR)
return NOTIFY_BAD;
psv--;
/* prescaler within legal range? */
- if (psv < 0 || psv > GT_CONTROL_PRESCALER_MAX)
+ if (psv > GT_CONTROL_PRESCALER_MAX)
return NOTIFY_BAD;
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 174/341] tick: Move got_idle_tick away from common flags
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 173/341] clocksource/drivers/arm_global_timer: Guard against division by zero Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 175/341] netlink: hold nlk->cb_mutex longer in __netlink_dump_start() Greg Kroah-Hartman
` (179 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frederic Weisbecker, Thomas Gleixner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frederic Weisbecker <frederic@kernel.org>
[ Upstream commit 3ce74f1a8566dbbc9774f85fb0ce781fe290fd32 ]
tick_nohz_idle_got_tick() is called by cpuidle_reflect() within the idle
loop with interrupts enabled. This function modifies the struct
tick_sched's bitfield "got_idle_tick". However this bitfield is stored
within the same mask as other bitfields that can be modified from
interrupts.
Fortunately so far it looks like the only race that can happen is while
writing ->got_idle_tick to 0, an interrupt fires and writes the
->idle_active field to 0. It's then possible that the interrupted write
to ->got_idle_tick writes back the old value of ->idle_active back to 1.
However if that happens, the worst possible outcome is that the time
spent between that interrupt and the upcoming call to
tick_nohz_idle_exit() is accounted as idle, which is negligible quantity.
Still all the bitfield writes within this struct tick_sched's shadow
mask should be IRQ-safe. Therefore move this bitfield out to its own
storage to avoid further suprises.
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20240225225508.11587-12-frederic@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/tick-sched.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/tick-sched.h b/kernel/time/tick-sched.h
index 5ed5a9d41d5a7..03a586e12cf89 100644
--- a/kernel/time/tick-sched.h
+++ b/kernel/time/tick-sched.h
@@ -61,7 +61,6 @@ struct tick_sched {
unsigned int tick_stopped : 1;
unsigned int idle_active : 1;
unsigned int do_timer_last : 1;
- unsigned int got_idle_tick : 1;
/* Tick handling: jiffies stall check */
unsigned int stalled_jiffies;
@@ -73,6 +72,7 @@ struct tick_sched {
ktime_t next_tick;
unsigned long idle_jiffies;
ktime_t idle_waketime;
+ unsigned int got_idle_tick;
/* Idle entry */
seqcount_t idle_sleeptime_seq;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 175/341] netlink: hold nlk->cb_mutex longer in __netlink_dump_start()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 174/341] tick: Move got_idle_tick away from common flags Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 176/341] md: clean up invalid BUG_ON in md_ioctl Greg Kroah-Hartman
` (178 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jiri Pirko,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit b5590270068c4324dac4a2b5a4a156e02e21339f ]
__netlink_dump_start() releases nlk->cb_mutex right before
calling netlink_dump() which grabs it again.
This seems dangerous, even if KASAN did not bother yet.
Add a @lock_taken parameter to netlink_dump() to let it
grab the mutex if called from netlink_recvmsg() only.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netlink/af_netlink.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 6ae782efb1ee3..db49fc4d42cf7 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -130,7 +130,7 @@ static const char *const nlk_cb_mutex_key_strings[MAX_LINKS + 1] = {
"nlk_cb_mutex-MAX_LINKS"
};
-static int netlink_dump(struct sock *sk);
+static int netlink_dump(struct sock *sk, bool lock_taken);
/* nl_table locking explained:
* Lookup and traversal are protected with an RCU read-side lock. Insertion
@@ -1989,7 +1989,7 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
if (READ_ONCE(nlk->cb_running) &&
atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) {
- ret = netlink_dump(sk);
+ ret = netlink_dump(sk, false);
if (ret) {
WRITE_ONCE(sk->sk_err, -ret);
sk_error_report(sk);
@@ -2198,7 +2198,7 @@ static int netlink_dump_done(struct netlink_sock *nlk, struct sk_buff *skb,
return 0;
}
-static int netlink_dump(struct sock *sk)
+static int netlink_dump(struct sock *sk, bool lock_taken)
{
struct netlink_sock *nlk = nlk_sk(sk);
struct netlink_ext_ack extack = {};
@@ -2210,7 +2210,8 @@ static int netlink_dump(struct sock *sk)
int alloc_min_size;
int alloc_size;
- mutex_lock(nlk->cb_mutex);
+ if (!lock_taken)
+ mutex_lock(nlk->cb_mutex);
if (!nlk->cb_running) {
err = -EINVAL;
goto errout_skb;
@@ -2367,9 +2368,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
WRITE_ONCE(nlk->cb_running, true);
nlk->dump_done_errno = INT_MAX;
- mutex_unlock(nlk->cb_mutex);
-
- ret = netlink_dump(sk);
+ ret = netlink_dump(sk, true);
sock_put(sk);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 176/341] md: clean up invalid BUG_ON in md_ioctl
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 175/341] netlink: hold nlk->cb_mutex longer in __netlink_dump_start() Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 177/341] x86: Increase brk randomness entropy for 64-bit systems Greg Kroah-Hartman
` (177 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Nan, Yu Kuai, Song Liu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Nan <linan122@huawei.com>
[ Upstream commit 9dd8702e7cd28ebf076ff838933f29cf671165ec ]
'disk->private_data' is set to mddev in md_alloc() and never set to NULL,
and users need to open mddev before submitting ioctl. So mddev must not
have been freed during ioctl, and there is no need to check mddev here.
Clean up it.
Signed-off-by: Li Nan <linan122@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20240226031444.3606764-4-linan666@huaweicloud.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 35b003b83ef1b..d1f6770c5cc09 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -7652,11 +7652,6 @@ static int md_ioctl(struct block_device *bdev, blk_mode_t mode,
mddev = bdev->bd_disk->private_data;
- if (!mddev) {
- BUG();
- goto out;
- }
-
/* Some actions do not requires the mutex */
switch (cmd) {
case GET_ARRAY_INFO:
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 177/341] x86: Increase brk randomness entropy for 64-bit systems
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 176/341] md: clean up invalid BUG_ON in md_ioctl Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 178/341] memory: stm32-fmc2-ebi: check regmap_read return value Greg Kroah-Hartman
` (176 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, y0un9n132, Kees Cook,
Thomas Gleixner, Jiri Kosina, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 44c76825d6eefee9eb7ce06c38e1a6632ac7eb7d ]
In commit c1d171a00294 ("x86: randomize brk"), arch_randomize_brk() was
defined to use a 32MB range (13 bits of entropy), but was never increased
when moving to 64-bit. The default arch_randomize_brk() uses 32MB for
32-bit tasks, and 1GB (18 bits of entropy) for 64-bit tasks.
Update x86_64 to match the entropy used by arm64 and other 64-bit
architectures.
Reported-by: y0un9n132@gmail.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Jiri Kosina <jkosina@suse.com>
Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
Link: https://lore.kernel.org/r/20240217062545.1631668-1-keescook@chromium.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/process.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index b6f4e8399fca2..5351f293f770b 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -1030,7 +1030,10 @@ unsigned long arch_align_stack(unsigned long sp)
unsigned long arch_randomize_brk(struct mm_struct *mm)
{
- return randomize_page(mm->brk, 0x02000000);
+ if (mmap_is_ia32())
+ return randomize_page(mm->brk, SZ_32M);
+
+ return randomize_page(mm->brk, SZ_1G);
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 178/341] memory: stm32-fmc2-ebi: check regmap_read return value
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 177/341] x86: Increase brk randomness entropy for 64-bit systems Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 179/341] parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 Greg Kroah-Hartman
` (175 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Kerello,
Krzysztof Kozlowski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Kerello <christophe.kerello@foss.st.com>
[ Upstream commit 722463f73bcf65a8c818752a38c14ee672c77da1 ]
Check regmap_read return value to avoid to use uninitialized local
variables.
Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
Link: https://lore.kernel.org/r/20240226101428.37791-3-christophe.kerello@foss.st.com
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/stm32-fmc2-ebi.c | 122 +++++++++++++++++++++++---------
1 file changed, 88 insertions(+), 34 deletions(-)
diff --git a/drivers/memory/stm32-fmc2-ebi.c b/drivers/memory/stm32-fmc2-ebi.c
index 9015e8277dc8a..871f3de69102e 100644
--- a/drivers/memory/stm32-fmc2-ebi.c
+++ b/drivers/memory/stm32-fmc2-ebi.c
@@ -181,8 +181,11 @@ static int stm32_fmc2_ebi_check_mux(struct stm32_fmc2_ebi *ebi,
int cs)
{
u32 bcr;
+ int ret;
- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ if (ret)
+ return ret;
if (bcr & FMC2_BCR_MTYP)
return 0;
@@ -195,8 +198,11 @@ static int stm32_fmc2_ebi_check_waitcfg(struct stm32_fmc2_ebi *ebi,
int cs)
{
u32 bcr, val = FIELD_PREP(FMC2_BCR_MTYP, FMC2_BCR_MTYP_NOR);
+ int ret;
- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ if (ret)
+ return ret;
if ((bcr & FMC2_BCR_MTYP) == val && bcr & FMC2_BCR_BURSTEN)
return 0;
@@ -209,8 +215,11 @@ static int stm32_fmc2_ebi_check_sync_trans(struct stm32_fmc2_ebi *ebi,
int cs)
{
u32 bcr;
+ int ret;
- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ if (ret)
+ return ret;
if (bcr & FMC2_BCR_BURSTEN)
return 0;
@@ -223,8 +232,11 @@ static int stm32_fmc2_ebi_check_async_trans(struct stm32_fmc2_ebi *ebi,
int cs)
{
u32 bcr;
+ int ret;
- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ if (ret)
+ return ret;
if (!(bcr & FMC2_BCR_BURSTEN) || !(bcr & FMC2_BCR_CBURSTRW))
return 0;
@@ -237,8 +249,11 @@ static int stm32_fmc2_ebi_check_cpsize(struct stm32_fmc2_ebi *ebi,
int cs)
{
u32 bcr, val = FIELD_PREP(FMC2_BCR_MTYP, FMC2_BCR_MTYP_PSRAM);
+ int ret;
- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ if (ret)
+ return ret;
if ((bcr & FMC2_BCR_MTYP) == val && bcr & FMC2_BCR_BURSTEN)
return 0;
@@ -251,12 +266,18 @@ static int stm32_fmc2_ebi_check_address_hold(struct stm32_fmc2_ebi *ebi,
int cs)
{
u32 bcr, bxtr, val = FIELD_PREP(FMC2_BXTR_ACCMOD, FMC2_BXTR_EXTMOD_D);
+ int ret;
+
+ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ if (ret)
+ return ret;
- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
if (prop->reg_type == FMC2_REG_BWTR)
- regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
+ ret = regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
else
- regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
+ ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
+ if (ret)
+ return ret;
if ((!(bcr & FMC2_BCR_BURSTEN) || !(bcr & FMC2_BCR_CBURSTRW)) &&
((bxtr & FMC2_BXTR_ACCMOD) == val || bcr & FMC2_BCR_MUXEN))
@@ -270,12 +291,19 @@ static int stm32_fmc2_ebi_check_clk_period(struct stm32_fmc2_ebi *ebi,
int cs)
{
u32 bcr, bcr1;
+ int ret;
- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
- if (cs)
- regmap_read(ebi->regmap, FMC2_BCR1, &bcr1);
- else
+ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ if (ret)
+ return ret;
+
+ if (cs) {
+ ret = regmap_read(ebi->regmap, FMC2_BCR1, &bcr1);
+ if (ret)
+ return ret;
+ } else {
bcr1 = bcr;
+ }
if (bcr & FMC2_BCR_BURSTEN && (!cs || !(bcr1 & FMC2_BCR1_CCLKEN)))
return 0;
@@ -307,12 +335,18 @@ static u32 stm32_fmc2_ebi_ns_to_clk_period(struct stm32_fmc2_ebi *ebi,
{
u32 nb_clk_cycles = stm32_fmc2_ebi_ns_to_clock_cycles(ebi, cs, setup);
u32 bcr, btr, clk_period;
+ int ret;
+
+ ret = regmap_read(ebi->regmap, FMC2_BCR1, &bcr);
+ if (ret)
+ return ret;
- regmap_read(ebi->regmap, FMC2_BCR1, &bcr);
if (bcr & FMC2_BCR1_CCLKEN || !cs)
- regmap_read(ebi->regmap, FMC2_BTR1, &btr);
+ ret = regmap_read(ebi->regmap, FMC2_BTR1, &btr);
else
- regmap_read(ebi->regmap, FMC2_BTR(cs), &btr);
+ ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &btr);
+ if (ret)
+ return ret;
clk_period = FIELD_GET(FMC2_BTR_CLKDIV, btr) + 1;
@@ -571,11 +605,16 @@ static int stm32_fmc2_ebi_set_address_setup(struct stm32_fmc2_ebi *ebi,
if (ret)
return ret;
- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ if (ret)
+ return ret;
+
if (prop->reg_type == FMC2_REG_BWTR)
- regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
+ ret = regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
else
- regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
+ ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
+ if (ret)
+ return ret;
if ((bxtr & FMC2_BXTR_ACCMOD) == val || bcr & FMC2_BCR_MUXEN)
val = clamp_val(setup, 1, FMC2_BXTR_ADDSET_MAX);
@@ -693,11 +732,14 @@ static int stm32_fmc2_ebi_set_max_low_pulse(struct stm32_fmc2_ebi *ebi,
int cs, u32 setup)
{
u32 old_val, new_val, pcscntr;
+ int ret;
if (setup < 1)
return 0;
- regmap_read(ebi->regmap, FMC2_PCSCNTR, &pcscntr);
+ ret = regmap_read(ebi->regmap, FMC2_PCSCNTR, &pcscntr);
+ if (ret)
+ return ret;
/* Enable counter for the bank */
regmap_update_bits(ebi->regmap, FMC2_PCSCNTR,
@@ -944,17 +986,20 @@ static void stm32_fmc2_ebi_disable_bank(struct stm32_fmc2_ebi *ebi, int cs)
regmap_update_bits(ebi->regmap, FMC2_BCR(cs), FMC2_BCR_MBKEN, 0);
}
-static void stm32_fmc2_ebi_save_setup(struct stm32_fmc2_ebi *ebi)
+static int stm32_fmc2_ebi_save_setup(struct stm32_fmc2_ebi *ebi)
{
unsigned int cs;
+ int ret;
for (cs = 0; cs < FMC2_MAX_EBI_CE; cs++) {
- regmap_read(ebi->regmap, FMC2_BCR(cs), &ebi->bcr[cs]);
- regmap_read(ebi->regmap, FMC2_BTR(cs), &ebi->btr[cs]);
- regmap_read(ebi->regmap, FMC2_BWTR(cs), &ebi->bwtr[cs]);
+ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &ebi->bcr[cs]);
+ ret |= regmap_read(ebi->regmap, FMC2_BTR(cs), &ebi->btr[cs]);
+ ret |= regmap_read(ebi->regmap, FMC2_BWTR(cs), &ebi->bwtr[cs]);
+ if (ret)
+ return ret;
}
- regmap_read(ebi->regmap, FMC2_PCSCNTR, &ebi->pcscntr);
+ return regmap_read(ebi->regmap, FMC2_PCSCNTR, &ebi->pcscntr);
}
static void stm32_fmc2_ebi_set_setup(struct stm32_fmc2_ebi *ebi)
@@ -983,22 +1028,29 @@ static void stm32_fmc2_ebi_disable_banks(struct stm32_fmc2_ebi *ebi)
}
/* NWAIT signal can not be connected to EBI controller and NAND controller */
-static bool stm32_fmc2_ebi_nwait_used_by_ctrls(struct stm32_fmc2_ebi *ebi)
+static int stm32_fmc2_ebi_nwait_used_by_ctrls(struct stm32_fmc2_ebi *ebi)
{
+ struct device *dev = ebi->dev;
unsigned int cs;
u32 bcr;
+ int ret;
for (cs = 0; cs < FMC2_MAX_EBI_CE; cs++) {
if (!(ebi->bank_assigned & BIT(cs)))
continue;
- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ if (ret)
+ return ret;
+
if ((bcr & FMC2_BCR_WAITEN || bcr & FMC2_BCR_ASYNCWAIT) &&
- ebi->bank_assigned & BIT(FMC2_NAND))
- return true;
+ ebi->bank_assigned & BIT(FMC2_NAND)) {
+ dev_err(dev, "NWAIT signal connected to EBI and NAND controllers\n");
+ return -EINVAL;
+ }
}
- return false;
+ return 0;
}
static void stm32_fmc2_ebi_enable(struct stm32_fmc2_ebi *ebi)
@@ -1085,10 +1137,9 @@ static int stm32_fmc2_ebi_parse_dt(struct stm32_fmc2_ebi *ebi)
return -ENODEV;
}
- if (stm32_fmc2_ebi_nwait_used_by_ctrls(ebi)) {
- dev_err(dev, "NWAIT signal connected to EBI and NAND controllers\n");
- return -EINVAL;
- }
+ ret = stm32_fmc2_ebi_nwait_used_by_ctrls(ebi);
+ if (ret)
+ return ret;
stm32_fmc2_ebi_enable(ebi);
@@ -1133,7 +1184,10 @@ static int stm32_fmc2_ebi_probe(struct platform_device *pdev)
if (ret)
goto err_release;
- stm32_fmc2_ebi_save_setup(ebi);
+ ret = stm32_fmc2_ebi_save_setup(ebi);
+ if (ret)
+ goto err_release;
+
platform_set_drvdata(pdev, ebi);
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 179/341] parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 178/341] memory: stm32-fmc2-ebi: check regmap_read return value Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 180/341] rxrpc: Dont pick values out of the wire header when setting up security Greg Kroah-Hartman
` (174 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
[ Upstream commit 73cb4a2d8d7e0259f94046116727084f21e4599f ]
Use irq*_rcu() functions to fix this kernel warning:
WARNING: CPU: 0 PID: 0 at kernel/context_tracking.c:367 ct_irq_enter+0xa0/0xd0
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc3-64bit+ #1037
Hardware name: 9000/785/C3700
IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000412cd758 00000000412cd75c
IIR: 03ffe01f ISR: 0000000000000000 IOR: 0000000043c20c20
CPU: 0 CR30: 0000000041caa000 CR31: 0000000000000000
ORIG_R28: 0000000000000005
IAOQ[0]: ct_irq_enter+0xa0/0xd0
IAOQ[1]: ct_irq_enter+0xa4/0xd0
RP(r2): irq_enter+0x34/0x68
Backtrace:
[<000000004034a3ec>] irq_enter+0x34/0x68
[<000000004030dc48>] do_cpu_irq_mask+0xc0/0x450
[<0000000040303070>] intr_return+0x0/0xc
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/parisc/kernel/irq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c
index 2f81bfd4f15e1..dff66be65d290 100644
--- a/arch/parisc/kernel/irq.c
+++ b/arch/parisc/kernel/irq.c
@@ -498,7 +498,7 @@ asmlinkage void do_cpu_irq_mask(struct pt_regs *regs)
old_regs = set_irq_regs(regs);
local_irq_disable();
- irq_enter();
+ irq_enter_rcu();
eirr_val = mfctl(23) & cpu_eiem & per_cpu(local_ack_eiem, cpu);
if (!eirr_val)
@@ -533,7 +533,7 @@ asmlinkage void do_cpu_irq_mask(struct pt_regs *regs)
#endif /* CONFIG_IRQSTACKS */
out:
- irq_exit();
+ irq_exit_rcu();
set_irq_regs(old_regs);
return;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 180/341] rxrpc: Dont pick values out of the wire header when setting up security
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 179/341] parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 181/341] f2fs: stop checkpoint when get a out-of-bounds segment Greg Kroah-Hartman
` (173 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
linux-afs, netdev, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit a1c9af4d4467354132417c2d8db10d6e928a7f77 ]
Don't pick values out of the wire header in rxkad when setting up DATA
packet security, but rather use other sources. This makes it easier to get
rid of txb->wire.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rxrpc/rxkad.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c
index 6b32d61d4cdc4..ad6c57a9f27c7 100644
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -259,7 +259,7 @@ static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
_enter("");
- check = txb->seq ^ ntohl(txb->wire.callNumber);
+ check = txb->seq ^ call->call_id;
hdr->data_size = htonl((u32)check << 16 | txb->len);
txb->len += sizeof(struct rxkad_level1_hdr);
@@ -302,7 +302,7 @@ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
_enter("");
- check = txb->seq ^ ntohl(txb->wire.callNumber);
+ check = txb->seq ^ call->call_id;
rxkhdr->data_size = htonl(txb->len | (u32)check << 16);
rxkhdr->checksum = 0;
@@ -362,9 +362,9 @@ static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb)
memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
/* calculate the security checksum */
- x = (ntohl(txb->wire.cid) & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
+ x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
x |= txb->seq & 0x3fffffff;
- crypto.buf[0] = txb->wire.callNumber;
+ crypto.buf[0] = htonl(call->call_id);
crypto.buf[1] = htonl(x);
sg_init_one(&sg, crypto.buf, 8);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 181/341] f2fs: stop checkpoint when get a out-of-bounds segment
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 180/341] rxrpc: Dont pick values out of the wire header when setting up security Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 182/341] powerpc/boot: Handle allocation failure in simple_realloc() Greg Kroah-Hartman
` (172 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhiguo Niu, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiguo Niu <zhiguo.niu@unisoc.com>
[ Upstream commit f9e28904e6442019043a8e94ec6747a064d06003 ]
There is low probability that an out-of-bounds segment will be got
on a small-capacity device. In order to prevent subsequent write requests
allocating block address from this invalid segment, which may cause
unexpected issue, stop checkpoint should be performed.
Also introduce a new stop cp reason: STOP_CP_REASON_NO_SEGMENT.
Note, f2fs_stop_checkpoint(, false) is complex and it may sleep, so we should
move it outside segmap_lock spinlock coverage in get_new_segment().
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/segment.c | 12 +++++++++++-
include/linux/f2fs_fs.h | 1 +
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index 804958c6de34c..50c7537eb2250 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -2646,6 +2646,7 @@ static void get_new_segment(struct f2fs_sb_info *sbi,
unsigned int old_zoneno = GET_ZONE_FROM_SEG(sbi, *newseg);
bool init = true;
int i;
+ int ret = 0;
spin_lock(&free_i->segmap_lock);
@@ -2670,7 +2671,10 @@ static void get_new_segment(struct f2fs_sb_info *sbi,
if (secno >= MAIN_SECS(sbi)) {
secno = find_first_zero_bit(free_i->free_secmap,
MAIN_SECS(sbi));
- f2fs_bug_on(sbi, secno >= MAIN_SECS(sbi));
+ if (secno >= MAIN_SECS(sbi)) {
+ ret = -ENOSPC;
+ goto out_unlock;
+ }
}
segno = GET_SEG_FROM_SEC(sbi, secno);
zoneno = GET_ZONE_FROM_SEC(sbi, secno);
@@ -2700,7 +2704,13 @@ static void get_new_segment(struct f2fs_sb_info *sbi,
f2fs_bug_on(sbi, test_bit(segno, free_i->free_segmap));
__set_inuse(sbi, segno);
*newseg = segno;
+out_unlock:
spin_unlock(&free_i->segmap_lock);
+
+ if (ret) {
+ f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_NO_SEGMENT);
+ f2fs_bug_on(sbi, 1);
+ }
}
static void reset_curseg(struct f2fs_sb_info *sbi, int type, int modified)
diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h
index 3b04657787d09..1352a24d72ef4 100644
--- a/include/linux/f2fs_fs.h
+++ b/include/linux/f2fs_fs.h
@@ -76,6 +76,7 @@ enum stop_cp_reason {
STOP_CP_REASON_CORRUPTED_SUMMARY,
STOP_CP_REASON_UPDATE_INODE,
STOP_CP_REASON_FLUSH_FAIL,
+ STOP_CP_REASON_NO_SEGMENT,
STOP_CP_REASON_MAX,
};
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 182/341] powerpc/boot: Handle allocation failure in simple_realloc()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 181/341] f2fs: stop checkpoint when get a out-of-bounds segment Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 183/341] powerpc/boot: Only free if realloc() succeeds Greg Kroah-Hartman
` (171 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li zeming, Michael Ellerman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li zeming <zeming@nfschina.com>
[ Upstream commit 69b0194ccec033c208b071e019032c1919c2822d ]
simple_malloc() will return NULL when there is not enough memory left.
Check pointer 'new' before using it to copy the old data.
Signed-off-by: Li zeming <zeming@nfschina.com>
[mpe: Reword subject, use change log from Christophe]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20221219021816.3012-1-zeming@nfschina.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/boot/simple_alloc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c
index 267d6524caac4..db9aaa5face3f 100644
--- a/arch/powerpc/boot/simple_alloc.c
+++ b/arch/powerpc/boot/simple_alloc.c
@@ -112,7 +112,9 @@ static void *simple_realloc(void *ptr, unsigned long size)
return ptr;
new = simple_malloc(size);
- memcpy(new, ptr, p->size);
+ if (new)
+ memcpy(new, ptr, p->size);
+
simple_free(ptr);
return new;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 183/341] powerpc/boot: Only free if realloc() succeeds
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 182/341] powerpc/boot: Handle allocation failure in simple_realloc() Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 184/341] btrfs: delayed-inode: drop pointless BUG_ON in __btrfs_remove_delayed_item() Greg Kroah-Hartman
` (170 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Ellerman, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman <mpe@ellerman.id.au>
[ Upstream commit f2d5bccaca3e8c09c9b9c8485375f7bdbb2631d2 ]
simple_realloc() frees the original buffer (ptr) even if the
reallocation failed.
Fix it to behave like standard realloc() and only free the original
buffer if the reallocation succeeded.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240229115149.749264-1-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/boot/simple_alloc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c
index db9aaa5face3f..d07796fdf91aa 100644
--- a/arch/powerpc/boot/simple_alloc.c
+++ b/arch/powerpc/boot/simple_alloc.c
@@ -112,10 +112,11 @@ static void *simple_realloc(void *ptr, unsigned long size)
return ptr;
new = simple_malloc(size);
- if (new)
+ if (new) {
memcpy(new, ptr, p->size);
+ simple_free(ptr);
+ }
- simple_free(ptr);
return new;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 184/341] btrfs: delayed-inode: drop pointless BUG_ON in __btrfs_remove_delayed_item()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 183/341] powerpc/boot: Only free if realloc() succeeds Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 185/341] btrfs: defrag: change BUG_ON to assertion in btrfs_defrag_leaves() Greg Kroah-Hartman
` (169 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, Anand Jain,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit 778e618b8bfedcc39354373c1b072c5fe044fa7b ]
There's a BUG_ON checking for a valid pointer of fs_info::delayed_root
but it is valid since init_mount_fs_info() and has the same lifetime as
fs_info.
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/delayed-inode.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 6d562f18d3f80..12ff91d6f570f 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -425,8 +425,6 @@ static void __btrfs_remove_delayed_item(struct btrfs_delayed_item *delayed_item)
delayed_root = delayed_node->root->fs_info->delayed_root;
- BUG_ON(!delayed_root);
-
if (delayed_item->type == BTRFS_DELAYED_INSERTION_ITEM)
root = &delayed_node->ins_root;
else
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 185/341] btrfs: defrag: change BUG_ON to assertion in btrfs_defrag_leaves()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 184/341] btrfs: delayed-inode: drop pointless BUG_ON in __btrfs_remove_delayed_item() Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 186/341] btrfs: change BUG_ON to assertion when checking for delayed_node root Greg Kroah-Hartman
` (168 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, Anand Jain,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit 51d4be540054be32d7ce28b63ea9b84ac6ff1db2 ]
The BUG_ON verifies a condition that should be guaranteed by the correct
use of the path search (with keep_locks and lowest_level set), an
assertion is the suitable check.
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/defrag.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/defrag.c b/fs/btrfs/defrag.c
index a2e614cf3c19c..e1475dfdf7a8b 100644
--- a/fs/btrfs/defrag.c
+++ b/fs/btrfs/defrag.c
@@ -416,7 +416,7 @@ int btrfs_defrag_leaves(struct btrfs_trans_handle *trans,
* keep_locks set and lowest_level is 1, regardless of the value of
* path->slots[1].
*/
- BUG_ON(path->locks[1] == 0);
+ ASSERT(path->locks[1] != 0);
ret = btrfs_realloc_node(trans, root,
path->nodes[1], 0,
&last_ret,
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 186/341] btrfs: change BUG_ON to assertion when checking for delayed_node root
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 185/341] btrfs: defrag: change BUG_ON to assertion in btrfs_defrag_leaves() Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 187/341] btrfs: tests: allocate dummy fs_info and root in test_find_delalloc() Greg Kroah-Hartman
` (167 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, Anand Jain,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit be73f4448b607e6b7ce41cd8ef2214fdf6e7986f ]
The pointer to root is initialized in btrfs_init_delayed_node(), no need
to check for it again. Change the BUG_ON to assertion.
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/delayed-inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 12ff91d6f570f..32c5f5a8a0e93 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -973,7 +973,7 @@ static void btrfs_release_delayed_inode(struct btrfs_delayed_node *delayed_node)
if (delayed_node &&
test_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags)) {
- BUG_ON(!delayed_node->root);
+ ASSERT(delayed_node->root);
clear_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags);
delayed_node->count--;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 187/341] btrfs: tests: allocate dummy fs_info and root in test_find_delalloc()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 186/341] btrfs: change BUG_ON to assertion when checking for delayed_node root Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 188/341] btrfs: push errors up from add_async_extent() Greg Kroah-Hartman
` (166 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit b2136cc288fce2f24a92f3d656531b2d50ebec5a ]
Allocate fs_info and root to have a valid fs_info pointer in case it's
dereferenced by a helper outside of tests, like find_lock_delalloc_range().
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/tests/extent-io-tests.c | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/fs/btrfs/tests/extent-io-tests.c b/fs/btrfs/tests/extent-io-tests.c
index 1cc86af97dc6e..f4fd3fb7c887b 100644
--- a/fs/btrfs/tests/extent-io-tests.c
+++ b/fs/btrfs/tests/extent-io-tests.c
@@ -11,6 +11,7 @@
#include "btrfs-tests.h"
#include "../ctree.h"
#include "../extent_io.h"
+#include "../disk-io.h"
#include "../btrfs_inode.h"
#define PROCESS_UNLOCK (1 << 0)
@@ -105,9 +106,11 @@ static void dump_extent_io_tree(const struct extent_io_tree *tree)
}
}
-static int test_find_delalloc(u32 sectorsize)
+static int test_find_delalloc(u32 sectorsize, u32 nodesize)
{
- struct inode *inode;
+ struct btrfs_fs_info *fs_info;
+ struct btrfs_root *root = NULL;
+ struct inode *inode = NULL;
struct extent_io_tree *tmp;
struct page *page;
struct page *locked_page = NULL;
@@ -121,12 +124,27 @@ static int test_find_delalloc(u32 sectorsize)
test_msg("running find delalloc tests");
+ fs_info = btrfs_alloc_dummy_fs_info(nodesize, sectorsize);
+ if (!fs_info) {
+ test_std_err(TEST_ALLOC_FS_INFO);
+ return -ENOMEM;
+ }
+
+ root = btrfs_alloc_dummy_root(fs_info);
+ if (IS_ERR(root)) {
+ test_std_err(TEST_ALLOC_ROOT);
+ ret = PTR_ERR(root);
+ goto out;
+ }
+
inode = btrfs_new_test_inode();
if (!inode) {
test_std_err(TEST_ALLOC_INODE);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto out;
}
tmp = &BTRFS_I(inode)->io_tree;
+ BTRFS_I(inode)->root = root;
/*
* Passing NULL as we don't have fs_info but tracepoints are not used
@@ -316,6 +334,8 @@ static int test_find_delalloc(u32 sectorsize)
process_page_range(inode, 0, total_dirty - 1,
PROCESS_UNLOCK | PROCESS_RELEASE);
iput(inode);
+ btrfs_free_dummy_root(root);
+ btrfs_free_dummy_fs_info(fs_info);
return ret;
}
@@ -794,7 +814,7 @@ int btrfs_test_extent_io(u32 sectorsize, u32 nodesize)
test_msg("running extent I/O tests");
- ret = test_find_delalloc(sectorsize);
+ ret = test_find_delalloc(sectorsize, nodesize);
if (ret)
goto out;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 188/341] btrfs: push errors up from add_async_extent()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 187/341] btrfs: tests: allocate dummy fs_info and root in test_find_delalloc() Greg Kroah-Hartman
@ 2024-08-27 14:36 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 189/341] btrfs: handle invalid root reference found in may_destroy_subvol() Greg Kroah-Hartman
` (165 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit dbe6cda68f0e1be269e6509c8bf3d8d89089c1c4 ]
The memory allocation error in add_async_extent() is not handled
properly, return an error and push the BUG_ON to the caller. Handling it
there is not trivial so at least make it visible.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/inode.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 5ddee801a8303..dff47ba858a0a 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -730,7 +730,8 @@ static noinline int add_async_extent(struct async_chunk *cow,
struct async_extent *async_extent;
async_extent = kmalloc(sizeof(*async_extent), GFP_NOFS);
- BUG_ON(!async_extent); /* -ENOMEM */
+ if (!async_extent)
+ return -ENOMEM;
async_extent->start = start;
async_extent->ram_size = ram_size;
async_extent->compressed_size = compressed_size;
@@ -1017,8 +1018,9 @@ static void compress_file_range(struct btrfs_work *work)
* The async work queues will take care of doing actual allocation on
* disk for these compressed pages, and will submit the bios.
*/
- add_async_extent(async_chunk, start, total_in, total_compressed, pages,
- nr_pages, compress_type);
+ ret = add_async_extent(async_chunk, start, total_in, total_compressed, pages,
+ nr_pages, compress_type);
+ BUG_ON(ret);
if (start + total_in < end) {
start += total_in;
cond_resched();
@@ -1030,8 +1032,9 @@ static void compress_file_range(struct btrfs_work *work)
if (!btrfs_test_opt(fs_info, FORCE_COMPRESS) && !inode->prop_compress)
inode->flags |= BTRFS_INODE_NOCOMPRESS;
cleanup_and_bail_uncompressed:
- add_async_extent(async_chunk, start, end - start + 1, 0, NULL, 0,
- BTRFS_COMPRESS_NONE);
+ ret = add_async_extent(async_chunk, start, end - start + 1, 0, NULL, 0,
+ BTRFS_COMPRESS_NONE);
+ BUG_ON(ret);
free_pages:
if (pages) {
for (i = 0; i < nr_pages; i++) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 189/341] btrfs: handle invalid root reference found in may_destroy_subvol()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2024-08-27 14:36 ` [PATCH 6.6 188/341] btrfs: push errors up from add_async_extent() Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 190/341] btrfs: send: handle unexpected data in header buffer in begin_cmd() Greg Kroah-Hartman
` (164 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit 6fbc6f4ac1f4907da4fc674251527e7dc79ffbf6 ]
The may_destroy_subvol() looks up a root by a key, allowing to do an
inexact search when key->offset is -1. It's never expected to find such
item, as it would break the allowed range of a root id.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/inode.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index dff47ba858a0a..7071a58e5b9d4 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4374,7 +4374,14 @@ static noinline int may_destroy_subvol(struct btrfs_root *root)
ret = btrfs_search_slot(NULL, fs_info->tree_root, &key, path, 0, 0);
if (ret < 0)
goto out;
- BUG_ON(ret == 0);
+ if (ret == 0) {
+ /*
+ * Key with offset -1 found, there would have to exist a root
+ * with such id, but this is out of valid range.
+ */
+ ret = -EUCLEAN;
+ goto out;
+ }
ret = 0;
if (path->slots[0] > 0) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 190/341] btrfs: send: handle unexpected data in header buffer in begin_cmd()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 189/341] btrfs: handle invalid root reference found in may_destroy_subvol() Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 191/341] btrfs: send: handle unexpected inode in header process_recorded_refs() Greg Kroah-Hartman
` (163 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit e80e3f732cf53c64b0d811e1581470d67f6c3228 ]
Change BUG_ON to a proper error handling in the unlikely case of seeing
data when the command is started. This is supposed to be reset when the
command is finished (send_cmd, send_encoded_extent).
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/send.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 651f0865bb0df..b153f6a96fc8c 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -777,7 +777,12 @@ static int begin_cmd(struct send_ctx *sctx, int cmd)
if (WARN_ON(!sctx->send_buf))
return -EINVAL;
- BUG_ON(sctx->send_size);
+ if (unlikely(sctx->send_size != 0)) {
+ btrfs_err(sctx->send_root->fs_info,
+ "send: command header buffer not empty cmd %d offset %llu",
+ cmd, sctx->send_off);
+ return -EINVAL;
+ }
sctx->send_size += sizeof(*hdr);
hdr = (struct btrfs_cmd_header *)sctx->send_buf;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 191/341] btrfs: send: handle unexpected inode in header process_recorded_refs()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 190/341] btrfs: send: handle unexpected data in header buffer in begin_cmd() Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 192/341] btrfs: change BUG_ON to assertion in tree_move_down() Greg Kroah-Hartman
` (162 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit 5d2288711ccc483feca73151c46ee835bda17839 ]
Change BUG_ON to proper error handling when an unexpected inode number
is encountered. As the comment says this should never happen.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/send.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index b153f6a96fc8c..9da3c72eb6153 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -4195,7 +4195,13 @@ static int process_recorded_refs(struct send_ctx *sctx, int *pending_move)
* This should never happen as the root dir always has the same ref
* which is always '..'
*/
- BUG_ON(sctx->cur_ino <= BTRFS_FIRST_FREE_OBJECTID);
+ if (unlikely(sctx->cur_ino <= BTRFS_FIRST_FREE_OBJECTID)) {
+ btrfs_err(fs_info,
+ "send: unexpected inode %llu in process_recorded_refs()",
+ sctx->cur_ino);
+ ret = -EINVAL;
+ goto out;
+ }
valid_path = fs_path_alloc();
if (!valid_path) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 192/341] btrfs: change BUG_ON to assertion in tree_move_down()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 191/341] btrfs: send: handle unexpected inode in header process_recorded_refs() Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 193/341] btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() Greg Kroah-Hartman
` (161 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit 56f335e043ae73c32dbb70ba95488845dc0f1e6e ]
There's only one caller of tree_move_down() that does not pass level 0
so the assertion is better suited here.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/send.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 9da3c72eb6153..163f36eb7491a 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -7448,8 +7448,8 @@ static int tree_move_down(struct btrfs_path *path, int *level, u64 reada_min_gen
u64 reada_done = 0;
lockdep_assert_held_read(&parent->fs_info->commit_root_sem);
+ ASSERT(*level != 0);
- BUG_ON(*level == 0);
eb = btrfs_read_node_slot(parent, slot);
if (IS_ERR(eb))
return PTR_ERR(eb);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 193/341] btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 192/341] btrfs: change BUG_ON to assertion in tree_move_down() Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 194/341] f2fs: fix to do sanity check in update_sit_entry Greg Kroah-Hartman
` (160 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit f40a3ea94881f668084f68f6b9931486b1606db0 ]
The BUG_ON is deep in the qgroup code where we can expect that it
exists. A NULL pointer would cause a crash.
It was added long ago in 550d7a2ed5db35 ("btrfs: qgroup: Add new qgroup
calculation function btrfs_qgroup_account_extents()."). It maybe made
sense back then as the quota enable/disable state machine was not that
robust as it is nowadays, so we can just delete it.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/qgroup.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 223dfbf009938..efe84be65a440 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -2725,8 +2725,6 @@ int btrfs_qgroup_account_extent(struct btrfs_trans_handle *trans, u64 bytenr,
if (nr_old_roots == 0 && nr_new_roots == 0)
goto out_free;
- BUG_ON(!fs_info->quota_root);
-
trace_btrfs_qgroup_account_extent(fs_info, trans->transid, bytenr,
num_bytes, nr_old_roots, nr_new_roots);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 194/341] f2fs: fix to do sanity check in update_sit_entry
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 193/341] btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 195/341] usb: gadget: fsl: Increase size of name buffer for endpoints Greg Kroah-Hartman
` (159 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhiguo Niu, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiguo Niu <zhiguo.niu@unisoc.com>
[ Upstream commit 36959d18c3cf09b3c12157c6950e18652067de77 ]
If GET_SEGNO return NULL_SEGNO for some unecpected case,
update_sit_entry will access invalid memory address,
cause system crash. It is better to do sanity check about
GET_SEGNO just like update_segment_mtime & locate_dirty_segment.
Also remove some redundant judgment code.
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/segment.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index 50c7537eb2250..e3e2c0b2f4959 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -2398,6 +2398,8 @@ static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del)
#endif
segno = GET_SEGNO(sbi, blkaddr);
+ if (segno == NULL_SEGNO)
+ return;
se = get_seg_entry(sbi, segno);
new_vblocks = se->valid_blocks + del;
@@ -3481,8 +3483,7 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page,
* since SSR needs latest valid block information.
*/
update_sit_entry(sbi, *new_blkaddr, 1);
- if (GET_SEGNO(sbi, old_blkaddr) != NULL_SEGNO)
- update_sit_entry(sbi, old_blkaddr, -1);
+ update_sit_entry(sbi, old_blkaddr, -1);
/*
* If the current segment is full, flush it out and replace it with a
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 195/341] usb: gadget: fsl: Increase size of name buffer for endpoints
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 194/341] f2fs: fix to do sanity check in update_sit_entry Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 196/341] nvme: clear caller pointer on identify failure Greg Kroah-Hartman
` (158 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 87850f6cc20911e35eafcbc1d56b0d649ae9162d ]
This fixes a W=1 warning about sprintf writing up to 16 bytes into a
buffer of size 14. There is no practical relevance because there are not
more than 32 endpoints.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/6754df25c56aae04f8110594fad2cd2452b1862a.1708709120.git.u.kleine-koenig@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/udc/fsl_udc_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c
index ee5705d336e3d..10a82527626eb 100644
--- a/drivers/usb/gadget/udc/fsl_udc_core.c
+++ b/drivers/usb/gadget/udc/fsl_udc_core.c
@@ -2486,7 +2486,7 @@ static int fsl_udc_probe(struct platform_device *pdev)
/* setup the udc->eps[] for non-control endpoints and link
* to gadget.ep_list */
for (i = 1; i < (int)(udc_controller->max_ep / 2); i++) {
- char name[14];
+ char name[16];
sprintf(name, "ep%dout", i);
struct_ep_setup(udc_controller, i * 2, name, 1);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 196/341] nvme: clear caller pointer on identify failure
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 195/341] usb: gadget: fsl: Increase size of name buffer for endpoints Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 197/341] Bluetooth: bnep: Fix out-of-bound access Greg Kroah-Hartman
` (157 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Keith Busch,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 7e80eb792bd7377a20f204943ac31c77d859be89 ]
The memory allocated for the identification is freed on failure. Set
it to NULL so the caller doesn't have a pointer to that freed address.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index e969da0a681b4..4e39a58a00458 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1313,8 +1313,10 @@ static int nvme_identify_ctrl(struct nvme_ctrl *dev, struct nvme_id_ctrl **id)
error = nvme_submit_sync_cmd(dev->admin_q, &c, *id,
sizeof(struct nvme_id_ctrl));
- if (error)
+ if (error) {
kfree(*id);
+ *id = NULL;
+ }
return error;
}
@@ -1443,6 +1445,7 @@ static int nvme_identify_ns(struct nvme_ctrl *ctrl, unsigned nsid,
if (error) {
dev_warn(ctrl->device, "Identify namespace failed (%d)\n", error);
kfree(*id);
+ *id = NULL;
}
return error;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 197/341] Bluetooth: bnep: Fix out-of-bound access
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 196/341] nvme: clear caller pointer on identify failure Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 198/341] firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid Greg Kroah-Hartman
` (156 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 0f0639b4d6f649338ce29c62da3ec0787fa08cd1 ]
This fixes attempting to access past ethhdr.h_source, although it seems
intentional to copy also the contents of h_proto this triggers
out-of-bound access problems with the likes of static analyzer, so this
instead just copy ETH_ALEN and then proceed to use put_unaligned to copy
h_proto separetely.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/bnep/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 5a6a49885ab66..a660c428e2207 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -385,7 +385,8 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
case BNEP_COMPRESSED_DST_ONLY:
__skb_put_data(nskb, skb_mac_header(skb), ETH_ALEN);
- __skb_put_data(nskb, s->eh.h_source, ETH_ALEN + 2);
+ __skb_put_data(nskb, s->eh.h_source, ETH_ALEN);
+ put_unaligned(s->eh.h_proto, (__be16 *)__skb_put(nskb, 2));
break;
case BNEP_GENERAL:
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 198/341] firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 197/341] Bluetooth: bnep: Fix out-of-bound access Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 199/341] rtc: nct3018y: fix possible NULL dereference Greg Kroah-Hartman
` (155 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit 66626b15636b5f5cf3d7f6104799f77462748974 ]
Initialize debugfs_root to -ENODEV so that if the client never sets a
valid debugfs root the debugfs files will not be created.
A NULL pointer passed to any of the debugfs_create_*() functions means
"create in the root of debugfs". It doesn't mean "ignore".
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Link: https://msgid.link/r/20240307105353.40067-1-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/cirrus/cs_dsp.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c
index bd1651e709365..a1da7581adb03 100644
--- a/drivers/firmware/cirrus/cs_dsp.c
+++ b/drivers/firmware/cirrus/cs_dsp.c
@@ -522,7 +522,7 @@ void cs_dsp_cleanup_debugfs(struct cs_dsp *dsp)
{
cs_dsp_debugfs_clear(dsp);
debugfs_remove_recursive(dsp->debugfs_root);
- dsp->debugfs_root = NULL;
+ dsp->debugfs_root = ERR_PTR(-ENODEV);
}
EXPORT_SYMBOL_NS_GPL(cs_dsp_cleanup_debugfs, FW_CS_DSP);
#else
@@ -2343,6 +2343,11 @@ static int cs_dsp_common_init(struct cs_dsp *dsp)
mutex_init(&dsp->pwr_lock);
+#ifdef CONFIG_DEBUG_FS
+ /* Ensure this is invalid if client never provides a debugfs root */
+ dsp->debugfs_root = ERR_PTR(-ENODEV);
+#endif
+
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 199/341] rtc: nct3018y: fix possible NULL dereference
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 198/341] firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 200/341] net: hns3: add checking for vf id of mailbox Greg Kroah-Hartman
` (154 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Alexandre Belloni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Belloni <alexandre.belloni@bootlin.com>
[ Upstream commit babfeb9cbe7ebc657bd5b3e4f9fde79f560b6acc ]
alarm_enable and alarm_flag are allowed to be NULL but will be dereferenced
later by the dev_dbg call.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202305180042.DEzW1pSd-lkp@intel.com/
Link: https://lore.kernel.org/r/20240229222127.1878176-1-alexandre.belloni@bootlin.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-nct3018y.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/rtc/rtc-nct3018y.c b/drivers/rtc/rtc-nct3018y.c
index ed4e606be8e58..c4533c0f53896 100644
--- a/drivers/rtc/rtc-nct3018y.c
+++ b/drivers/rtc/rtc-nct3018y.c
@@ -99,6 +99,8 @@ static int nct3018y_get_alarm_mode(struct i2c_client *client, unsigned char *ala
if (flags < 0)
return flags;
*alarm_enable = flags & NCT3018Y_BIT_AIE;
+ dev_dbg(&client->dev, "%s:alarm_enable:%x\n", __func__, *alarm_enable);
+
}
if (alarm_flag) {
@@ -107,11 +109,9 @@ static int nct3018y_get_alarm_mode(struct i2c_client *client, unsigned char *ala
if (flags < 0)
return flags;
*alarm_flag = flags & NCT3018Y_BIT_AF;
+ dev_dbg(&client->dev, "%s:alarm_flag:%x\n", __func__, *alarm_flag);
}
- dev_dbg(&client->dev, "%s:alarm_enable:%x alarm_flag:%x\n",
- __func__, *alarm_enable, *alarm_flag);
-
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 200/341] net: hns3: add checking for vf id of mailbox
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 199/341] rtc: nct3018y: fix possible NULL dereference Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 201/341] nvmet-tcp: do not continue for invalid icreq Greg Kroah-Hartman
` (153 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao, Sunil Goutham,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit 4e2969a0d6a7549bc0bc1ebc990588b622c4443d ]
Add checking for vf id of mailbox, in order to avoid array
out-of-bounds risk.
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Sunil Goutham <sgoutham@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
index 877feee53804f..61e155c4d441e 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
@@ -1124,10 +1124,11 @@ void hclge_mbx_handler(struct hclge_dev *hdev)
req = (struct hclge_mbx_vf_to_pf_cmd *)desc->data;
flag = le16_to_cpu(crq->desc[crq->next_to_use].flag);
- if (unlikely(!hnae3_get_bit(flag, HCLGE_CMDQ_RX_OUTVLD_B))) {
+ if (unlikely(!hnae3_get_bit(flag, HCLGE_CMDQ_RX_OUTVLD_B) ||
+ req->mbx_src_vfid > hdev->num_req_vfs)) {
dev_warn(&hdev->pdev->dev,
- "dropped invalid mailbox message, code = %u\n",
- req->msg.code);
+ "dropped invalid mailbox message, code = %u, vfid = %u\n",
+ req->msg.code, req->mbx_src_vfid);
/* dropping/not processing this invalid message */
crq->desc[crq->next_to_use].flag = 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 201/341] nvmet-tcp: do not continue for invalid icreq
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 200/341] net: hns3: add checking for vf id of mailbox Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 202/341] NFS: avoid infinite loop in pnfs_update_layout Greg Kroah-Hartman
` (152 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Christoph Hellwig,
Sagi Grimberg, Keith Busch, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hannes Reinecke <hare@suse.de>
[ Upstream commit 0889d13b9e1cbef49e802ae09f3b516911ad82a1 ]
When the length check for an icreq sqe fails we should not
continue processing but rather return immediately as all
other contents of that sqe cannot be relied on.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/tcp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index 3d302815c6f36..c65a1f4421f60 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -875,6 +875,7 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
pr_err("bad nvme-tcp pdu length (%d)\n",
le32_to_cpu(icreq->hdr.plen));
nvmet_tcp_fatal_error(queue);
+ return -EPROTO;
}
if (icreq->pfv != NVME_TCP_PFV_1_0) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 202/341] NFS: avoid infinite loop in pnfs_update_layout.
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 201/341] nvmet-tcp: do not continue for invalid icreq Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 203/341] openrisc: Call setup_memory() earlier in the init sequence Greg Kroah-Hartman
` (151 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, NeilBrown, Trond Myklebust,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neilb@suse.de>
[ Upstream commit 2fdbc20036acda9e5694db74a032d3c605323005 ]
If pnfsd_update_layout() is called on a file for which recovery has
failed it will enter a tight infinite loop.
NFS_LAYOUT_INVALID_STID will be set, nfs4_select_rw_stateid() will
return -EIO, and nfs4_schedule_stateid_recovery() will do nothing, so
nfs4_client_recover_expired_lease() will not wait. So the code will
loop indefinitely.
Break the loop by testing the validity of the open stateid at the top of
the loop.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/pnfs.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index 9084f156d67bf..664d3128e730c 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1997,6 +1997,14 @@ pnfs_update_layout(struct inode *ino,
}
lookup_again:
+ if (!nfs4_valid_open_stateid(ctx->state)) {
+ trace_pnfs_update_layout(ino, pos, count,
+ iomode, lo, lseg,
+ PNFS_UPDATE_LAYOUT_INVALID_OPEN);
+ lseg = ERR_PTR(-EIO);
+ goto out;
+ }
+
lseg = ERR_PTR(nfs4_client_recover_expired_lease(clp));
if (IS_ERR(lseg))
goto out;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 203/341] openrisc: Call setup_memory() earlier in the init sequence
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 202/341] NFS: avoid infinite loop in pnfs_update_layout Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 204/341] s390/iucv: fix receive buffer virtual vs physical address confusion Greg Kroah-Hartman
` (150 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oreoluwa Babatunde, Stafford Horne,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oreoluwa Babatunde <quic_obabatun@quicinc.com>
[ Upstream commit 7b432bf376c9c198a7ff48f1ed14a14c0ffbe1fe ]
The unflatten_and_copy_device_tree() function contains a call to
memblock_alloc(). This means that memblock is allocating memory before
any of the reserved memory regions are set aside in the setup_memory()
function which calls early_init_fdt_scan_reserved_mem(). Therefore,
there is a possibility for memblock to allocate from any of the
reserved memory regions.
Hence, move the call to setup_memory() to be earlier in the init
sequence so that the reserved memory regions are set aside before any
allocations are done using memblock.
Signed-off-by: Oreoluwa Babatunde <quic_obabatun@quicinc.com>
Signed-off-by: Stafford Horne <shorne@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/openrisc/kernel/setup.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/openrisc/kernel/setup.c b/arch/openrisc/kernel/setup.c
index 9cf7fb60441f8..be56eaafc8b95 100644
--- a/arch/openrisc/kernel/setup.c
+++ b/arch/openrisc/kernel/setup.c
@@ -255,6 +255,9 @@ void calibrate_delay(void)
void __init setup_arch(char **cmdline_p)
{
+ /* setup memblock allocator */
+ setup_memory();
+
unflatten_and_copy_device_tree();
setup_cpuinfo();
@@ -278,9 +281,6 @@ void __init setup_arch(char **cmdline_p)
}
#endif
- /* setup memblock allocator */
- setup_memory();
-
/* paging_init() sets up the MMU and marks all pages as reserved */
paging_init();
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 204/341] s390/iucv: fix receive buffer virtual vs physical address confusion
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 203/341] openrisc: Call setup_memory() earlier in the init sequence Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 205/341] irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time Greg Kroah-Hartman
` (149 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Gordeev, Alexandra Winter,
Heiko Carstens, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Gordeev <agordeev@linux.ibm.com>
[ Upstream commit 4e8477aeb46dfe74e829c06ea588dd00ba20c8cc ]
Fix IUCV_IPBUFLST-type buffers virtual vs physical address confusion.
This does not fix a bug since virtual and physical address spaces are
currently the same.
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/iucv/iucv.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
index db41eb2d977f2..038e1ba9aec27 100644
--- a/net/iucv/iucv.c
+++ b/net/iucv/iucv.c
@@ -1090,8 +1090,7 @@ static int iucv_message_receive_iprmdata(struct iucv_path *path,
size = (size < 8) ? size : 8;
for (array = buffer; size > 0; array++) {
copy = min_t(size_t, size, array->length);
- memcpy((u8 *)(addr_t) array->address,
- rmmsg, copy);
+ memcpy(phys_to_virt(array->address), rmmsg, copy);
rmmsg += copy;
size -= copy;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 205/341] irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 204/341] s390/iucv: fix receive buffer virtual vs physical address confusion Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 206/341] clocksource: Make watchdog and suspend-timing multiplication overflow safe Greg Kroah-Hartman
` (148 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Biju Das, Thomas Gleixner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit dce0919c83c325ac9dec5bc8838d5de6d32c01b1 ]
As per the hardware team, TIEN and TINT source should not set at the same
time due to a possible hardware race leading to spurious IRQ.
Currently on some scenarios hardware settings for TINT detection is not in
sync with TINT source as the enable/disable overrides source setting value
leading to hardware inconsistent state. For eg: consider the case GPIOINT0
is used as TINT interrupt and configuring GPIOINT5 as edge type. During
rzg2l_irq_set_type(), TINT source for GPIOINT5 is set. On disable(),
clearing of the entire bytes of TINT source selection for GPIOINT5 is same
as GPIOINT0 with TIEN disabled. Apart from this during enable(), the
setting of GPIOINT5 with TIEN results in spurious IRQ as due to a HW race,
it is possible that IP can use the TIEN with previous source value
(GPIOINT0).
So, just update TIEN during enable/disable as TINT source is already set
during rzg2l_irq_set_type(). This will make the consistent hardware
settings for detection method tied with TINT source and allows to simplify
the code.
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-renesas-rzg2l.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c
index 02ab6a944539f..ea4b921e5e158 100644
--- a/drivers/irqchip/irq-renesas-rzg2l.c
+++ b/drivers/irqchip/irq-renesas-rzg2l.c
@@ -132,7 +132,7 @@ static void rzg2l_irqc_irq_disable(struct irq_data *d)
raw_spin_lock(&priv->lock);
reg = readl_relaxed(priv->base + TSSR(tssr_index));
- reg &= ~(TSSEL_MASK << TSSEL_SHIFT(tssr_offset));
+ reg &= ~(TIEN << TSSEL_SHIFT(tssr_offset));
writel_relaxed(reg, priv->base + TSSR(tssr_index));
raw_spin_unlock(&priv->lock);
}
@@ -144,7 +144,6 @@ static void rzg2l_irqc_irq_enable(struct irq_data *d)
unsigned int hw_irq = irqd_to_hwirq(d);
if (hw_irq >= IRQC_TINT_START && hw_irq < IRQC_NUM_IRQ) {
- unsigned long tint = (uintptr_t)irq_data_get_irq_chip_data(d);
struct rzg2l_irqc_priv *priv = irq_data_to_priv(d);
u32 offset = hw_irq - IRQC_TINT_START;
u32 tssr_offset = TSSR_OFFSET(offset);
@@ -153,7 +152,7 @@ static void rzg2l_irqc_irq_enable(struct irq_data *d)
raw_spin_lock(&priv->lock);
reg = readl_relaxed(priv->base + TSSR(tssr_index));
- reg |= (TIEN | tint) << TSSEL_SHIFT(tssr_offset);
+ reg |= TIEN << TSSEL_SHIFT(tssr_offset);
writel_relaxed(reg, priv->base + TSSR(tssr_index));
raw_spin_unlock(&priv->lock);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 206/341] clocksource: Make watchdog and suspend-timing multiplication overflow safe
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 205/341] irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 207/341] platform/x86: lg-laptop: fix %s null argument warning Greg Kroah-Hartman
` (147 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Adrian Hunter,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
[ Upstream commit d0304569fb019d1bcfbbbce1ce6df6b96f04079b ]
Kernel timekeeping is designed to keep the change in cycles (since the last
timer interrupt) below max_cycles, which prevents multiplication overflow
when converting cycles to nanoseconds. However, if timer interrupts stop,
the clocksource_cyc2ns() calculation will eventually overflow.
Add protection against that. Simplify by folding together
clocksource_delta() and clocksource_cyc2ns() into cycles_to_nsec_safe().
Check against max_cycles, falling back to a slower higher precision
calculation.
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20240325064023.2997-20-adrian.hunter@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/clocksource.c | 42 +++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 22 deletions(-)
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index 3260bbe98894b..aa864999dc21b 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -20,6 +20,16 @@
#include "tick-internal.h"
#include "timekeeping_internal.h"
+static noinline u64 cycles_to_nsec_safe(struct clocksource *cs, u64 start, u64 end)
+{
+ u64 delta = clocksource_delta(end, start, cs->mask);
+
+ if (likely(delta < cs->max_cycles))
+ return clocksource_cyc2ns(delta, cs->mult, cs->shift);
+
+ return mul_u64_u32_shr(delta, cs->mult, cs->shift);
+}
+
/**
* clocks_calc_mult_shift - calculate mult/shift factors for scaled math of clocks
* @mult: pointer to mult variable
@@ -222,8 +232,8 @@ enum wd_read_status {
static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow)
{
unsigned int nretries, max_retries;
- u64 wd_end, wd_end2, wd_delta;
int64_t wd_delay, wd_seq_delay;
+ u64 wd_end, wd_end2;
max_retries = clocksource_get_max_watchdog_retry();
for (nretries = 0; nretries <= max_retries; nretries++) {
@@ -234,9 +244,7 @@ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow,
wd_end2 = watchdog->read(watchdog);
local_irq_enable();
- wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask);
- wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult,
- watchdog->shift);
+ wd_delay = cycles_to_nsec_safe(watchdog, *wdnow, wd_end);
if (wd_delay <= WATCHDOG_MAX_SKEW) {
if (nretries > 1 && nretries >= max_retries) {
pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n",
@@ -254,8 +262,7 @@ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow,
* report system busy, reinit the watchdog and skip the current
* watchdog test.
*/
- wd_delta = clocksource_delta(wd_end2, wd_end, watchdog->mask);
- wd_seq_delay = clocksource_cyc2ns(wd_delta, watchdog->mult, watchdog->shift);
+ wd_seq_delay = cycles_to_nsec_safe(watchdog, wd_end, wd_end2);
if (wd_seq_delay > WATCHDOG_MAX_SKEW/2)
goto skip_test;
}
@@ -366,8 +373,7 @@ void clocksource_verify_percpu(struct clocksource *cs)
delta = (csnow_end - csnow_mid) & cs->mask;
if (delta < 0)
cpumask_set_cpu(cpu, &cpus_ahead);
- delta = clocksource_delta(csnow_end, csnow_begin, cs->mask);
- cs_nsec = clocksource_cyc2ns(delta, cs->mult, cs->shift);
+ cs_nsec = cycles_to_nsec_safe(cs, csnow_begin, csnow_end);
if (cs_nsec > cs_nsec_max)
cs_nsec_max = cs_nsec;
if (cs_nsec < cs_nsec_min)
@@ -398,8 +404,8 @@ static inline void clocksource_reset_watchdog(void)
static void clocksource_watchdog(struct timer_list *unused)
{
- u64 csnow, wdnow, cslast, wdlast, delta;
int64_t wd_nsec, cs_nsec, interval;
+ u64 csnow, wdnow, cslast, wdlast;
int next_cpu, reset_pending;
struct clocksource *cs;
enum wd_read_status read_ret;
@@ -456,12 +462,8 @@ static void clocksource_watchdog(struct timer_list *unused)
continue;
}
- delta = clocksource_delta(wdnow, cs->wd_last, watchdog->mask);
- wd_nsec = clocksource_cyc2ns(delta, watchdog->mult,
- watchdog->shift);
-
- delta = clocksource_delta(csnow, cs->cs_last, cs->mask);
- cs_nsec = clocksource_cyc2ns(delta, cs->mult, cs->shift);
+ wd_nsec = cycles_to_nsec_safe(watchdog, cs->wd_last, wdnow);
+ cs_nsec = cycles_to_nsec_safe(cs, cs->cs_last, csnow);
wdlast = cs->wd_last; /* save these in case we print them */
cslast = cs->cs_last;
cs->cs_last = csnow;
@@ -832,7 +834,7 @@ void clocksource_start_suspend_timing(struct clocksource *cs, u64 start_cycles)
*/
u64 clocksource_stop_suspend_timing(struct clocksource *cs, u64 cycle_now)
{
- u64 now, delta, nsec = 0;
+ u64 now, nsec = 0;
if (!suspend_clocksource)
return 0;
@@ -847,12 +849,8 @@ u64 clocksource_stop_suspend_timing(struct clocksource *cs, u64 cycle_now)
else
now = suspend_clocksource->read(suspend_clocksource);
- if (now > suspend_start) {
- delta = clocksource_delta(now, suspend_start,
- suspend_clocksource->mask);
- nsec = mul_u64_u32_shr(delta, suspend_clocksource->mult,
- suspend_clocksource->shift);
- }
+ if (now > suspend_start)
+ nsec = cycles_to_nsec_safe(suspend_clocksource, suspend_start, now);
/*
* Disable the suspend timer to save power if current clocksource is
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 207/341] platform/x86: lg-laptop: fix %s null argument warning
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 206/341] clocksource: Make watchdog and suspend-timing multiplication overflow safe Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 208/341] usb: dwc3: core: Skip setting event buffers for host only controllers Greg Kroah-Hartman
` (146 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gergo Koteles,
Kuppuswamy Sathyanarayanan, Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gergo Koteles <soyer@irl.hu>
[ Upstream commit e71c8481692582c70cdfd0996c20cdcc71e425d3 ]
W=1 warns about null argument to kprintf:
warning: ‘%s’ directive argument is null [-Wformat-overflow=]
pr_info("product: %s year: %d\n", product, year);
Use "unknown" instead of NULL.
Signed-off-by: Gergo Koteles <soyer@irl.hu>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Link: https://lore.kernel.org/r/33d40e976f08f82b9227d0ecae38c787fcc0c0b2.1712154684.git.soyer@irl.hu
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/lg-laptop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/lg-laptop.c b/drivers/platform/x86/lg-laptop.c
index a1e27334cdf54..78c48a1f9c68a 100644
--- a/drivers/platform/x86/lg-laptop.c
+++ b/drivers/platform/x86/lg-laptop.c
@@ -715,7 +715,7 @@ static int acpi_add(struct acpi_device *device)
default:
year = 2019;
}
- pr_info("product: %s year: %d\n", product, year);
+ pr_info("product: %s year: %d\n", product ?: "unknown", year);
if (year >= 2019)
battery_limit_use_wmbb = 1;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 208/341] usb: dwc3: core: Skip setting event buffers for host only controllers
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 207/341] platform/x86: lg-laptop: fix %s null argument warning Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 209/341] irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc Greg Kroah-Hartman
` (145 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Krishna Kurapati,
Thinh Nguyen, Johan Hovold, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Kurapati <quic_kriskura@quicinc.com>
[ Upstream commit 89d7f962994604a3e3d480832788d06179abefc5 ]
On some SoC's like SA8295P where the tertiary controller is host-only
capable, GEVTADDRHI/LO, GEVTSIZ, GEVTCOUNT registers are not accessible.
Trying to access them leads to a crash.
For DRD/Peripheral supported controllers, event buffer setup is done
again in gadget_pullup. Skip setup or cleanup of event buffers if
controller is host-only capable.
Suggested-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20240420044901.884098-4-quic_kriskura@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/core.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
index 674467b7638ea..5ce276cb39d0d 100644
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -506,6 +506,13 @@ static void dwc3_free_event_buffers(struct dwc3 *dwc)
static int dwc3_alloc_event_buffers(struct dwc3 *dwc, unsigned int length)
{
struct dwc3_event_buffer *evt;
+ unsigned int hw_mode;
+
+ hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0);
+ if (hw_mode == DWC3_GHWPARAMS0_MODE_HOST) {
+ dwc->ev_buf = NULL;
+ return 0;
+ }
evt = dwc3_alloc_one_event_buffer(dwc, length);
if (IS_ERR(evt)) {
@@ -527,6 +534,9 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc)
{
struct dwc3_event_buffer *evt;
+ if (!dwc->ev_buf)
+ return 0;
+
evt = dwc->ev_buf;
evt->lpos = 0;
dwc3_writel(dwc->regs, DWC3_GEVNTADRLO(0),
@@ -544,6 +554,9 @@ void dwc3_event_buffers_cleanup(struct dwc3 *dwc)
{
struct dwc3_event_buffer *evt;
+ if (!dwc->ev_buf)
+ return;
+
evt = dwc->ev_buf;
evt->lpos = 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 209/341] irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 208/341] usb: dwc3: core: Skip setting event buffers for host only controllers Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 210/341] ext4: set the type of max_zeroout to unsigned int to avoid overflow Greg Kroah-Hartman
` (144 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guanrui Huang, Thomas Gleixner,
Zenghui Yu, Marc Zyngier, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ]
This BUG_ON() is useless, because the same effect will be obtained
by letting the code run its course and vm being dereferenced,
triggering an exception.
So just remove this check.
Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-gic-v3-its.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index c7d6e6987166f..350abbb36e04b 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -4501,8 +4501,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
struct page *vprop_page;
int base, nr_ids, i, err = 0;
- BUG_ON(!vm);
-
bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids);
if (!bitmap)
return -ENOMEM;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 210/341] ext4: set the type of max_zeroout to unsigned int to avoid overflow
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 209/341] irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 211/341] nvmet-rdma: fix possible bad dereference when freeing rsps Greg Kroah-Hartman
` (143 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Theodore Tso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 261341a932d9244cbcd372a3659428c8723e5a49 ]
The max_zeroout is of type int and the s_extent_max_zeroout_kb is of
type uint, and the s_extent_max_zeroout_kb can be freely modified via
the sysfs interface. When the block size is 1024, max_zeroout may
overflow, so declare it as unsigned int to avoid overflow.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20240319113325.3110393-9-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index d393df22431a0..448e0ea49b31d 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3402,9 +3402,10 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
struct ext4_extent *ex, *abut_ex;
ext4_lblk_t ee_block, eof_block;
unsigned int ee_len, depth, map_len = map->m_len;
- int allocated = 0, max_zeroout = 0;
int err = 0;
int split_flag = EXT4_EXT_DATA_VALID2;
+ int allocated = 0;
+ unsigned int max_zeroout = 0;
ext_debug(inode, "logical block %llu, max_blocks %u\n",
(unsigned long long)map->m_lblk, map_len);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 211/341] nvmet-rdma: fix possible bad dereference when freeing rsps
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 210/341] ext4: set the type of max_zeroout to unsigned int to avoid overflow Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 212/341] selftests/bpf: Fix a few tests for GCC related warnings Greg Kroah-Hartman
` (142 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sagi Grimberg, Christoph Hellwig,
Keith Busch, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sagi Grimberg <sagi@grimberg.me>
[ Upstream commit 73964c1d07c054376f1b32a62548571795159148 ]
It is possible that the host connected and saw a cm established
event and started sending nvme capsules on the qp, however the
ctrl did not yet see an established event. This is why the
rsp_wait_list exists (for async handling of these cmds, we move
them to a pending list).
Furthermore, it is possible that the ctrl cm times out, resulting
in a connect-error cm event. in this case we hit a bad deref [1]
because in nvmet_rdma_free_rsps we assume that all the responses
are in the free list.
We are freeing the cmds array anyways, so don't even bother to
remove the rsp from the free_list. It is also guaranteed that we
are not racing anything when we are releasing the queue so no
other context accessing this array should be running.
[1]:
--
Workqueue: nvmet-free-wq nvmet_rdma_free_queue_work [nvmet_rdma]
[...]
pc : nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma]
lr : nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma]
Call trace:
nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma]
nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma]
process_one_work+0x1ec/0x4a0
worker_thread+0x48/0x490
kthread+0x158/0x160
ret_from_fork+0x10/0x18
--
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/rdma.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
index 4597bca43a6d8..a6d55ebb82382 100644
--- a/drivers/nvme/target/rdma.c
+++ b/drivers/nvme/target/rdma.c
@@ -473,12 +473,8 @@ nvmet_rdma_alloc_rsps(struct nvmet_rdma_queue *queue)
return 0;
out_free:
- while (--i >= 0) {
- struct nvmet_rdma_rsp *rsp = &queue->rsps[i];
-
- list_del(&rsp->free_list);
- nvmet_rdma_free_rsp(ndev, rsp);
- }
+ while (--i >= 0)
+ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]);
kfree(queue->rsps);
out:
return ret;
@@ -489,12 +485,8 @@ static void nvmet_rdma_free_rsps(struct nvmet_rdma_queue *queue)
struct nvmet_rdma_device *ndev = queue->dev;
int i, nr_rsps = queue->recv_queue_size * 2;
- for (i = 0; i < nr_rsps; i++) {
- struct nvmet_rdma_rsp *rsp = &queue->rsps[i];
-
- list_del(&rsp->free_list);
- nvmet_rdma_free_rsp(ndev, rsp);
- }
+ for (i = 0; i < nr_rsps; i++)
+ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]);
kfree(queue->rsps);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 212/341] selftests/bpf: Fix a few tests for GCC related warnings.
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 211/341] nvmet-rdma: fix possible bad dereference when freeing rsps Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 213/341] Revert "bpf, sockmap: Prevent lock inversion deadlock in map delete elem" Greg Kroah-Hartman
` (141 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cupertino Miranda, jose.marchesi,
david.faust, Yonghong Song, Eduard Zingerman, Andrii Nakryiko,
Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cupertino Miranda <cupertino.miranda@oracle.com>
[ Upstream commit 5ddafcc377f98778acc08f660dee6400aece6a62 ]
This patch corrects a few warnings to allow selftests to compile for
GCC.
-- progs/cpumask_failure.c --
progs/bpf_misc.h:136:22: error: ‘cpumask’ is used uninitialized
[-Werror=uninitialized]
136 | #define __sink(expr) asm volatile("" : "+g"(expr))
| ^~~
progs/cpumask_failure.c:68:9: note: in expansion of macro ‘__sink’
68 | __sink(cpumask);
The macro __sink(cpumask) with the '+' contraint modifier forces the
the compiler to expect a read and write from cpumask. GCC detects
that cpumask is never initialized and reports an error.
This patch removes the spurious non required definitions of cpumask.
-- progs/dynptr_fail.c --
progs/dynptr_fail.c:1444:9: error: ‘ptr1’ may be used uninitialized
[-Werror=maybe-uninitialized]
1444 | bpf_dynptr_clone(&ptr1, &ptr2);
Many of the tests in the file are related to the detection of
uninitialized pointers by the verifier. GCC is able to detect possible
uninitialized values, and reports this as an error.
The patch initializes all of the previous uninitialized structs.
-- progs/test_tunnel_kern.c --
progs/test_tunnel_kern.c:590:9: error: array subscript 1 is outside
array bounds of ‘struct geneve_opt[1]’ [-Werror=array-bounds=]
590 | *(int *) &gopt.opt_data = bpf_htonl(0xdeadbeef);
| ^~~~~~~~~~~~~~~~~~~~~~~
progs/test_tunnel_kern.c:575:27: note: at offset 4 into object ‘gopt’ of
size 4
575 | struct geneve_opt gopt;
This tests accesses beyond the defined data for the struct geneve_opt
which contains as last field "u8 opt_data[0]" which clearly does not get
reserved space (in stack) in the function header. This pattern is
repeated in ip6geneve_set_tunnel and geneve_set_tunnel functions.
GCC is able to see this and emits a warning.
The patch introduces a local struct that allocates enough space to
safely allow the write to opt_data field.
-- progs/jeq_infer_not_null_fail.c --
progs/jeq_infer_not_null_fail.c:21:40: error: array subscript ‘struct
bpf_map[0]’ is partly outside array bounds of ‘struct <anonymous>[1]’
[-Werror=array-bounds=]
21 | struct bpf_map *inner_map = map->inner_map_meta;
| ^~
progs/jeq_infer_not_null_fail.c:14:3: note: object ‘m_hash’ of size 32
14 | } m_hash SEC(".maps");
This example defines m_hash in the context of the compilation unit and
casts it to struct bpf_map which is much smaller than the size of struct
bpf_map. It errors out in GCC when it attempts to access an element that
would be defined in struct bpf_map outsize of the defined limits for
m_hash.
This patch disables the warning through a GCC pragma.
This changes were tested in bpf-next master selftests without any
regressions.
Signed-off-by: Cupertino Miranda <cupertino.miranda@oracle.com>
Cc: jose.marchesi@oracle.com
Cc: david.faust@oracle.com
Cc: Yonghong Song <yonghong.song@linux.dev>
Cc: Eduard Zingerman <eddyz87@gmail.com>
Cc: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Link: https://lore.kernel.org/r/20240510183850.286661-2-cupertino.miranda@oracle.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/bpf/progs/cpumask_failure.c | 3 --
.../testing/selftests/bpf/progs/dynptr_fail.c | 12 ++---
.../bpf/progs/jeq_infer_not_null_fail.c | 4 ++
.../selftests/bpf/progs/test_tunnel_kern.c | 47 +++++++++++--------
4 files changed, 37 insertions(+), 29 deletions(-)
diff --git a/tools/testing/selftests/bpf/progs/cpumask_failure.c b/tools/testing/selftests/bpf/progs/cpumask_failure.c
index a9bf6ea336cf6..a988d2823b528 100644
--- a/tools/testing/selftests/bpf/progs/cpumask_failure.c
+++ b/tools/testing/selftests/bpf/progs/cpumask_failure.c
@@ -61,11 +61,8 @@ SEC("tp_btf/task_newtask")
__failure __msg("bpf_cpumask_set_cpu args#1 expected pointer to STRUCT bpf_cpumask")
int BPF_PROG(test_mutate_cpumask, struct task_struct *task, u64 clone_flags)
{
- struct bpf_cpumask *cpumask;
-
/* Can't set the CPU of a non-struct bpf_cpumask. */
bpf_cpumask_set_cpu(0, (struct bpf_cpumask *)task->cpus_ptr);
- __sink(cpumask);
return 0;
}
diff --git a/tools/testing/selftests/bpf/progs/dynptr_fail.c b/tools/testing/selftests/bpf/progs/dynptr_fail.c
index 7ce7e827d5f01..66a60bfb58672 100644
--- a/tools/testing/selftests/bpf/progs/dynptr_fail.c
+++ b/tools/testing/selftests/bpf/progs/dynptr_fail.c
@@ -80,7 +80,7 @@ SEC("?raw_tp")
__failure __msg("Unreleased reference id=2")
int ringbuf_missing_release1(void *ctx)
{
- struct bpf_dynptr ptr;
+ struct bpf_dynptr ptr = {};
bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
@@ -1385,7 +1385,7 @@ SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #1")
int dynptr_adjust_invalid(void *ctx)
{
- struct bpf_dynptr ptr;
+ struct bpf_dynptr ptr = {};
/* this should fail */
bpf_dynptr_adjust(&ptr, 1, 2);
@@ -1398,7 +1398,7 @@ SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #1")
int dynptr_is_null_invalid(void *ctx)
{
- struct bpf_dynptr ptr;
+ struct bpf_dynptr ptr = {};
/* this should fail */
bpf_dynptr_is_null(&ptr);
@@ -1411,7 +1411,7 @@ SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #1")
int dynptr_is_rdonly_invalid(void *ctx)
{
- struct bpf_dynptr ptr;
+ struct bpf_dynptr ptr = {};
/* this should fail */
bpf_dynptr_is_rdonly(&ptr);
@@ -1424,7 +1424,7 @@ SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #1")
int dynptr_size_invalid(void *ctx)
{
- struct bpf_dynptr ptr;
+ struct bpf_dynptr ptr = {};
/* this should fail */
bpf_dynptr_size(&ptr);
@@ -1437,7 +1437,7 @@ SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #1")
int clone_invalid1(void *ctx)
{
- struct bpf_dynptr ptr1;
+ struct bpf_dynptr ptr1 = {};
struct bpf_dynptr ptr2;
/* this should fail */
diff --git a/tools/testing/selftests/bpf/progs/jeq_infer_not_null_fail.c b/tools/testing/selftests/bpf/progs/jeq_infer_not_null_fail.c
index f46965053acb2..4d619bea9c758 100644
--- a/tools/testing/selftests/bpf/progs/jeq_infer_not_null_fail.c
+++ b/tools/testing/selftests/bpf/progs/jeq_infer_not_null_fail.c
@@ -4,6 +4,10 @@
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"
+#ifndef __clang__
+#pragma GCC diagnostic ignored "-Warray-bounds"
+#endif
+
char _license[] SEC("license") = "GPL";
struct {
diff --git a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
index f66af753bbbb8..e68da33d7631d 100644
--- a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
+++ b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
@@ -597,12 +597,18 @@ int ip6vxlan_get_tunnel_src(struct __sk_buff *skb)
return TC_ACT_OK;
}
+struct local_geneve_opt {
+ struct geneve_opt gopt;
+ int data;
+};
+
SEC("tc")
int geneve_set_tunnel(struct __sk_buff *skb)
{
int ret;
struct bpf_tunnel_key key;
- struct geneve_opt gopt;
+ struct local_geneve_opt local_gopt;
+ struct geneve_opt *gopt = (struct geneve_opt *) &local_gopt;
__builtin_memset(&key, 0x0, sizeof(key));
key.remote_ipv4 = 0xac100164; /* 172.16.1.100 */
@@ -610,14 +616,14 @@ int geneve_set_tunnel(struct __sk_buff *skb)
key.tunnel_tos = 0;
key.tunnel_ttl = 64;
- __builtin_memset(&gopt, 0x0, sizeof(gopt));
- gopt.opt_class = bpf_htons(0x102); /* Open Virtual Networking (OVN) */
- gopt.type = 0x08;
- gopt.r1 = 0;
- gopt.r2 = 0;
- gopt.r3 = 0;
- gopt.length = 2; /* 4-byte multiple */
- *(int *) &gopt.opt_data = bpf_htonl(0xdeadbeef);
+ __builtin_memset(gopt, 0x0, sizeof(local_gopt));
+ gopt->opt_class = bpf_htons(0x102); /* Open Virtual Networking (OVN) */
+ gopt->type = 0x08;
+ gopt->r1 = 0;
+ gopt->r2 = 0;
+ gopt->r3 = 0;
+ gopt->length = 2; /* 4-byte multiple */
+ *(int *) &gopt->opt_data = bpf_htonl(0xdeadbeef);
ret = bpf_skb_set_tunnel_key(skb, &key, sizeof(key),
BPF_F_ZERO_CSUM_TX);
@@ -626,7 +632,7 @@ int geneve_set_tunnel(struct __sk_buff *skb)
return TC_ACT_SHOT;
}
- ret = bpf_skb_set_tunnel_opt(skb, &gopt, sizeof(gopt));
+ ret = bpf_skb_set_tunnel_opt(skb, gopt, sizeof(local_gopt));
if (ret < 0) {
log_err(ret);
return TC_ACT_SHOT;
@@ -661,7 +667,8 @@ SEC("tc")
int ip6geneve_set_tunnel(struct __sk_buff *skb)
{
struct bpf_tunnel_key key;
- struct geneve_opt gopt;
+ struct local_geneve_opt local_gopt;
+ struct geneve_opt *gopt = (struct geneve_opt *) &local_gopt;
int ret;
__builtin_memset(&key, 0x0, sizeof(key));
@@ -677,16 +684,16 @@ int ip6geneve_set_tunnel(struct __sk_buff *skb)
return TC_ACT_SHOT;
}
- __builtin_memset(&gopt, 0x0, sizeof(gopt));
- gopt.opt_class = bpf_htons(0x102); /* Open Virtual Networking (OVN) */
- gopt.type = 0x08;
- gopt.r1 = 0;
- gopt.r2 = 0;
- gopt.r3 = 0;
- gopt.length = 2; /* 4-byte multiple */
- *(int *) &gopt.opt_data = bpf_htonl(0xfeedbeef);
+ __builtin_memset(gopt, 0x0, sizeof(local_gopt));
+ gopt->opt_class = bpf_htons(0x102); /* Open Virtual Networking (OVN) */
+ gopt->type = 0x08;
+ gopt->r1 = 0;
+ gopt->r2 = 0;
+ gopt->r3 = 0;
+ gopt->length = 2; /* 4-byte multiple */
+ *(int *) &gopt->opt_data = bpf_htonl(0xfeedbeef);
- ret = bpf_skb_set_tunnel_opt(skb, &gopt, sizeof(gopt));
+ ret = bpf_skb_set_tunnel_opt(skb, gopt, sizeof(gopt));
if (ret < 0) {
log_err(ret);
return TC_ACT_SHOT;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 213/341] Revert "bpf, sockmap: Prevent lock inversion deadlock in map delete elem"
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 212/341] selftests/bpf: Fix a few tests for GCC related warnings Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 214/341] nvme: use srcu for iterating namespace list Greg Kroah-Hartman
` (140 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Sitnicki, Daniel Borkmann,
John Fastabend, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Sitnicki <jakub@cloudflare.com>
[ Upstream commit 3b9ce0491a43e9af7f108b2f1bced7cd35931660 ]
This reverts commit ff91059932401894e6c86341915615c5eb0eca48.
This check is no longer needed. BPF programs attached to tracepoints are
now rejected by the verifier when they attempt to delete from a
sockmap/sockhash maps.
Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20240527-sockmap-verify-deletes-v1-2-944b372f2101@cloudflare.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/sock_map.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 01be07b485fad..a37143d181f95 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -411,9 +411,6 @@ static int __sock_map_delete(struct bpf_stab *stab, struct sock *sk_test,
struct sock *sk;
int err = 0;
- if (irqs_disabled())
- return -EOPNOTSUPP; /* locks here are hardirq-unsafe */
-
spin_lock_bh(&stab->lock);
sk = *psk;
if (!sk_test || sk_test == sk)
@@ -936,9 +933,6 @@ static long sock_hash_delete_elem(struct bpf_map *map, void *key)
struct bpf_shtab_elem *elem;
int ret = -ENOENT;
- if (irqs_disabled())
- return -EOPNOTSUPP; /* locks here are hardirq-unsafe */
-
hash = sock_hash_bucket_hash(key, key_size);
bucket = sock_hash_select_bucket(htab, hash);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 214/341] nvme: use srcu for iterating namespace list
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 213/341] Revert "bpf, sockmap: Prevent lock inversion deadlock in map delete elem" Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 215/341] drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent Greg Kroah-Hartman
` (139 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shinichiro Kawasaki, Sagi Grimberg,
Christoph Hellwig, Keith Busch, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit be647e2c76b27f409cdd520f66c95be888b553a3 ]
The nvme pci driver synchronizes with all the namespace queues during a
reset to ensure that there's no pending timeout work.
Meanwhile the timeout work potentially iterates those same namespaces to
freeze their queues.
Each of those namespace iterations use the same read lock. If a write
lock should somehow get between the synchronize and freeze steps, then
forward progress is deadlocked.
We had been relying on the nvme controller state machine to ensure the
reset work wouldn't conflict with timeout work. That guarantee may be a
bit fragile to rely on, so iterate the namespace lists without taking
potentially circular locks, as reported by lockdep.
Link: https://lore.kernel.org/all/20220930001943.zdbvolc3gkekfmcv@shindev/
Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Tested-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 99 +++++++++++++++++++++--------------
drivers/nvme/host/ioctl.c | 15 +++---
drivers/nvme/host/multipath.c | 21 ++++----
drivers/nvme/host/nvme.h | 4 +-
4 files changed, 83 insertions(+), 56 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 4e39a58a00458..2a1b555406dff 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -632,7 +632,7 @@ static void nvme_free_ns(struct kref *kref)
kfree(ns);
}
-static inline bool nvme_get_ns(struct nvme_ns *ns)
+bool nvme_get_ns(struct nvme_ns *ns)
{
return kref_get_unless_zero(&ns->kref);
}
@@ -3542,9 +3542,10 @@ static int nvme_init_ns_head(struct nvme_ns *ns, struct nvme_ns_info *info)
struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid)
{
struct nvme_ns *ns, *ret = NULL;
+ int srcu_idx;
- down_read(&ctrl->namespaces_rwsem);
- list_for_each_entry(ns, &ctrl->namespaces, list) {
+ srcu_idx = srcu_read_lock(&ctrl->srcu);
+ list_for_each_entry_rcu(ns, &ctrl->namespaces, list) {
if (ns->head->ns_id == nsid) {
if (!nvme_get_ns(ns))
continue;
@@ -3554,7 +3555,7 @@ struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid)
if (ns->head->ns_id > nsid)
break;
}
- up_read(&ctrl->namespaces_rwsem);
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
return ret;
}
EXPORT_SYMBOL_NS_GPL(nvme_find_get_ns, NVME_TARGET_PASSTHRU);
@@ -3568,7 +3569,7 @@ static void nvme_ns_add_to_ctrl_list(struct nvme_ns *ns)
list_for_each_entry_reverse(tmp, &ns->ctrl->namespaces, list) {
if (tmp->head->ns_id < ns->head->ns_id) {
- list_add(&ns->list, &tmp->list);
+ list_add_rcu(&ns->list, &tmp->list);
return;
}
}
@@ -3634,17 +3635,18 @@ static void nvme_alloc_ns(struct nvme_ctrl *ctrl, struct nvme_ns_info *info)
if (nvme_update_ns_info(ns, info))
goto out_unlink_ns;
- down_write(&ctrl->namespaces_rwsem);
+ mutex_lock(&ctrl->namespaces_lock);
/*
* Ensure that no namespaces are added to the ctrl list after the queues
* are frozen, thereby avoiding a deadlock between scan and reset.
*/
if (test_bit(NVME_CTRL_FROZEN, &ctrl->flags)) {
- up_write(&ctrl->namespaces_rwsem);
+ mutex_unlock(&ctrl->namespaces_lock);
goto out_unlink_ns;
}
nvme_ns_add_to_ctrl_list(ns);
- up_write(&ctrl->namespaces_rwsem);
+ mutex_unlock(&ctrl->namespaces_lock);
+ synchronize_srcu(&ctrl->srcu);
nvme_get_ctrl(ctrl);
if (device_add_disk(ctrl->device, ns->disk, nvme_ns_id_attr_groups))
@@ -3660,9 +3662,10 @@ static void nvme_alloc_ns(struct nvme_ctrl *ctrl, struct nvme_ns_info *info)
out_cleanup_ns_from_list:
nvme_put_ctrl(ctrl);
- down_write(&ctrl->namespaces_rwsem);
- list_del_init(&ns->list);
- up_write(&ctrl->namespaces_rwsem);
+ mutex_lock(&ctrl->namespaces_lock);
+ list_del_rcu(&ns->list);
+ mutex_unlock(&ctrl->namespaces_lock);
+ synchronize_srcu(&ctrl->srcu);
out_unlink_ns:
mutex_lock(&ctrl->subsys->lock);
list_del_rcu(&ns->siblings);
@@ -3712,9 +3715,10 @@ static void nvme_ns_remove(struct nvme_ns *ns)
nvme_cdev_del(&ns->cdev, &ns->cdev_device);
del_gendisk(ns->disk);
- down_write(&ns->ctrl->namespaces_rwsem);
- list_del_init(&ns->list);
- up_write(&ns->ctrl->namespaces_rwsem);
+ mutex_lock(&ns->ctrl->namespaces_lock);
+ list_del_rcu(&ns->list);
+ mutex_unlock(&ns->ctrl->namespaces_lock);
+ synchronize_srcu(&ns->ctrl->srcu);
if (last_path)
nvme_mpath_shutdown_disk(ns->head);
@@ -3804,16 +3808,17 @@ static void nvme_remove_invalid_namespaces(struct nvme_ctrl *ctrl,
struct nvme_ns *ns, *next;
LIST_HEAD(rm_list);
- down_write(&ctrl->namespaces_rwsem);
+ mutex_lock(&ctrl->namespaces_lock);
list_for_each_entry_safe(ns, next, &ctrl->namespaces, list) {
if (ns->head->ns_id > nsid)
- list_move_tail(&ns->list, &rm_list);
+ list_splice_init_rcu(&ns->list, &rm_list,
+ synchronize_rcu);
}
- up_write(&ctrl->namespaces_rwsem);
+ mutex_unlock(&ctrl->namespaces_lock);
+ synchronize_srcu(&ctrl->srcu);
list_for_each_entry_safe(ns, next, &rm_list, list)
nvme_ns_remove(ns);
-
}
static int nvme_scan_ns_list(struct nvme_ctrl *ctrl)
@@ -3983,9 +3988,10 @@ void nvme_remove_namespaces(struct nvme_ctrl *ctrl)
/* this is a no-op when called from the controller reset handler */
nvme_change_ctrl_state(ctrl, NVME_CTRL_DELETING_NOIO);
- down_write(&ctrl->namespaces_rwsem);
- list_splice_init(&ctrl->namespaces, &ns_list);
- up_write(&ctrl->namespaces_rwsem);
+ mutex_lock(&ctrl->namespaces_lock);
+ list_splice_init_rcu(&ctrl->namespaces, &ns_list, synchronize_rcu);
+ mutex_unlock(&ctrl->namespaces_lock);
+ synchronize_srcu(&ctrl->srcu);
list_for_each_entry_safe(ns, next, &ns_list, list)
nvme_ns_remove(ns);
@@ -4418,6 +4424,7 @@ static void nvme_free_ctrl(struct device *dev)
nvme_free_cels(ctrl);
nvme_mpath_uninit(ctrl);
+ cleanup_srcu_struct(&ctrl->srcu);
nvme_auth_stop(ctrl);
nvme_auth_free(ctrl);
__free_page(ctrl->discard_page);
@@ -4449,10 +4456,15 @@ int nvme_init_ctrl(struct nvme_ctrl *ctrl, struct device *dev,
WRITE_ONCE(ctrl->state, NVME_CTRL_NEW);
clear_bit(NVME_CTRL_FAILFAST_EXPIRED, &ctrl->flags);
spin_lock_init(&ctrl->lock);
+ mutex_init(&ctrl->namespaces_lock);
+
+ ret = init_srcu_struct(&ctrl->srcu);
+ if (ret)
+ return ret;
+
mutex_init(&ctrl->scan_lock);
INIT_LIST_HEAD(&ctrl->namespaces);
xa_init(&ctrl->cels);
- init_rwsem(&ctrl->namespaces_rwsem);
ctrl->dev = dev;
ctrl->ops = ops;
ctrl->quirks = quirks;
@@ -4531,6 +4543,7 @@ int nvme_init_ctrl(struct nvme_ctrl *ctrl, struct device *dev,
out:
if (ctrl->discard_page)
__free_page(ctrl->discard_page);
+ cleanup_srcu_struct(&ctrl->srcu);
return ret;
}
EXPORT_SYMBOL_GPL(nvme_init_ctrl);
@@ -4539,22 +4552,24 @@ EXPORT_SYMBOL_GPL(nvme_init_ctrl);
void nvme_mark_namespaces_dead(struct nvme_ctrl *ctrl)
{
struct nvme_ns *ns;
+ int srcu_idx;
- down_read(&ctrl->namespaces_rwsem);
- list_for_each_entry(ns, &ctrl->namespaces, list)
+ srcu_idx = srcu_read_lock(&ctrl->srcu);
+ list_for_each_entry_rcu(ns, &ctrl->namespaces, list)
blk_mark_disk_dead(ns->disk);
- up_read(&ctrl->namespaces_rwsem);
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
}
EXPORT_SYMBOL_GPL(nvme_mark_namespaces_dead);
void nvme_unfreeze(struct nvme_ctrl *ctrl)
{
struct nvme_ns *ns;
+ int srcu_idx;
- down_read(&ctrl->namespaces_rwsem);
- list_for_each_entry(ns, &ctrl->namespaces, list)
+ srcu_idx = srcu_read_lock(&ctrl->srcu);
+ list_for_each_entry_rcu(ns, &ctrl->namespaces, list)
blk_mq_unfreeze_queue(ns->queue);
- up_read(&ctrl->namespaces_rwsem);
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
clear_bit(NVME_CTRL_FROZEN, &ctrl->flags);
}
EXPORT_SYMBOL_GPL(nvme_unfreeze);
@@ -4562,14 +4577,15 @@ EXPORT_SYMBOL_GPL(nvme_unfreeze);
int nvme_wait_freeze_timeout(struct nvme_ctrl *ctrl, long timeout)
{
struct nvme_ns *ns;
+ int srcu_idx;
- down_read(&ctrl->namespaces_rwsem);
- list_for_each_entry(ns, &ctrl->namespaces, list) {
+ srcu_idx = srcu_read_lock(&ctrl->srcu);
+ list_for_each_entry_rcu(ns, &ctrl->namespaces, list) {
timeout = blk_mq_freeze_queue_wait_timeout(ns->queue, timeout);
if (timeout <= 0)
break;
}
- up_read(&ctrl->namespaces_rwsem);
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
return timeout;
}
EXPORT_SYMBOL_GPL(nvme_wait_freeze_timeout);
@@ -4577,23 +4593,25 @@ EXPORT_SYMBOL_GPL(nvme_wait_freeze_timeout);
void nvme_wait_freeze(struct nvme_ctrl *ctrl)
{
struct nvme_ns *ns;
+ int srcu_idx;
- down_read(&ctrl->namespaces_rwsem);
- list_for_each_entry(ns, &ctrl->namespaces, list)
+ srcu_idx = srcu_read_lock(&ctrl->srcu);
+ list_for_each_entry_rcu(ns, &ctrl->namespaces, list)
blk_mq_freeze_queue_wait(ns->queue);
- up_read(&ctrl->namespaces_rwsem);
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
}
EXPORT_SYMBOL_GPL(nvme_wait_freeze);
void nvme_start_freeze(struct nvme_ctrl *ctrl)
{
struct nvme_ns *ns;
+ int srcu_idx;
set_bit(NVME_CTRL_FROZEN, &ctrl->flags);
- down_read(&ctrl->namespaces_rwsem);
- list_for_each_entry(ns, &ctrl->namespaces, list)
+ srcu_idx = srcu_read_lock(&ctrl->srcu);
+ list_for_each_entry_rcu(ns, &ctrl->namespaces, list)
blk_freeze_queue_start(ns->queue);
- up_read(&ctrl->namespaces_rwsem);
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
}
EXPORT_SYMBOL_GPL(nvme_start_freeze);
@@ -4636,11 +4654,12 @@ EXPORT_SYMBOL_GPL(nvme_unquiesce_admin_queue);
void nvme_sync_io_queues(struct nvme_ctrl *ctrl)
{
struct nvme_ns *ns;
+ int srcu_idx;
- down_read(&ctrl->namespaces_rwsem);
- list_for_each_entry(ns, &ctrl->namespaces, list)
+ srcu_idx = srcu_read_lock(&ctrl->srcu);
+ list_for_each_entry_rcu(ns, &ctrl->namespaces, list)
blk_sync_queue(ns->queue);
- up_read(&ctrl->namespaces_rwsem);
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
}
EXPORT_SYMBOL_GPL(nvme_sync_io_queues);
diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
index 4939ed35638f1..875dee6ecd408 100644
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -921,15 +921,15 @@ static int nvme_dev_user_cmd(struct nvme_ctrl *ctrl, void __user *argp,
bool open_for_write)
{
struct nvme_ns *ns;
- int ret;
+ int ret, srcu_idx;
- down_read(&ctrl->namespaces_rwsem);
+ srcu_idx = srcu_read_lock(&ctrl->srcu);
if (list_empty(&ctrl->namespaces)) {
ret = -ENOTTY;
goto out_unlock;
}
- ns = list_first_entry(&ctrl->namespaces, struct nvme_ns, list);
+ ns = list_first_or_null_rcu(&ctrl->namespaces, struct nvme_ns, list);
if (ns != list_last_entry(&ctrl->namespaces, struct nvme_ns, list)) {
dev_warn(ctrl->device,
"NVME_IOCTL_IO_CMD not supported when multiple namespaces present!\n");
@@ -939,15 +939,18 @@ static int nvme_dev_user_cmd(struct nvme_ctrl *ctrl, void __user *argp,
dev_warn(ctrl->device,
"using deprecated NVME_IOCTL_IO_CMD ioctl on the char device!\n");
- kref_get(&ns->kref);
- up_read(&ctrl->namespaces_rwsem);
+ if (!nvme_get_ns(ns)) {
+ ret = -ENXIO;
+ goto out_unlock;
+ }
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
ret = nvme_user_cmd(ctrl, ns, argp, 0, open_for_write);
nvme_put_ns(ns);
return ret;
out_unlock:
- up_read(&ctrl->namespaces_rwsem);
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
return ret;
}
diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
index 6515fa537ee53..645a6b1322205 100644
--- a/drivers/nvme/host/multipath.c
+++ b/drivers/nvme/host/multipath.c
@@ -151,16 +151,17 @@ void nvme_mpath_end_request(struct request *rq)
void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl)
{
struct nvme_ns *ns;
+ int srcu_idx;
- down_read(&ctrl->namespaces_rwsem);
- list_for_each_entry(ns, &ctrl->namespaces, list) {
+ srcu_idx = srcu_read_lock(&ctrl->srcu);
+ list_for_each_entry_rcu(ns, &ctrl->namespaces, list) {
if (!ns->head->disk)
continue;
kblockd_schedule_work(&ns->head->requeue_work);
if (ctrl->state == NVME_CTRL_LIVE)
disk_uevent(ns->head->disk, KOBJ_CHANGE);
}
- up_read(&ctrl->namespaces_rwsem);
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
}
static const char *nvme_ana_state_names[] = {
@@ -194,13 +195,14 @@ bool nvme_mpath_clear_current_path(struct nvme_ns *ns)
void nvme_mpath_clear_ctrl_paths(struct nvme_ctrl *ctrl)
{
struct nvme_ns *ns;
+ int srcu_idx;
- down_read(&ctrl->namespaces_rwsem);
- list_for_each_entry(ns, &ctrl->namespaces, list) {
+ srcu_idx = srcu_read_lock(&ctrl->srcu);
+ list_for_each_entry_rcu(ns, &ctrl->namespaces, list) {
nvme_mpath_clear_current_path(ns);
kblockd_schedule_work(&ns->head->requeue_work);
}
- up_read(&ctrl->namespaces_rwsem);
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
}
void nvme_mpath_revalidate_paths(struct nvme_ns *ns)
@@ -679,6 +681,7 @@ static int nvme_update_ana_state(struct nvme_ctrl *ctrl,
u32 nr_nsids = le32_to_cpu(desc->nnsids), n = 0;
unsigned *nr_change_groups = data;
struct nvme_ns *ns;
+ int srcu_idx;
dev_dbg(ctrl->device, "ANA group %d: %s.\n",
le32_to_cpu(desc->grpid),
@@ -690,8 +693,8 @@ static int nvme_update_ana_state(struct nvme_ctrl *ctrl,
if (!nr_nsids)
return 0;
- down_read(&ctrl->namespaces_rwsem);
- list_for_each_entry(ns, &ctrl->namespaces, list) {
+ srcu_idx = srcu_read_lock(&ctrl->srcu);
+ list_for_each_entry_rcu(ns, &ctrl->namespaces, list) {
unsigned nsid;
again:
nsid = le32_to_cpu(desc->nsids[n]);
@@ -704,7 +707,7 @@ static int nvme_update_ana_state(struct nvme_ctrl *ctrl,
if (ns->head->ns_id > nsid)
goto again;
}
- up_read(&ctrl->namespaces_rwsem);
+ srcu_read_unlock(&ctrl->srcu, srcu_idx);
return 0;
}
diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
index 21c24cd8b1e8a..d2b6975e71fbc 100644
--- a/drivers/nvme/host/nvme.h
+++ b/drivers/nvme/host/nvme.h
@@ -280,7 +280,8 @@ struct nvme_ctrl {
struct blk_mq_tag_set *tagset;
struct blk_mq_tag_set *admin_tagset;
struct list_head namespaces;
- struct rw_semaphore namespaces_rwsem;
+ struct mutex namespaces_lock;
+ struct srcu_struct srcu;
struct device ctrl_device;
struct device *device; /* char device */
#ifdef CONFIG_NVME_HWMON
@@ -1126,6 +1127,7 @@ void nvme_passthru_end(struct nvme_ctrl *ctrl, struct nvme_ns *ns, u32 effects,
struct nvme_command *cmd, int status);
struct nvme_ctrl *nvme_ctrl_from_file(struct file *file);
struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid);
+bool nvme_get_ns(struct nvme_ns *ns);
void nvme_put_ns(struct nvme_ns *ns);
static inline bool nvme_multi_css(struct nvme_ctrl *ctrl)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 215/341] drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 214/341] nvme: use srcu for iterating namespace list Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 216/341] hrtimer: Prevent queuing of hrtimer without a function callback Greg Kroah-Hartman
` (138 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jesse Zhang, Christian König,
Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jesse Zhang <jesse.zhang@amd.com>
[ Upstream commit 511a623fb46a6cf578c61d4f2755783c48807c77 ]
The pointer parent may be NULLed by the function amdgpu_vm_pt_parent.
To make the code more robust, check the pointer parent.
Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
Suggested-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c
index 0d51222f6f8eb..026a3db947298 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c
@@ -766,11 +766,15 @@ int amdgpu_vm_pde_update(struct amdgpu_vm_update_params *params,
struct amdgpu_vm_bo_base *entry)
{
struct amdgpu_vm_bo_base *parent = amdgpu_vm_pt_parent(entry);
- struct amdgpu_bo *bo = parent->bo, *pbo;
+ struct amdgpu_bo *bo, *pbo;
struct amdgpu_vm *vm = params->vm;
uint64_t pde, pt, flags;
unsigned int level;
+ if (WARN_ON(!parent))
+ return -EINVAL;
+
+ bo = parent->bo;
for (level = 0, pbo = bo->parent; pbo; ++level)
pbo = pbo->parent;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 216/341] hrtimer: Prevent queuing of hrtimer without a function callback
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 215/341] drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 217/341] ionic: use pci_is_enabled not open code Greg Kroah-Hartman
` (137 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Chang, Anna-Maria Behnsen,
Thomas Gleixner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Chang <phil.chang@mediatek.com>
[ Upstream commit 5a830bbce3af16833fe0092dec47b6dd30279825 ]
The hrtimer function callback must not be NULL. It has to be specified by
the call side but it is not validated by the hrtimer code. When a hrtimer
is queued without a function callback, the kernel crashes with a null
pointer dereference when trying to execute the callback in __run_hrtimer().
Introduce a validation before queuing the hrtimer in
hrtimer_start_range_ns().
[anna-maria: Rephrase commit message]
Signed-off-by: Phil Chang <phil.chang@mediatek.com>
Signed-off-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/hrtimer.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 6057fe2e179b0..57e5cb36f1bc9 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1288,6 +1288,8 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
struct hrtimer_clock_base *base;
unsigned long flags;
+ if (WARN_ON_ONCE(!timer->function))
+ return;
/*
* Check whether the HRTIMER_MODE_SOFT bit and hrtimer.is_soft
* match on CONFIG_PREEMPT_RT = n. With PREEMPT_RT check the hard
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 217/341] ionic: use pci_is_enabled not open code
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 216/341] hrtimer: Prevent queuing of hrtimer without a function callback Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 218/341] ionic: check cmd_regs before copying in or out Greg Kroah-Hartman
` (136 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brett Creeley, Shannon Nelson,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shannon Nelson <shannon.nelson@amd.com>
[ Upstream commit 121e4dcba3700b30e63f25203d09ddfccbab4a09 ]
Since there is a utility available for this, use
the API rather than open code.
Fixes: 13943d6c8273 ("ionic: prevent pci disable of already disabled device")
Reviewed-by: Brett Creeley <brett.creeley@amd.com>
Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c b/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c
index a5fa49fd21390..35099ad5eccc8 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c
@@ -223,7 +223,7 @@ static void ionic_clear_pci(struct ionic *ionic)
ionic_unmap_bars(ionic);
pci_release_regions(ionic->pdev);
- if (atomic_read(&ionic->pdev->enable_cnt) > 0)
+ if (pci_is_enabled(ionic->pdev))
pci_disable_device(ionic->pdev);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 218/341] ionic: check cmd_regs before copying in or out
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 217/341] ionic: use pci_is_enabled not open code Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 219/341] EDAC/skx_common: Allow decoding of SGX addresses Greg Kroah-Hartman
` (135 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brett Creeley, Shannon Nelson,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shannon Nelson <shannon.nelson@amd.com>
[ Upstream commit 7662fad348ac54120e9e6443cb0bbe4f3b582219 ]
Since we now have potential cases of NULL cmd_regs and info_regs
during a reset recovery, and left NULL if a reset recovery has
failed, we need to check that they exist before we use them.
Most of the cases were covered in the original patch where we
verify before doing the ioreadb() for health or cmd status.
However, we need to protect a few uses of io mem that could
be hit in error recovery or asynchronous threads calls as well
(e.g. ethtool or devlink handlers).
Fixes: 219e183272b4 ("ionic: no fw read when PCI reset failed")
Reviewed-by: Brett Creeley <brett.creeley@amd.com>
Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/pensando/ionic/ionic_dev.c | 10 ++++++++++
drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 7 ++++++-
drivers/net/ethernet/pensando/ionic/ionic_fw.c | 5 +++++
drivers/net/ethernet/pensando/ionic/ionic_main.c | 3 +++
4 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.c b/drivers/net/ethernet/pensando/ionic/ionic_dev.c
index b4e0fb25b96d7..e242166f0afe7 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.c
@@ -319,22 +319,32 @@ int ionic_heartbeat_check(struct ionic *ionic)
u8 ionic_dev_cmd_status(struct ionic_dev *idev)
{
+ if (!idev->dev_cmd_regs)
+ return (u8)PCI_ERROR_RESPONSE;
return ioread8(&idev->dev_cmd_regs->comp.comp.status);
}
bool ionic_dev_cmd_done(struct ionic_dev *idev)
{
+ if (!idev->dev_cmd_regs)
+ return false;
return ioread32(&idev->dev_cmd_regs->done) & IONIC_DEV_CMD_DONE;
}
void ionic_dev_cmd_comp(struct ionic_dev *idev, union ionic_dev_cmd_comp *comp)
{
+ if (!idev->dev_cmd_regs)
+ return;
memcpy_fromio(comp, &idev->dev_cmd_regs->comp, sizeof(*comp));
}
void ionic_dev_cmd_go(struct ionic_dev *idev, union ionic_dev_cmd *cmd)
{
idev->opcode = cmd->cmd.opcode;
+
+ if (!idev->dev_cmd_regs)
+ return;
+
memcpy_toio(&idev->dev_cmd_regs->cmd, cmd, sizeof(*cmd));
iowrite32(0, &idev->dev_cmd_regs->done);
iowrite32(1, &idev->dev_cmd_regs->doorbell);
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
index 3a6b0a9bc2414..35829a2851fa7 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
@@ -90,18 +90,23 @@ static void ionic_get_regs(struct net_device *netdev, struct ethtool_regs *regs,
void *p)
{
struct ionic_lif *lif = netdev_priv(netdev);
+ struct ionic_dev *idev;
unsigned int offset;
unsigned int size;
regs->version = IONIC_DEV_CMD_REG_VERSION;
+ idev = &lif->ionic->idev;
+ if (!idev->dev_info_regs)
+ return;
+
offset = 0;
size = IONIC_DEV_INFO_REG_COUNT * sizeof(u32);
memcpy_fromio(p + offset, lif->ionic->idev.dev_info_regs->words, size);
offset += size;
size = IONIC_DEV_CMD_REG_COUNT * sizeof(u32);
- memcpy_fromio(p + offset, lif->ionic->idev.dev_cmd_regs->words, size);
+ memcpy_fromio(p + offset, idev->dev_cmd_regs->words, size);
}
static void ionic_get_link_ext_stats(struct net_device *netdev,
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_fw.c b/drivers/net/ethernet/pensando/ionic/ionic_fw.c
index 5f40324cd243f..3c209c1a23373 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_fw.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_fw.c
@@ -109,6 +109,11 @@ int ionic_firmware_update(struct ionic_lif *lif, const struct firmware *fw,
dl = priv_to_devlink(ionic);
devlink_flash_update_status_notify(dl, "Preparing to flash", NULL, 0, 0);
+ if (!idev->dev_cmd_regs) {
+ err = -ENXIO;
+ goto err_out;
+ }
+
buf_sz = sizeof(idev->dev_cmd_regs->data);
netdev_dbg(netdev,
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_main.c b/drivers/net/ethernet/pensando/ionic/ionic_main.c
index f019277fec572..3ca6893d1bf26 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_main.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_main.c
@@ -438,6 +438,9 @@ static void ionic_dev_cmd_clean(struct ionic *ionic)
{
struct ionic_dev *idev = &ionic->idev;
+ if (!idev->dev_cmd_regs)
+ return;
+
iowrite32(0, &idev->dev_cmd_regs->doorbell);
memset_io(&idev->dev_cmd_regs->cmd, 0, sizeof(idev->dev_cmd_regs->cmd));
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 219/341] EDAC/skx_common: Allow decoding of SGX addresses
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 218/341] ionic: check cmd_regs before copying in or out Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 220/341] nvme: fix namespace removal list Greg Kroah-Hartman
` (134 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qiuxu Zhuo, Tony Luck, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
[ Upstream commit e0d335077831196bffe6a634ffe385fc684192ca ]
There are no "struct page" associations with SGX pages, causing the check
pfn_to_online_page() to fail. This results in the inability to decode the
SGX addresses and warning messages like:
Invalid address 0x34cc9a98840 in IA32_MC17_ADDR
Add an additional check to allow the decoding of the error address and to
skip the warning message, if the error address is an SGX address.
Fixes: 1e92af09fab1 ("EDAC/skx_common: Filter out the invalid address")
Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Link: https://lore.kernel.org/r/20240408120419.50234-1-qiuxu.zhuo@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/skx_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c
index f4b192420be47..8d18099fd528c 100644
--- a/drivers/edac/skx_common.c
+++ b/drivers/edac/skx_common.c
@@ -659,7 +659,7 @@ int skx_mce_check_error(struct notifier_block *nb, unsigned long val,
memset(&res, 0, sizeof(res));
res.mce = mce;
res.addr = mce->addr & MCI_ADDR_PHYSADDR;
- if (!pfn_to_online_page(res.addr >> PAGE_SHIFT)) {
+ if (!pfn_to_online_page(res.addr >> PAGE_SHIFT) && !arch_is_platform_page(res.addr)) {
pr_err("Invalid address 0x%llx in IA32_MC%d_ADDR\n", mce->addr, mce->bank);
return NOTIFY_DONE;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 220/341] nvme: fix namespace removal list
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 219/341] EDAC/skx_common: Allow decoding of SGX addresses Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 221/341] gtp: pull network headers in gtp_dev_xmit() Greg Kroah-Hartman
` (133 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Venkat Rao Bagalkote, Keith Busch,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit ff0ffe5b7c3c12c6e0cca16652905963ae817b44 ]
This function wants to move a subset of a list from one element to the
tail into another list. It also needs to use the srcu synchronize
instead of the regular rcu version. Do this one element at a time
because that's the only to do it.
Fixes: be647e2c76b27f4 ("nvme: use srcu for iterating namespace list")
Reported-by: Venkat Rao Bagalkote <venkat88@linux.vnet.ibm.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.vnet.ibm.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 2a1b555406dff..82509f3679373 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -3810,12 +3810,13 @@ static void nvme_remove_invalid_namespaces(struct nvme_ctrl *ctrl,
mutex_lock(&ctrl->namespaces_lock);
list_for_each_entry_safe(ns, next, &ctrl->namespaces, list) {
- if (ns->head->ns_id > nsid)
- list_splice_init_rcu(&ns->list, &rm_list,
- synchronize_rcu);
+ if (ns->head->ns_id > nsid) {
+ list_del_rcu(&ns->list);
+ synchronize_srcu(&ctrl->srcu);
+ list_add_tail_rcu(&ns->list, &rm_list);
+ }
}
mutex_unlock(&ctrl->namespaces_lock);
- synchronize_srcu(&ctrl->srcu);
list_for_each_entry_safe(ns, next, &rm_list, list)
nvme_ns_remove(ns);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 221/341] gtp: pull network headers in gtp_dev_xmit()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 220/341] nvme: fix namespace removal list Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 222/341] jfs: define xtree root and page independently Greg Kroah-Hartman
` (132 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Harald Welte,
Pablo Neira Ayuso, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 3a3be7ff9224f424e485287b54be00d2c6bd9c40 upstream.
syzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1]
We must make sure the IPv4 or Ipv6 header is pulled in skb->head
before accessing fields in them.
Use pskb_inet_may_pull() to fix this issue.
[1]
BUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline]
BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]
BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281
ipv6_pdp_find drivers/net/gtp.c:220 [inline]
gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]
gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281
__netdev_start_xmit include/linux/netdevice.h:4913 [inline]
netdev_start_xmit include/linux/netdevice.h:4922 [inline]
xmit_one net/core/dev.c:3580 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596
__dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423
dev_queue_xmit include/linux/netdevice.h:3105 [inline]
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3145 [inline]
packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:745
__sys_sendto+0x685/0x830 net/socket.c:2204
__do_sys_sendto net/socket.c:2216 [inline]
__se_sys_sendto net/socket.c:2212 [inline]
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2212
x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3994 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583
__alloc_skb+0x363/0x7b0 net/core/skbuff.c:674
alloc_skb include/linux/skbuff.h:1320 [inline]
alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526
sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815
packet_alloc_skb net/packet/af_packet.c:2994 [inline]
packet_snd net/packet/af_packet.c:3088 [inline]
packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:745
__sys_sendto+0x685/0x830 net/socket.c:2204
__do_sys_sendto net/socket.c:2216 [inline]
__se_sys_sendto net/socket.c:2212 [inline]
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2212
x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Fixes: 999cb275c807 ("gtp: add IPv6 support")
Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Harald Welte <laforge@gnumonks.org>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://patch.msgid.link/20240808132455.3413916-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/gtp.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -901,6 +901,9 @@ static netdev_tx_t gtp_dev_xmit(struct s
if (skb_cow_head(skb, dev->needed_headroom))
goto tx_err;
+ if (!pskb_inet_may_pull(skb))
+ goto tx_err;
+
skb_reset_inner_headers(skb);
/* PDP context lookups in gtp_build_skb_*() need rcu read-side lock. */
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 222/341] jfs: define xtree root and page independently
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 221/341] gtp: pull network headers in gtp_dev_xmit() Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 223/341] i2c: stm32f7: Add atomic_xfer method to driver Greg Kroah-Hartman
` (131 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Kleikamp, Manas Ghandat
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Kleikamp <dave.kleikamp@oracle.com>
commit a779ed754e52d582b8c0e17959df063108bd0656 upstream.
In order to make array bounds checking sane, provide a separate
definition of the in-inode xtree root and the external xtree page.
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Tested-by: Manas Ghandat <ghandatmanas@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jfs/jfs_dinode.h | 2 +-
fs/jfs/jfs_imap.c | 6 +++---
fs/jfs/jfs_incore.h | 2 +-
fs/jfs/jfs_txnmgr.c | 4 ++--
fs/jfs/jfs_xtree.c | 4 ++--
fs/jfs/jfs_xtree.h | 37 +++++++++++++++++++++++--------------
6 files changed, 32 insertions(+), 23 deletions(-)
--- a/fs/jfs/jfs_dinode.h
+++ b/fs/jfs/jfs_dinode.h
@@ -96,7 +96,7 @@ struct dinode {
#define di_gengen u._file._u1._imap._gengen
union {
- xtpage_t _xtroot;
+ xtroot_t _xtroot;
struct {
u8 unused[16]; /* 16: */
dxd_t _dxd; /* 16: */
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -673,7 +673,7 @@ int diWrite(tid_t tid, struct inode *ip)
* This is the special xtree inside the directory for storing
* the directory table
*/
- xtpage_t *p, *xp;
+ xtroot_t *p, *xp;
xad_t *xad;
jfs_ip->xtlid = 0;
@@ -687,7 +687,7 @@ int diWrite(tid_t tid, struct inode *ip)
* copy xtree root from inode to dinode:
*/
p = &jfs_ip->i_xtroot;
- xp = (xtpage_t *) &dp->di_dirtable;
+ xp = (xtroot_t *) &dp->di_dirtable;
lv = ilinelock->lv;
for (n = 0; n < ilinelock->index; n++, lv++) {
memcpy(&xp->xad[lv->offset], &p->xad[lv->offset],
@@ -716,7 +716,7 @@ int diWrite(tid_t tid, struct inode *ip)
* regular file: 16 byte (XAD slot) granularity
*/
if (type & tlckXTREE) {
- xtpage_t *p, *xp;
+ xtroot_t *p, *xp;
xad_t *xad;
/*
--- a/fs/jfs/jfs_incore.h
+++ b/fs/jfs/jfs_incore.h
@@ -66,7 +66,7 @@ struct jfs_inode_info {
lid_t xtlid; /* lid of xtree lock on directory */
union {
struct {
- xtpage_t _xtroot; /* 288: xtree root */
+ xtroot_t _xtroot; /* 288: xtree root */
struct inomap *_imap; /* 4: inode map header */
} file;
struct {
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -783,7 +783,7 @@ struct tlock *txLock(tid_t tid, struct i
if (mp->xflag & COMMIT_PAGE)
p = (xtpage_t *) mp->data;
else
- p = &jfs_ip->i_xtroot;
+ p = (xtpage_t *) &jfs_ip->i_xtroot;
xtlck->lwm.offset =
le16_to_cpu(p->header.nextindex);
}
@@ -1676,7 +1676,7 @@ static void xtLog(struct jfs_log * log,
if (tlck->type & tlckBTROOT) {
lrd->log.redopage.type |= cpu_to_le16(LOG_BTROOT);
- p = &JFS_IP(ip)->i_xtroot;
+ p = (xtpage_t *) &JFS_IP(ip)->i_xtroot;
if (S_ISDIR(ip->i_mode))
lrd->log.redopage.type |=
cpu_to_le16(LOG_DIR_XTREE);
--- a/fs/jfs/jfs_xtree.c
+++ b/fs/jfs/jfs_xtree.c
@@ -1213,7 +1213,7 @@ xtSplitRoot(tid_t tid,
struct xtlock *xtlck;
int rc;
- sp = &JFS_IP(ip)->i_xtroot;
+ sp = (xtpage_t *) &JFS_IP(ip)->i_xtroot;
INCREMENT(xtStat.split);
@@ -2098,7 +2098,7 @@ int xtAppend(tid_t tid, /* transaction
*/
void xtInitRoot(tid_t tid, struct inode *ip)
{
- xtpage_t *p;
+ xtroot_t *p;
/*
* acquire a transaction lock on the root
--- a/fs/jfs/jfs_xtree.h
+++ b/fs/jfs/jfs_xtree.h
@@ -65,24 +65,33 @@ struct xadlist {
#define XTPAGEMAXSLOT 256
#define XTENTRYSTART 2
+struct xtheader {
+ __le64 next; /* 8: */
+ __le64 prev; /* 8: */
+
+ u8 flag; /* 1: */
+ u8 rsrvd1; /* 1: */
+ __le16 nextindex; /* 2: next index = number of entries */
+ __le16 maxentry; /* 2: max number of entries */
+ __le16 rsrvd2; /* 2: */
+
+ pxd_t self; /* 8: self */
+};
+
/*
- * xtree page:
+ * xtree root (in inode):
*/
typedef union {
- struct xtheader {
- __le64 next; /* 8: */
- __le64 prev; /* 8: */
-
- u8 flag; /* 1: */
- u8 rsrvd1; /* 1: */
- __le16 nextindex; /* 2: next index = number of entries */
- __le16 maxentry; /* 2: max number of entries */
- __le16 rsrvd2; /* 2: */
-
- pxd_t self; /* 8: self */
- } header; /* (32) */
-
+ struct xtheader header;
xad_t xad[XTROOTMAXSLOT]; /* 16 * maxentry: xad array */
+} xtroot_t;
+
+/*
+ * xtree page:
+ */
+typedef union {
+ struct xtheader header;
+ xad_t xad[XTPAGEMAXSLOT]; /* 16 * maxentry: xad array */
} xtpage_t;
/*
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 223/341] i2c: stm32f7: Add atomic_xfer method to driver
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 222/341] jfs: define xtree root and page independently Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 224/341] riscv: entry: always initialize regs->a0 to -ENOSYS Greg Kroah-Hartman
` (130 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Nyekjaer, Andi Shyti,
Wolfram Sang, Christoph Niedermaier
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Nyekjaer <sean@geanix.com>
commit 470a662688563d8f5e0fb164930d6f5507a883e4 upstream.
Add an atomic_xfer method to the driver so that it behaves correctly
when controlling a PMIC that is responsible for device shutdown.
The atomic_xfer method added is similar to the one from the i2c-mv64xxx
driver. When running an atomic_xfer a bool flag in the driver data is
set, the interrupt is not unmasked on transfer start, and the IRQ
handler is manually invoked while waiting for pending transfers to
complete.
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Acked-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Cc: Christoph Niedermaier <cniedermaier@dh-electronics.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-stm32f7.c | 51 +++++++++++++++++++++++++++++++++++----
1 file changed, 47 insertions(+), 4 deletions(-)
--- a/drivers/i2c/busses/i2c-stm32f7.c
+++ b/drivers/i2c/busses/i2c-stm32f7.c
@@ -357,6 +357,7 @@ struct stm32f7_i2c_dev {
u32 dnf_dt;
u32 dnf;
struct stm32f7_i2c_alert *alert;
+ bool atomic;
};
/*
@@ -915,7 +916,8 @@ static void stm32f7_i2c_xfer_msg(struct
/* Configure DMA or enable RX/TX interrupt */
i2c_dev->use_dma = false;
- if (i2c_dev->dma && f7_msg->count >= STM32F7_I2C_DMA_LEN_MIN) {
+ if (i2c_dev->dma && f7_msg->count >= STM32F7_I2C_DMA_LEN_MIN
+ && !i2c_dev->atomic) {
ret = stm32_i2c_prep_dma_xfer(i2c_dev->dev, i2c_dev->dma,
msg->flags & I2C_M_RD,
f7_msg->count, f7_msg->buf,
@@ -939,6 +941,9 @@ static void stm32f7_i2c_xfer_msg(struct
cr1 |= STM32F7_I2C_CR1_TXDMAEN;
}
+ if (i2c_dev->atomic)
+ cr1 &= ~STM32F7_I2C_ALL_IRQ_MASK; /* Disable all interrupts */
+
/* Configure Start/Repeated Start */
cr2 |= STM32F7_I2C_CR2_START;
@@ -1673,7 +1678,22 @@ static irqreturn_t stm32f7_i2c_isr_error
return IRQ_HANDLED;
}
-static int stm32f7_i2c_xfer(struct i2c_adapter *i2c_adap,
+static int stm32f7_i2c_wait_polling(struct stm32f7_i2c_dev *i2c_dev)
+{
+ ktime_t timeout = ktime_add_ms(ktime_get(), i2c_dev->adap.timeout);
+
+ while (ktime_compare(ktime_get(), timeout) < 0) {
+ udelay(5);
+ stm32f7_i2c_isr_event(0, i2c_dev);
+
+ if (completion_done(&i2c_dev->complete))
+ return 1;
+ }
+
+ return 0;
+}
+
+static int stm32f7_i2c_xfer_core(struct i2c_adapter *i2c_adap,
struct i2c_msg msgs[], int num)
{
struct stm32f7_i2c_dev *i2c_dev = i2c_get_adapdata(i2c_adap);
@@ -1697,8 +1717,12 @@ static int stm32f7_i2c_xfer(struct i2c_a
stm32f7_i2c_xfer_msg(i2c_dev, msgs);
- time_left = wait_for_completion_timeout(&i2c_dev->complete,
- i2c_dev->adap.timeout);
+ if (!i2c_dev->atomic)
+ time_left = wait_for_completion_timeout(&i2c_dev->complete,
+ i2c_dev->adap.timeout);
+ else
+ time_left = stm32f7_i2c_wait_polling(i2c_dev);
+
ret = f7_msg->result;
if (ret) {
if (i2c_dev->use_dma)
@@ -1730,6 +1754,24 @@ pm_free:
return (ret < 0) ? ret : num;
}
+static int stm32f7_i2c_xfer(struct i2c_adapter *i2c_adap,
+ struct i2c_msg msgs[], int num)
+{
+ struct stm32f7_i2c_dev *i2c_dev = i2c_get_adapdata(i2c_adap);
+
+ i2c_dev->atomic = false;
+ return stm32f7_i2c_xfer_core(i2c_adap, msgs, num);
+}
+
+static int stm32f7_i2c_xfer_atomic(struct i2c_adapter *i2c_adap,
+ struct i2c_msg msgs[], int num)
+{
+ struct stm32f7_i2c_dev *i2c_dev = i2c_get_adapdata(i2c_adap);
+
+ i2c_dev->atomic = true;
+ return stm32f7_i2c_xfer_core(i2c_adap, msgs, num);
+}
+
static int stm32f7_i2c_smbus_xfer(struct i2c_adapter *adapter, u16 addr,
unsigned short flags, char read_write,
u8 command, int size,
@@ -2098,6 +2140,7 @@ static u32 stm32f7_i2c_func(struct i2c_a
static const struct i2c_algorithm stm32f7_i2c_algo = {
.master_xfer = stm32f7_i2c_xfer,
+ .master_xfer_atomic = stm32f7_i2c_xfer_atomic,
.smbus_xfer = stm32f7_i2c_smbus_xfer,
.functionality = stm32f7_i2c_func,
.reg_slave = stm32f7_i2c_reg_slave,
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 224/341] riscv: entry: always initialize regs->a0 to -ENOSYS
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 223/341] i2c: stm32f7: Add atomic_xfer method to driver Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 225/341] dm suspend: return -ERESTARTSYS instead of -EINTR Greg Kroah-Hartman
` (129 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry V. Levin,
Björn Töpel, Celeste Liu, Palmer Dabbelt, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Celeste Liu <coelacanthushex@gmail.com>
[ Upstream commit 61119394631f219e23ce98bcc3eb993a64a8ea64 ]
Otherwise when the tracer changes syscall number to -1, the kernel fails
to initialize a0 with -ENOSYS and subsequently fails to return the error
code of the failed syscall to userspace. For example, it will break
strace syscall tampering.
Fixes: 52449c17bdd1 ("riscv: entry: set a0 = -ENOSYS only when syscall != -1")
Reported-by: "Dmitry V. Levin" <ldv@strace.io>
Reviewed-by: Björn Töpel <bjorn@rivosinc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Celeste Liu <CoelacanthusHex@gmail.com>
Link: https://lore.kernel.org/r/20240627142338.5114-2-CoelacanthusHex@gmail.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kernel/traps.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
index 67d0073fb624d..2158b7a65d74f 100644
--- a/arch/riscv/kernel/traps.c
+++ b/arch/riscv/kernel/traps.c
@@ -311,6 +311,7 @@ asmlinkage __visible __trap_section void do_trap_ecall_u(struct pt_regs *regs)
regs->epc += 4;
regs->orig_a0 = regs->a0;
+ regs->a0 = -ENOSYS;
riscv_v_vstate_discard(regs);
@@ -318,8 +319,6 @@ asmlinkage __visible __trap_section void do_trap_ecall_u(struct pt_regs *regs)
if (syscall >= 0 && syscall < NR_syscalls)
syscall_handler(regs, syscall);
- else if (syscall != -1)
- regs->a0 = -ENOSYS;
syscall_exit_to_user_mode(regs);
} else {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 225/341] dm suspend: return -ERESTARTSYS instead of -EINTR
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 224/341] riscv: entry: always initialize regs->a0 to -ENOSYS Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 226/341] mm: fix endless reclaim on machines with unaccepted memory Greg Kroah-Hartman
` (128 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
[ Upstream commit 1e1fd567d32fcf7544c6e09e0e5bc6c650da6e23 ]
This commit changes device mapper, so that it returns -ERESTARTSYS
instead of -EINTR when it is interrupted by a signal (so that the ioctl
can be restarted).
The manpage signal(7) says that the ioctl function should be restarted if
the signal was handled with SA_RESTART.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index f945ee453457b..8ec0a263744a5 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2531,7 +2531,7 @@ static int dm_wait_for_bios_completion(struct mapped_device *md, unsigned int ta
break;
if (signal_pending_state(task_state, current)) {
- r = -EINTR;
+ r = -ERESTARTSYS;
break;
}
@@ -2556,7 +2556,7 @@ static int dm_wait_for_completion(struct mapped_device *md, unsigned int task_st
break;
if (signal_pending_state(task_state, current)) {
- r = -EINTR;
+ r = -ERESTARTSYS;
break;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 226/341] mm: fix endless reclaim on machines with unaccepted memory
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 225/341] dm suspend: return -ERESTARTSYS instead of -EINTR Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 227/341] tools/testing/selftests/mm/run_vmtests.sh: lower the ptrace permissions Greg Kroah-Hartman
` (127 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kirill A. Shutemov, Jianxiong Gao,
David Hildenbrand, Borislav Petkov, Johannes Weiner,
Matthew Wilcox, Mel Gorman, Mike Rapoport (Microsoft),
Tom Lendacky, Vlastimil Babka, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
[ Upstream commit 807174a93d24c456503692dc3f5af322ee0b640a ]
Unaccepted memory is considered unusable free memory, which is not counted
as free on the zone watermark check. This causes get_page_from_freelist()
to accept more memory to hit the high watermark, but it creates problems
in the reclaim path.
The reclaim path encounters a failed zone watermark check and attempts to
reclaim memory. This is usually successful, but if there is little or no
reclaimable memory, it can result in endless reclaim with little to no
progress. This can occur early in the boot process, just after start of
the init process when the only reclaimable memory is the page cache of the
init executable and its libraries.
Make unaccepted memory free from watermark check point of view. This way
unaccepted memory will never be the trigger of memory reclaim. Accept
more memory in the get_page_from_freelist() if needed.
Link: https://lkml.kernel.org/r/20240809114854.3745464-2-kirill.shutemov@linux.intel.com
Fixes: dcdfdd40fa82 ("mm: Add support for unaccepted memory")
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Jianxiong Gao <jxgao@google.com>
Acked-by: David Hildenbrand <david@redhat.com>
Tested-by: Jianxiong Gao <jxgao@google.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org> [6.5+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/page_alloc.c | 42 ++++++++++++++++++++----------------------
1 file changed, 20 insertions(+), 22 deletions(-)
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 39bdbfb5313fb..edb32635037f4 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -302,7 +302,7 @@ EXPORT_SYMBOL(nr_online_nodes);
static bool page_contains_unaccepted(struct page *page, unsigned int order);
static void accept_page(struct page *page, unsigned int order);
-static bool try_to_accept_memory(struct zone *zone, unsigned int order);
+static bool cond_accept_memory(struct zone *zone, unsigned int order);
static inline bool has_unaccepted_memory(void);
static bool __free_unaccepted(struct page *page);
@@ -2830,9 +2830,6 @@ static inline long __zone_watermark_unusable_free(struct zone *z,
if (!(alloc_flags & ALLOC_CMA))
unusable_free += zone_page_state(z, NR_FREE_CMA_PAGES);
#endif
-#ifdef CONFIG_UNACCEPTED_MEMORY
- unusable_free += zone_page_state(z, NR_UNACCEPTED);
-#endif
return unusable_free;
}
@@ -3126,16 +3123,16 @@ get_page_from_freelist(gfp_t gfp_mask, unsigned int order, int alloc_flags,
}
}
+ cond_accept_memory(zone, order);
+
mark = wmark_pages(zone, alloc_flags & ALLOC_WMARK_MASK);
if (!zone_watermark_fast(zone, order, mark,
ac->highest_zoneidx, alloc_flags,
gfp_mask)) {
int ret;
- if (has_unaccepted_memory()) {
- if (try_to_accept_memory(zone, order))
- goto try_this_zone;
- }
+ if (cond_accept_memory(zone, order))
+ goto try_this_zone;
#ifdef CONFIG_DEFERRED_STRUCT_PAGE_INIT
/*
@@ -3189,10 +3186,8 @@ get_page_from_freelist(gfp_t gfp_mask, unsigned int order, int alloc_flags,
return page;
} else {
- if (has_unaccepted_memory()) {
- if (try_to_accept_memory(zone, order))
- goto try_this_zone;
- }
+ if (cond_accept_memory(zone, order))
+ goto try_this_zone;
#ifdef CONFIG_DEFERRED_STRUCT_PAGE_INIT
/* Try again if zone has deferred pages */
@@ -6619,9 +6614,6 @@ static bool try_to_accept_memory_one(struct zone *zone)
struct page *page;
bool last;
- if (list_empty(&zone->unaccepted_pages))
- return false;
-
spin_lock_irqsave(&zone->lock, flags);
page = list_first_entry_or_null(&zone->unaccepted_pages,
struct page, lru);
@@ -6647,23 +6639,29 @@ static bool try_to_accept_memory_one(struct zone *zone)
return true;
}
-static bool try_to_accept_memory(struct zone *zone, unsigned int order)
+static bool cond_accept_memory(struct zone *zone, unsigned int order)
{
long to_accept;
- int ret = false;
+ bool ret = false;
+
+ if (!has_unaccepted_memory())
+ return false;
+
+ if (list_empty(&zone->unaccepted_pages))
+ return false;
/* How much to accept to get to high watermark? */
to_accept = high_wmark_pages(zone) -
(zone_page_state(zone, NR_FREE_PAGES) -
- __zone_watermark_unusable_free(zone, order, 0));
+ __zone_watermark_unusable_free(zone, order, 0) -
+ zone_page_state(zone, NR_UNACCEPTED));
- /* Accept at least one page */
- do {
+ while (to_accept > 0) {
if (!try_to_accept_memory_one(zone))
break;
ret = true;
to_accept -= MAX_ORDER_NR_PAGES;
- } while (to_accept > 0);
+ }
return ret;
}
@@ -6706,7 +6704,7 @@ static void accept_page(struct page *page, unsigned int order)
{
}
-static bool try_to_accept_memory(struct zone *zone, unsigned int order)
+static bool cond_accept_memory(struct zone *zone, unsigned int order)
{
return false;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 227/341] tools/testing/selftests/mm/run_vmtests.sh: lower the ptrace permissions
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 226/341] mm: fix endless reclaim on machines with unaccepted memory Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 228/341] selftests/mm: log run_vmtests.sh results in TAP format Greg Kroah-Hartman
` (126 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Itaru Kitayama, Shuah Khan,
Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Itaru Kitayama <itaru.kitayama@linux.dev>
[ Upstream commit 2ffc27b15b11c9584ac46335c2ed2248d2aa4137 ]
On Ubuntu and probably other distros, ptrace permissions are tightend a
bit by default; i.e., /proc/sys/kernel/yama/ptrace_score is set to 1.
This cases memfd_secret's ptrace attach test fails with a permission
error. Set it to 0 piror to running the program.
Link: https://lkml.kernel.org/r/20231030-selftest-v1-1-743df68bb996@linux.dev
Signed-off-by: Itaru Kitayama <itaru.kitayama@linux.dev>
Cc: Shuah Khan <shuah@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 7c5e8d212d7d ("selftests: memfd_secret: don't build memfd_secret test on unsupported arches")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/mm/run_vmtests.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/mm/run_vmtests.sh b/tools/testing/selftests/mm/run_vmtests.sh
index 3e2bc818d566f..7d31718ce8343 100755
--- a/tools/testing/selftests/mm/run_vmtests.sh
+++ b/tools/testing/selftests/mm/run_vmtests.sh
@@ -303,6 +303,7 @@ CATEGORY="hmm" run_test bash ./test_hmm.sh smoke
# MADV_POPULATE_READ and MADV_POPULATE_WRITE tests
CATEGORY="madv_populate" run_test ./madv_populate
+echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
CATEGORY="memfd_secret" run_test ./memfd_secret
# KSM KSM_MERGE_TIME_HUGE_PAGES test with size of 100
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 228/341] selftests/mm: log run_vmtests.sh results in TAP format
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 227/341] tools/testing/selftests/mm/run_vmtests.sh: lower the ptrace permissions Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 229/341] selftests: memfd_secret: dont build memfd_secret test on unsupported arches Greg Kroah-Hartman
` (125 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryan Roberts, Mark Brown,
John Hubbard, Aishwarya TCV, Peter Xu, Shuah Khan, Andrew Morton,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Roberts <ryan.roberts@arm.com>
[ Upstream commit a3c5cc5129ef55ac6c69f468e5ee6e4b0cd8179c ]
When running tests on a CI system (e.g. LAVA) it is useful to output test
results in TAP (Test Anything Protocol) format so that the CI can parse
the fine-grained results to show regressions. Many of the mm selftest
binaries already output using the TAP format. And the kselftests runner
(run_kselftest.sh) also uses the format. CI systems such as LAVA can
already handle nested TAP reports. However, with the mm selftests we have
3 levels of nesting (run_kselftest.sh -> run_vmtests.sh -> individual test
binaries) and the middle level did not previously support TAP, which
breaks the parser.
Let's fix that by teaching run_vmtests.sh to output using the TAP format.
Ideally this would be opt-in via a command line argument to avoid the
possibility of breaking anyone's existing scripts that might scrape the
output. However, it is not possible to pass arguments to tests invoked
via run_kselftest.sh. So I've implemented an opt-out option (-n), which
will revert to the existing output format.
Future changes to this file should be aware of 2 new conventions:
- output that is part of the TAP reporting is piped through tap_output
- general output is piped through tap_prefix
Link: https://lkml.kernel.org/r/20231214162434.3580009-1-ryan.roberts@arm.com
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Tested-by: John Hubbard <jhubbard@nvidia.com>
Cc: Aishwarya TCV <aishwarya.tcv@arm.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Shuah Khan <shuah@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 7c5e8d212d7d ("selftests: memfd_secret: don't build memfd_secret test on unsupported arches")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/mm/run_vmtests.sh | 51 +++++++++++++++++------
1 file changed, 39 insertions(+), 12 deletions(-)
diff --git a/tools/testing/selftests/mm/run_vmtests.sh b/tools/testing/selftests/mm/run_vmtests.sh
index 7d31718ce8343..7fae86e482613 100755
--- a/tools/testing/selftests/mm/run_vmtests.sh
+++ b/tools/testing/selftests/mm/run_vmtests.sh
@@ -5,6 +5,7 @@
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
+count_total=0
count_pass=0
count_fail=0
count_skip=0
@@ -17,6 +18,7 @@ usage: ${BASH_SOURCE[0]:-$0} [ options ]
-a: run all tests, including extra ones
-t: specify specific categories to tests to run
-h: display this message
+ -n: disable TAP output
The default behavior is to run required tests only. If -a is specified,
will run all tests.
@@ -75,12 +77,14 @@ EOF
}
RUN_ALL=false
+TAP_PREFIX="# "
-while getopts "aht:" OPT; do
+while getopts "aht:n" OPT; do
case ${OPT} in
"a") RUN_ALL=true ;;
"h") usage ;;
"t") VM_SELFTEST_ITEMS=${OPTARG} ;;
+ "n") TAP_PREFIX= ;;
esac
done
shift $((OPTIND -1))
@@ -182,30 +186,52 @@ fi
VADDR64=0
echo "$ARCH64STR" | grep "$ARCH" &>/dev/null && VADDR64=1
+tap_prefix() {
+ sed -e "s/^/${TAP_PREFIX}/"
+}
+
+tap_output() {
+ if [[ ! -z "$TAP_PREFIX" ]]; then
+ read str
+ echo $str
+ fi
+}
+
+pretty_name() {
+ echo "$*" | sed -e 's/^\(bash \)\?\.\///'
+}
+
# Usage: run_test [test binary] [arbitrary test arguments...]
run_test() {
if test_selected ${CATEGORY}; then
+ local test=$(pretty_name "$*")
local title="running $*"
local sep=$(echo -n "$title" | tr "[:graph:][:space:]" -)
- printf "%s\n%s\n%s\n" "$sep" "$title" "$sep"
+ printf "%s\n%s\n%s\n" "$sep" "$title" "$sep" | tap_prefix
- "$@"
- local ret=$?
+ ("$@" 2>&1) | tap_prefix
+ local ret=${PIPESTATUS[0]}
+ count_total=$(( count_total + 1 ))
if [ $ret -eq 0 ]; then
count_pass=$(( count_pass + 1 ))
- echo "[PASS]"
+ echo "[PASS]" | tap_prefix
+ echo "ok ${count_total} ${test}" | tap_output
elif [ $ret -eq $ksft_skip ]; then
count_skip=$(( count_skip + 1 ))
- echo "[SKIP]"
+ echo "[SKIP]" | tap_prefix
+ echo "ok ${count_total} ${test} # SKIP" | tap_output
exitcode=$ksft_skip
else
count_fail=$(( count_fail + 1 ))
- echo "[FAIL]"
+ echo "[FAIL]" | tap_prefix
+ echo "not ok ${count_total} ${test} # exit=$ret" | tap_output
exitcode=1
fi
fi # test_selected
}
+echo "TAP version 13" | tap_output
+
CATEGORY="hugetlb" run_test ./hugepage-mmap
shmmax=$(cat /proc/sys/kernel/shmmax)
@@ -222,9 +248,9 @@ CATEGORY="hugetlb" run_test ./hugepage-vmemmap
CATEGORY="hugetlb" run_test ./hugetlb-madvise
if test_selected "hugetlb"; then
- echo "NOTE: These hugetlb tests provide minimal coverage. Use"
- echo " https://github.com/libhugetlbfs/libhugetlbfs.git for"
- echo " hugetlb regression testing."
+ echo "NOTE: These hugetlb tests provide minimal coverage. Use" | tap_prefix
+ echo " https://github.com/libhugetlbfs/libhugetlbfs.git for" | tap_prefix
+ echo " hugetlb regression testing." | tap_prefix
fi
CATEGORY="mmap" run_test ./map_fixed_noreplace
@@ -303,7 +329,7 @@ CATEGORY="hmm" run_test bash ./test_hmm.sh smoke
# MADV_POPULATE_READ and MADV_POPULATE_WRITE tests
CATEGORY="madv_populate" run_test ./madv_populate
-echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
+(echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope 2>&1) | tap_prefix
CATEGORY="memfd_secret" run_test ./memfd_secret
# KSM KSM_MERGE_TIME_HUGE_PAGES test with size of 100
@@ -358,6 +384,7 @@ CATEGORY="mkdirty" run_test ./mkdirty
CATEGORY="mdwe" run_test ./mdwe_test
-echo "SUMMARY: PASS=${count_pass} SKIP=${count_skip} FAIL=${count_fail}"
+echo "SUMMARY: PASS=${count_pass} SKIP=${count_skip} FAIL=${count_fail}" | tap_prefix
+echo "1..${count_total}" | tap_output
exit $exitcode
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 229/341] selftests: memfd_secret: dont build memfd_secret test on unsupported arches
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 228/341] selftests/mm: log run_vmtests.sh results in TAP format Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 230/341] change alloc_pages name in dma_map_ops to avoid name conflicts Greg Kroah-Hartman
` (124 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muhammad Usama Anjum, Shuah Khan,
Mike Rapoport (Microsoft), Albert Ou, James Bottomley,
Palmer Dabbelt, Paul Walmsley, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Muhammad Usama Anjum <usama.anjum@collabora.com>
[ Upstream commit 7c5e8d212d7d81991a580e7de3904ea213d9a852 ]
[1] mentions that memfd_secret is only supported on arm64, riscv, x86 and
x86_64 for now. It doesn't support other architectures. I found the
build error on arm and decided to send the fix as it was creating noise on
KernelCI:
memfd_secret.c: In function 'memfd_secret':
memfd_secret.c:42:24: error: '__NR_memfd_secret' undeclared (first use in this function);
did you mean 'memfd_secret'?
42 | return syscall(__NR_memfd_secret, flags);
| ^~~~~~~~~~~~~~~~~
| memfd_secret
Hence I'm adding condition that memfd_secret should only be compiled on
supported architectures.
Also check in run_vmtests script if memfd_secret binary is present before
executing it.
Link: https://lkml.kernel.org/r/20240812061522.1933054-1-usama.anjum@collabora.com
Link: https://lore.kernel.org/all/20210518072034.31572-7-rppt@kernel.org/ [1]
Link: https://lkml.kernel.org/r/20240809075642.403247-1-usama.anjum@collabora.com
Fixes: 76fe17ef588a ("secretmem: test: add basic selftest for memfd_secret(2)")
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/mm/Makefile | 2 ++
tools/testing/selftests/mm/run_vmtests.sh | 3 +++
2 files changed, 5 insertions(+)
diff --git a/tools/testing/selftests/mm/Makefile b/tools/testing/selftests/mm/Makefile
index 8b2b9bb8bad10..c9fcbc6e5121e 100644
--- a/tools/testing/selftests/mm/Makefile
+++ b/tools/testing/selftests/mm/Makefile
@@ -51,7 +51,9 @@ TEST_GEN_FILES += madv_populate
TEST_GEN_FILES += map_fixed_noreplace
TEST_GEN_FILES += map_hugetlb
TEST_GEN_FILES += map_populate
+ifneq (,$(filter $(ARCH),arm64 riscv riscv64 x86 x86_64))
TEST_GEN_FILES += memfd_secret
+endif
TEST_GEN_FILES += migration
TEST_GEN_FILES += mkdirty
TEST_GEN_FILES += mlock-random-test
diff --git a/tools/testing/selftests/mm/run_vmtests.sh b/tools/testing/selftests/mm/run_vmtests.sh
index 7fae86e482613..d7b2c9d07eec5 100755
--- a/tools/testing/selftests/mm/run_vmtests.sh
+++ b/tools/testing/selftests/mm/run_vmtests.sh
@@ -329,8 +329,11 @@ CATEGORY="hmm" run_test bash ./test_hmm.sh smoke
# MADV_POPULATE_READ and MADV_POPULATE_WRITE tests
CATEGORY="madv_populate" run_test ./madv_populate
+if [ -x ./memfd_secret ]
+then
(echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope 2>&1) | tap_prefix
CATEGORY="memfd_secret" run_test ./memfd_secret
+fi
# KSM KSM_MERGE_TIME_HUGE_PAGES test with size of 100
CATEGORY="ksm" run_test ./ksm_tests -H -s 100
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 230/341] change alloc_pages name in dma_map_ops to avoid name conflicts
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 229/341] selftests: memfd_secret: dont build memfd_secret test on unsupported arches Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-30 22:12 ` Nathan Chancellor
2024-08-27 14:37 ` [PATCH 6.6 231/341] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 Greg Kroah-Hartman
` (123 subsequent siblings)
353 siblings, 1 reply; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suren Baghdasaryan, Kees Cook,
Alexander Viro, Alex Gaynor, Alice Ryhl, Andreas Hindborg,
Benno Lossin, Björn Roy Baron, Boqun Feng, Christoph Lameter,
Dennis Zhou, Gary Guo, Kent Overstreet, Miguel Ojeda,
Pasha Tatashin, Peter Zijlstra, Tejun Heo, Vlastimil Babka,
Wedson Almeida Filho, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suren Baghdasaryan <surenb@google.com>
[ Upstream commit 8a2f11878771da65b8ac135c73b47dae13afbd62 ]
After redefining alloc_pages, all uses of that name are being replaced.
Change the conflicting names to prevent preprocessor from replacing them
when it's not intended.
Link: https://lkml.kernel.org/r/20240321163705.3067592-18-surenb@google.com
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Tested-by: Kees Cook <keescook@chromium.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Alice Ryhl <aliceryhl@google.com>
Cc: Andreas Hindborg <a.hindborg@samsung.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: "Björn Roy Baron" <bjorn3_gh@protonmail.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dennis Zhou <dennis@kernel.org>
Cc: Gary Guo <gary@garyguo.net>
Cc: Kent Overstreet <kent.overstreet@linux.dev>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Tejun Heo <tj@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Wedson Almeida Filho <wedsonaf@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 61ebe5a747da ("mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/alpha/kernel/pci_iommu.c | 2 +-
arch/mips/jazz/jazzdma.c | 2 +-
arch/powerpc/kernel/dma-iommu.c | 2 +-
arch/powerpc/platforms/ps3/system-bus.c | 4 ++--
arch/powerpc/platforms/pseries/vio.c | 2 +-
arch/x86/kernel/amd_gart_64.c | 2 +-
drivers/iommu/dma-iommu.c | 2 +-
drivers/parisc/ccio-dma.c | 2 +-
drivers/parisc/sba_iommu.c | 2 +-
drivers/xen/grant-dma-ops.c | 2 +-
drivers/xen/swiotlb-xen.c | 2 +-
include/linux/dma-map-ops.h | 2 +-
kernel/dma/mapping.c | 4 ++--
13 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/arch/alpha/kernel/pci_iommu.c b/arch/alpha/kernel/pci_iommu.c
index c81183935e970..7fcf3e9b71030 100644
--- a/arch/alpha/kernel/pci_iommu.c
+++ b/arch/alpha/kernel/pci_iommu.c
@@ -929,7 +929,7 @@ const struct dma_map_ops alpha_pci_ops = {
.dma_supported = alpha_pci_supported,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages = dma_common_alloc_pages,
+ .alloc_pages_op = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
EXPORT_SYMBOL(alpha_pci_ops);
diff --git a/arch/mips/jazz/jazzdma.c b/arch/mips/jazz/jazzdma.c
index eabddb89d221f..c97b089b99029 100644
--- a/arch/mips/jazz/jazzdma.c
+++ b/arch/mips/jazz/jazzdma.c
@@ -617,7 +617,7 @@ const struct dma_map_ops jazz_dma_ops = {
.sync_sg_for_device = jazz_dma_sync_sg_for_device,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages = dma_common_alloc_pages,
+ .alloc_pages_op = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
EXPORT_SYMBOL(jazz_dma_ops);
diff --git a/arch/powerpc/kernel/dma-iommu.c b/arch/powerpc/kernel/dma-iommu.c
index 8920862ffd791..f0ae39e77e374 100644
--- a/arch/powerpc/kernel/dma-iommu.c
+++ b/arch/powerpc/kernel/dma-iommu.c
@@ -216,6 +216,6 @@ const struct dma_map_ops dma_iommu_ops = {
.get_required_mask = dma_iommu_get_required_mask,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages = dma_common_alloc_pages,
+ .alloc_pages_op = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
diff --git a/arch/powerpc/platforms/ps3/system-bus.c b/arch/powerpc/platforms/ps3/system-bus.c
index d6b5f5ecd5152..56dc6b29a3e76 100644
--- a/arch/powerpc/platforms/ps3/system-bus.c
+++ b/arch/powerpc/platforms/ps3/system-bus.c
@@ -695,7 +695,7 @@ static const struct dma_map_ops ps3_sb_dma_ops = {
.unmap_page = ps3_unmap_page,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages = dma_common_alloc_pages,
+ .alloc_pages_op = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
@@ -709,7 +709,7 @@ static const struct dma_map_ops ps3_ioc0_dma_ops = {
.unmap_page = ps3_unmap_page,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages = dma_common_alloc_pages,
+ .alloc_pages_op = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
diff --git a/arch/powerpc/platforms/pseries/vio.c b/arch/powerpc/platforms/pseries/vio.c
index 2dc9cbc4bcd8f..0c90fc4c37963 100644
--- a/arch/powerpc/platforms/pseries/vio.c
+++ b/arch/powerpc/platforms/pseries/vio.c
@@ -611,7 +611,7 @@ static const struct dma_map_ops vio_dma_mapping_ops = {
.get_required_mask = dma_iommu_get_required_mask,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages = dma_common_alloc_pages,
+ .alloc_pages_op = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
diff --git a/arch/x86/kernel/amd_gart_64.c b/arch/x86/kernel/amd_gart_64.c
index 56a917df410d3..842a0ec5eaa9e 100644
--- a/arch/x86/kernel/amd_gart_64.c
+++ b/arch/x86/kernel/amd_gart_64.c
@@ -676,7 +676,7 @@ static const struct dma_map_ops gart_dma_ops = {
.get_sgtable = dma_common_get_sgtable,
.dma_supported = dma_direct_supported,
.get_required_mask = dma_direct_get_required_mask,
- .alloc_pages = dma_direct_alloc_pages,
+ .alloc_pages_op = dma_direct_alloc_pages,
.free_pages = dma_direct_free_pages,
};
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
index 2da969fc89900..f5eb97726d1bb 100644
--- a/drivers/iommu/dma-iommu.c
+++ b/drivers/iommu/dma-iommu.c
@@ -1614,7 +1614,7 @@ static const struct dma_map_ops iommu_dma_ops = {
.flags = DMA_F_PCI_P2PDMA_SUPPORTED,
.alloc = iommu_dma_alloc,
.free = iommu_dma_free,
- .alloc_pages = dma_common_alloc_pages,
+ .alloc_pages_op = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
.alloc_noncontiguous = iommu_dma_alloc_noncontiguous,
.free_noncontiguous = iommu_dma_free_noncontiguous,
diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c
index 9ce0d20a6c581..feef537257d05 100644
--- a/drivers/parisc/ccio-dma.c
+++ b/drivers/parisc/ccio-dma.c
@@ -1022,7 +1022,7 @@ static const struct dma_map_ops ccio_ops = {
.map_sg = ccio_map_sg,
.unmap_sg = ccio_unmap_sg,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages = dma_common_alloc_pages,
+ .alloc_pages_op = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
diff --git a/drivers/parisc/sba_iommu.c b/drivers/parisc/sba_iommu.c
index 05e7103d1d407..6f5b919280ff0 100644
--- a/drivers/parisc/sba_iommu.c
+++ b/drivers/parisc/sba_iommu.c
@@ -1090,7 +1090,7 @@ static const struct dma_map_ops sba_ops = {
.map_sg = sba_map_sg,
.unmap_sg = sba_unmap_sg,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages = dma_common_alloc_pages,
+ .alloc_pages_op = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
diff --git a/drivers/xen/grant-dma-ops.c b/drivers/xen/grant-dma-ops.c
index 76f6f26265a3b..29257d2639dbf 100644
--- a/drivers/xen/grant-dma-ops.c
+++ b/drivers/xen/grant-dma-ops.c
@@ -282,7 +282,7 @@ static int xen_grant_dma_supported(struct device *dev, u64 mask)
static const struct dma_map_ops xen_grant_dma_ops = {
.alloc = xen_grant_dma_alloc,
.free = xen_grant_dma_free,
- .alloc_pages = xen_grant_dma_alloc_pages,
+ .alloc_pages_op = xen_grant_dma_alloc_pages,
.free_pages = xen_grant_dma_free_pages,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
index 0e6c6c25d154f..1c4ef5111651d 100644
--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -403,7 +403,7 @@ const struct dma_map_ops xen_swiotlb_dma_ops = {
.dma_supported = xen_swiotlb_dma_supported,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages = dma_common_alloc_pages,
+ .alloc_pages_op = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
.max_mapping_size = swiotlb_max_mapping_size,
};
diff --git a/include/linux/dma-map-ops.h b/include/linux/dma-map-ops.h
index f2fc203fb8a1a..3a8a015fdd2ed 100644
--- a/include/linux/dma-map-ops.h
+++ b/include/linux/dma-map-ops.h
@@ -28,7 +28,7 @@ struct dma_map_ops {
unsigned long attrs);
void (*free)(struct device *dev, size_t size, void *vaddr,
dma_addr_t dma_handle, unsigned long attrs);
- struct page *(*alloc_pages)(struct device *dev, size_t size,
+ struct page *(*alloc_pages_op)(struct device *dev, size_t size,
dma_addr_t *dma_handle, enum dma_data_direction dir,
gfp_t gfp);
void (*free_pages)(struct device *dev, size_t size, struct page *vaddr,
diff --git a/kernel/dma/mapping.c b/kernel/dma/mapping.c
index f1d9f01b283d7..2923f3b2dd2c7 100644
--- a/kernel/dma/mapping.c
+++ b/kernel/dma/mapping.c
@@ -570,9 +570,9 @@ static struct page *__dma_alloc_pages(struct device *dev, size_t size,
size = PAGE_ALIGN(size);
if (dma_alloc_direct(dev, ops))
return dma_direct_alloc_pages(dev, size, dma_handle, dir, gfp);
- if (!ops->alloc_pages)
+ if (!ops->alloc_pages_op)
return NULL;
- return ops->alloc_pages(dev, size, dma_handle, dir, gfp);
+ return ops->alloc_pages_op(dev, size, dma_handle, dir, gfp);
}
struct page *dma_alloc_pages(struct device *dev, size_t size,
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 231/341] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 230/341] change alloc_pages name in dma_map_ops to avoid name conflicts Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 232/341] btrfs: replace sb::s_blocksize by fs_info::sectorsize Greg Kroah-Hartman
` (122 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hailong Liu, Tangquan Zheng,
Baoquan He, Uladzislau Rezki (Sony), Barry Song, Michal Hocko,
Matthew Wilcox, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hailong Liu <hailong.liu@oppo.com>
[ Upstream commit 61ebe5a747da649057c37be1c37eb934b4af79ca ]
The __vmap_pages_range_noflush() assumes its argument pages** contains
pages with the same page shift. However, since commit e9c3cda4d86e ("mm,
vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes
__GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation
failed for high order, the pages** may contain two different page shifts
(high order and order-0). This could lead __vmap_pages_range_noflush() to
perform incorrect mappings, potentially resulting in memory corruption.
Users might encounter this as follows (vmap_allow_huge = true, 2M is for
PMD_SIZE):
kvmalloc(2M, __GFP_NOFAIL|GFP_X)
__vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP)
vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0
vmap_pages_range()
vmap_pages_range_noflush()
__vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens
We can remove the fallback code because if a high-order allocation fails,
__vmalloc_node_range_noprof() will retry with order-0. Therefore, it is
unnecessary to fallback to order-0 here. Therefore, fix this by removing
the fallback code.
Link: https://lkml.kernel.org/r/20240808122019.3361-1-hailong.liu@oppo.com
Fixes: e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations")
Signed-off-by: Hailong Liu <hailong.liu@oppo.com>
Reported-by: Tangquan Zheng <zhengtangquan@oppo.com>
Reviewed-by: Baoquan He <bhe@redhat.com>
Reviewed-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Acked-by: Barry Song <baohua@kernel.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/vmalloc.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 078f6b53f8d50..732ff66d1b513 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -3079,15 +3079,8 @@ vm_area_alloc_pages(gfp_t gfp, int nid,
page = alloc_pages(alloc_gfp, order);
else
page = alloc_pages_node(nid, alloc_gfp, order);
- if (unlikely(!page)) {
- if (!nofail)
- break;
-
- /* fall back to the zero order allocations */
- alloc_gfp |= __GFP_NOFAIL;
- order = 0;
- continue;
- }
+ if (unlikely(!page))
+ break;
/*
* Higher order allocations must be able to be treated as
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 232/341] btrfs: replace sb::s_blocksize by fs_info::sectorsize
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 231/341] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 233/341] btrfs: send: allow cloning non-aligned extent if it ends at i_size Greg Kroah-Hartman
` (121 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, Anand Jain,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit 4e00422ee62663e31e611d7de4d2c4aa3f8555f2 ]
The block size stored in the super block is used by subsystems outside
of btrfs and it's a copy of fs_info::sectorsize. Unify that to always
use our sectorsize, with the exception of mount where we first need to
use fixed values (4K) until we read the super block and can set the
sectorsize.
Replace all uses, in most cases it's fewer pointer indirections.
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 46a6e10a1ab1 ("btrfs: send: allow cloning non-aligned extent if it ends at i_size")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/disk-io.c | 2 ++
fs/btrfs/extent_io.c | 4 ++--
fs/btrfs/inode.c | 2 +-
fs/btrfs/ioctl.c | 2 +-
fs/btrfs/reflink.c | 6 +++---
fs/btrfs/send.c | 2 +-
fs/btrfs/super.c | 2 +-
7 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 1cc7e36c64c49..caedd4460d994 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -2800,6 +2800,7 @@ static int init_mount_fs_info(struct btrfs_fs_info *fs_info, struct super_block
int ret;
fs_info->sb = sb;
+ /* Temporary fixed values for block size until we read the superblock. */
sb->s_blocksize = BTRFS_BDEV_BLOCKSIZE;
sb->s_blocksize_bits = blksize_bits(BTRFS_BDEV_BLOCKSIZE);
@@ -3339,6 +3340,7 @@ int __cold open_ctree(struct super_block *sb, struct btrfs_fs_devices *fs_device
sb->s_bdi->ra_pages *= btrfs_super_num_devices(disk_super);
sb->s_bdi->ra_pages = max(sb->s_bdi->ra_pages, SZ_4M / PAGE_SIZE);
+ /* Update the values for the current filesystem. */
sb->s_blocksize = sectorsize;
sb->s_blocksize_bits = blksize_bits(sectorsize);
memcpy(&sb->s_uuid, fs_info->fs_devices->fsid, BTRFS_FSID_SIZE);
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index c6a95dfa59c81..b2ae50dcca0fe 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -974,7 +974,7 @@ static int btrfs_do_readpage(struct page *page, struct extent_map **em_cached,
int ret = 0;
size_t pg_offset = 0;
size_t iosize;
- size_t blocksize = inode->i_sb->s_blocksize;
+ size_t blocksize = fs_info->sectorsize;
struct extent_io_tree *tree = &BTRFS_I(inode)->io_tree;
ret = set_page_extent_mapped(page);
@@ -2254,7 +2254,7 @@ int extent_invalidate_folio(struct extent_io_tree *tree,
struct extent_state *cached_state = NULL;
u64 start = folio_pos(folio);
u64 end = start + folio_size(folio) - 1;
- size_t blocksize = folio->mapping->host->i_sb->s_blocksize;
+ size_t blocksize = btrfs_sb(folio->mapping->host->i_sb)->sectorsize;
/* This function is only called for the btree inode */
ASSERT(tree->owner == IO_TREE_BTREE_INODE_IO);
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 7071a58e5b9d4..18ce5353092d7 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -8695,7 +8695,7 @@ static int btrfs_getattr(struct mnt_idmap *idmap,
u64 delalloc_bytes;
u64 inode_bytes;
struct inode *inode = d_inode(path->dentry);
- u32 blocksize = inode->i_sb->s_blocksize;
+ u32 blocksize = btrfs_sb(inode->i_sb)->sectorsize;
u32 bi_flags = BTRFS_I(inode)->flags;
u32 bi_ro_flags = BTRFS_I(inode)->ro_flags;
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 3f43a08613d8a..d5297523d4977 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -528,7 +528,7 @@ static noinline int btrfs_ioctl_fitrim(struct btrfs_fs_info *fs_info,
* block group is in the logical address space, which can be any
* sectorsize aligned bytenr in the range [0, U64_MAX].
*/
- if (range.len < fs_info->sb->s_blocksize)
+ if (range.len < fs_info->sectorsize)
return -EINVAL;
range.minlen = max(range.minlen, minlen);
diff --git a/fs/btrfs/reflink.c b/fs/btrfs/reflink.c
index 65d2bd6910f2c..9f60aa79a8c50 100644
--- a/fs/btrfs/reflink.c
+++ b/fs/btrfs/reflink.c
@@ -664,7 +664,7 @@ static int btrfs_extent_same_range(struct inode *src, u64 loff, u64 len,
struct inode *dst, u64 dst_loff)
{
struct btrfs_fs_info *fs_info = BTRFS_I(src)->root->fs_info;
- const u64 bs = fs_info->sb->s_blocksize;
+ const u64 bs = fs_info->sectorsize;
int ret;
/*
@@ -731,7 +731,7 @@ static noinline int btrfs_clone_files(struct file *file, struct file *file_src,
int ret;
int wb_ret;
u64 len = olen;
- u64 bs = fs_info->sb->s_blocksize;
+ u64 bs = fs_info->sectorsize;
/*
* VFS's generic_remap_file_range_prep() protects us from cloning the
@@ -797,7 +797,7 @@ static int btrfs_remap_file_range_prep(struct file *file_in, loff_t pos_in,
{
struct inode *inode_in = file_inode(file_in);
struct inode *inode_out = file_inode(file_out);
- u64 bs = BTRFS_I(inode_out)->root->fs_info->sb->s_blocksize;
+ u64 bs = BTRFS_I(inode_out)->root->fs_info->sectorsize;
u64 wb_len;
int ret;
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 163f36eb7491a..633d306933f3f 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -6159,7 +6159,7 @@ static int send_write_or_clone(struct send_ctx *sctx,
int ret = 0;
u64 offset = key->offset;
u64 end;
- u64 bs = sctx->send_root->fs_info->sb->s_blocksize;
+ u64 bs = sctx->send_root->fs_info->sectorsize;
end = min_t(u64, btrfs_file_extent_end(path), sctx->cur_inode_size);
if (offset >= end)
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index de0bfebce1269..e33587a814098 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -2124,7 +2124,7 @@ static int btrfs_statfs(struct dentry *dentry, struct kstatfs *buf)
buf->f_bavail = 0;
buf->f_type = BTRFS_SUPER_MAGIC;
- buf->f_bsize = dentry->d_sb->s_blocksize;
+ buf->f_bsize = fs_info->sectorsize;
buf->f_namelen = BTRFS_NAME_LEN;
/* We treat it as constant endianness (it doesn't matter _which_)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 233/341] btrfs: send: allow cloning non-aligned extent if it ends at i_size
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 232/341] btrfs: replace sb::s_blocksize by fs_info::sectorsize Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 234/341] drm/amd/display: Adjust cursor position Greg Kroah-Hartman
` (120 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Filipe Manana,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 46a6e10a1ab16cc71d4a3cab73e79aabadd6b8ea ]
If we a find that an extent is shared but its end offset is not sector
size aligned, then we don't clone it and issue write operations instead.
This is because the reflink (remap_file_range) operation does not allow
to clone unaligned ranges, except if the end offset of the range matches
the i_size of the source and destination files (and the start offset is
sector size aligned).
While this is not incorrect because send can only guarantee that a file
has the same data in the source and destination snapshots, it's not
optimal and generates confusion and surprising behaviour for users.
For example, running this test:
$ cat test.sh
#!/bin/bash
DEV=/dev/sdi
MNT=/mnt/sdi
mkfs.btrfs -f $DEV
mount $DEV $MNT
# Use a file size not aligned to any possible sector size.
file_size=$((1 * 1024 * 1024 + 5)) # 1MB + 5 bytes
dd if=/dev/random of=$MNT/foo bs=$file_size count=1
cp --reflink=always $MNT/foo $MNT/bar
btrfs subvolume snapshot -r $MNT/ $MNT/snap
rm -f /tmp/send-test
btrfs send -f /tmp/send-test $MNT/snap
umount $MNT
mkfs.btrfs -f $DEV
mount $DEV $MNT
btrfs receive -vv -f /tmp/send-test $MNT
xfs_io -r -c "fiemap -v" $MNT/snap/bar
umount $MNT
Gives the following result:
(...)
mkfile o258-7-0
rename o258-7-0 -> bar
write bar - offset=0 length=49152
write bar - offset=49152 length=49152
write bar - offset=98304 length=49152
write bar - offset=147456 length=49152
write bar - offset=196608 length=49152
write bar - offset=245760 length=49152
write bar - offset=294912 length=49152
write bar - offset=344064 length=49152
write bar - offset=393216 length=49152
write bar - offset=442368 length=49152
write bar - offset=491520 length=49152
write bar - offset=540672 length=49152
write bar - offset=589824 length=49152
write bar - offset=638976 length=49152
write bar - offset=688128 length=49152
write bar - offset=737280 length=49152
write bar - offset=786432 length=49152
write bar - offset=835584 length=49152
write bar - offset=884736 length=49152
write bar - offset=933888 length=49152
write bar - offset=983040 length=49152
write bar - offset=1032192 length=16389
chown bar - uid=0, gid=0
chmod bar - mode=0644
utimes bar
utimes
BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=06d640da-9ca1-604c-b87c-3375175a8eb3, stransid=7
/mnt/sdi/snap/bar:
EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS
0: [0..2055]: 26624..28679 2056 0x1
There's no clone operation to clone extents from the file foo into file
bar and fiemap confirms there's no shared flag (0x2000).
So update send_write_or_clone() so that it proceeds with cloning if the
source and destination ranges end at the i_size of the respective files.
After this changes the result of the test is:
(...)
mkfile o258-7-0
rename o258-7-0 -> bar
clone bar - source=foo source offset=0 offset=0 length=1048581
chown bar - uid=0, gid=0
chmod bar - mode=0644
utimes bar
utimes
BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=582420f3-ea7d-564e-bbe5-ce440d622190, stransid=7
/mnt/sdi/snap/bar:
EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS
0: [0..2055]: 26624..28679 2056 0x2001
A test case for fstests will also follow up soon.
Link: https://github.com/kdave/btrfs-progs/issues/572#issuecomment-2282841416
CC: stable@vger.kernel.org # 5.10+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/send.c | 52 ++++++++++++++++++++++++++++++++++++-------------
1 file changed, 39 insertions(+), 13 deletions(-)
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 633d306933f3f..e912d8e411cc4 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -6160,25 +6160,51 @@ static int send_write_or_clone(struct send_ctx *sctx,
u64 offset = key->offset;
u64 end;
u64 bs = sctx->send_root->fs_info->sectorsize;
+ struct btrfs_file_extent_item *ei;
+ u64 disk_byte;
+ u64 data_offset;
+ u64 num_bytes;
+ struct btrfs_inode_info info = { 0 };
end = min_t(u64, btrfs_file_extent_end(path), sctx->cur_inode_size);
if (offset >= end)
return 0;
- if (clone_root && IS_ALIGNED(end, bs)) {
- struct btrfs_file_extent_item *ei;
- u64 disk_byte;
- u64 data_offset;
+ num_bytes = end - offset;
- ei = btrfs_item_ptr(path->nodes[0], path->slots[0],
- struct btrfs_file_extent_item);
- disk_byte = btrfs_file_extent_disk_bytenr(path->nodes[0], ei);
- data_offset = btrfs_file_extent_offset(path->nodes[0], ei);
- ret = clone_range(sctx, path, clone_root, disk_byte,
- data_offset, offset, end - offset);
- } else {
- ret = send_extent_data(sctx, path, offset, end - offset);
- }
+ if (!clone_root)
+ goto write_data;
+
+ if (IS_ALIGNED(end, bs))
+ goto clone_data;
+
+ /*
+ * If the extent end is not aligned, we can clone if the extent ends at
+ * the i_size of the inode and the clone range ends at the i_size of the
+ * source inode, otherwise the clone operation fails with -EINVAL.
+ */
+ if (end != sctx->cur_inode_size)
+ goto write_data;
+
+ ret = get_inode_info(clone_root->root, clone_root->ino, &info);
+ if (ret < 0)
+ return ret;
+
+ if (clone_root->offset + num_bytes == info.size)
+ goto clone_data;
+
+write_data:
+ ret = send_extent_data(sctx, path, offset, num_bytes);
+ sctx->cur_inode_next_write_offset = end;
+ return ret;
+
+clone_data:
+ ei = btrfs_item_ptr(path->nodes[0], path->slots[0],
+ struct btrfs_file_extent_item);
+ disk_byte = btrfs_file_extent_disk_bytenr(path->nodes[0], ei);
+ data_offset = btrfs_file_extent_offset(path->nodes[0], ei);
+ ret = clone_range(sctx, path, clone_root, disk_byte, data_offset, offset,
+ num_bytes);
sctx->cur_inode_next_write_offset = end;
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 234/341] drm/amd/display: Adjust cursor position
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 233/341] btrfs: send: allow cloning non-aligned extent if it ends at i_size Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 235/341] drm/amd/display: Enable otg synchronization logic for DCN321 Greg Kroah-Hartman
` (119 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Wayne Lin, Rodrigo Siqueira, Tom Chung, Daniel Wheeler,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
[ Upstream commit 56fb276d0244d430496f249335a44ae114dd5f54 ]
[why & how]
When the commit 9d84c7ef8a87 ("drm/amd/display: Correct cursor position
on horizontal mirror") was introduced, it used the wrong calculation for
the position copy for X. This commit uses the correct calculation for that
based on the original patch.
Fixes: 9d84c7ef8a87 ("drm/amd/display: Correct cursor position on horizontal mirror")
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Acked-by: Wayne Lin <wayne.lin@amd.com>
Signed-off-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8f9b23abbae5ffcd64856facd26a86b67195bc2f)
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
index e3f4d497d32d5..c9f13c3768431 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
@@ -3614,7 +3614,7 @@ void dcn10_set_cursor_position(struct pipe_ctx *pipe_ctx)
(int)hubp->curs_attr.width || pos_cpy.x
<= (int)hubp->curs_attr.width +
pipe_ctx->plane_state->src_rect.x) {
- pos_cpy.x = 2 * viewport_width - temp_x;
+ pos_cpy.x = temp_x + viewport_width;
}
}
} else {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 235/341] drm/amd/display: Enable otg synchronization logic for DCN321
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 234/341] drm/amd/display: Adjust cursor position Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 236/341] drm/amd/display: fix cursor offset on rotation 180 Greg Kroah-Hartman
` (118 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Alvin Lee, Loan Chen, Tom Chung, Daniel Wheeler, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Loan Chen <lo-an.chen@amd.com>
[ Upstream commit 0dbb81d44108a2a1004e5b485ef3fca5bc078424 ]
[Why]
Tiled display cannot synchronize properly after S3.
The fix for commit 5f0c74915815 ("drm/amd/display: Fix for otg
synchronization logic") is not enable in DCN321, which causes
the otg is excluded from synchronization.
[How]
Enable otg synchronization logic in dcn321.
Fixes: 5f0c74915815 ("drm/amd/display: Fix for otg synchronization logic")
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Alvin Lee <alvin.lee2@amd.com>
Signed-off-by: Loan Chen <lo-an.chen@amd.com>
Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d6ed53712f583423db61fbb802606759e023bf7b)
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c b/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c
index 8d73cceb485bf..aa4c64eec7b3d 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c
@@ -1756,6 +1756,9 @@ static bool dcn321_resource_construct(
dc->caps.color.mpc.ogam_rom_caps.hlg = 0;
dc->caps.color.mpc.ocsc = 1;
+ /* Use pipe context based otg sync logic */
+ dc->config.use_pipe_ctx_sync_logic = true;
+
dc->config.dc_mode_clk_limit_support = true;
/* read VBIOS LTTPR caps */
{
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 236/341] drm/amd/display: fix cursor offset on rotation 180
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 235/341] drm/amd/display: Enable otg synchronization logic for DCN321 Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 237/341] drm/amd/amdgpu: command submission parser for JPEG Greg Kroah-Hartman
` (117 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xaver Hugl, Harry Wentland,
Melissa Wen, Hamza Mahfooz, Tom Chung, Daniel Wheeler,
Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Melissa Wen <mwen@igalia.com>
[ Upstream commit 737222cebecbdbcdde2b69475c52bcb9ecfeb830 ]
[why & how]
Cursor gets clipped off in the middle of the screen with hw
rotation 180. Fix a miscalculation of cursor offset when it's
placed near the edges in the pipe split case.
Cursor bugs with hw rotation were reported on AMD issue
tracker:
https://gitlab.freedesktop.org/drm/amd/-/issues/2247
The issues on rotation 270 was fixed by:
https://lore.kernel.org/amd-gfx/20221118125935.4013669-22-Brian.Chang@amd.com/
that partially addressed the rotation 180 too. So, this patch is the
final bits for rotation 180.
Reported-by: Xaver Hugl <xaver.hugl@gmail.com>
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2247
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Fixes: 9d84c7ef8a87 ("drm/amd/display: Correct cursor position on horizontal mirror")
Signed-off-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1fd2cf090096af8a25bf85564341cfc21cec659d)
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
index c9f13c3768431..ff38a85c4fa22 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
@@ -3521,7 +3521,7 @@ void dcn10_set_cursor_position(struct pipe_ctx *pipe_ctx)
(int)hubp->curs_attr.width || pos_cpy.x
<= (int)hubp->curs_attr.width +
pipe_ctx->plane_state->src_rect.x) {
- pos_cpy.x = temp_x + viewport_width;
+ pos_cpy.x = 2 * viewport_width - temp_x;
}
}
} else {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 237/341] drm/amd/amdgpu: command submission parser for JPEG
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 236/341] drm/amd/display: fix cursor offset on rotation 180 Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 238/341] platform/surface: aggregator: Fix warning when controller is destroyed in probe Greg Kroah-Hartman
` (116 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, David (Ming Qiang) Wu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David (Ming Qiang) Wu <David.Wu3@amd.com>
[ Upstream commit 470516c2925493594a690bc4d05b1f4471d9f996 ]
Add JPEG IB command parser to ensure registers
in the command are within the JPEG IP block.
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit a7f670d5d8e77b092404ca8a35bb0f8f89ed3117)
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 3 ++
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 61 +++++++++++++++++++++++-
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h | 6 +++
drivers/gpu/drm/amd/amdgpu/soc15d.h | 6 +++
4 files changed, 75 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
index 4294f5e7bff9a..61668a784315f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -1057,6 +1057,9 @@ static int amdgpu_cs_patch_ibs(struct amdgpu_cs_parser *p,
r = amdgpu_ring_parse_cs(ring, p, job, ib);
if (r)
return r;
+
+ if (ib->sa_bo)
+ ib->gpu_addr = amdgpu_sa_bo_gpu_addr(ib->sa_bo);
} else {
ib->ptr = (uint32_t *)kptr;
r = amdgpu_ring_patch_cs_in_place(ring, p, job, ib);
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
index e8dad396fa102..78aaaee492e11 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
@@ -23,6 +23,7 @@
#include "amdgpu.h"
#include "amdgpu_jpeg.h"
+#include "amdgpu_cs.h"
#include "soc15.h"
#include "soc15d.h"
#include "jpeg_v4_0_3.h"
@@ -769,7 +770,11 @@ static void jpeg_v4_0_3_dec_ring_emit_ib(struct amdgpu_ring *ring,
amdgpu_ring_write(ring, PACKETJ(regUVD_LMI_JRBC_IB_VMID_INTERNAL_OFFSET,
0, 0, PACKETJ_TYPE0));
- amdgpu_ring_write(ring, (vmid | (vmid << 4) | (vmid << 8)));
+
+ if (ring->funcs->parse_cs)
+ amdgpu_ring_write(ring, 0);
+ else
+ amdgpu_ring_write(ring, (vmid | (vmid << 4) | (vmid << 8)));
amdgpu_ring_write(ring, PACKETJ(regUVD_LMI_JPEG_VMID_INTERNAL_OFFSET,
0, 0, PACKETJ_TYPE0));
@@ -1052,6 +1057,7 @@ static const struct amdgpu_ring_funcs jpeg_v4_0_3_dec_ring_vm_funcs = {
.get_rptr = jpeg_v4_0_3_dec_ring_get_rptr,
.get_wptr = jpeg_v4_0_3_dec_ring_get_wptr,
.set_wptr = jpeg_v4_0_3_dec_ring_set_wptr,
+ .parse_cs = jpeg_v4_0_3_dec_ring_parse_cs,
.emit_frame_size =
SOC15_FLUSH_GPU_TLB_NUM_WREG * 6 +
SOC15_FLUSH_GPU_TLB_NUM_REG_WAIT * 8 +
@@ -1216,3 +1222,56 @@ static void jpeg_v4_0_3_set_ras_funcs(struct amdgpu_device *adev)
{
adev->jpeg.ras = &jpeg_v4_0_3_ras;
}
+
+/**
+ * jpeg_v4_0_3_dec_ring_parse_cs - command submission parser
+ *
+ * @parser: Command submission parser context
+ * @job: the job to parse
+ * @ib: the IB to parse
+ *
+ * Parse the command stream, return -EINVAL for invalid packet,
+ * 0 otherwise
+ */
+int jpeg_v4_0_3_dec_ring_parse_cs(struct amdgpu_cs_parser *parser,
+ struct amdgpu_job *job,
+ struct amdgpu_ib *ib)
+{
+ uint32_t i, reg, res, cond, type;
+ struct amdgpu_device *adev = parser->adev;
+
+ for (i = 0; i < ib->length_dw ; i += 2) {
+ reg = CP_PACKETJ_GET_REG(ib->ptr[i]);
+ res = CP_PACKETJ_GET_RES(ib->ptr[i]);
+ cond = CP_PACKETJ_GET_COND(ib->ptr[i]);
+ type = CP_PACKETJ_GET_TYPE(ib->ptr[i]);
+
+ if (res) /* only support 0 at the moment */
+ return -EINVAL;
+
+ switch (type) {
+ case PACKETJ_TYPE0:
+ if (cond != PACKETJ_CONDITION_CHECK0 || reg < JPEG_REG_RANGE_START || reg > JPEG_REG_RANGE_END) {
+ dev_err(adev->dev, "Invalid packet [0x%08x]!\n", ib->ptr[i]);
+ return -EINVAL;
+ }
+ break;
+ case PACKETJ_TYPE3:
+ if (cond != PACKETJ_CONDITION_CHECK3 || reg < JPEG_REG_RANGE_START || reg > JPEG_REG_RANGE_END) {
+ dev_err(adev->dev, "Invalid packet [0x%08x]!\n", ib->ptr[i]);
+ return -EINVAL;
+ }
+ break;
+ case PACKETJ_TYPE6:
+ if (ib->ptr[i] == CP_PACKETJ_NOP)
+ continue;
+ dev_err(adev->dev, "Invalid packet [0x%08x]!\n", ib->ptr[i]);
+ return -EINVAL;
+ default:
+ dev_err(adev->dev, "Unknown packet type %d !\n", type);
+ return -EINVAL;
+ }
+ }
+
+ return 0;
+}
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h
index 22483dc663518..9598eda9d7156 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h
@@ -46,6 +46,12 @@
#define JRBC_DEC_EXTERNAL_REG_WRITE_ADDR 0x18000
+#define JPEG_REG_RANGE_START 0x4000
+#define JPEG_REG_RANGE_END 0x41c2
+
extern const struct amdgpu_ip_block_version jpeg_v4_0_3_ip_block;
+int jpeg_v4_0_3_dec_ring_parse_cs(struct amdgpu_cs_parser *parser,
+ struct amdgpu_job *job,
+ struct amdgpu_ib *ib);
#endif /* __JPEG_V4_0_3_H__ */
diff --git a/drivers/gpu/drm/amd/amdgpu/soc15d.h b/drivers/gpu/drm/amd/amdgpu/soc15d.h
index 2357ff39323f0..e74e1983da53a 100644
--- a/drivers/gpu/drm/amd/amdgpu/soc15d.h
+++ b/drivers/gpu/drm/amd/amdgpu/soc15d.h
@@ -76,6 +76,12 @@
((cond & 0xF) << 24) | \
((type & 0xF) << 28))
+#define CP_PACKETJ_NOP 0x60000000
+#define CP_PACKETJ_GET_REG(x) ((x) & 0x3FFFF)
+#define CP_PACKETJ_GET_RES(x) (((x) >> 18) & 0x3F)
+#define CP_PACKETJ_GET_COND(x) (((x) >> 24) & 0xF)
+#define CP_PACKETJ_GET_TYPE(x) (((x) >> 28) & 0xF)
+
/* Packet 3 types */
#define PACKET3_NOP 0x10
#define PACKET3_SET_BASE 0x11
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 238/341] platform/surface: aggregator: Fix warning when controller is destroyed in probe
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 237/341] drm/amd/amdgpu: command submission parser for JPEG Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 239/341] ALSA: hda/tas2781: Use correct endian conversion Greg Kroah-Hartman
` (115 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maximilian Luz, Ilpo Järvinen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maximilian Luz <luzmaximilian@gmail.com>
[ Upstream commit bc923d594db21bee0ead128eb4bb78f7e77467a4 ]
There is a small window in ssam_serial_hub_probe() where the controller
is initialized but has not been started yet. Specifically, between
ssam_controller_init() and ssam_controller_start(). Any failure in this
window, for example caused by a failure of serdev_device_open(),
currently results in an incorrect warning being emitted.
In particular, any failure in this window results in the controller
being destroyed via ssam_controller_destroy(). This function checks the
state of the controller and, in an attempt to validate that the
controller has been cleanly shut down before we try and deallocate any
resources, emits a warning if that state is not SSAM_CONTROLLER_STOPPED.
However, since we have only just initialized the controller and have not
yet started it, its state is SSAM_CONTROLLER_INITIALIZED. Note that this
is the only point at which the controller has this state, as it will
change after we start the controller with ssam_controller_start() and
never revert back. Further, at this point no communication has taken
place and the sender and receiver threads have not been started yet (and
we may not even have an open serdev device either).
Therefore, it is perfectly safe to call ssam_controller_destroy() with a
state of SSAM_CONTROLLER_INITIALIZED. This, however, means that the
warning currently being emitted is incorrect. Fix it by extending the
check.
Fixes: c167b9c7e3d6 ("platform/surface: Add Surface Aggregator subsystem")
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Link: https://lore.kernel.org/r/20240811124645.246016-1-luzmaximilian@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/surface/aggregator/controller.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/surface/aggregator/controller.c b/drivers/platform/surface/aggregator/controller.c
index 7fc602e01487d..7e89f547999b2 100644
--- a/drivers/platform/surface/aggregator/controller.c
+++ b/drivers/platform/surface/aggregator/controller.c
@@ -1354,7 +1354,8 @@ void ssam_controller_destroy(struct ssam_controller *ctrl)
if (ctrl->state == SSAM_CONTROLLER_UNINITIALIZED)
return;
- WARN_ON(ctrl->state != SSAM_CONTROLLER_STOPPED);
+ WARN_ON(ctrl->state != SSAM_CONTROLLER_STOPPED &&
+ ctrl->state != SSAM_CONTROLLER_INITIALIZED);
/*
* Note: New events could still have been received after the previous
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 239/341] ALSA: hda/tas2781: Use correct endian conversion
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 238/341] platform/surface: aggregator: Fix warning when controller is destroyed in probe Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 240/341] drm/amdkfd: reserve the BO before validating it Greg Kroah-Hartman
` (114 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 829e2a23121fb36ee30ea5145c2a85199f68e2c8 ]
The data conversion is done rather by a wrong function. We convert to
BE32, not from BE32. Although the end result must be same, this was
complained by the compiler.
Fix the code again and align with another similar function
tas2563_apply_calib() that does already right.
Fixes: 3beddef84d90 ("ALSA: hda/tas2781: fix wrong calibrated data order")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202408141630.DiDUB8Z4-lkp@intel.com/
Link: https://patch.msgid.link/20240814100500.1944-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/tas2781_hda_i2c.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/pci/hda/tas2781_hda_i2c.c b/sound/pci/hda/tas2781_hda_i2c.c
index 74d603524fbdb..e5bb1fed26a0c 100644
--- a/sound/pci/hda/tas2781_hda_i2c.c
+++ b/sound/pci/hda/tas2781_hda_i2c.c
@@ -433,8 +433,8 @@ static void tas2781_apply_calib(struct tasdevice_priv *tas_priv)
for (i = 0; i < tas_priv->ndev; i++) {
for (j = 0; j < CALIB_MAX; j++) {
- data = get_unaligned_be32(
- &tas_priv->cali_data.data[offset]);
+ data = cpu_to_be32(
+ *(uint32_t *)&tas_priv->cali_data.data[offset]);
rc = tasdevice_dev_bulk_write(tas_priv, i,
TASDEVICE_REG(0, page_array[j], rgno_array[j]),
(unsigned char *)&data, 4);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 240/341] drm/amdkfd: reserve the BO before validating it
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 239/341] ALSA: hda/tas2781: Use correct endian conversion Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 241/341] Bluetooth: hci_core: Fix LE quote calculation Greg Kroah-Hartman
` (113 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lang Yu, Felix Kuehling,
Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lang Yu <Lang.Yu@amd.com>
[ Upstream commit 0c93bd49576677ae1a18817d5ec000ef031d5187 ]
Fix a warning.
v2: Avoid unmapping attachment repeatedly when ERESTARTSYS.
v3: Lock the BO before accessing ttm->sg to avoid race conditions.(Felix)
[ 41.708711] WARNING: CPU: 0 PID: 1463 at drivers/gpu/drm/ttm/ttm_bo.c:846 ttm_bo_validate+0x146/0x1b0 [ttm]
[ 41.708989] Call Trace:
[ 41.708992] <TASK>
[ 41.708996] ? show_regs+0x6c/0x80
[ 41.709000] ? ttm_bo_validate+0x146/0x1b0 [ttm]
[ 41.709008] ? __warn+0x93/0x190
[ 41.709014] ? ttm_bo_validate+0x146/0x1b0 [ttm]
[ 41.709024] ? report_bug+0x1f9/0x210
[ 41.709035] ? handle_bug+0x46/0x80
[ 41.709041] ? exc_invalid_op+0x1d/0x80
[ 41.709048] ? asm_exc_invalid_op+0x1f/0x30
[ 41.709057] ? amdgpu_amdkfd_gpuvm_dmaunmap_mem+0x2c/0x80 [amdgpu]
[ 41.709185] ? ttm_bo_validate+0x146/0x1b0 [ttm]
[ 41.709197] ? amdgpu_amdkfd_gpuvm_dmaunmap_mem+0x2c/0x80 [amdgpu]
[ 41.709337] ? srso_alias_return_thunk+0x5/0x7f
[ 41.709346] kfd_mem_dmaunmap_attachment+0x9e/0x1e0 [amdgpu]
[ 41.709467] amdgpu_amdkfd_gpuvm_dmaunmap_mem+0x56/0x80 [amdgpu]
[ 41.709586] kfd_ioctl_unmap_memory_from_gpu+0x1b7/0x300 [amdgpu]
[ 41.709710] kfd_ioctl+0x1ec/0x650 [amdgpu]
[ 41.709822] ? __pfx_kfd_ioctl_unmap_memory_from_gpu+0x10/0x10 [amdgpu]
[ 41.709945] ? srso_alias_return_thunk+0x5/0x7f
[ 41.709949] ? tomoyo_file_ioctl+0x20/0x30
[ 41.709959] __x64_sys_ioctl+0x9c/0xd0
[ 41.709967] do_syscall_64+0x3f/0x90
[ 41.709973] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Fixes: 101b8104307e ("drm/amdkfd: Move dma unmapping after TLB flush")
Signed-off-by: Lang Yu <Lang.Yu@amd.com>
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 +-
.../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 20 ++++++++++++++++---
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 4 +++-
3 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
index 5e4fb33b97351..db5b1c6beba75 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
@@ -303,7 +303,7 @@ int amdgpu_amdkfd_gpuvm_map_memory_to_gpu(struct amdgpu_device *adev,
struct kgd_mem *mem, void *drm_priv);
int amdgpu_amdkfd_gpuvm_unmap_memory_from_gpu(
struct amdgpu_device *adev, struct kgd_mem *mem, void *drm_priv);
-void amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv);
+int amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv);
int amdgpu_amdkfd_gpuvm_sync_memory(
struct amdgpu_device *adev, struct kgd_mem *mem, bool intr);
int amdgpu_amdkfd_gpuvm_map_gtt_bo_to_kernel(struct kgd_mem *mem,
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
index c2d1d57a6c668..9d72bb0a0eaec 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -2038,21 +2038,35 @@ int amdgpu_amdkfd_gpuvm_map_memory_to_gpu(
return ret;
}
-void amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv)
+int amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv)
{
struct kfd_mem_attachment *entry;
struct amdgpu_vm *vm;
+ int ret;
vm = drm_priv_to_vm(drm_priv);
mutex_lock(&mem->lock);
+ ret = amdgpu_bo_reserve(mem->bo, true);
+ if (ret)
+ goto out;
+
list_for_each_entry(entry, &mem->attachments, list) {
- if (entry->bo_va->base.vm == vm)
- kfd_mem_dmaunmap_attachment(mem, entry);
+ if (entry->bo_va->base.vm != vm)
+ continue;
+ if (entry->bo_va->base.bo->tbo.ttm &&
+ !entry->bo_va->base.bo->tbo.ttm->sg)
+ continue;
+
+ kfd_mem_dmaunmap_attachment(mem, entry);
}
+ amdgpu_bo_unreserve(mem->bo);
+out:
mutex_unlock(&mem->lock);
+
+ return ret;
}
int amdgpu_amdkfd_gpuvm_unmap_memory_from_gpu(
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index 045280c2b607c..9d10530283705 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -1442,7 +1442,9 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep,
kfd_flush_tlb(peer_pdd, TLB_FLUSH_HEAVYWEIGHT);
/* Remove dma mapping after tlb flush to avoid IO_PAGE_FAULT */
- amdgpu_amdkfd_gpuvm_dmaunmap_mem(mem, peer_pdd->drm_priv);
+ err = amdgpu_amdkfd_gpuvm_dmaunmap_mem(mem, peer_pdd->drm_priv);
+ if (err)
+ goto sync_memory_failed;
}
mutex_unlock(&p->mutex);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 241/341] Bluetooth: hci_core: Fix LE quote calculation
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 240/341] drm/amdkfd: reserve the BO before validating it Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 242/341] Bluetooth: SMP: Fix assumption of Central always being Initiator Greg Kroah-Hartman
` (112 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 932021a11805b9da4bd6abf66fe233cccd59fe0e ]
Function hci_sched_le needs to update the respective counter variable
inplace other the likes of hci_quote_sent would attempt to use the
possible outdated value of conn->{le_cnt,acl_cnt}.
Link: https://github.com/bluez/bluez/issues/915
Fixes: 73d80deb7bdf ("Bluetooth: prioritizing data over HCI")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_core.c | 19 +++++++------------
1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index c137f85a7fed7..e660b3d661dae 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3637,19 +3637,19 @@ static void hci_sched_le(struct hci_dev *hdev)
{
struct hci_chan *chan;
struct sk_buff *skb;
- int quote, cnt, tmp;
+ int quote, *cnt, tmp;
BT_DBG("%s", hdev->name);
if (!hci_conn_num(hdev, LE_LINK))
return;
- cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
+ cnt = hdev->le_pkts ? &hdev->le_cnt : &hdev->acl_cnt;
- __check_timeout(hdev, cnt, LE_LINK);
+ __check_timeout(hdev, *cnt, LE_LINK);
- tmp = cnt;
- while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) {
+ tmp = *cnt;
+ while (*cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) {
u32 priority = (skb_peek(&chan->data_q))->priority;
while (quote-- && (skb = skb_peek(&chan->data_q))) {
BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
@@ -3664,7 +3664,7 @@ static void hci_sched_le(struct hci_dev *hdev)
hci_send_frame(hdev, skb);
hdev->le_last_tx = jiffies;
- cnt--;
+ (*cnt)--;
chan->sent++;
chan->conn->sent++;
@@ -3674,12 +3674,7 @@ static void hci_sched_le(struct hci_dev *hdev)
}
}
- if (hdev->le_pkts)
- hdev->le_cnt = cnt;
- else
- hdev->acl_cnt = cnt;
-
- if (cnt != tmp)
+ if (*cnt != tmp)
hci_prio_recalculate(hdev, LE_LINK);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 242/341] Bluetooth: SMP: Fix assumption of Central always being Initiator
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 241/341] Bluetooth: hci_core: Fix LE quote calculation Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 243/341] net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection Greg Kroah-Hartman
` (111 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 28cd47f75185c4818b0fb1b46f2f02faaba96376 ]
SMP initiator role shall be considered the one that initiates the
pairing procedure with SMP_CMD_PAIRING_REQ:
BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part H
page 1557:
Figure 2.1: LE pairing phases
Note that by sending SMP_CMD_SECURITY_REQ it doesn't change the role to
be Initiator.
Link: https://github.com/bluez/bluez/issues/567
Fixes: b28b4943660f ("Bluetooth: Add strict checks for allowed SMP PDUs")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/smp.c | 144 ++++++++++++++++++++++----------------------
1 file changed, 72 insertions(+), 72 deletions(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 37f95ea8c7db5..fa3986cfd5266 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -915,7 +915,7 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
* Confirms and the responder Enters the passkey.
*/
if (smp->method == OVERLAP) {
- if (hcon->role == HCI_ROLE_MASTER)
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
smp->method = CFM_PASSKEY;
else
smp->method = REQ_PASSKEY;
@@ -965,7 +965,7 @@ static u8 smp_confirm(struct smp_chan *smp)
smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
- if (conn->hcon->out)
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
else
SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
@@ -981,7 +981,8 @@ static u8 smp_random(struct smp_chan *smp)
int ret;
bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
- conn->hcon->out ? "initiator" : "responder");
+ test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
+ "responder");
ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
hcon->init_addr_type, &hcon->init_addr,
@@ -995,7 +996,7 @@ static u8 smp_random(struct smp_chan *smp)
return SMP_CONFIRM_FAILED;
}
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
u8 stk[16];
__le64 rand = 0;
__le16 ediv = 0;
@@ -1257,14 +1258,15 @@ static void smp_distribute_keys(struct smp_chan *smp)
rsp = (void *) &smp->prsp[1];
/* The responder sends its keys first */
- if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags) &&
+ (smp->remote_key_dist & KEY_DIST_MASK)) {
smp_allow_key_dist(smp);
return;
}
req = (void *) &smp->preq[1];
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
keydist = &rsp->init_key_dist;
*keydist &= req->init_key_dist;
} else {
@@ -1433,7 +1435,7 @@ static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
struct hci_conn *hcon = smp->conn->hcon;
u8 *na, *nb, a[7], b[7];
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
na = smp->prnd;
nb = smp->rrnd;
} else {
@@ -1461,7 +1463,7 @@ static void sc_dhkey_check(struct smp_chan *smp)
a[6] = hcon->init_addr_type;
b[6] = hcon->resp_addr_type;
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
local_addr = a;
remote_addr = b;
memcpy(io_cap, &smp->preq[1], 3);
@@ -1540,7 +1542,7 @@ static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
/* The round is only complete when the initiator
* receives pairing random.
*/
- if (!hcon->out) {
+ if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
sizeof(smp->prnd), smp->prnd);
if (smp->passkey_round == 20)
@@ -1568,7 +1570,7 @@ static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
sizeof(smp->prnd), smp->prnd);
return 0;
@@ -1579,7 +1581,7 @@ static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
case SMP_CMD_PUBLIC_KEY:
default:
/* Initiating device starts the round */
- if (!hcon->out)
+ if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
return 0;
bt_dev_dbg(hdev, "Starting passkey round %u",
@@ -1624,7 +1626,7 @@ static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
}
/* Initiator sends DHKey check first */
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
sc_dhkey_check(smp);
SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
@@ -1747,7 +1749,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
struct smp_cmd_pairing rsp, *req = (void *) skb->data;
struct l2cap_chan *chan = conn->smp;
struct hci_dev *hdev = conn->hcon->hdev;
- struct smp_chan *smp;
+ struct smp_chan *smp = chan->data;
u8 key_size, auth, sec_level;
int ret;
@@ -1756,16 +1758,14 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
if (skb->len < sizeof(*req))
return SMP_INVALID_PARAMS;
- if (conn->hcon->role != HCI_ROLE_SLAVE)
+ if (smp && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
return SMP_CMD_NOTSUPP;
- if (!chan->data)
+ if (!smp) {
smp = smp_chan_create(conn);
- else
- smp = chan->data;
-
- if (!smp)
- return SMP_UNSPECIFIED;
+ if (!smp)
+ return SMP_UNSPECIFIED;
+ }
/* We didn't start the pairing, so match remote */
auth = req->auth_req & AUTH_REQ_MASK(hdev);
@@ -1947,7 +1947,7 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
if (skb->len < sizeof(*rsp))
return SMP_INVALID_PARAMS;
- if (conn->hcon->role != HCI_ROLE_MASTER)
+ if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
return SMP_CMD_NOTSUPP;
skb_pull(skb, sizeof(*rsp));
@@ -2042,7 +2042,7 @@ static u8 sc_check_confirm(struct smp_chan *smp)
if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
- if (conn->hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
smp->prnd);
SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
@@ -2064,7 +2064,7 @@ static int fixup_sc_false_positive(struct smp_chan *smp)
u8 auth;
/* The issue is only observed when we're in responder role */
- if (hcon->out)
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
return SMP_UNSPECIFIED;
if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
@@ -2100,7 +2100,8 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
struct hci_dev *hdev = hcon->hdev;
bt_dev_dbg(hdev, "conn %p %s", conn,
- hcon->out ? "initiator" : "responder");
+ test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
+ "responder");
if (skb->len < sizeof(smp->pcnf))
return SMP_INVALID_PARAMS;
@@ -2122,7 +2123,7 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
return ret;
}
- if (conn->hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
smp->prnd);
SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
@@ -2157,7 +2158,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
if (!test_bit(SMP_FLAG_SC, &smp->flags))
return smp_random(smp);
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
pkax = smp->local_pk;
pkbx = smp->remote_pk;
na = smp->prnd;
@@ -2170,7 +2171,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
}
if (smp->method == REQ_OOB) {
- if (!hcon->out)
+ if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
sizeof(smp->prnd), smp->prnd);
SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
@@ -2181,7 +2182,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
u8 cfm[16];
err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
@@ -2222,7 +2223,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
return SMP_UNSPECIFIED;
if (smp->method == REQ_OOB) {
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
sc_dhkey_check(smp);
SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
}
@@ -2296,10 +2297,27 @@ bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
return false;
}
+static void smp_send_pairing_req(struct smp_chan *smp, __u8 auth)
+{
+ struct smp_cmd_pairing cp;
+
+ if (smp->conn->hcon->type == ACL_LINK)
+ build_bredr_pairing_cmd(smp, &cp, NULL);
+ else
+ build_pairing_cmd(smp->conn, &cp, NULL, auth);
+
+ smp->preq[0] = SMP_CMD_PAIRING_REQ;
+ memcpy(&smp->preq[1], &cp, sizeof(cp));
+
+ smp_send_cmd(smp->conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
+ SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
+
+ set_bit(SMP_FLAG_INITIATOR, &smp->flags);
+}
+
static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
{
struct smp_cmd_security_req *rp = (void *) skb->data;
- struct smp_cmd_pairing cp;
struct hci_conn *hcon = conn->hcon;
struct hci_dev *hdev = hcon->hdev;
struct smp_chan *smp;
@@ -2348,16 +2366,20 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
skb_pull(skb, sizeof(*rp));
- memset(&cp, 0, sizeof(cp));
- build_pairing_cmd(conn, &cp, NULL, auth);
+ smp_send_pairing_req(smp, auth);
- smp->preq[0] = SMP_CMD_PAIRING_REQ;
- memcpy(&smp->preq[1], &cp, sizeof(cp));
+ return 0;
+}
- smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
- SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
+static void smp_send_security_req(struct smp_chan *smp, __u8 auth)
+{
+ struct smp_cmd_security_req cp;
- return 0;
+ cp.auth_req = auth;
+ smp_send_cmd(smp->conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
+ SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
+
+ clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
}
int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
@@ -2428,23 +2450,11 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
authreq |= SMP_AUTH_MITM;
}
- if (hcon->role == HCI_ROLE_MASTER) {
- struct smp_cmd_pairing cp;
-
- build_pairing_cmd(conn, &cp, NULL, authreq);
- smp->preq[0] = SMP_CMD_PAIRING_REQ;
- memcpy(&smp->preq[1], &cp, sizeof(cp));
-
- smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
- SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
- } else {
- struct smp_cmd_security_req cp;
- cp.auth_req = authreq;
- smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
- SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
- }
+ if (hcon->role == HCI_ROLE_MASTER)
+ smp_send_pairing_req(smp, authreq);
+ else
+ smp_send_security_req(smp, authreq);
- set_bit(SMP_FLAG_INITIATOR, &smp->flags);
ret = 0;
unlock:
@@ -2695,8 +2705,6 @@ static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
static u8 sc_select_method(struct smp_chan *smp)
{
- struct l2cap_conn *conn = smp->conn;
- struct hci_conn *hcon = conn->hcon;
struct smp_cmd_pairing *local, *remote;
u8 local_mitm, remote_mitm, local_io, remote_io, method;
@@ -2709,7 +2717,7 @@ static u8 sc_select_method(struct smp_chan *smp)
* the "struct smp_cmd_pairing" from them we need to skip the
* first byte which contains the opcode.
*/
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
local = (void *) &smp->preq[1];
remote = (void *) &smp->prsp[1];
} else {
@@ -2778,7 +2786,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
/* Non-initiating device sends its public key after receiving
* the key from the initiating device.
*/
- if (!hcon->out) {
+ if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
err = sc_send_public_key(smp);
if (err)
return err;
@@ -2840,7 +2848,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
}
if (smp->method == REQ_OOB) {
- if (hcon->out)
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
sizeof(smp->prnd), smp->prnd);
@@ -2849,7 +2857,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
return 0;
}
- if (hcon->out)
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
if (smp->method == REQ_PASSKEY) {
@@ -2864,7 +2872,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
/* The Initiating device waits for the non-initiating device to
* send the confirm value.
*/
- if (conn->hcon->out)
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
return 0;
err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
@@ -2898,7 +2906,7 @@ static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
a[6] = hcon->init_addr_type;
b[6] = hcon->resp_addr_type;
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
local_addr = a;
remote_addr = b;
memcpy(io_cap, &smp->prsp[1], 3);
@@ -2923,7 +2931,7 @@ static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
if (crypto_memneq(check->e, e, 16))
return SMP_DHKEY_CHECK_FAILED;
- if (!hcon->out) {
+ if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
return 0;
@@ -2935,7 +2943,7 @@ static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
sc_add_ltk(smp);
- if (hcon->out) {
+ if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
hcon->enc_key_size = smp->enc_key_size;
}
@@ -3084,7 +3092,6 @@ static void bredr_pairing(struct l2cap_chan *chan)
struct l2cap_conn *conn = chan->conn;
struct hci_conn *hcon = conn->hcon;
struct hci_dev *hdev = hcon->hdev;
- struct smp_cmd_pairing req;
struct smp_chan *smp;
bt_dev_dbg(hdev, "chan %p", chan);
@@ -3136,14 +3143,7 @@ static void bredr_pairing(struct l2cap_chan *chan)
bt_dev_dbg(hdev, "starting SMP over BR/EDR");
- /* Prepare and send the BR/EDR SMP Pairing Request */
- build_bredr_pairing_cmd(smp, &req, NULL);
-
- smp->preq[0] = SMP_CMD_PAIRING_REQ;
- memcpy(&smp->preq[1], &req, sizeof(req));
-
- smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
- SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
+ smp_send_pairing_req(smp, 0x00);
}
static void smp_resume_cb(struct l2cap_chan *chan)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 243/341] net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 242/341] Bluetooth: SMP: Fix assumption of Central always being Initiator Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 244/341] net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q" Greg Kroah-Hartman
` (110 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, David S. Miller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 67c3ca2c5cfe6a50772514e3349b5e7b3b0fac03 ]
Problem description
-------------------
On an NXP LS1028A (felix DSA driver) with the following configuration:
- ocelot-8021q tagging protocol
- VLAN-aware bridge (with STP) spanning at least swp0 and swp1
- 8021q VLAN upper interfaces on swp0 and swp1: swp0.700, swp1.700
- ptp4l on swp0.700 and swp1.700
we see that the ptp4l instances do not see each other's traffic,
and they all go to the grand master state due to the
ANNOUNCE_RECEIPT_TIMEOUT_EXPIRES condition.
Jumping to the conclusion for the impatient
-------------------------------------------
There is a zero-day bug in the ocelot switchdev driver in the way it
handles VLAN-tagged packet injection. The correct logic already exists in
the source code, in function ocelot_xmit_get_vlan_info() added by commit
5ca721c54d86 ("net: dsa: tag_ocelot: set the classified VLAN during xmit").
But it is used only for normal NPI-based injection with the DSA "ocelot"
tagging protocol. The other injection code paths (register-based and
FDMA-based) roll their own wrong logic. This affects and was noticed on
the DSA "ocelot-8021q" protocol because it uses register-based injection.
By moving ocelot_xmit_get_vlan_info() to a place that's common for both
the DSA tagger and the ocelot switch library, it can also be called from
ocelot_port_inject_frame() in ocelot.c.
We need to touch the lines with ocelot_ifh_port_set()'s prototype
anyway, so let's rename it to something clearer regarding what it does,
and add a kernel-doc. ocelot_ifh_set_basic() should do.
Investigation notes
-------------------
Debugging reveals that PTP event (aka those carrying timestamps, like
Sync) frames injected into swp0.700 (but also swp1.700) hit the wire
with two VLAN tags:
00000000: 01 1b 19 00 00 00 00 01 02 03 04 05 81 00 02 bc
~~~~~~~~~~~
00000010: 81 00 02 bc 88 f7 00 12 00 2c 00 00 02 00 00 00
~~~~~~~~~~~
00000020: 00 00 00 00 00 00 00 00 00 00 00 01 02 ff fe 03
00000030: 04 05 00 01 00 04 00 00 00 00 00 00 00 00 00 00
00000040: 00 00
The second (unexpected) VLAN tag makes felix_check_xtr_pkt() ->
ptp_classify_raw() fail to see these as PTP packets at the link
partner's receiving end, and return PTP_CLASS_NONE (because the BPF
classifier is not written to expect 2 VLAN tags).
The reason why packets have 2 VLAN tags is because the transmission
code treats VLAN incorrectly.
Neither ocelot switchdev, nor felix DSA, declare the NETIF_F_HW_VLAN_CTAG_TX
feature. Therefore, at xmit time, all VLANs should be in the skb head,
and none should be in the hwaccel area. This is done by:
static struct sk_buff *validate_xmit_vlan(struct sk_buff *skb,
netdev_features_t features)
{
if (skb_vlan_tag_present(skb) &&
!vlan_hw_offload_capable(features, skb->vlan_proto))
skb = __vlan_hwaccel_push_inside(skb);
return skb;
}
But ocelot_port_inject_frame() handles things incorrectly:
ocelot_ifh_port_set(ifh, port, rew_op, skb_vlan_tag_get(skb));
void ocelot_ifh_port_set(struct sk_buff *skb, void *ifh, int port, u32 rew_op)
{
(...)
if (vlan_tag)
ocelot_ifh_set_vlan_tci(ifh, vlan_tag);
(...)
}
The way __vlan_hwaccel_push_inside() pushes the tag inside the skb head
is by calling:
static inline void __vlan_hwaccel_clear_tag(struct sk_buff *skb)
{
skb->vlan_present = 0;
}
which does _not_ zero out skb->vlan_tci as seen by skb_vlan_tag_get().
This means that ocelot, when it calls skb_vlan_tag_get(), sees
(and uses) a residual skb->vlan_tci, while the same VLAN tag is
_already_ in the skb head.
The trivial fix for double VLAN headers is to replace the content of
ocelot_ifh_port_set() with:
if (skb_vlan_tag_present(skb))
ocelot_ifh_set_vlan_tci(ifh, skb_vlan_tag_get(skb));
but this would not be correct either, because, as mentioned,
vlan_hw_offload_capable() is false for us, so we'd be inserting dead
code and we'd always transmit packets with VID=0 in the injection frame
header.
I can't actually test the ocelot switchdev driver and rely exclusively
on code inspection, but I don't think traffic from 8021q uppers has ever
been injected properly, and not double-tagged. Thus I'm blaming the
introduction of VLAN fields in the injection header - early driver code.
As hinted at in the early conclusion, what we _want_ to happen for
VLAN transmission was already described once in commit 5ca721c54d86
("net: dsa: tag_ocelot: set the classified VLAN during xmit").
ocelot_xmit_get_vlan_info() intends to ensure that if the port through
which we're transmitting is under a VLAN-aware bridge, the outer VLAN
tag from the skb head is stripped from there and inserted into the
injection frame header (so that the packet is processed in hardware
through that actual VLAN). And in all other cases, the packet is sent
with VID=0 in the injection frame header, since the port is VLAN-unaware
and has logic to strip this VID on egress (making it invisible to the
wire).
Fixes: 08d02364b12f ("net: mscc: fix the injection header")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mscc/ocelot.c | 29 +++++++++++----
drivers/net/ethernet/mscc/ocelot_fdma.c | 2 +-
include/linux/dsa/ocelot.h | 47 +++++++++++++++++++++++++
include/soc/mscc/ocelot.h | 3 +-
net/dsa/tag_ocelot.c | 37 ++-----------------
5 files changed, 75 insertions(+), 43 deletions(-)
diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
index 56ccbd4c37fe6..c739124b394b5 100644
--- a/drivers/net/ethernet/mscc/ocelot.c
+++ b/drivers/net/ethernet/mscc/ocelot.c
@@ -1193,17 +1193,34 @@ bool ocelot_can_inject(struct ocelot *ocelot, int grp)
}
EXPORT_SYMBOL(ocelot_can_inject);
-void ocelot_ifh_port_set(void *ifh, int port, u32 rew_op, u32 vlan_tag)
+/**
+ * ocelot_ifh_set_basic - Set basic information in Injection Frame Header
+ * @ifh: Pointer to Injection Frame Header memory
+ * @ocelot: Switch private data structure
+ * @port: Egress port number
+ * @rew_op: Egress rewriter operation for PTP
+ * @skb: Pointer to socket buffer (packet)
+ *
+ * Populate the Injection Frame Header with basic information for this skb: the
+ * analyzer bypass bit, destination port, VLAN info, egress rewriter info.
+ */
+void ocelot_ifh_set_basic(void *ifh, struct ocelot *ocelot, int port,
+ u32 rew_op, struct sk_buff *skb)
{
+ struct ocelot_port *ocelot_port = ocelot->ports[port];
+ u64 vlan_tci, tag_type;
+
+ ocelot_xmit_get_vlan_info(skb, ocelot_port->bridge, &vlan_tci,
+ &tag_type);
+
ocelot_ifh_set_bypass(ifh, 1);
ocelot_ifh_set_dest(ifh, BIT_ULL(port));
- ocelot_ifh_set_tag_type(ifh, IFH_TAG_TYPE_C);
- if (vlan_tag)
- ocelot_ifh_set_vlan_tci(ifh, vlan_tag);
+ ocelot_ifh_set_tag_type(ifh, tag_type);
+ ocelot_ifh_set_vlan_tci(ifh, vlan_tci);
if (rew_op)
ocelot_ifh_set_rew_op(ifh, rew_op);
}
-EXPORT_SYMBOL(ocelot_ifh_port_set);
+EXPORT_SYMBOL(ocelot_ifh_set_basic);
void ocelot_port_inject_frame(struct ocelot *ocelot, int port, int grp,
u32 rew_op, struct sk_buff *skb)
@@ -1214,7 +1231,7 @@ void ocelot_port_inject_frame(struct ocelot *ocelot, int port, int grp,
ocelot_write_rix(ocelot, QS_INJ_CTRL_GAP_SIZE(1) |
QS_INJ_CTRL_SOF, QS_INJ_CTRL, grp);
- ocelot_ifh_port_set(ifh, port, rew_op, skb_vlan_tag_get(skb));
+ ocelot_ifh_set_basic(ifh, ocelot, port, rew_op, skb);
for (i = 0; i < OCELOT_TAG_LEN / 4; i++)
ocelot_write_rix(ocelot, ifh[i], QS_INJ_WR, grp);
diff --git a/drivers/net/ethernet/mscc/ocelot_fdma.c b/drivers/net/ethernet/mscc/ocelot_fdma.c
index 312a468321544..87b59cc5e4416 100644
--- a/drivers/net/ethernet/mscc/ocelot_fdma.c
+++ b/drivers/net/ethernet/mscc/ocelot_fdma.c
@@ -666,7 +666,7 @@ static int ocelot_fdma_prepare_skb(struct ocelot *ocelot, int port, u32 rew_op,
ifh = skb_push(skb, OCELOT_TAG_LEN);
skb_put(skb, ETH_FCS_LEN);
memset(ifh, 0, OCELOT_TAG_LEN);
- ocelot_ifh_port_set(ifh, port, rew_op, skb_vlan_tag_get(skb));
+ ocelot_ifh_set_basic(ifh, ocelot, port, rew_op, skb);
return 0;
}
diff --git a/include/linux/dsa/ocelot.h b/include/linux/dsa/ocelot.h
index dca2969015d80..6fbfbde68a37c 100644
--- a/include/linux/dsa/ocelot.h
+++ b/include/linux/dsa/ocelot.h
@@ -5,6 +5,8 @@
#ifndef _NET_DSA_TAG_OCELOT_H
#define _NET_DSA_TAG_OCELOT_H
+#include <linux/if_bridge.h>
+#include <linux/if_vlan.h>
#include <linux/kthread.h>
#include <linux/packing.h>
#include <linux/skbuff.h>
@@ -273,4 +275,49 @@ static inline u32 ocelot_ptp_rew_op(struct sk_buff *skb)
return rew_op;
}
+/**
+ * ocelot_xmit_get_vlan_info: Determine VLAN_TCI and TAG_TYPE for injected frame
+ * @skb: Pointer to socket buffer
+ * @br: Pointer to bridge device that the port is under, if any
+ * @vlan_tci:
+ * @tag_type:
+ *
+ * If the port is under a VLAN-aware bridge, remove the VLAN header from the
+ * payload and move it into the DSA tag, which will make the switch classify
+ * the packet to the bridge VLAN. Otherwise, leave the classified VLAN at zero,
+ * which is the pvid of standalone ports (OCELOT_STANDALONE_PVID), although not
+ * of VLAN-unaware bridge ports (that would be ocelot_vlan_unaware_pvid()).
+ * Anyway, VID 0 is fine because it is stripped on egress for these port modes,
+ * and source address learning is not performed for packets injected from the
+ * CPU anyway, so it doesn't matter that the VID is "wrong".
+ */
+static inline void ocelot_xmit_get_vlan_info(struct sk_buff *skb,
+ struct net_device *br,
+ u64 *vlan_tci, u64 *tag_type)
+{
+ struct vlan_ethhdr *hdr;
+ u16 proto, tci;
+
+ if (!br || !br_vlan_enabled(br)) {
+ *vlan_tci = 0;
+ *tag_type = IFH_TAG_TYPE_C;
+ return;
+ }
+
+ hdr = (struct vlan_ethhdr *)skb_mac_header(skb);
+ br_vlan_get_proto(br, &proto);
+
+ if (ntohs(hdr->h_vlan_proto) == proto) {
+ vlan_remove_tag(skb, &tci);
+ *vlan_tci = tci;
+ } else {
+ rcu_read_lock();
+ br_vlan_get_pvid_rcu(br, &tci);
+ rcu_read_unlock();
+ *vlan_tci = tci;
+ }
+
+ *tag_type = (proto != ETH_P_8021Q) ? IFH_TAG_TYPE_S : IFH_TAG_TYPE_C;
+}
+
#endif
diff --git a/include/soc/mscc/ocelot.h b/include/soc/mscc/ocelot.h
index 1e1b40f4e664e..0297bc2277927 100644
--- a/include/soc/mscc/ocelot.h
+++ b/include/soc/mscc/ocelot.h
@@ -969,7 +969,8 @@ void __ocelot_target_write_ix(struct ocelot *ocelot, enum ocelot_target target,
bool ocelot_can_inject(struct ocelot *ocelot, int grp);
void ocelot_port_inject_frame(struct ocelot *ocelot, int port, int grp,
u32 rew_op, struct sk_buff *skb);
-void ocelot_ifh_port_set(void *ifh, int port, u32 rew_op, u32 vlan_tag);
+void ocelot_ifh_set_basic(void *ifh, struct ocelot *ocelot, int port,
+ u32 rew_op, struct sk_buff *skb);
int ocelot_xtr_poll_frame(struct ocelot *ocelot, int grp, struct sk_buff **skb);
void ocelot_drain_cpu_queue(struct ocelot *ocelot, int grp);
void ocelot_ptp_rx_timestamp(struct ocelot *ocelot, struct sk_buff *skb,
diff --git a/net/dsa/tag_ocelot.c b/net/dsa/tag_ocelot.c
index 20bf7074d5a67..ff0ae3f6be566 100644
--- a/net/dsa/tag_ocelot.c
+++ b/net/dsa/tag_ocelot.c
@@ -8,40 +8,6 @@
#define OCELOT_NAME "ocelot"
#define SEVILLE_NAME "seville"
-/* If the port is under a VLAN-aware bridge, remove the VLAN header from the
- * payload and move it into the DSA tag, which will make the switch classify
- * the packet to the bridge VLAN. Otherwise, leave the classified VLAN at zero,
- * which is the pvid of standalone and VLAN-unaware bridge ports.
- */
-static void ocelot_xmit_get_vlan_info(struct sk_buff *skb, struct dsa_port *dp,
- u64 *vlan_tci, u64 *tag_type)
-{
- struct net_device *br = dsa_port_bridge_dev_get(dp);
- struct vlan_ethhdr *hdr;
- u16 proto, tci;
-
- if (!br || !br_vlan_enabled(br)) {
- *vlan_tci = 0;
- *tag_type = IFH_TAG_TYPE_C;
- return;
- }
-
- hdr = skb_vlan_eth_hdr(skb);
- br_vlan_get_proto(br, &proto);
-
- if (ntohs(hdr->h_vlan_proto) == proto) {
- vlan_remove_tag(skb, &tci);
- *vlan_tci = tci;
- } else {
- rcu_read_lock();
- br_vlan_get_pvid_rcu(br, &tci);
- rcu_read_unlock();
- *vlan_tci = tci;
- }
-
- *tag_type = (proto != ETH_P_8021Q) ? IFH_TAG_TYPE_S : IFH_TAG_TYPE_C;
-}
-
static void ocelot_xmit_common(struct sk_buff *skb, struct net_device *netdev,
__be32 ifh_prefix, void **ifh)
{
@@ -53,7 +19,8 @@ static void ocelot_xmit_common(struct sk_buff *skb, struct net_device *netdev,
u32 rew_op = 0;
u64 qos_class;
- ocelot_xmit_get_vlan_info(skb, dp, &vlan_tci, &tag_type);
+ ocelot_xmit_get_vlan_info(skb, dsa_port_bridge_dev_get(dp), &vlan_tci,
+ &tag_type);
qos_class = netdev_get_num_tc(netdev) ?
netdev_get_prio_tc_map(netdev, skb->priority) : skb->priority;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 244/341] net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q"
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 243/341] net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 245/341] net: mscc: ocelot: serialize access to the injection/extraction groups Greg Kroah-Hartman
` (109 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, David S. Miller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit e1b9e80236c540fa85d76e2d510d1b38e1968c5d ]
There are 2 distinct code paths (listed below) in the source code which
set up an injection header for Ocelot(-like) switches. Code path (2)
lacks the QoS class and source port being set correctly. Especially the
improper QoS classification is a problem for the "ocelot-8021q"
alternative DSA tagging protocol, because we support tc-taprio and each
packet needs to be scheduled precisely through its time slot. This
includes PTP, which is normally assigned to a traffic class other than
0, but would be sent through TC 0 nonetheless.
The code paths are:
(1) ocelot_xmit_common() from net/dsa/tag_ocelot.c - called only by the
standard "ocelot" DSA tagging protocol which uses NPI-based
injection - sets up bit fields in the tag manually to account for
a small difference (destination port offset) between Ocelot and
Seville. Namely, ocelot_ifh_set_dest() is omitted out of
ocelot_xmit_common(), because there's also seville_ifh_set_dest().
(2) ocelot_ifh_set_basic(), called by:
- ocelot_fdma_prepare_skb() for FDMA transmission of the ocelot
switchdev driver
- ocelot_port_xmit() -> ocelot_port_inject_frame() for
register-based transmission of the ocelot switchdev driver
- felix_port_deferred_xmit() -> ocelot_port_inject_frame() for the
DSA tagger ocelot-8021q when it must transmit PTP frames (also
through register-based injection).
sets the bit fields according to its own logic.
The problem is that (2) doesn't call ocelot_ifh_set_qos_class().
Copying that logic from ocelot_xmit_common() fixes that.
Unfortunately, although desirable, it is not easily possible to
de-duplicate code paths (1) and (2), and make net/dsa/tag_ocelot.c
directly call ocelot_ifh_set_basic()), because of the ocelot/seville
difference. This is the "minimal" fix with some logic duplicated (but
at least more consolidated).
Fixes: 0a6f17c6ae21 ("net: dsa: tag_ocelot_8021q: add support for PTP timestamping")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mscc/ocelot.c | 10 +++++++++-
drivers/net/ethernet/mscc/ocelot_fdma.c | 1 -
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
index c739124b394b5..4e01abf6cc72c 100644
--- a/drivers/net/ethernet/mscc/ocelot.c
+++ b/drivers/net/ethernet/mscc/ocelot.c
@@ -1208,13 +1208,21 @@ void ocelot_ifh_set_basic(void *ifh, struct ocelot *ocelot, int port,
u32 rew_op, struct sk_buff *skb)
{
struct ocelot_port *ocelot_port = ocelot->ports[port];
+ struct net_device *dev = skb->dev;
u64 vlan_tci, tag_type;
+ int qos_class;
ocelot_xmit_get_vlan_info(skb, ocelot_port->bridge, &vlan_tci,
&tag_type);
+ qos_class = netdev_get_num_tc(dev) ?
+ netdev_get_prio_tc_map(dev, skb->priority) : skb->priority;
+
+ memset(ifh, 0, OCELOT_TAG_LEN);
ocelot_ifh_set_bypass(ifh, 1);
+ ocelot_ifh_set_src(ifh, BIT_ULL(ocelot->num_phys_ports));
ocelot_ifh_set_dest(ifh, BIT_ULL(port));
+ ocelot_ifh_set_qos_class(ifh, qos_class);
ocelot_ifh_set_tag_type(ifh, tag_type);
ocelot_ifh_set_vlan_tci(ifh, vlan_tci);
if (rew_op)
@@ -1225,7 +1233,7 @@ EXPORT_SYMBOL(ocelot_ifh_set_basic);
void ocelot_port_inject_frame(struct ocelot *ocelot, int port, int grp,
u32 rew_op, struct sk_buff *skb)
{
- u32 ifh[OCELOT_TAG_LEN / 4] = {0};
+ u32 ifh[OCELOT_TAG_LEN / 4];
unsigned int i, count, last;
ocelot_write_rix(ocelot, QS_INJ_CTRL_GAP_SIZE(1) |
diff --git a/drivers/net/ethernet/mscc/ocelot_fdma.c b/drivers/net/ethernet/mscc/ocelot_fdma.c
index 87b59cc5e4416..00326ae8c708b 100644
--- a/drivers/net/ethernet/mscc/ocelot_fdma.c
+++ b/drivers/net/ethernet/mscc/ocelot_fdma.c
@@ -665,7 +665,6 @@ static int ocelot_fdma_prepare_skb(struct ocelot *ocelot, int port, u32 rew_op,
ifh = skb_push(skb, OCELOT_TAG_LEN);
skb_put(skb, ETH_FCS_LEN);
- memset(ifh, 0, OCELOT_TAG_LEN);
ocelot_ifh_set_basic(ifh, ocelot, port, rew_op, skb);
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 245/341] net: mscc: ocelot: serialize access to the injection/extraction groups
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 244/341] net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q" Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 246/341] tc-testing: dont access non-existent variable on exception Greg Kroah-Hartman
` (108 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, David S. Miller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit c5e12ac3beb0dd3a718296b2d8af5528e9ab728e ]
As explained by Horatiu Vultur in commit 603ead96582d ("net: sparx5: Add
spinlock for frame transmission from CPU") which is for a similar
hardware design, multiple CPUs can simultaneously perform injection
or extraction. There are only 2 register groups for injection and 2
for extraction, and the driver only uses one of each. So we'd better
serialize access using spin locks, otherwise frame corruption is
possible.
Note that unlike in sparx5, FDMA in ocelot does not have this issue
because struct ocelot_fdma_tx_ring already contains an xmit_lock.
I guess this is mostly a problem for NXP LS1028A, as that is dual core.
I don't think VSC7514 is. So I'm blaming the commit where LS1028A (aka
the felix DSA driver) started using register-based packet injection and
extraction.
Fixes: 0a6f17c6ae21 ("net: dsa: tag_ocelot_8021q: add support for PTP timestamping")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/ocelot/felix.c | 11 +++++
drivers/net/ethernet/mscc/ocelot.c | 52 ++++++++++++++++++++++
drivers/net/ethernet/mscc/ocelot_vsc7514.c | 4 ++
include/soc/mscc/ocelot.h | 9 ++++
4 files changed, 76 insertions(+)
diff --git a/drivers/net/dsa/ocelot/felix.c b/drivers/net/dsa/ocelot/felix.c
index 9a3e5ec169726..b0b4b4af9a1df 100644
--- a/drivers/net/dsa/ocelot/felix.c
+++ b/drivers/net/dsa/ocelot/felix.c
@@ -528,7 +528,9 @@ static int felix_tag_8021q_setup(struct dsa_switch *ds)
* so we need to be careful that there are no extra frames to be
* dequeued over MMIO, since we would never know to discard them.
*/
+ ocelot_lock_xtr_grp_bh(ocelot, 0);
ocelot_drain_cpu_queue(ocelot, 0);
+ ocelot_unlock_xtr_grp_bh(ocelot, 0);
return 0;
}
@@ -1504,6 +1506,8 @@ static void felix_port_deferred_xmit(struct kthread_work *work)
int port = xmit_work->dp->index;
int retries = 10;
+ ocelot_lock_inj_grp(ocelot, 0);
+
do {
if (ocelot_can_inject(ocelot, 0))
break;
@@ -1512,6 +1516,7 @@ static void felix_port_deferred_xmit(struct kthread_work *work)
} while (--retries);
if (!retries) {
+ ocelot_unlock_inj_grp(ocelot, 0);
dev_err(ocelot->dev, "port %d failed to inject skb\n",
port);
ocelot_port_purge_txtstamp_skb(ocelot, port, skb);
@@ -1521,6 +1526,8 @@ static void felix_port_deferred_xmit(struct kthread_work *work)
ocelot_port_inject_frame(ocelot, port, 0, rew_op, skb);
+ ocelot_unlock_inj_grp(ocelot, 0);
+
consume_skb(skb);
kfree(xmit_work);
}
@@ -1671,6 +1678,8 @@ static bool felix_check_xtr_pkt(struct ocelot *ocelot)
if (!felix->info->quirk_no_xtr_irq)
return false;
+ ocelot_lock_xtr_grp(ocelot, grp);
+
while (ocelot_read(ocelot, QS_XTR_DATA_PRESENT) & BIT(grp)) {
struct sk_buff *skb;
unsigned int type;
@@ -1707,6 +1716,8 @@ static bool felix_check_xtr_pkt(struct ocelot *ocelot)
ocelot_drain_cpu_queue(ocelot, 0);
}
+ ocelot_unlock_xtr_grp(ocelot, grp);
+
return true;
}
diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
index 4e01abf6cc72c..c2118bde908b1 100644
--- a/drivers/net/ethernet/mscc/ocelot.c
+++ b/drivers/net/ethernet/mscc/ocelot.c
@@ -1099,6 +1099,48 @@ void ocelot_ptp_rx_timestamp(struct ocelot *ocelot, struct sk_buff *skb,
}
EXPORT_SYMBOL(ocelot_ptp_rx_timestamp);
+void ocelot_lock_inj_grp(struct ocelot *ocelot, int grp)
+ __acquires(&ocelot->inj_lock)
+{
+ spin_lock(&ocelot->inj_lock);
+}
+EXPORT_SYMBOL_GPL(ocelot_lock_inj_grp);
+
+void ocelot_unlock_inj_grp(struct ocelot *ocelot, int grp)
+ __releases(&ocelot->inj_lock)
+{
+ spin_unlock(&ocelot->inj_lock);
+}
+EXPORT_SYMBOL_GPL(ocelot_unlock_inj_grp);
+
+void ocelot_lock_xtr_grp(struct ocelot *ocelot, int grp)
+ __acquires(&ocelot->inj_lock)
+{
+ spin_lock(&ocelot->inj_lock);
+}
+EXPORT_SYMBOL_GPL(ocelot_lock_xtr_grp);
+
+void ocelot_unlock_xtr_grp(struct ocelot *ocelot, int grp)
+ __releases(&ocelot->inj_lock)
+{
+ spin_unlock(&ocelot->inj_lock);
+}
+EXPORT_SYMBOL_GPL(ocelot_unlock_xtr_grp);
+
+void ocelot_lock_xtr_grp_bh(struct ocelot *ocelot, int grp)
+ __acquires(&ocelot->xtr_lock)
+{
+ spin_lock_bh(&ocelot->xtr_lock);
+}
+EXPORT_SYMBOL_GPL(ocelot_lock_xtr_grp_bh);
+
+void ocelot_unlock_xtr_grp_bh(struct ocelot *ocelot, int grp)
+ __releases(&ocelot->xtr_lock)
+{
+ spin_unlock_bh(&ocelot->xtr_lock);
+}
+EXPORT_SYMBOL_GPL(ocelot_unlock_xtr_grp_bh);
+
int ocelot_xtr_poll_frame(struct ocelot *ocelot, int grp, struct sk_buff **nskb)
{
u64 timestamp, src_port, len;
@@ -1109,6 +1151,8 @@ int ocelot_xtr_poll_frame(struct ocelot *ocelot, int grp, struct sk_buff **nskb)
u32 val, *buf;
int err;
+ lockdep_assert_held(&ocelot->xtr_lock);
+
err = ocelot_xtr_poll_xfh(ocelot, grp, xfh);
if (err)
return err;
@@ -1184,6 +1228,8 @@ bool ocelot_can_inject(struct ocelot *ocelot, int grp)
{
u32 val = ocelot_read(ocelot, QS_INJ_STATUS);
+ lockdep_assert_held(&ocelot->inj_lock);
+
if (!(val & QS_INJ_STATUS_FIFO_RDY(BIT(grp))))
return false;
if (val & QS_INJ_STATUS_WMARK_REACHED(BIT(grp)))
@@ -1236,6 +1282,8 @@ void ocelot_port_inject_frame(struct ocelot *ocelot, int port, int grp,
u32 ifh[OCELOT_TAG_LEN / 4];
unsigned int i, count, last;
+ lockdep_assert_held(&ocelot->inj_lock);
+
ocelot_write_rix(ocelot, QS_INJ_CTRL_GAP_SIZE(1) |
QS_INJ_CTRL_SOF, QS_INJ_CTRL, grp);
@@ -1272,6 +1320,8 @@ EXPORT_SYMBOL(ocelot_port_inject_frame);
void ocelot_drain_cpu_queue(struct ocelot *ocelot, int grp)
{
+ lockdep_assert_held(&ocelot->xtr_lock);
+
while (ocelot_read(ocelot, QS_XTR_DATA_PRESENT) & BIT(grp))
ocelot_read_rix(ocelot, QS_XTR_RD, grp);
}
@@ -2954,6 +3004,8 @@ int ocelot_init(struct ocelot *ocelot)
mutex_init(&ocelot->fwd_domain_lock);
spin_lock_init(&ocelot->ptp_clock_lock);
spin_lock_init(&ocelot->ts_id_lock);
+ spin_lock_init(&ocelot->inj_lock);
+ spin_lock_init(&ocelot->xtr_lock);
ocelot->owq = alloc_ordered_workqueue("ocelot-owq", 0);
if (!ocelot->owq)
diff --git a/drivers/net/ethernet/mscc/ocelot_vsc7514.c b/drivers/net/ethernet/mscc/ocelot_vsc7514.c
index 151b424653483..bc20bd1ef05c7 100644
--- a/drivers/net/ethernet/mscc/ocelot_vsc7514.c
+++ b/drivers/net/ethernet/mscc/ocelot_vsc7514.c
@@ -51,6 +51,8 @@ static irqreturn_t ocelot_xtr_irq_handler(int irq, void *arg)
struct ocelot *ocelot = arg;
int grp = 0, err;
+ ocelot_lock_xtr_grp(ocelot, grp);
+
while (ocelot_read(ocelot, QS_XTR_DATA_PRESENT) & BIT(grp)) {
struct sk_buff *skb;
@@ -69,6 +71,8 @@ static irqreturn_t ocelot_xtr_irq_handler(int irq, void *arg)
if (err < 0)
ocelot_drain_cpu_queue(ocelot, 0);
+ ocelot_unlock_xtr_grp(ocelot, grp);
+
return IRQ_HANDLED;
}
diff --git a/include/soc/mscc/ocelot.h b/include/soc/mscc/ocelot.h
index 0297bc2277927..846132ca5503d 100644
--- a/include/soc/mscc/ocelot.h
+++ b/include/soc/mscc/ocelot.h
@@ -813,6 +813,9 @@ struct ocelot {
const u32 *const *map;
struct list_head stats_regions;
+ spinlock_t inj_lock;
+ spinlock_t xtr_lock;
+
u32 pool_size[OCELOT_SB_NUM][OCELOT_SB_POOL_NUM];
int packet_buffer_size;
int num_frame_refs;
@@ -966,6 +969,12 @@ void __ocelot_target_write_ix(struct ocelot *ocelot, enum ocelot_target target,
u32 val, u32 reg, u32 offset);
/* Packet I/O */
+void ocelot_lock_inj_grp(struct ocelot *ocelot, int grp);
+void ocelot_unlock_inj_grp(struct ocelot *ocelot, int grp);
+void ocelot_lock_xtr_grp(struct ocelot *ocelot, int grp);
+void ocelot_unlock_xtr_grp(struct ocelot *ocelot, int grp);
+void ocelot_lock_xtr_grp_bh(struct ocelot *ocelot, int grp);
+void ocelot_unlock_xtr_grp_bh(struct ocelot *ocelot, int grp);
bool ocelot_can_inject(struct ocelot *ocelot, int grp);
void ocelot_port_inject_frame(struct ocelot *ocelot, int port, int grp,
u32 rew_op, struct sk_buff *skb);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 246/341] tc-testing: dont access non-existent variable on exception
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 245/341] net: mscc: ocelot: serialize access to the injection/extraction groups Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 247/341] selftests: udpgro: report error when receive failed Greg Kroah-Hartman
` (107 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Horman <horms@kernel.org>
[ Upstream commit a0c9fe5eecc97680323ee83780ea3eaf440ba1b7 ]
Since commit 255c1c7279ab ("tc-testing: Allow test cases to be skipped")
the variable test_ordinal doesn't exist in call_pre_case().
So it should not be accessed when an exception occurs.
This resolves the following splat:
...
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File ".../tdc.py", line 1028, in <module>
main()
File ".../tdc.py", line 1022, in main
set_operation_mode(pm, parser, args, remaining)
File ".../tdc.py", line 966, in set_operation_mode
catresults = test_runner_serial(pm, args, alltests)
File ".../tdc.py", line 642, in test_runner_serial
(index, tsr) = test_runner(pm, args, alltests)
File ".../tdc.py", line 536, in test_runner
res = run_one_test(pm, args, index, tidx)
File ".../tdc.py", line 419, in run_one_test
pm.call_pre_case(tidx)
File ".../tdc.py", line 146, in call_pre_case
print('test_ordinal is {}'.format(test_ordinal))
NameError: name 'test_ordinal' is not defined
Fixes: 255c1c7279ab ("tc-testing: Allow test cases to be skipped")
Signed-off-by: Simon Horman <horms@kernel.org>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20240815-tdc-test-ordinal-v1-1-0255c122a427@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/tc-testing/tdc.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/tools/testing/selftests/tc-testing/tdc.py b/tools/testing/selftests/tc-testing/tdc.py
index b98256f38447d..8f969f54ddf40 100755
--- a/tools/testing/selftests/tc-testing/tdc.py
+++ b/tools/testing/selftests/tc-testing/tdc.py
@@ -129,7 +129,6 @@ class PluginMgr:
except Exception as ee:
print('exception {} in call to pre_case for {} plugin'.
format(ee, pgn_inst.__class__))
- print('test_ordinal is {}'.format(test_ordinal))
print('testid is {}'.format(caseinfo['id']))
raise
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 247/341] selftests: udpgro: report error when receive failed
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 246/341] tc-testing: dont access non-existent variable on exception Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 248/341] tcp/dccp: bypass empty buckets in inet_twsk_purge() Greg Kroah-Hartman
` (106 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Hangbin Liu,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 7167395a4be7930ecac6a33b4e54d7e3dd9ee209 ]
Currently, we only check the latest senders's exit code. If the receiver
report failed, it is not recoreded. Fix it by checking the exit code
of all the involved processes.
Before:
bad GRO lookup ok
multiple GRO socks ./udpgso_bench_rx: recv: bad packet len, got 1452, expected 14520
./udpgso_bench_rx: recv: bad packet len, got 1452, expected 14520
failed
$ echo $?
0
After:
bad GRO lookup ok
multiple GRO socks ./udpgso_bench_rx: recv: bad packet len, got 1452, expected 14520
./udpgso_bench_rx: recv: bad packet len, got 1452, expected 14520
failed
$ echo $?
1
Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO")
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/udpgro.sh | 44 ++++++++++++++++-----------
1 file changed, 27 insertions(+), 17 deletions(-)
diff --git a/tools/testing/selftests/net/udpgro.sh b/tools/testing/selftests/net/udpgro.sh
index 8802604148dda..53341c8135e88 100755
--- a/tools/testing/selftests/net/udpgro.sh
+++ b/tools/testing/selftests/net/udpgro.sh
@@ -46,17 +46,19 @@ run_one() {
local -r all="$@"
local -r tx_args=${all%rx*}
local -r rx_args=${all#*rx}
+ local ret=0
cfg_veth
- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} && \
- echo "ok" || \
- echo "failed" &
+ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} &
+ local PID1=$!
wait_local_port_listen ${PEER_NS} 8000 udp
./udpgso_bench_tx ${tx_args}
- ret=$?
- wait $(jobs -p)
+ check_err $?
+ wait ${PID1}
+ check_err $?
+ [ "$ret" -eq 0 ] && echo "ok" || echo "failed"
return $ret
}
@@ -73,6 +75,7 @@ run_one_nat() {
local -r all="$@"
local -r tx_args=${all%rx*}
local -r rx_args=${all#*rx}
+ local ret=0
if [[ ${tx_args} = *-4* ]]; then
ipt_cmd=iptables
@@ -93,16 +96,17 @@ run_one_nat() {
# ... so that GRO will match the UDP_GRO enabled socket, but packets
# will land on the 'plain' one
ip netns exec "${PEER_NS}" ./udpgso_bench_rx -G ${family} -b ${addr1} -n 0 &
- pid=$!
- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${family} -b ${addr2%/*} ${rx_args} && \
- echo "ok" || \
- echo "failed"&
+ local PID1=$!
+ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${family} -b ${addr2%/*} ${rx_args} &
+ local PID2=$!
wait_local_port_listen "${PEER_NS}" 8000 udp
./udpgso_bench_tx ${tx_args}
- ret=$?
- kill -INT $pid
- wait $(jobs -p)
+ check_err $?
+ kill -INT ${PID1}
+ wait ${PID2}
+ check_err $?
+ [ "$ret" -eq 0 ] && echo "ok" || echo "failed"
return $ret
}
@@ -111,20 +115,26 @@ run_one_2sock() {
local -r all="$@"
local -r tx_args=${all%rx*}
local -r rx_args=${all#*rx}
+ local ret=0
cfg_veth
ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} -p 12345 &
- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 2000 -R 10 ${rx_args} && \
- echo "ok" || \
- echo "failed" &
+ local PID1=$!
+ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 2000 -R 10 ${rx_args} &
+ local PID2=$!
wait_local_port_listen "${PEER_NS}" 12345 udp
./udpgso_bench_tx ${tx_args} -p 12345
+ check_err $?
wait_local_port_listen "${PEER_NS}" 8000 udp
./udpgso_bench_tx ${tx_args}
- ret=$?
- wait $(jobs -p)
+ check_err $?
+ wait ${PID1}
+ check_err $?
+ wait ${PID2}
+ check_err $?
+ [ "$ret" -eq 0 ] && echo "ok" || echo "failed"
return $ret
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 248/341] tcp/dccp: bypass empty buckets in inet_twsk_purge()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 247/341] selftests: udpgro: report error when receive failed Greg Kroah-Hartman
@ 2024-08-27 14:37 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 249/341] tcp/dccp: do not care about families " Greg Kroah-Hartman
` (105 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 50e2907ef8bb52cf80ecde9eec5c4dac07177146 ]
TCP ehash table is often sparsely populated.
inet_twsk_purge() spends too much time calling cond_resched().
This patch can reduce time spent in inet_twsk_purge() by 20x.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240327191206.508114-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 565d121b6998 ("tcp: prevent concurrent execution of tcp_sk_exit_batch")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/inet_timewait_sock.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index 757ae3a4e2f1a..55f60d1b46f2d 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -281,12 +281,17 @@ EXPORT_SYMBOL_GPL(__inet_twsk_schedule);
/* Remove all non full sockets (TIME_WAIT and NEW_SYN_RECV) for dead netns */
void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family)
{
+ struct inet_ehash_bucket *head = &hashinfo->ehash[0];
+ unsigned int ehash_mask = hashinfo->ehash_mask;
struct hlist_nulls_node *node;
unsigned int slot;
struct sock *sk;
- for (slot = 0; slot <= hashinfo->ehash_mask; slot++) {
- struct inet_ehash_bucket *head = &hashinfo->ehash[slot];
+ for (slot = 0; slot <= ehash_mask; slot++, head++) {
+
+ if (hlist_nulls_empty(&head->chain))
+ continue;
+
restart_rcu:
cond_resched();
rcu_read_lock();
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 249/341] tcp/dccp: do not care about families in inet_twsk_purge()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2024-08-27 14:37 ` [PATCH 6.6 248/341] tcp/dccp: bypass empty buckets in inet_twsk_purge() Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 250/341] tcp: prevent concurrent execution of tcp_sk_exit_batch Greg Kroah-Hartman
` (104 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1eeb5043573981f3a1278876515851b7f6b1df1b ]
We lost ability to unload ipv6 module a long time ago.
Instead of calling expensive inet_twsk_purge() twice,
we can handle all families in one round.
Also remove an extra line added in my prior patch,
per Kuniyuki Iwashima feedback.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/netdev/20240327192934.6843-1-kuniyu@amazon.com/
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240329153203.345203-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 565d121b6998 ("tcp: prevent concurrent execution of tcp_sk_exit_batch")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/inet_timewait_sock.h | 2 +-
include/net/tcp.h | 2 +-
net/dccp/ipv4.c | 2 +-
net/dccp/ipv6.c | 6 ------
net/ipv4/inet_timewait_sock.c | 9 +++------
net/ipv4/tcp_ipv4.c | 2 +-
net/ipv4/tcp_minisocks.c | 6 +++---
net/ipv6/tcp_ipv6.c | 6 ------
8 files changed, 10 insertions(+), 25 deletions(-)
diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h
index 4a8e578405cb3..9365e5af8d6da 100644
--- a/include/net/inet_timewait_sock.h
+++ b/include/net/inet_timewait_sock.h
@@ -114,7 +114,7 @@ static inline void inet_twsk_reschedule(struct inet_timewait_sock *tw, int timeo
void inet_twsk_deschedule_put(struct inet_timewait_sock *tw);
-void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family);
+void inet_twsk_purge(struct inet_hashinfo *hashinfo);
static inline
struct net *twsk_net(const struct inet_timewait_sock *twsk)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 71af244104433..cc3b56bf19e05 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -344,7 +344,7 @@ void tcp_rcv_established(struct sock *sk, struct sk_buff *skb);
void tcp_rcv_space_adjust(struct sock *sk);
int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp);
void tcp_twsk_destructor(struct sock *sk);
-void tcp_twsk_purge(struct list_head *net_exit_list, int family);
+void tcp_twsk_purge(struct list_head *net_exit_list);
ssize_t tcp_splice_read(struct socket *sk, loff_t *ppos,
struct pipe_inode_info *pipe, size_t len,
unsigned int flags);
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 65a6733fc897f..ca31c3b096bbf 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -1042,7 +1042,7 @@ static void __net_exit dccp_v4_exit_net(struct net *net)
static void __net_exit dccp_v4_exit_batch(struct list_head *net_exit_list)
{
- inet_twsk_purge(&dccp_hashinfo, AF_INET);
+ inet_twsk_purge(&dccp_hashinfo);
}
static struct pernet_operations dccp_v4_ops = {
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 683e4291b348a..d25e962b18a53 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -1122,15 +1122,9 @@ static void __net_exit dccp_v6_exit_net(struct net *net)
inet_ctl_sock_destroy(pn->v6_ctl_sk);
}
-static void __net_exit dccp_v6_exit_batch(struct list_head *net_exit_list)
-{
- inet_twsk_purge(&dccp_hashinfo, AF_INET6);
-}
-
static struct pernet_operations dccp_v6_ops = {
.init = dccp_v6_init_net,
.exit = dccp_v6_exit_net,
- .exit_batch = dccp_v6_exit_batch,
.id = &dccp_v6_pernet_id,
.size = sizeof(struct dccp_v6_pernet),
};
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index 55f60d1b46f2d..fff53144250c5 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -279,7 +279,7 @@ void __inet_twsk_schedule(struct inet_timewait_sock *tw, int timeo, bool rearm)
EXPORT_SYMBOL_GPL(__inet_twsk_schedule);
/* Remove all non full sockets (TIME_WAIT and NEW_SYN_RECV) for dead netns */
-void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family)
+void inet_twsk_purge(struct inet_hashinfo *hashinfo)
{
struct inet_ehash_bucket *head = &hashinfo->ehash[0];
unsigned int ehash_mask = hashinfo->ehash_mask;
@@ -288,7 +288,6 @@ void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family)
struct sock *sk;
for (slot = 0; slot <= ehash_mask; slot++, head++) {
-
if (hlist_nulls_empty(&head->chain))
continue;
@@ -303,15 +302,13 @@ void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family)
TCPF_NEW_SYN_RECV))
continue;
- if (sk->sk_family != family ||
- refcount_read(&sock_net(sk)->ns.count))
+ if (refcount_read(&sock_net(sk)->ns.count))
continue;
if (unlikely(!refcount_inc_not_zero(&sk->sk_refcnt)))
continue;
- if (unlikely(sk->sk_family != family ||
- refcount_read(&sock_net(sk)->ns.count))) {
+ if (refcount_read(&sock_net(sk)->ns.count)) {
sock_gen_put(sk);
goto restart;
}
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 48ec2c1777d45..6ef51d253abb7 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -3304,7 +3304,7 @@ static void __net_exit tcp_sk_exit_batch(struct list_head *net_exit_list)
{
struct net *net;
- tcp_twsk_purge(net_exit_list, AF_INET);
+ tcp_twsk_purge(net_exit_list);
list_for_each_entry(net, net_exit_list, exit_list) {
inet_pernet_hashinfo_free(net->ipv4.tcp_death_row.hashinfo);
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 260bfb9ada38d..78962c7f8c339 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -363,7 +363,7 @@ void tcp_twsk_destructor(struct sock *sk)
}
EXPORT_SYMBOL_GPL(tcp_twsk_destructor);
-void tcp_twsk_purge(struct list_head *net_exit_list, int family)
+void tcp_twsk_purge(struct list_head *net_exit_list)
{
bool purged_once = false;
struct net *net;
@@ -371,9 +371,9 @@ void tcp_twsk_purge(struct list_head *net_exit_list, int family)
list_for_each_entry(net, net_exit_list, exit_list) {
if (net->ipv4.tcp_death_row.hashinfo->pernet) {
/* Even if tw_refcount == 1, we must clean up kernel reqsk */
- inet_twsk_purge(net->ipv4.tcp_death_row.hashinfo, family);
+ inet_twsk_purge(net->ipv4.tcp_death_row.hashinfo);
} else if (!purged_once) {
- inet_twsk_purge(&tcp_hashinfo, family);
+ inet_twsk_purge(&tcp_hashinfo);
purged_once = true;
}
}
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index d0034916d386b..83b48dc2b3ee2 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -2213,15 +2213,9 @@ static void __net_exit tcpv6_net_exit(struct net *net)
inet_ctl_sock_destroy(net->ipv6.tcp_sk);
}
-static void __net_exit tcpv6_net_exit_batch(struct list_head *net_exit_list)
-{
- tcp_twsk_purge(net_exit_list, AF_INET6);
-}
-
static struct pernet_operations tcpv6_net_ops = {
.init = tcpv6_net_init,
.exit = tcpv6_net_exit,
- .exit_batch = tcpv6_net_exit_batch,
};
int __init tcpv6_init(void)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 250/341] tcp: prevent concurrent execution of tcp_sk_exit_batch
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 249/341] tcp/dccp: do not care about families " Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 251/341] net: mctp: test: Use correct skb for route input check Greg Kroah-Hartman
` (103 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8ea26396ff85d23a8929,
Florian Westphal, Kuniyuki Iwashima, Jason Xing, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 565d121b69980637f040eb4d84289869cdaabedf ]
Its possible that two threads call tcp_sk_exit_batch() concurrently,
once from the cleanup_net workqueue, once from a task that failed to clone
a new netns. In the latter case, error unwinding calls the exit handlers
in reverse order for the 'failed' netns.
tcp_sk_exit_batch() calls tcp_twsk_purge().
Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),
this function picks up twsk in any dying netns, not just the one passed
in via exit_batch list.
This means that the error unwind of setup_net() can "steal" and destroy
timewait sockets belonging to the exiting netns.
This allows the netns exit worker to proceed to call
WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));
without the expected 1 -> 0 transition, which then splats.
At same time, error unwind path that is also running inet_twsk_purge()
will splat as well:
WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210
...
refcount_dec include/linux/refcount.h:351 [inline]
inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70
inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221
inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304
tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522
ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
setup_net+0x714/0xb40 net/core/net_namespace.c:375
copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508
create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110
... because refcount_dec() of tw_refcount unexpectedly dropped to 0.
This doesn't seem like an actual bug (no tw sockets got lost and I don't
see a use-after-free) but as erroneous trigger of debug check.
Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()
blocks other task from doing final _dec_and_test before mutex-owner has
removed all tw sockets of dying netns.
Fixes: e9bd0cca09d1 ("tcp: Don't allocate tcp_death_row outside of struct netns_ipv4.")
Reported-by: syzbot+8ea26396ff85d23a8929@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/0000000000003a5292061f5e4e19@google.com/
Link: https://lore.kernel.org/netdev/20240812140104.GA21559@breakpoint.cc/
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240812222857.29837-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_ipv4.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 6ef51d253abb7..96d235bcf5cb2 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -94,6 +94,8 @@ EXPORT_SYMBOL(tcp_hashinfo);
static DEFINE_PER_CPU(struct sock *, ipv4_tcp_sk);
+static DEFINE_MUTEX(tcp_exit_batch_mutex);
+
static u32 tcp_v4_init_seq(const struct sk_buff *skb)
{
return secure_tcp_seq(ip_hdr(skb)->daddr,
@@ -3304,6 +3306,16 @@ static void __net_exit tcp_sk_exit_batch(struct list_head *net_exit_list)
{
struct net *net;
+ /* make sure concurrent calls to tcp_sk_exit_batch from net_cleanup_work
+ * and failed setup_net error unwinding path are serialized.
+ *
+ * tcp_twsk_purge() handles twsk in any dead netns, not just those in
+ * net_exit_list, the thread that dismantles a particular twsk must
+ * do so without other thread progressing to refcount_dec_and_test() of
+ * tcp_death_row.tw_refcount.
+ */
+ mutex_lock(&tcp_exit_batch_mutex);
+
tcp_twsk_purge(net_exit_list);
list_for_each_entry(net, net_exit_list, exit_list) {
@@ -3311,6 +3323,8 @@ static void __net_exit tcp_sk_exit_batch(struct list_head *net_exit_list)
WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));
tcp_fastopen_ctx_destroy(net);
}
+
+ mutex_unlock(&tcp_exit_batch_mutex);
}
static struct pernet_operations __net_initdata tcp_sk_ops = {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 251/341] net: mctp: test: Use correct skb for route input check
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 250/341] tcp: prevent concurrent execution of tcp_sk_exit_batch Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 252/341] kcm: Serialise kcm_sendmsg() for the same socket Greg Kroah-Hartman
` (102 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Jeremy Kerr,
Simon Horman, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeremy Kerr <jk@codeconstruct.com.au>
[ Upstream commit ce335db0621648472f9bb4b7191eb2e13a5793cf ]
In the MCTP route input test, we're routing one skb, then (when delivery
is expected) checking the resulting routed skb.
However, we're currently checking the original skb length, rather than
the routed skb. Check the routed skb instead; the original will have
been freed at this point.
Fixes: 8892c0490779 ("mctp: Add route input to socket tests")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/kernel-janitors/4ad204f0-94cf-46c5-bdab-49592addf315@kili.mountain/
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240816-mctp-kunit-skb-fix-v1-1-3c367ac89c27@codeconstruct.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mctp/test/route-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mctp/test/route-test.c b/net/mctp/test/route-test.c
index 92ea4158f7fc4..a944490a724d3 100644
--- a/net/mctp/test/route-test.c
+++ b/net/mctp/test/route-test.c
@@ -354,7 +354,7 @@ static void mctp_test_route_input_sk(struct kunit *test)
skb2 = skb_recv_datagram(sock->sk, MSG_DONTWAIT, &rc);
KUNIT_EXPECT_NOT_ERR_OR_NULL(test, skb2);
- KUNIT_EXPECT_EQ(test, skb->len, 1);
+ KUNIT_EXPECT_EQ(test, skb2->len, 1);
skb_free_datagram(sock->sk, skb2);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 252/341] kcm: Serialise kcm_sendmsg() for the same socket.
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 251/341] net: mctp: test: Use correct skb for route input check Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 253/341] netfilter: nft_counter: Disable BH in nft_counter_offload_stats() Greg Kroah-Hartman
` (101 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b72d86aa5df17ce74c60,
Kuniyuki Iwashima, Eric Dumazet, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 807067bf014d4a3ae2cc55bd3de16f22a01eb580 ]
syzkaller reported UAF in kcm_release(). [0]
The scenario is
1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb.
2. Thread A resumes building skb from kcm->seq_skb but is blocked
by sk_stream_wait_memory()
3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb
and puts the skb to the write queue
4. Thread A faces an error and finally frees skb that is already in the
write queue
5. kcm_release() does double-free the skb in the write queue
When a thread is building a MSG_MORE skb, another thread must not touch it.
Let's add a per-sk mutex and serialise kcm_sendmsg().
[0]:
BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]
BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]
BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]
BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]
BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691
Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167
CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x178/0x518 mm/kasan/report.c:488
kasan_report+0xd8/0x138 mm/kasan/report.c:601
__asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
__skb_unlink include/linux/skbuff.h:2366 [inline]
__skb_dequeue include/linux/skbuff.h:2385 [inline]
__skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]
__skb_queue_purge include/linux/skbuff.h:3181 [inline]
kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691
__sock_release net/socket.c:659 [inline]
sock_close+0xa4/0x1e8 net/socket.c:1421
__fput+0x30c/0x738 fs/file_table.c:376
____fput+0x20/0x30 fs/file_table.c:404
task_work_run+0x230/0x2e0 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x618/0x1f64 kernel/exit.c:871
do_group_exit+0x194/0x22c kernel/exit.c:1020
get_signal+0x1500/0x15ec kernel/signal.c:2893
do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249
do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Allocated by task 6166:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626
unpoison_slab_object mm/kasan/common.c:314 [inline]
__kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3813 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903
__alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641
alloc_skb include/linux/skbuff.h:1296 [inline]
kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
sock_sendmsg+0x220/0x2c0 net/socket.c:768
splice_to_socket+0x7cc/0xd58 fs/splice.c:889
do_splice_from fs/splice.c:941 [inline]
direct_splice_actor+0xec/0x1d8 fs/splice.c:1164
splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108
do_splice_direct_actor fs/splice.c:1207 [inline]
do_splice_direct+0x1e4/0x304 fs/splice.c:1233
do_sendfile+0x460/0xb3c fs/read_write.c:1295
__do_sys_sendfile64 fs/read_write.c:1362 [inline]
__se_sys_sendfile64 fs/read_write.c:1348 [inline]
__arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1348
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Freed by task 6167:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_free_info+0x5c/0x74 mm/kasan/generic.c:640
poison_slab_object+0x124/0x18c mm/kasan/common.c:241
__kasan_slab_free+0x3c/0x78 mm/kasan/common.c:257
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2121 [inline]
slab_free mm/slub.c:4299 [inline]
kmem_cache_free+0x15c/0x3d4 mm/slub.c:4363
kfree_skbmem+0x10c/0x19c
__kfree_skb net/core/skbuff.c:1109 [inline]
kfree_skb_reason+0x240/0x6f4 net/core/skbuff.c:1144
kfree_skb include/linux/skbuff.h:1244 [inline]
kcm_release+0x104/0x4c8 net/kcm/kcmsock.c:1685
__sock_release net/socket.c:659 [inline]
sock_close+0xa4/0x1e8 net/socket.c:1421
__fput+0x30c/0x738 fs/file_table.c:376
____fput+0x20/0x30 fs/file_table.c:404
task_work_run+0x230/0x2e0 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x618/0x1f64 kernel/exit.c:871
do_group_exit+0x194/0x22c kernel/exit.c:1020
get_signal+0x1500/0x15ec kernel/signal.c:2893
do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249
do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
The buggy address belongs to the object at ffff0000ced0fc80
which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 0 bytes inside of
freed 240-byte region [ffff0000ced0fc80, ffff0000ced0fd70)
The buggy address belongs to the physical page:
page:00000000d35f4ae4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ed0f
flags: 0x5ffc00000000800(slab|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000800 ffff0000c1cbf640 fffffdffc3423100 dead000000000004
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000ced0fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000ced0fc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
>ffff0000ced0fc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000ced0fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
ffff0000ced0fd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
Reported-by: syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b72d86aa5df17ce74c60
Tested-by: syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240815220437.69511-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/kcm.h | 1 +
net/kcm/kcmsock.c | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/include/net/kcm.h b/include/net/kcm.h
index 90279e5e09a5c..441e993be634c 100644
--- a/include/net/kcm.h
+++ b/include/net/kcm.h
@@ -70,6 +70,7 @@ struct kcm_sock {
struct work_struct tx_work;
struct list_head wait_psock_list;
struct sk_buff *seq_skb;
+ struct mutex tx_mutex;
u32 tx_stopped : 1;
/* Don't use bit fields here, these are set under different locks */
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index 41d892bf12cc6..829eb67240a99 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -754,6 +754,7 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
!(msg->msg_flags & MSG_MORE) : !!(msg->msg_flags & MSG_EOR);
int err = -EPIPE;
+ mutex_lock(&kcm->tx_mutex);
lock_sock(sk);
/* Per tcp_sendmsg this should be in poll */
@@ -925,6 +926,7 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
KCM_STATS_ADD(kcm->stats.tx_bytes, copied);
release_sock(sk);
+ mutex_unlock(&kcm->tx_mutex);
return copied;
out_error:
@@ -950,6 +952,7 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
sk->sk_write_space(sk);
release_sock(sk);
+ mutex_unlock(&kcm->tx_mutex);
return err;
}
@@ -1203,6 +1206,7 @@ static void init_kcm_sock(struct kcm_sock *kcm, struct kcm_mux *mux)
spin_unlock_bh(&mux->lock);
INIT_WORK(&kcm->tx_work, kcm_tx_work);
+ mutex_init(&kcm->tx_mutex);
spin_lock_bh(&mux->rx_lock);
kcm_rcv_ready(kcm);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 253/341] netfilter: nft_counter: Disable BH in nft_counter_offload_stats().
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 252/341] kcm: Serialise kcm_sendmsg() for the same socket Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 254/341] netfilter: nft_counter: Synchronize nft_counter_reset() against reader Greg Kroah-Hartman
` (100 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit 1eacdd71b3436b54d5fc8218c4bb0187d92a6892 ]
The sequence counter nft_counter_seq is a per-CPU counter. There is no
lock associated with it. nft_counter_do_eval() is using the same counter
and disables BH which suggest that it can be invoked from a softirq.
This in turn means that nft_counter_offload_stats(), which disables only
preemption, can be interrupted by nft_counter_do_eval() leading to two
writer for one seqcount_t.
This can lead to loosing stats or reading statistics while they are
updated.
Disable BH during stats update in nft_counter_offload_stats() to ensure
one writer at a time.
Fixes: b72920f6e4a9d ("netfilter: nftables: counter hardware offload support")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_counter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_counter.c b/net/netfilter/nft_counter.c
index dccc68a5135ad..5a90c3c7268bf 100644
--- a/net/netfilter/nft_counter.c
+++ b/net/netfilter/nft_counter.c
@@ -265,7 +265,7 @@ static void nft_counter_offload_stats(struct nft_expr *expr,
struct nft_counter *this_cpu;
seqcount_t *myseq;
- preempt_disable();
+ local_bh_disable();
this_cpu = this_cpu_ptr(priv->counter);
myseq = this_cpu_ptr(&nft_counter_seq);
@@ -273,7 +273,7 @@ static void nft_counter_offload_stats(struct nft_expr *expr,
this_cpu->packets += stats->pkts;
this_cpu->bytes += stats->bytes;
write_seqcount_end(myseq);
- preempt_enable();
+ local_bh_enable();
}
void nft_counter_init_seqcount(void)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 254/341] netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 253/341] netfilter: nft_counter: Disable BH in nft_counter_offload_stats() Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 255/341] ip6_tunnel: Fix broken GRO Greg Kroah-Hartman
` (99 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit a0b39e2dc7017ac667b70bdeee5293e410fab2fb ]
nft_counter_reset() resets the counter by subtracting the previously
retrieved value from the counter. This is a write operation on the
counter and as such it requires to be performed with a write sequence of
nft_counter_seq to serialize against its possible reader.
Update the packets/ bytes within write-sequence of nft_counter_seq.
Fixes: d84701ecbcd6a ("netfilter: nft_counter: rework atomic dump and reset")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_counter.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/netfilter/nft_counter.c b/net/netfilter/nft_counter.c
index 5a90c3c7268bf..b7aa4d2c8c22f 100644
--- a/net/netfilter/nft_counter.c
+++ b/net/netfilter/nft_counter.c
@@ -107,11 +107,16 @@ static void nft_counter_reset(struct nft_counter_percpu_priv *priv,
struct nft_counter *total)
{
struct nft_counter *this_cpu;
+ seqcount_t *myseq;
local_bh_disable();
this_cpu = this_cpu_ptr(priv->counter);
+ myseq = this_cpu_ptr(&nft_counter_seq);
+
+ write_seqcount_begin(myseq);
this_cpu->packets -= total->packets;
this_cpu->bytes -= total->bytes;
+ write_seqcount_end(myseq);
local_bh_enable();
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 255/341] ip6_tunnel: Fix broken GRO
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 254/341] netfilter: nft_counter: Synchronize nft_counter_reset() against reader Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 256/341] bonding: fix bond_ipsec_offload_ok return type Greg Kroah-Hartman
` (98 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Bogendoerfer, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
[ Upstream commit 4b3e33fcc38f7750604b065c55a43e94c5bc3145 ]
GRO code checks for matching layer 2 headers to see, if packet belongs
to the same flow and because ip6 tunnel set dev->hard_header_len
this check fails in cases, where it shouldn't. To fix this don't
set hard_header_len, but use needed_headroom like ipv4/ip_tunnel.c
does.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
Link: https://patch.msgid.link/20240815151419.109864-1-tbogendoerfer@suse.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_tunnel.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 70478027a7af7..97905d4174eca 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1508,7 +1508,8 @@ static void ip6_tnl_link_config(struct ip6_tnl *t)
tdev = __dev_get_by_index(t->net, p->link);
if (tdev) {
- dev->hard_header_len = tdev->hard_header_len + t_hlen;
+ dev->needed_headroom = tdev->hard_header_len +
+ tdev->needed_headroom + t_hlen;
mtu = min_t(unsigned int, tdev->mtu, IP6_MAX_MTU);
mtu = mtu - t_hlen;
@@ -1732,7 +1733,9 @@ ip6_tnl_siocdevprivate(struct net_device *dev, struct ifreq *ifr,
int ip6_tnl_change_mtu(struct net_device *dev, int new_mtu)
{
struct ip6_tnl *tnl = netdev_priv(dev);
+ int t_hlen;
+ t_hlen = tnl->hlen + sizeof(struct ipv6hdr);
if (tnl->parms.proto == IPPROTO_IPV6) {
if (new_mtu < IPV6_MIN_MTU)
return -EINVAL;
@@ -1741,10 +1744,10 @@ int ip6_tnl_change_mtu(struct net_device *dev, int new_mtu)
return -EINVAL;
}
if (tnl->parms.proto == IPPROTO_IPV6 || tnl->parms.proto == 0) {
- if (new_mtu > IP6_MAX_MTU - dev->hard_header_len)
+ if (new_mtu > IP6_MAX_MTU - dev->hard_header_len - t_hlen)
return -EINVAL;
} else {
- if (new_mtu > IP_MAX_MTU - dev->hard_header_len)
+ if (new_mtu > IP_MAX_MTU - dev->hard_header_len - t_hlen)
return -EINVAL;
}
dev->mtu = new_mtu;
@@ -1890,12 +1893,11 @@ ip6_tnl_dev_init_gen(struct net_device *dev)
t_hlen = t->hlen + sizeof(struct ipv6hdr);
dev->type = ARPHRD_TUNNEL6;
- dev->hard_header_len = LL_MAX_HEADER + t_hlen;
dev->mtu = ETH_DATA_LEN - t_hlen;
if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
dev->mtu -= 8;
dev->min_mtu = ETH_MIN_MTU;
- dev->max_mtu = IP6_MAX_MTU - dev->hard_header_len;
+ dev->max_mtu = IP6_MAX_MTU - dev->hard_header_len - t_hlen;
netdev_hold(dev, &t->dev_tracker, GFP_KERNEL);
netdev_lockdep_set_classes(dev);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 256/341] bonding: fix bond_ipsec_offload_ok return type
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 255/341] ip6_tunnel: Fix broken GRO Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 257/341] bonding: fix null pointer deref in bond_ipsec_offload_ok Greg Kroah-Hartman
` (97 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, Hangbin Liu,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Aleksandrov <razor@blackwall.org>
[ Upstream commit fc59b9a5f7201b9f7272944596113a82cc7773d5 ]
Fix the return type which should be bool.
Fixes: 955b785ec6b3 ("bonding: fix suspicious RCU usage in bond_ipsec_offload_ok()")
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 18 ++++++------------
1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 722ac5c4992c9..b4f8f5112edd5 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -599,34 +599,28 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
struct net_device *real_dev;
struct slave *curr_active;
struct bonding *bond;
- int err;
+ bool ok = false;
bond = netdev_priv(bond_dev);
rcu_read_lock();
curr_active = rcu_dereference(bond->curr_active_slave);
real_dev = curr_active->dev;
- if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
- err = false;
+ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
goto out;
- }
- if (!xs->xso.real_dev) {
- err = false;
+ if (!xs->xso.real_dev)
goto out;
- }
if (!real_dev->xfrmdev_ops ||
!real_dev->xfrmdev_ops->xdo_dev_offload_ok ||
- netif_is_bond_master(real_dev)) {
- err = false;
+ netif_is_bond_master(real_dev))
goto out;
- }
- err = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
+ ok = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
out:
rcu_read_unlock();
- return err;
+ return ok;
}
static const struct xfrmdev_ops bond_xfrmdev_ops = {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 257/341] bonding: fix null pointer deref in bond_ipsec_offload_ok
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 256/341] bonding: fix bond_ipsec_offload_ok return type Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 258/341] bonding: fix xfrm real_dev null pointer dereference Greg Kroah-Hartman
` (96 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, Hangbin Liu,
Eric Dumazet, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Aleksandrov <razor@blackwall.org>
[ Upstream commit 95c90e4ad89d493a7a14fa200082e466e2548f9d ]
We must check if there is an active slave before dereferencing the pointer.
Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index b4f8f5112edd5..a6eb907a9a273 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -604,6 +604,8 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
bond = netdev_priv(bond_dev);
rcu_read_lock();
curr_active = rcu_dereference(bond->curr_active_slave);
+ if (!curr_active)
+ goto out;
real_dev = curr_active->dev;
if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 258/341] bonding: fix xfrm real_dev null pointer dereference
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 257/341] bonding: fix null pointer deref in bond_ipsec_offload_ok Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 259/341] bonding: fix xfrm state handling when clearing active slave Greg Kroah-Hartman
` (95 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, Hangbin Liu,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Aleksandrov <razor@blackwall.org>
[ Upstream commit f8cde9805981c50d0c029063dc7d82821806fc44 ]
We shouldn't set real_dev to NULL because packets can be in transit and
xfrm might call xdo_dev_offload_ok() in parallel. All callbacks assume
real_dev is set.
Example trace:
kernel: BUG: unable to handle page fault for address: 0000000000001030
kernel: bond0: (slave eni0np1): making interface the new active one
kernel: #PF: supervisor write access in kernel mode
kernel: #PF: error_code(0x0002) - not-present page
kernel: PGD 0 P4D 0
kernel: Oops: 0002 [#1] PREEMPT SMP
kernel: CPU: 4 PID: 2237 Comm: ping Not tainted 6.7.7+ #12
kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
kernel: RIP: 0010:nsim_ipsec_offload_ok+0xc/0x20 [netdevsim]
kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
kernel: Code: e0 0f 0b 48 83 7f 38 00 74 de 0f 0b 48 8b 47 08 48 8b 37 48 8b 78 40 e9 b2 e5 9a d7 66 90 0f 1f 44 00 00 48 8b 86 80 02 00 00 <83> 80 30 10 00 00 01 b8 01 00 00 00 c3 0f 1f 80 00 00 00 00 0f 1f
kernel: bond0: (slave eni0np1): making interface the new active one
kernel: RSP: 0018:ffffabde81553b98 EFLAGS: 00010246
kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
kernel:
kernel: RAX: 0000000000000000 RBX: ffff9eb404e74900 RCX: ffff9eb403d97c60
kernel: RDX: ffffffffc090de10 RSI: ffff9eb404e74900 RDI: ffff9eb3c5de9e00
kernel: RBP: ffff9eb3c0a42000 R08: 0000000000000010 R09: 0000000000000014
kernel: R10: 7974203030303030 R11: 3030303030303030 R12: 0000000000000000
kernel: R13: ffff9eb3c5de9e00 R14: ffffabde81553cc8 R15: ffff9eb404c53000
kernel: FS: 00007f2a77a3ad00(0000) GS:ffff9eb43bd00000(0000) knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000000000001030 CR3: 00000001122ab000 CR4: 0000000000350ef0
kernel: bond0: (slave eni0np1): making interface the new active one
kernel: Call Trace:
kernel: <TASK>
kernel: ? __die+0x1f/0x60
kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
kernel: ? page_fault_oops+0x142/0x4c0
kernel: ? do_user_addr_fault+0x65/0x670
kernel: ? kvm_read_and_reset_apf_flags+0x3b/0x50
kernel: bond0: (slave eni0np1): making interface the new active one
kernel: ? exc_page_fault+0x7b/0x180
kernel: ? asm_exc_page_fault+0x22/0x30
kernel: ? nsim_bpf_uninit+0x50/0x50 [netdevsim]
kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
kernel: ? nsim_ipsec_offload_ok+0xc/0x20 [netdevsim]
kernel: bond0: (slave eni0np1): making interface the new active one
kernel: bond_ipsec_offload_ok+0x7b/0x90 [bonding]
kernel: xfrm_output+0x61/0x3b0
kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
kernel: ip_push_pending_frames+0x56/0x80
Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index a6eb907a9a273..566b02ca78261 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -582,7 +582,6 @@ static void bond_ipsec_del_sa_all(struct bonding *bond)
} else {
slave->dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs);
}
- ipsec->xs->xso.real_dev = NULL;
}
spin_unlock_bh(&bond->ipsec_lock);
rcu_read_unlock();
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 259/341] bonding: fix xfrm state handling when clearing active slave
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 258/341] bonding: fix xfrm real_dev null pointer dereference Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 260/341] ice: fix page reuse when PAGE_SIZE is over 8k Greg Kroah-Hartman
` (94 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, Hangbin Liu,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Aleksandrov <razor@blackwall.org>
[ Upstream commit c4c5c5d2ef40a9f67a9241dc5422eac9ffe19547 ]
If the active slave is cleared manually the xfrm state is not flushed.
This leads to xfrm add/del imbalance and adding the same state multiple
times. For example when the device cannot handle anymore states we get:
[ 1169.884811] bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
because it's filled with the same state after multiple active slave
clearings. This change also has a few nice side effects: user-space
gets a notification for the change, the old device gets its mac address
and promisc/mcast adjusted properly.
Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_options.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index 00a662f8edd6b..d1208d058eea1 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -920,7 +920,7 @@ static int bond_option_active_slave_set(struct bonding *bond,
/* check to see if we are clearing active */
if (!slave_dev) {
netdev_dbg(bond->dev, "Clearing current active slave\n");
- RCU_INIT_POINTER(bond->curr_active_slave, NULL);
+ bond_change_active_slave(bond, NULL);
bond_select_active_slave(bond);
} else {
struct slave *old_active = rtnl_dereference(bond->curr_active_slave);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 260/341] ice: fix page reuse when PAGE_SIZE is over 8k
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 259/341] bonding: fix xfrm state handling when clearing active slave Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 261/341] ice: fix ICE_LAST_OFFSET formula Greg Kroah-Hartman
` (93 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Fijalkowski, Tony Nguyen,
Sasha Levin, Chandan Kumar Rout
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
[ Upstream commit 50b2143356e888777fc5bca023c39f34f404613a ]
Architectures that have PAGE_SIZE >= 8192 such as arm64 should act the
same as x86 currently, meaning reuse of a page should only take place
when no one else is busy with it.
Do two things independently of underlying PAGE_SIZE:
- store the page count under ice_rx_buf::pgcnt
- then act upon its value vs ice_rx_buf::pagecnt_bias when making the
decision regarding page reuse
Fixes: 2b245cb29421 ("ice: Implement transmit and NAPI support")
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_txrx.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
index 49b1fa9651161..8e53195df2b1c 100644
--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
+++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
@@ -834,16 +834,15 @@ ice_can_reuse_rx_page(struct ice_rx_buf *rx_buf)
if (!dev_page_is_reusable(page))
return false;
-#if (PAGE_SIZE < 8192)
/* if we are only owner of page we can reuse it */
if (unlikely(rx_buf->pgcnt - pagecnt_bias > 1))
return false;
-#else
+#if (PAGE_SIZE >= 8192)
#define ICE_LAST_OFFSET \
(SKB_WITH_OVERHEAD(PAGE_SIZE) - ICE_RXBUF_2048)
if (rx_buf->page_offset > ICE_LAST_OFFSET)
return false;
-#endif /* PAGE_SIZE < 8192) */
+#endif /* PAGE_SIZE >= 8192) */
/* If we have drained the page fragment pool we need to update
* the pagecnt_bias and page count so that we fully restock the
@@ -946,12 +945,7 @@ ice_get_rx_buf(struct ice_rx_ring *rx_ring, const unsigned int size,
struct ice_rx_buf *rx_buf;
rx_buf = &rx_ring->rx_buf[ntc];
- rx_buf->pgcnt =
-#if (PAGE_SIZE < 8192)
- page_count(rx_buf->page);
-#else
- 0;
-#endif
+ rx_buf->pgcnt = page_count(rx_buf->page);
prefetchw(rx_buf->page);
if (!size)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 261/341] ice: fix ICE_LAST_OFFSET formula
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 260/341] ice: fix page reuse when PAGE_SIZE is over 8k Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 262/341] ice: fix truesize operations for PAGE_SIZE >= 8192 Greg Kroah-Hartman
` (92 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Capitulino, Maciej Fijalkowski,
Tony Nguyen, Sasha Levin, Chandan Kumar Rout
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
[ Upstream commit b966ad832942b5a11e002f9b5ef102b08425b84a ]
For bigger PAGE_SIZE archs, ice driver works on 3k Rx buffers.
Therefore, ICE_LAST_OFFSET should take into account ICE_RXBUF_3072, not
ICE_RXBUF_2048.
Fixes: 7237f5b0dba4 ("ice: introduce legacy Rx flag")
Suggested-by: Luiz Capitulino <luizcap@redhat.com>
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_txrx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
index 8e53195df2b1c..55faa8384bcfe 100644
--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
+++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
@@ -839,7 +839,7 @@ ice_can_reuse_rx_page(struct ice_rx_buf *rx_buf)
return false;
#if (PAGE_SIZE >= 8192)
#define ICE_LAST_OFFSET \
- (SKB_WITH_OVERHEAD(PAGE_SIZE) - ICE_RXBUF_2048)
+ (SKB_WITH_OVERHEAD(PAGE_SIZE) - ICE_RXBUF_3072)
if (rx_buf->page_offset > ICE_LAST_OFFSET)
return false;
#endif /* PAGE_SIZE >= 8192) */
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 262/341] ice: fix truesize operations for PAGE_SIZE >= 8192
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 261/341] ice: fix ICE_LAST_OFFSET formula Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 263/341] dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp() Greg Kroah-Hartman
` (91 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Fijalkowski, Tony Nguyen,
Sasha Levin, Luiz Capitulino, Chandan Kumar Rout
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
[ Upstream commit d53d4dcce69be5773e2d0878c9899ebfbf58c393 ]
When working on multi-buffer packet on arch that has PAGE_SIZE >= 8192,
truesize is calculated and stored in xdp_buff::frame_sz per each
processed Rx buffer. This means that frame_sz will contain the truesize
based on last received buffer, but commit 1dc1a7e7f410 ("ice:
Centrallize Rx buffer recycling") assumed this value will be constant
for each buffer, which breaks the page recycling scheme and mess up the
way we update the page::page_offset.
To fix this, let us work on constant truesize when PAGE_SIZE >= 8192
instead of basing this on size of a packet read from Rx descriptor. This
way we can simplify the code and avoid calculating truesize per each
received frame and on top of that when using
xdp_update_skb_shared_info(), current formula for truesize update will
be valid.
This means ice_rx_frame_truesize() can be removed altogether.
Furthermore, first call to it within ice_clean_rx_irq() for 4k PAGE_SIZE
was redundant as xdp_buff::frame_sz is initialized via xdp_init_buff()
in ice_vsi_cfg_rxq(). This should have been removed at the point where
xdp_buff struct started to be a member of ice_rx_ring and it was no
longer a stack based variable.
There are two fixes tags as my understanding is that the first one
exposed us to broken truesize and page_offset handling and then second
introduced broken skb_shared_info update in ice_{construct,build}_skb().
Reported-and-tested-by: Luiz Capitulino <luizcap@redhat.com>
Closes: https://lore.kernel.org/netdev/8f9e2a5c-fd30-4206-9311-946a06d031bb@redhat.com/
Fixes: 1dc1a7e7f410 ("ice: Centrallize Rx buffer recycling")
Fixes: 2fba7dc5157b ("ice: Add support for XDP multi-buffer on Rx side")
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_base.c | 21 ++++++++++++++-
drivers/net/ethernet/intel/ice/ice_txrx.c | 33 -----------------------
2 files changed, 20 insertions(+), 34 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_base.c b/drivers/net/ethernet/intel/ice/ice_base.c
index 4f3e65b47cdc3..9a0682b05c4ff 100644
--- a/drivers/net/ethernet/intel/ice/ice_base.c
+++ b/drivers/net/ethernet/intel/ice/ice_base.c
@@ -519,6 +519,25 @@ static int ice_setup_rx_ctx(struct ice_rx_ring *ring)
return 0;
}
+/**
+ * ice_get_frame_sz - calculate xdp_buff::frame_sz
+ * @rx_ring: the ring being configured
+ *
+ * Return frame size based on underlying PAGE_SIZE
+ */
+static unsigned int ice_get_frame_sz(struct ice_rx_ring *rx_ring)
+{
+ unsigned int frame_sz;
+
+#if (PAGE_SIZE >= 8192)
+ frame_sz = rx_ring->rx_buf_len;
+#else
+ frame_sz = ice_rx_pg_size(rx_ring) / 2;
+#endif
+
+ return frame_sz;
+}
+
/**
* ice_vsi_cfg_rxq - Configure an Rx queue
* @ring: the ring being configured
@@ -582,7 +601,7 @@ int ice_vsi_cfg_rxq(struct ice_rx_ring *ring)
}
}
- xdp_init_buff(&ring->xdp, ice_rx_pg_size(ring) / 2, &ring->xdp_rxq);
+ xdp_init_buff(&ring->xdp, ice_get_frame_sz(ring), &ring->xdp_rxq);
ring->xdp.data = NULL;
err = ice_setup_rx_ctx(ring);
if (err) {
diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
index 55faa8384bcfe..429afffa4c316 100644
--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
+++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
@@ -521,30 +521,6 @@ int ice_setup_rx_ring(struct ice_rx_ring *rx_ring)
return -ENOMEM;
}
-/**
- * ice_rx_frame_truesize
- * @rx_ring: ptr to Rx ring
- * @size: size
- *
- * calculate the truesize with taking into the account PAGE_SIZE of
- * underlying arch
- */
-static unsigned int
-ice_rx_frame_truesize(struct ice_rx_ring *rx_ring, const unsigned int size)
-{
- unsigned int truesize;
-
-#if (PAGE_SIZE < 8192)
- truesize = ice_rx_pg_size(rx_ring) / 2; /* Must be power-of-2 */
-#else
- truesize = rx_ring->rx_offset ?
- SKB_DATA_ALIGN(rx_ring->rx_offset + size) +
- SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) :
- SKB_DATA_ALIGN(size);
-#endif
- return truesize;
-}
-
/**
* ice_run_xdp - Executes an XDP program on initialized xdp_buff
* @rx_ring: Rx ring
@@ -1152,11 +1128,6 @@ int ice_clean_rx_irq(struct ice_rx_ring *rx_ring, int budget)
bool failure;
u32 first;
- /* Frame size depend on rx_ring setup when PAGE_SIZE=4K */
-#if (PAGE_SIZE < 8192)
- xdp->frame_sz = ice_rx_frame_truesize(rx_ring, 0);
-#endif
-
xdp_prog = READ_ONCE(rx_ring->xdp_prog);
if (xdp_prog) {
xdp_ring = rx_ring->xdp_ring;
@@ -1216,10 +1187,6 @@ int ice_clean_rx_irq(struct ice_rx_ring *rx_ring, int budget)
hard_start = page_address(rx_buf->page) + rx_buf->page_offset -
offset;
xdp_prepare_buff(xdp, hard_start, offset, size, !!offset);
-#if (PAGE_SIZE > 4096)
- /* At larger PAGE_SIZE, frame_sz depend on len size */
- xdp->frame_sz = ice_rx_frame_truesize(rx_ring, size);
-#endif
xdp_buff_clear_frags_flag(xdp);
} else if (ice_add_xdp_frag(rx_ring, xdp, rx_buf, size)) {
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 263/341] dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 262/341] ice: fix truesize operations for PAGE_SIZE >= 8192 Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 264/341] igb: cope with large MAX_SKB_FRAGS Greg Kroah-Hartman
` (90 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Simon Horman,
Ioana Ciornei, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit c50e7475961c36ec4d21d60af055b32f9436b431 ]
The dpaa2_switch_add_bufs() function returns the number of bufs that it
was able to add. It returns BUFS_PER_CMD (7) for complete success or a
smaller number if there are not enough pages available. However, the
error checking is looking at the total number of bufs instead of the
number which were added on this iteration. Thus the error checking
only works correctly for the first iteration through the loop and
subsequent iterations are always counted as a success.
Fix this by checking only the bufs added in the current iteration.
Fixes: 0b1b71370458 ("staging: dpaa2-switch: handle Rx path on control interface")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://patch.msgid.link/eec27f30-b43f-42b6-b8ee-04a6f83423b6@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index e01a246124ac6..a05a8525caa45 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -2603,13 +2603,14 @@ static int dpaa2_switch_refill_bp(struct ethsw_core *ethsw)
static int dpaa2_switch_seed_bp(struct ethsw_core *ethsw)
{
- int *count, i;
+ int *count, ret, i;
for (i = 0; i < DPAA2_ETHSW_NUM_BUFS; i += BUFS_PER_CMD) {
+ ret = dpaa2_switch_add_bufs(ethsw, ethsw->bpid);
count = ðsw->buf_count;
- *count += dpaa2_switch_add_bufs(ethsw, ethsw->bpid);
+ *count += ret;
- if (unlikely(*count < BUFS_PER_CMD))
+ if (unlikely(ret < BUFS_PER_CMD))
return -ENOMEM;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 264/341] igb: cope with large MAX_SKB_FRAGS
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 263/341] dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp() Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 265/341] net: dsa: mv88e6xxx: Fix out-of-bound access Greg Kroah-Hartman
` (89 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Tluka, Jirka Hladky,
Sabrina Dubroca, Corinna Vinschen, Paolo Abeni, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 8aba27c4a5020abdf60149239198297f88338a8d ]
Sabrina reports that the igb driver does not cope well with large
MAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload
corruption on TX.
An easy reproducer is to run ssh to connect to the machine. With
MAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails. This has
been reported originally in
https://bugzilla.redhat.com/show_bug.cgi?id=2265320
The root cause of the issue is that the driver does not take into
account properly the (possibly large) shared info size when selecting
the ring layout, and will try to fit two packets inside the same 4K
page even when the 1st fraglist will trump over the 2nd head.
Address the issue by checking if 2K buffers are insufficient.
Fixes: 3948b05950fd ("net: introduce a config option to tweak MAX_SKB_FRAGS")
Reported-by: Jan Tluka <jtluka@redhat.com>
Reported-by: Jirka Hladky <jhladky@redhat.com>
Reported-by: Sabrina Dubroca <sd@queasysnail.net>
Tested-by: Sabrina Dubroca <sd@queasysnail.net>
Tested-by: Corinna Vinschen <vinschen@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
Link: https://patch.msgid.link/20240816152034.1453285-1-vinschen@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igb/igb_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 4431e7693d45f..8c8894ef33886 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -4833,6 +4833,7 @@ static void igb_set_rx_buffer_len(struct igb_adapter *adapter,
#if (PAGE_SIZE < 8192)
if (adapter->max_frame_size > IGB_MAX_FRAME_BUILD_SKB ||
+ IGB_2K_TOO_SMALL_WITH_PADDING ||
rd32(E1000_RCTL) & E1000_RCTL_SBP)
set_ring_uses_large_buffer(rx_ring);
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 265/341] net: dsa: mv88e6xxx: Fix out-of-bound access
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 264/341] igb: cope with large MAX_SKB_FRAGS Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 266/341] netem: fix return value if duplicate enqueue fails Greg Kroah-Hartman
` (88 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joseph Huang, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joseph Huang <Joseph.Huang@garmin.com>
[ Upstream commit 528876d867a23b5198022baf2e388052ca67c952 ]
If an ATU violation was caused by a CPU Load operation, the SPID could
be larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array).
Fixes: 75c05a74e745 ("net: dsa: mv88e6xxx: Fix counting of ATU violations")
Signed-off-by: Joseph Huang <Joseph.Huang@garmin.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20240819235251.1331763-1-Joseph.Huang@garmin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c
index ce3b3690c3c05..c47f068f56b32 100644
--- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
+++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
@@ -457,7 +457,8 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
trace_mv88e6xxx_atu_full_violation(chip->dev, spid,
entry.portvec, entry.mac,
fid);
- chip->ports[spid].atu_full_violation++;
+ if (spid < ARRAY_SIZE(chip->ports))
+ chip->ports[spid].atu_full_violation++;
}
return IRQ_HANDLED;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 266/341] netem: fix return value if duplicate enqueue fails
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 265/341] net: dsa: mv88e6xxx: Fix out-of-bound access Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 267/341] udp: fix receiving fraglist GSO packets Greg Kroah-Hartman
` (87 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Budimir Markovic, Stephen Hemminger,
Simon Horman, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit c07ff8592d57ed258afee5a5e04991a48dbaf382 ]
There is a bug in netem_enqueue() introduced by
commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
that can lead to a use-after-free.
This commit made netem_enqueue() always return NET_XMIT_SUCCESS
when a packet is duplicated, which can cause the parent qdisc's q.qlen
to be mistakenly incremented. When this happens qlen_notify() may be
skipped on the parent during destruction, leaving a dangling pointer
for some classful qdiscs like DRR.
There are two ways for the bug happen:
- If the duplicated packet is dropped by rootq->enqueue() and then
the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc
and the original packet is dropped.
In both cases NET_XMIT_SUCCESS is returned even though no packets
are enqueued at the netem qdisc.
The fix is to defer the enqueue of the duplicate packet until after
the original packet has been guaranteed to return NET_XMIT_SUCCESS.
Fixes: 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240819175753.5151-1-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 47 ++++++++++++++++++++++++++-----------------
1 file changed, 29 insertions(+), 18 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 4ad39a4a3cf5b..0224a92492453 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -446,12 +446,10 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
struct netem_sched_data *q = qdisc_priv(sch);
/* We don't fill cb now as skb_unshare() may invalidate it */
struct netem_skb_cb *cb;
- struct sk_buff *skb2;
+ struct sk_buff *skb2 = NULL;
struct sk_buff *segs = NULL;
unsigned int prev_len = qdisc_pkt_len(skb);
int count = 1;
- int rc = NET_XMIT_SUCCESS;
- int rc_drop = NET_XMIT_DROP;
/* Do not fool qdisc_drop_all() */
skb->prev = NULL;
@@ -480,19 +478,11 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
skb_orphan_partial(skb);
/*
- * If we need to duplicate packet, then re-insert at top of the
- * qdisc tree, since parent queuer expects that only one
- * skb will be queued.
+ * If we need to duplicate packet, then clone it before
+ * original is modified.
*/
- if (count > 1 && (skb2 = skb_clone(skb, GFP_ATOMIC)) != NULL) {
- struct Qdisc *rootq = qdisc_root_bh(sch);
- u32 dupsave = q->duplicate; /* prevent duplicating a dup... */
-
- q->duplicate = 0;
- rootq->enqueue(skb2, rootq, to_free);
- q->duplicate = dupsave;
- rc_drop = NET_XMIT_SUCCESS;
- }
+ if (count > 1)
+ skb2 = skb_clone(skb, GFP_ATOMIC);
/*
* Randomized packet corruption.
@@ -504,7 +494,8 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (skb_is_gso(skb)) {
skb = netem_segment(skb, sch, to_free);
if (!skb)
- return rc_drop;
+ goto finish_segs;
+
segs = skb->next;
skb_mark_not_on_list(skb);
qdisc_skb_cb(skb)->pkt_len = skb->len;
@@ -530,7 +521,24 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
/* re-link segs, so that qdisc_drop_all() frees them all */
skb->next = segs;
qdisc_drop_all(skb, sch, to_free);
- return rc_drop;
+ if (skb2)
+ __qdisc_drop(skb2, to_free);
+ return NET_XMIT_DROP;
+ }
+
+ /*
+ * If doing duplication then re-insert at top of the
+ * qdisc tree, since parent queuer expects that only one
+ * skb will be queued.
+ */
+ if (skb2) {
+ struct Qdisc *rootq = qdisc_root_bh(sch);
+ u32 dupsave = q->duplicate; /* prevent duplicating a dup... */
+
+ q->duplicate = 0;
+ rootq->enqueue(skb2, rootq, to_free);
+ q->duplicate = dupsave;
+ skb2 = NULL;
}
qdisc_qstats_backlog_inc(sch, skb);
@@ -601,9 +609,12 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
}
finish_segs:
+ if (skb2)
+ __qdisc_drop(skb2, to_free);
+
if (segs) {
unsigned int len, last_len;
- int nb;
+ int rc, nb;
len = skb ? skb->len : 0;
nb = skb ? 1 : 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 267/341] udp: fix receiving fraglist GSO packets
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 266/341] netem: fix return value if duplicate enqueue fails Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 268/341] ipv6: prevent UAF in ip6_send_skb() Greg Kroah-Hartman
` (86 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Fietkau, Willem de Bruijn,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@nbd.name>
[ Upstream commit b128ed5ab27330deeeaf51ea8bb69f1442a96f7f ]
When assembling fraglist GSO packets, udp4_gro_complete does not set
skb->csum_start, which makes the extra validation in __udp_gso_segment fail.
Fixes: 89add40066f9 ("net: drop bad gso csum_start and offset in virtio_net_hdr")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20240819150621.59833-1-nbd@nbd.name
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/udp_offload.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 9cb13a50011ef..f544016e6eb3f 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -279,7 +279,8 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
return ERR_PTR(-EINVAL);
if (unlikely(skb_checksum_start(gso_skb) !=
- skb_transport_header(gso_skb)))
+ skb_transport_header(gso_skb) &&
+ !(skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST)))
return ERR_PTR(-EINVAL);
if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 268/341] ipv6: prevent UAF in ip6_send_skb()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 267/341] udp: fix receiving fraglist GSO packets Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 269/341] ipv6: fix possible UAF in ip6_finish_output2() Greg Kroah-Hartman
` (85 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, syzbot, David Ahern,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit faa389b2fbaaec7fd27a390b4896139f9da662e3 ]
syzbot reported an UAF in ip6_send_skb() [1]
After ip6_local_out() has returned, we no longer can safely
dereference rt, unless we hold rcu_read_lock().
A similar issue has been fixed in commit
a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()")
Another potential issue in ip6_finish_output2() is handled in a
separate patch.
[1]
BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530
CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588
rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x1a6/0x270 net/socket.c:745
sock_write_iter+0x2dd/0x400 net/socket.c:1160
do_iter_readv_writev+0x60a/0x890
vfs_writev+0x37c/0xbb0 fs/read_write.c:971
do_writev+0x1b1/0x350 fs/read_write.c:1018
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f936bf79e79
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79
RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8
</TASK>
Allocated by task 6530:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:312 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3988 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044
dst_alloc+0x12b/0x190 net/core/dst.c:89
ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670
make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]
xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313
ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257
rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x1a6/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
___sys_sendmsg net/socket.c:2651 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 45:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2252 [inline]
slab_free mm/slub.c:4473 [inline]
kmem_cache_free+0x145/0x350 mm/slub.c:4548
dst_destroy+0x2ac/0x460 net/core/dst.c:124
rcu_do_batch kernel/rcu/tree.c:2569 [inline]
rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2843
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
__call_rcu_common kernel/rcu/tree.c:3106 [inline]
call_rcu+0x167/0xa70 kernel/rcu/tree.c:3210
refdst_drop include/net/dst.h:263 [inline]
skb_dst_drop include/net/dst.h:275 [inline]
nf_ct_frag6_queue net/ipv6/netfilter/nf_conntrack_reasm.c:306 [inline]
nf_ct_frag6_gather+0xb9a/0x2080 net/ipv6/netfilter/nf_conntrack_reasm.c:485
ipv6_defrag+0x2c8/0x3c0 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:67
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
__ip6_local_out+0x6fa/0x800 net/ipv6/output_core.c:143
ip6_local_out+0x26/0x70 net/ipv6/output_core.c:153
ip6_send_skb+0x112/0x230 net/ipv6/ip6_output.c:1959
rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588
rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x1a6/0x270 net/socket.c:745
sock_write_iter+0x2dd/0x400 net/socket.c:1160
do_iter_readv_writev+0x60a/0x890
Fixes: 0625491493d9 ("ipv6: ip6_push_pending_frames() should increment IPSTATS_MIB_OUTDISCARDS")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20240820160859.3786976-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_output.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index db8d0e1bf69ff..8d4aaa4029b3e 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -2023,6 +2023,7 @@ int ip6_send_skb(struct sk_buff *skb)
struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
int err;
+ rcu_read_lock();
err = ip6_local_out(net, skb->sk, skb);
if (err) {
if (err > 0)
@@ -2032,6 +2033,7 @@ int ip6_send_skb(struct sk_buff *skb)
IPSTATS_MIB_OUTDISCARDS);
}
+ rcu_read_unlock();
return err;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 269/341] ipv6: fix possible UAF in ip6_finish_output2()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 268/341] ipv6: prevent UAF in ip6_send_skb() Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 270/341] ipv6: prevent possible UAF in ip6_xmit() Greg Kroah-Hartman
` (84 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Vasily Averin,
David Ahern, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit da273b377ae0d9bd255281ed3c2adb228321687b ]
If skb_expand_head() returns NULL, skb has been freed
and associated dst/idev could also have been freed.
We need to hold rcu_read_lock() to make sure the dst and
associated idev are alive.
Fixes: 5796015fa968 ("ipv6: allocate enough headroom in ip6_finish_output2()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vasily Averin <vasily.averin@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20240820160859.3786976-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_output.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 8d4aaa4029b3e..9cff86c01abca 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -70,11 +70,15 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
/* Be paranoid, rather than too clever. */
if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) {
+ /* Make sure idev stays alive */
+ rcu_read_lock();
skb = skb_expand_head(skb, hh_len);
if (!skb) {
IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
+ rcu_read_unlock();
return -ENOMEM;
}
+ rcu_read_unlock();
}
hdr = ipv6_hdr(skb);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 270/341] ipv6: prevent possible UAF in ip6_xmit()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 269/341] ipv6: fix possible UAF in ip6_finish_output2() Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 271/341] bnxt_en: Fix double DMA unmapping for XDP_REDIRECT Greg Kroah-Hartman
` (83 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Vasily Averin,
David Ahern, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 2d5ff7e339d04622d8282661df36151906d0e1c7 ]
If skb_expand_head() returns NULL, skb has been freed
and the associated dst/idev could also have been freed.
We must use rcu_read_lock() to prevent a possible UAF.
Fixes: 0c9f227bee11 ("ipv6: use skb_expand_head in ip6_xmit")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vasily Averin <vasily.averin@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20240820160859.3786976-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_output.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 9cff86c01abca..5d8d86c159dc3 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -281,11 +281,15 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
head_room += opt->opt_nflen + opt->opt_flen;
if (unlikely(head_room > skb_headroom(skb))) {
+ /* Make sure idev stays alive */
+ rcu_read_lock();
skb = skb_expand_head(skb, head_room);
if (!skb) {
IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
+ rcu_read_unlock();
return -ENOBUFS;
}
+ rcu_read_unlock();
}
if (opt) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 271/341] bnxt_en: Fix double DMA unmapping for XDP_REDIRECT
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 270/341] ipv6: prevent possible UAF in ip6_xmit() Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 272/341] netfilter: flowtable: validate vlan header Greg Kroah-Hartman
` (82 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Gospodarek, Kalesh AP,
Somnath Kotur, Michael Chan, Jacob Keller, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Somnath Kotur <somnath.kotur@broadcom.com>
[ Upstream commit 8baeef7616d5194045c5a6b97fd1246b87c55b13 ]
Remove the dma_unmap_page_attrs() call in the driver's XDP_REDIRECT
code path. This should have been removed when we let the page pool
handle the DMA mapping. This bug causes the warning:
WARNING: CPU: 7 PID: 59 at drivers/iommu/dma-iommu.c:1198 iommu_dma_unmap_page+0xd5/0x100
CPU: 7 PID: 59 Comm: ksoftirqd/7 Tainted: G W 6.8.0-1010-gcp #11-Ubuntu
Hardware name: Dell Inc. PowerEdge R7525/0PYVT1, BIOS 2.15.2 04/02/2024
RIP: 0010:iommu_dma_unmap_page+0xd5/0x100
Code: 89 ee 48 89 df e8 cb f2 69 ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9 31 f6 31 ff 45 31 c0 e9 ab 17 71 00 <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9
RSP: 0018:ffffab1fc0597a48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff99ff838280c8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffab1fc0597a78 R08: 0000000000000002 R09: ffffab1fc0597c1c
R10: ffffab1fc0597cd3 R11: ffff99ffe375acd8 R12: 00000000e65b9000
R13: 0000000000000050 R14: 0000000000001000 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff9a06efb80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000565c34c37210 CR3: 00000005c7e3e000 CR4: 0000000000350ef0
? show_regs+0x6d/0x80
? __warn+0x89/0x150
? iommu_dma_unmap_page+0xd5/0x100
? report_bug+0x16a/0x190
? handle_bug+0x51/0xa0
? exc_invalid_op+0x18/0x80
? iommu_dma_unmap_page+0xd5/0x100
? iommu_dma_unmap_page+0x35/0x100
dma_unmap_page_attrs+0x55/0x220
? bpf_prog_4d7e87c0d30db711_xdp_dispatcher+0x64/0x9f
bnxt_rx_xdp+0x237/0x520 [bnxt_en]
bnxt_rx_pkt+0x640/0xdd0 [bnxt_en]
__bnxt_poll_work+0x1a1/0x3d0 [bnxt_en]
bnxt_poll+0xaa/0x1e0 [bnxt_en]
__napi_poll+0x33/0x1e0
net_rx_action+0x18a/0x2f0
Fixes: 578fcfd26e2a ("bnxt_en: Let the page pool manage the DMA mapping")
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20240820203415.168178-1-michael.chan@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
index 8cb9a99154aad..2845796f782c2 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
@@ -297,11 +297,6 @@ bool bnxt_rx_xdp(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, u16 cons,
* redirect is coming from a frame received by the
* bnxt_en driver.
*/
- rx_buf = &rxr->rx_buf_ring[cons];
- mapping = rx_buf->mapping - bp->rx_dma_offset;
- dma_unmap_page_attrs(&pdev->dev, mapping,
- BNXT_RX_PAGE_SIZE, bp->rx_dir,
- DMA_ATTR_WEAK_ORDERING);
/* if we are unable to allocate a new buffer, abort and reuse */
if (bnxt_alloc_rx_data(bp, rxr, rxr->rx_prod, GFP_ATOMIC)) {
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 272/341] netfilter: flowtable: validate vlan header
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 271/341] bnxt_en: Fix double DMA unmapping for XDP_REDIRECT Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 273/341] octeontx2-af: Fix CPT AF register offset calculation Greg Kroah-Hartman
` (81 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8407d9bb88cd4c6bf61a,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 6ea14ccb60c8ab829349979b22b58a941ec4a3ee ]
Ensure there is sufficient room to access the protocol field of the
VLAN header, validate it once before the flowtable lookup.
=====================================================
BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32
nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]
nf_ingress net/core/dev.c:5440 [inline]
Fixes: 4cd91f7c290f ("netfilter: flowtable: add vlan support")
Reported-by: syzbot+8407d9bb88cd4c6bf61a@syzkaller.appspotmail.com
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_flow_table_inet.c | 3 +++
net/netfilter/nf_flow_table_ip.c | 3 +++
2 files changed, 6 insertions(+)
diff --git a/net/netfilter/nf_flow_table_inet.c b/net/netfilter/nf_flow_table_inet.c
index 6eef15648b7b0..b0f1991719324 100644
--- a/net/netfilter/nf_flow_table_inet.c
+++ b/net/netfilter/nf_flow_table_inet.c
@@ -17,6 +17,9 @@ nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb,
switch (skb->protocol) {
case htons(ETH_P_8021Q):
+ if (!pskb_may_pull(skb, skb_mac_offset(skb) + sizeof(*veth)))
+ return NF_ACCEPT;
+
veth = (struct vlan_ethhdr *)skb_mac_header(skb);
proto = veth->h_vlan_encapsulated_proto;
break;
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 5383bed3d3e00..846fa2ad7c858 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -281,6 +281,9 @@ static bool nf_flow_skb_encap_protocol(struct sk_buff *skb, __be16 proto,
switch (skb->protocol) {
case htons(ETH_P_8021Q):
+ if (!pskb_may_pull(skb, skb_mac_offset(skb) + sizeof(*veth)))
+ return false;
+
veth = (struct vlan_ethhdr *)skb_mac_header(skb);
if (veth->h_vlan_encapsulated_proto == proto) {
*offset += VLAN_HLEN;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 273/341] octeontx2-af: Fix CPT AF register offset calculation
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 272/341] netfilter: flowtable: validate vlan header Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 274/341] net: xilinx: axienet: Always disable promiscuous mode Greg Kroah-Hartman
` (80 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bharat Bhushan, Simon Horman,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bharat Bhushan <bbhushan2@marvell.com>
[ Upstream commit af688a99eb1fc7ef69774665d61e6be51cea627a ]
Some CPT AF registers are per LF and others are global. Translation
of PF/VF local LF slot number to actual LF slot number is required
only for accessing perf LF registers. CPT AF global registers access
do not require any LF slot number. Also, there is no reason CPT
PF/VF to know actual lf's register offset.
Without this fix microcode loading will fail, VFs cannot be created
and hardware is not usable.
Fixes: bc35e28af789 ("octeontx2-af: replace cpt slot with lf id on reg write")
Signed-off-by: Bharat Bhushan <bbhushan2@marvell.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240821070558.1020101-1-bbhushan2@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/marvell/octeontx2/af/rvu_cpt.c | 23 +++++++++----------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c
index 3e09d22858147..daf4b951e9059 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c
@@ -632,7 +632,9 @@ int rvu_mbox_handler_cpt_inline_ipsec_cfg(struct rvu *rvu,
return ret;
}
-static bool is_valid_offset(struct rvu *rvu, struct cpt_rd_wr_reg_msg *req)
+static bool validate_and_update_reg_offset(struct rvu *rvu,
+ struct cpt_rd_wr_reg_msg *req,
+ u64 *reg_offset)
{
u64 offset = req->reg_offset;
int blkaddr, num_lfs, lf;
@@ -663,6 +665,11 @@ static bool is_valid_offset(struct rvu *rvu, struct cpt_rd_wr_reg_msg *req)
if (lf < 0)
return false;
+ /* Translate local LF's offset to global CPT LF's offset to
+ * access LFX register.
+ */
+ *reg_offset = (req->reg_offset & 0xFF000) + (lf << 3);
+
return true;
} else if (!(req->hdr.pcifunc & RVU_PFVF_FUNC_MASK)) {
/* Registers that can be accessed from PF */
@@ -697,7 +704,7 @@ int rvu_mbox_handler_cpt_rd_wr_register(struct rvu *rvu,
struct cpt_rd_wr_reg_msg *rsp)
{
u64 offset = req->reg_offset;
- int blkaddr, lf;
+ int blkaddr;
blkaddr = validate_and_get_cpt_blkaddr(req->blkaddr);
if (blkaddr < 0)
@@ -708,18 +715,10 @@ int rvu_mbox_handler_cpt_rd_wr_register(struct rvu *rvu,
!is_cpt_vf(rvu, req->hdr.pcifunc))
return CPT_AF_ERR_ACCESS_DENIED;
- if (!is_valid_offset(rvu, req))
+ if (!validate_and_update_reg_offset(rvu, req, &offset))
return CPT_AF_ERR_ACCESS_DENIED;
- /* Translate local LF used by VFs to global CPT LF */
- lf = rvu_get_lf(rvu, &rvu->hw->block[blkaddr], req->hdr.pcifunc,
- (offset & 0xFFF) >> 3);
-
- /* Translate local LF's offset to global CPT LF's offset */
- offset &= 0xFF000;
- offset += lf << 3;
-
- rsp->reg_offset = offset;
+ rsp->reg_offset = req->reg_offset;
rsp->ret_val = req->ret_val;
rsp->is_write = req->is_write;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 274/341] net: xilinx: axienet: Always disable promiscuous mode
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 273/341] octeontx2-af: Fix CPT AF register offset calculation Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 275/341] net: xilinx: axienet: Fix dangling multicast addresses Greg Kroah-Hartman
` (79 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Anderson, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Anderson <sean.anderson@linux.dev>
[ Upstream commit 4ae738dfef2c0323752ab81786e2d298c9939321 ]
If promiscuous mode is disabled when there are fewer than four multicast
addresses, then it will not be reflected in the hardware. Fix this by
always clearing the promiscuous mode flag even when we program multicast
addresses.
Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240822154059.1066595-2-sean.anderson@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
index 11e08cb8d3c3e..9afd9b7f3044e 100644
--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
@@ -430,6 +430,10 @@ static void axienet_set_multicast_list(struct net_device *ndev)
} else if (!netdev_mc_empty(ndev)) {
struct netdev_hw_addr *ha;
+ reg = axienet_ior(lp, XAE_FMI_OFFSET);
+ reg &= ~XAE_FMI_PM_MASK;
+ axienet_iow(lp, XAE_FMI_OFFSET, reg);
+
i = 0;
netdev_for_each_mc_addr(ha, ndev) {
if (i >= XAE_MULTICAST_CAM_TABLE_NUM)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 275/341] net: xilinx: axienet: Fix dangling multicast addresses
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 274/341] net: xilinx: axienet: Always disable promiscuous mode Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 276/341] net: ovs: fix ovs_drop_reasons error Greg Kroah-Hartman
` (78 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Anderson, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Anderson <sean.anderson@linux.dev>
[ Upstream commit 797a68c9de0f5a5447baf4bd3bb9c10a3993435b ]
If a multicast address is removed but there are still some multicast
addresses, that address would remain programmed into the frame filter.
Fix this by explicitly setting the enable bit for each filter.
Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240822154059.1066595-3-sean.anderson@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/xilinx/xilinx_axienet.h | 1 +
.../net/ethernet/xilinx/xilinx_axienet_main.c | 21 ++++++++-----------
2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet.h b/drivers/net/ethernet/xilinx/xilinx_axienet.h
index a62c2b4c6b2f2..f09f10f17d7ea 100644
--- a/drivers/net/ethernet/xilinx/xilinx_axienet.h
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet.h
@@ -169,6 +169,7 @@
#define XAE_UAW0_OFFSET 0x00000700 /* Unicast address word 0 */
#define XAE_UAW1_OFFSET 0x00000704 /* Unicast address word 1 */
#define XAE_FMI_OFFSET 0x00000708 /* Frame Filter Control */
+#define XAE_FFE_OFFSET 0x0000070C /* Frame Filter Enable */
#define XAE_AF0_OFFSET 0x00000710 /* Address Filter 0 */
#define XAE_AF1_OFFSET 0x00000714 /* Address Filter 1 */
diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
index 9afd9b7f3044e..144feb7a2fdac 100644
--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
@@ -412,7 +412,7 @@ static int netdev_set_mac_address(struct net_device *ndev, void *p)
*/
static void axienet_set_multicast_list(struct net_device *ndev)
{
- int i;
+ int i = 0;
u32 reg, af0reg, af1reg;
struct axienet_local *lp = netdev_priv(ndev);
@@ -434,7 +434,6 @@ static void axienet_set_multicast_list(struct net_device *ndev)
reg &= ~XAE_FMI_PM_MASK;
axienet_iow(lp, XAE_FMI_OFFSET, reg);
- i = 0;
netdev_for_each_mc_addr(ha, ndev) {
if (i >= XAE_MULTICAST_CAM_TABLE_NUM)
break;
@@ -453,6 +452,7 @@ static void axienet_set_multicast_list(struct net_device *ndev)
axienet_iow(lp, XAE_FMI_OFFSET, reg);
axienet_iow(lp, XAE_AF0_OFFSET, af0reg);
axienet_iow(lp, XAE_AF1_OFFSET, af1reg);
+ axienet_iow(lp, XAE_FFE_OFFSET, 1);
i++;
}
} else {
@@ -460,18 +460,15 @@ static void axienet_set_multicast_list(struct net_device *ndev)
reg &= ~XAE_FMI_PM_MASK;
axienet_iow(lp, XAE_FMI_OFFSET, reg);
-
- for (i = 0; i < XAE_MULTICAST_CAM_TABLE_NUM; i++) {
- reg = axienet_ior(lp, XAE_FMI_OFFSET) & 0xFFFFFF00;
- reg |= i;
-
- axienet_iow(lp, XAE_FMI_OFFSET, reg);
- axienet_iow(lp, XAE_AF0_OFFSET, 0);
- axienet_iow(lp, XAE_AF1_OFFSET, 0);
- }
-
dev_info(&ndev->dev, "Promiscuous mode disabled.\n");
}
+
+ for (; i < XAE_MULTICAST_CAM_TABLE_NUM; i++) {
+ reg = axienet_ior(lp, XAE_FMI_OFFSET) & 0xFFFFFF00;
+ reg |= i;
+ axienet_iow(lp, XAE_FMI_OFFSET, reg);
+ axienet_iow(lp, XAE_FFE_OFFSET, 0);
+ }
}
/**
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 276/341] net: ovs: fix ovs_drop_reasons error
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 275/341] net: xilinx: axienet: Fix dangling multicast addresses Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 277/341] drm/msm/dpu: dont play tricks with debug macros Greg Kroah-Hartman
` (77 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Menglong Dong, Adrian Moreno,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Menglong Dong <menglong8.dong@gmail.com>
[ Upstream commit 57fb67783c4011581882f32e656d738da1f82042 ]
There is something wrong with ovs_drop_reasons. ovs_drop_reasons[0] is
"OVS_DROP_LAST_ACTION", but OVS_DROP_LAST_ACTION == __OVS_DROP_REASON + 1,
which means that ovs_drop_reasons[1] should be "OVS_DROP_LAST_ACTION".
And as Adrian tested, without the patch, adding flow to drop packets
results in:
drop at: do_execute_actions+0x197/0xb20 [openvsw (0xffffffffc0db6f97)
origin: software
input port ifindex: 8
timestamp: Tue Aug 20 10:19:17 2024 859853461 nsec
protocol: 0x800
length: 98
original length: 98
drop reason: OVS_DROP_ACTION_ERROR
With the patch, the same results in:
drop at: do_execute_actions+0x197/0xb20 [openvsw (0xffffffffc0db6f97)
origin: software
input port ifindex: 8
timestamp: Tue Aug 20 10:16:13 2024 475856608 nsec
protocol: 0x800
length: 98
original length: 98
drop reason: OVS_DROP_LAST_ACTION
Fix this by initializing ovs_drop_reasons with index.
Fixes: 9d802da40b7c ("net: openvswitch: add last-action drop reason")
Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
Tested-by: Adrian Moreno <amorenoz@redhat.com>
Reviewed-by: Adrian Moreno <amorenoz@redhat.com>
Link: https://patch.msgid.link/20240821123252.186305-1-dongml2@chinatelecom.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/datapath.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 11c69415c6052..b7232142c13f8 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -2707,7 +2707,7 @@ static struct pernet_operations ovs_net_ops = {
};
static const char * const ovs_drop_reasons[] = {
-#define S(x) (#x),
+#define S(x) [(x) & ~SKB_DROP_REASON_SUBSYS_MASK] = (#x),
OVS_DROP_REASONS(S)
#undef S
};
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 277/341] drm/msm/dpu: dont play tricks with debug macros
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 276/341] net: ovs: fix ovs_drop_reasons error Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 278/341] drm/msm/dp: fix the max supported bpp logic Greg Kroah-Hartman
` (76 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Abhinav Kumar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit df24373435f5899a2a98b7d377479c8d4376613b ]
DPU debugging macros need to be converted to a proper drm_debug_*
macros, however this is a going an intrusive patch, not suitable for a
fix. Wire DPU_DEBUG and DPU_DEBUG_DRIVER to always use DRM_DEBUG_DRIVER
to make sure that DPU debugging messages always end up in the drm debug
messages and are controlled via the usual drm.debug mask.
I don't think that it is a good idea for a generic DPU_DEBUG macro to be
tied to DRM_UT_KMS. It is used to report a debug message from driver, so by
default it should go to the DRM_UT_DRIVER channel. While refactoring
debug macros later on we might end up with particular messages going to
ATOMIC or KMS, but DRIVER should be the default.
Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Patchwork: https://patchwork.freedesktop.org/patch/606932/
Link: https://lore.kernel.org/r/20240802-dpu-fix-wb-v2-2-7eac9eb8e895@linaro.org
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 14 ++------------
1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h
index f5473d4dea92f..8cb3cf842c52c 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h
@@ -31,24 +31,14 @@
* @fmt: Pointer to format string
*/
#define DPU_DEBUG(fmt, ...) \
- do { \
- if (drm_debug_enabled(DRM_UT_KMS)) \
- DRM_DEBUG(fmt, ##__VA_ARGS__); \
- else \
- pr_debug(fmt, ##__VA_ARGS__); \
- } while (0)
+ DRM_DEBUG_DRIVER(fmt, ##__VA_ARGS__)
/**
* DPU_DEBUG_DRIVER - macro for hardware driver logging
* @fmt: Pointer to format string
*/
#define DPU_DEBUG_DRIVER(fmt, ...) \
- do { \
- if (drm_debug_enabled(DRM_UT_DRIVER)) \
- DRM_ERROR(fmt, ##__VA_ARGS__); \
- else \
- pr_debug(fmt, ##__VA_ARGS__); \
- } while (0)
+ DRM_DEBUG_DRIVER(fmt, ##__VA_ARGS__)
#define DPU_ERROR(fmt, ...) pr_err("[dpu error]" fmt, ##__VA_ARGS__)
#define DPU_ERROR_RATELIMITED(fmt, ...) pr_err_ratelimited("[dpu error]" fmt, ##__VA_ARGS__)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 278/341] drm/msm/dp: fix the max supported bpp logic
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 277/341] drm/msm/dpu: dont play tricks with debug macros Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 279/341] drm/msm/dpu: use drmm-managed allocation for dpu_encoder_phys Greg Kroah-Hartman
` (75 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Stephen Boyd,
Abhinav Kumar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhinav Kumar <quic_abhinavk@quicinc.com>
[ Upstream commit d19d5b8d8f6dab942ce5ddbcf34bf7275e778250 ]
Fix the dp_panel_get_supported_bpp() API to return the minimum
supported bpp correctly for relevant cases and use this API
to correct the behavior of DP driver which hard-codes the max supported
bpp to 30.
This is incorrect because the number of lanes and max data rate
supported by the lanes need to be taken into account.
Replace the hardcoded limit with the appropriate math which accounts
for the accurate number of lanes and max data rate.
changes in v2:
- Fix the dp_panel_get_supported_bpp() and use it
- Drop the max_t usage as dp_panel_get_supported_bpp() already
returns the min_bpp correctly now
changes in v3:
- replace min_t with just min as all params are u32
Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support")
Reported-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/43
Tested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> # SM8350-HDK
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Patchwork: https://patchwork.freedesktop.org/patch/607073/
Link: https://lore.kernel.org/r/20240805202009.1120981-1-quic_abhinavk@quicinc.com
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dp/dp_panel.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/drivers/gpu/drm/msm/dp/dp_panel.c b/drivers/gpu/drm/msm/dp/dp_panel.c
index 86a8e06c7a60f..d26589eb8b218 100644
--- a/drivers/gpu/drm/msm/dp/dp_panel.c
+++ b/drivers/gpu/drm/msm/dp/dp_panel.c
@@ -136,22 +136,22 @@ static int dp_panel_read_dpcd(struct dp_panel *dp_panel)
static u32 dp_panel_get_supported_bpp(struct dp_panel *dp_panel,
u32 mode_edid_bpp, u32 mode_pclk_khz)
{
- struct dp_link_info *link_info;
+ const struct dp_link_info *link_info;
const u32 max_supported_bpp = 30, min_supported_bpp = 18;
- u32 bpp = 0, data_rate_khz = 0;
+ u32 bpp, data_rate_khz;
- bpp = min_t(u32, mode_edid_bpp, max_supported_bpp);
+ bpp = min(mode_edid_bpp, max_supported_bpp);
link_info = &dp_panel->link_info;
data_rate_khz = link_info->num_lanes * link_info->rate * 8;
- while (bpp > min_supported_bpp) {
+ do {
if (mode_pclk_khz * bpp <= data_rate_khz)
- break;
+ return bpp;
bpp -= 6;
- }
+ } while (bpp > min_supported_bpp);
- return bpp;
+ return min_supported_bpp;
}
static int dp_panel_update_modes(struct drm_connector *connector,
@@ -444,8 +444,9 @@ int dp_panel_init_panel_info(struct dp_panel *dp_panel)
drm_mode->clock);
drm_dbg_dp(panel->drm_dev, "bpp = %d\n", dp_panel->dp_mode.bpp);
- dp_panel->dp_mode.bpp = max_t(u32, 18,
- min_t(u32, dp_panel->dp_mode.bpp, 30));
+ dp_panel->dp_mode.bpp = dp_panel_get_mode_bpp(dp_panel, dp_panel->dp_mode.bpp,
+ dp_panel->dp_mode.drm_mode.clock);
+
drm_dbg_dp(panel->drm_dev, "updated bpp = %d\n",
dp_panel->dp_mode.bpp);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 279/341] drm/msm/dpu: use drmm-managed allocation for dpu_encoder_phys
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 278/341] drm/msm/dp: fix the max supported bpp logic Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 280/341] drm/msm/dpu: drop MSM_ENC_VBLANK support Greg Kroah-Hartman
` (74 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jessica Zhang, Dmitry Baryshkov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit 73169b45e1ed296b4357a694f5fa586ac0643ac1 ]
Change struct allocation of encoder's phys backend data to use
drmm_kzalloc(). This removes the need to perform any actions on encoder
destruction.
Reviewed-by: Jessica Zhang <quic_jesszhan@quicinc.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/570051/
Link: https://lore.kernel.org/r/20231201211845.1026967-12-dmitry.baryshkov@linaro.org
Stable-dep-of: aedf02e46eb5 ("drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 9 ++++----
.../gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h | 8 ++++---
.../drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 15 ++++---------
.../drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 13 ++++--------
.../drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 21 ++++---------------
5 files changed, 22 insertions(+), 44 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
index e454b80907121..781adb5e2c595 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
@@ -2172,6 +2172,7 @@ static void dpu_encoder_early_unregister(struct drm_encoder *encoder)
}
static int dpu_encoder_virt_add_phys_encs(
+ struct drm_device *dev,
struct msm_display_info *disp_info,
struct dpu_encoder_virt *dpu_enc,
struct dpu_enc_phys_init_params *params)
@@ -2193,7 +2194,7 @@ static int dpu_encoder_virt_add_phys_encs(
if (disp_info->intf_type == INTF_WB) {
- enc = dpu_encoder_phys_wb_init(params);
+ enc = dpu_encoder_phys_wb_init(dev, params);
if (IS_ERR(enc)) {
DPU_ERROR_ENC(dpu_enc, "failed to init wb enc: %ld\n",
@@ -2204,7 +2205,7 @@ static int dpu_encoder_virt_add_phys_encs(
dpu_enc->phys_encs[dpu_enc->num_phys_encs] = enc;
++dpu_enc->num_phys_encs;
} else if (disp_info->is_cmd_mode) {
- enc = dpu_encoder_phys_cmd_init(params);
+ enc = dpu_encoder_phys_cmd_init(dev, params);
if (IS_ERR(enc)) {
DPU_ERROR_ENC(dpu_enc, "failed to init cmd enc: %ld\n",
@@ -2215,7 +2216,7 @@ static int dpu_encoder_virt_add_phys_encs(
dpu_enc->phys_encs[dpu_enc->num_phys_encs] = enc;
++dpu_enc->num_phys_encs;
} else {
- enc = dpu_encoder_phys_vid_init(params);
+ enc = dpu_encoder_phys_vid_init(dev, params);
if (IS_ERR(enc)) {
DPU_ERROR_ENC(dpu_enc, "failed to init vid enc: %ld\n",
@@ -2304,7 +2305,7 @@ static int dpu_encoder_setup_display(struct dpu_encoder_virt *dpu_enc,
break;
}
- ret = dpu_encoder_virt_add_phys_encs(disp_info,
+ ret = dpu_encoder_virt_add_phys_encs(dpu_kms->dev, disp_info,
dpu_enc, &phys_params);
if (ret) {
DPU_ERROR_ENC(dpu_enc, "failed to add phys encs\n");
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h
index f91661a698882..99997707b0ee9 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h
@@ -281,22 +281,24 @@ struct dpu_encoder_wait_info {
* @p: Pointer to init params structure
* Return: Error code or newly allocated encoder
*/
-struct dpu_encoder_phys *dpu_encoder_phys_vid_init(
+struct dpu_encoder_phys *dpu_encoder_phys_vid_init(struct drm_device *dev,
struct dpu_enc_phys_init_params *p);
/**
* dpu_encoder_phys_cmd_init - Construct a new command mode physical encoder
+ * @dev: Corresponding device for devres management
* @p: Pointer to init params structure
* Return: Error code or newly allocated encoder
*/
-struct dpu_encoder_phys *dpu_encoder_phys_cmd_init(
+struct dpu_encoder_phys *dpu_encoder_phys_cmd_init(struct drm_device *dev,
struct dpu_enc_phys_init_params *p);
/**
* dpu_encoder_phys_wb_init - initialize writeback encoder
+ * @dev: Corresponding device for devres management
* @init: Pointer to init info structure with initialization params
*/
-struct dpu_encoder_phys *dpu_encoder_phys_wb_init(
+struct dpu_encoder_phys *dpu_encoder_phys_wb_init(struct drm_device *dev,
struct dpu_enc_phys_init_params *p);
/**
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c
index 718421306247f..548be5cf07be8 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c
@@ -13,6 +13,8 @@
#include "dpu_trace.h"
#include "disp/msm_disp_snapshot.h"
+#include <drm/drm_managed.h>
+
#define DPU_DEBUG_CMDENC(e, fmt, ...) DPU_DEBUG("enc%d intf%d " fmt, \
(e) && (e)->base.parent ? \
(e)->base.parent->base.id : -1, \
@@ -564,14 +566,6 @@ static void dpu_encoder_phys_cmd_disable(struct dpu_encoder_phys *phys_enc)
phys_enc->enable_state = DPU_ENC_DISABLED;
}
-static void dpu_encoder_phys_cmd_destroy(struct dpu_encoder_phys *phys_enc)
-{
- struct dpu_encoder_phys_cmd *cmd_enc =
- to_dpu_encoder_phys_cmd(phys_enc);
-
- kfree(cmd_enc);
-}
-
static void dpu_encoder_phys_cmd_prepare_for_kickoff(
struct dpu_encoder_phys *phys_enc)
{
@@ -737,7 +731,6 @@ static void dpu_encoder_phys_cmd_init_ops(
ops->atomic_mode_set = dpu_encoder_phys_cmd_atomic_mode_set;
ops->enable = dpu_encoder_phys_cmd_enable;
ops->disable = dpu_encoder_phys_cmd_disable;
- ops->destroy = dpu_encoder_phys_cmd_destroy;
ops->control_vblank_irq = dpu_encoder_phys_cmd_control_vblank_irq;
ops->wait_for_commit_done = dpu_encoder_phys_cmd_wait_for_commit_done;
ops->prepare_for_kickoff = dpu_encoder_phys_cmd_prepare_for_kickoff;
@@ -752,7 +745,7 @@ static void dpu_encoder_phys_cmd_init_ops(
ops->get_line_count = dpu_encoder_phys_cmd_get_line_count;
}
-struct dpu_encoder_phys *dpu_encoder_phys_cmd_init(
+struct dpu_encoder_phys *dpu_encoder_phys_cmd_init(struct drm_device *dev,
struct dpu_enc_phys_init_params *p)
{
struct dpu_encoder_phys *phys_enc = NULL;
@@ -760,7 +753,7 @@ struct dpu_encoder_phys *dpu_encoder_phys_cmd_init(
DPU_DEBUG("intf\n");
- cmd_enc = kzalloc(sizeof(*cmd_enc), GFP_KERNEL);
+ cmd_enc = drmm_kzalloc(dev, sizeof(*cmd_enc), GFP_KERNEL);
if (!cmd_enc) {
DPU_ERROR("failed to allocate\n");
return ERR_PTR(-ENOMEM);
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
index aec3ca4aa0fb7..ab26e21871235 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
@@ -11,6 +11,8 @@
#include "dpu_trace.h"
#include "disp/msm_disp_snapshot.h"
+#include <drm/drm_managed.h>
+
#define DPU_DEBUG_VIDENC(e, fmt, ...) DPU_DEBUG("enc%d intf%d " fmt, \
(e) && (e)->parent ? \
(e)->parent->base.id : -1, \
@@ -441,12 +443,6 @@ static void dpu_encoder_phys_vid_enable(struct dpu_encoder_phys *phys_enc)
phys_enc->enable_state = DPU_ENC_ENABLING;
}
-static void dpu_encoder_phys_vid_destroy(struct dpu_encoder_phys *phys_enc)
-{
- DPU_DEBUG_VIDENC(phys_enc, "\n");
- kfree(phys_enc);
-}
-
static int dpu_encoder_phys_vid_wait_for_vblank(
struct dpu_encoder_phys *phys_enc)
{
@@ -684,7 +680,6 @@ static void dpu_encoder_phys_vid_init_ops(struct dpu_encoder_phys_ops *ops)
ops->atomic_mode_set = dpu_encoder_phys_vid_atomic_mode_set;
ops->enable = dpu_encoder_phys_vid_enable;
ops->disable = dpu_encoder_phys_vid_disable;
- ops->destroy = dpu_encoder_phys_vid_destroy;
ops->control_vblank_irq = dpu_encoder_phys_vid_control_vblank_irq;
ops->wait_for_commit_done = dpu_encoder_phys_vid_wait_for_commit_done;
ops->wait_for_vblank = dpu_encoder_phys_vid_wait_for_vblank;
@@ -697,7 +692,7 @@ static void dpu_encoder_phys_vid_init_ops(struct dpu_encoder_phys_ops *ops)
ops->get_frame_count = dpu_encoder_phys_vid_get_frame_count;
}
-struct dpu_encoder_phys *dpu_encoder_phys_vid_init(
+struct dpu_encoder_phys *dpu_encoder_phys_vid_init(struct drm_device *dev,
struct dpu_enc_phys_init_params *p)
{
struct dpu_encoder_phys *phys_enc = NULL;
@@ -707,7 +702,7 @@ struct dpu_encoder_phys *dpu_encoder_phys_vid_init(
return ERR_PTR(-EINVAL);
}
- phys_enc = kzalloc(sizeof(*phys_enc), GFP_KERNEL);
+ phys_enc = drmm_kzalloc(dev, sizeof(*phys_enc), GFP_KERNEL);
if (!phys_enc) {
DPU_ERROR("failed to create encoder due to memory allocation error\n");
return ERR_PTR(-ENOMEM);
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c
index a81a9ee71a86c..0a45c546b03f2 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c
@@ -8,6 +8,7 @@
#include <linux/debugfs.h>
#include <drm/drm_framebuffer.h>
+#include <drm/drm_managed.h>
#include "dpu_encoder_phys.h"
#include "dpu_formats.h"
@@ -546,20 +547,6 @@ static void dpu_encoder_phys_wb_disable(struct dpu_encoder_phys *phys_enc)
phys_enc->enable_state = DPU_ENC_DISABLED;
}
-/**
- * dpu_encoder_phys_wb_destroy - destroy writeback encoder
- * @phys_enc: Pointer to physical encoder
- */
-static void dpu_encoder_phys_wb_destroy(struct dpu_encoder_phys *phys_enc)
-{
- if (!phys_enc)
- return;
-
- DPU_DEBUG("[wb:%d]\n", phys_enc->hw_wb->idx - WB_0);
-
- kfree(phys_enc);
-}
-
static void dpu_encoder_phys_wb_prepare_wb_job(struct dpu_encoder_phys *phys_enc,
struct drm_writeback_job *job)
{
@@ -655,7 +642,6 @@ static void dpu_encoder_phys_wb_init_ops(struct dpu_encoder_phys_ops *ops)
ops->atomic_mode_set = dpu_encoder_phys_wb_atomic_mode_set;
ops->enable = dpu_encoder_phys_wb_enable;
ops->disable = dpu_encoder_phys_wb_disable;
- ops->destroy = dpu_encoder_phys_wb_destroy;
ops->atomic_check = dpu_encoder_phys_wb_atomic_check;
ops->wait_for_commit_done = dpu_encoder_phys_wb_wait_for_commit_done;
ops->prepare_for_kickoff = dpu_encoder_phys_wb_prepare_for_kickoff;
@@ -671,9 +657,10 @@ static void dpu_encoder_phys_wb_init_ops(struct dpu_encoder_phys_ops *ops)
/**
* dpu_encoder_phys_wb_init - initialize writeback encoder
+ * @dev: Corresponding device for devres management
* @p: Pointer to init info structure with initialization params
*/
-struct dpu_encoder_phys *dpu_encoder_phys_wb_init(
+struct dpu_encoder_phys *dpu_encoder_phys_wb_init(struct drm_device *dev,
struct dpu_enc_phys_init_params *p)
{
struct dpu_encoder_phys *phys_enc = NULL;
@@ -686,7 +673,7 @@ struct dpu_encoder_phys *dpu_encoder_phys_wb_init(
return ERR_PTR(-EINVAL);
}
- wb_enc = kzalloc(sizeof(*wb_enc), GFP_KERNEL);
+ wb_enc = drmm_kzalloc(dev, sizeof(*wb_enc), GFP_KERNEL);
if (!wb_enc) {
DPU_ERROR("failed to allocate wb phys_enc enc\n");
return ERR_PTR(-ENOMEM);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 280/341] drm/msm/dpu: drop MSM_ENC_VBLANK support
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 279/341] drm/msm/dpu: use drmm-managed allocation for dpu_encoder_phys Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 281/341] drm/msm/dpu: split dpu_encoder_wait_for_event into two functions Greg Kroah-Hartman
` (73 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abhinav Kumar, Dmitry Baryshkov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit a08935fc859b22884dcb6b5126d3a986467101ce ]
There are no in-kernel users of MSM_ENC_VBLANK wait type. Drop it
together with the corresponding wait_for_vblank callback.
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Patchwork: https://patchwork.freedesktop.org/patch/560701/
Link: https://lore.kernel.org/r/20231004031903.518223-1-dmitry.baryshkov@linaro.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Stable-dep-of: aedf02e46eb5 ("drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 3 --
.../gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h | 1 -
.../drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 28 -------------------
.../drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 9 +++---
drivers/gpu/drm/msm/msm_drv.h | 2 --
5 files changed, 4 insertions(+), 39 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
index 781adb5e2c595..57001543dc220 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
@@ -2441,9 +2441,6 @@ int dpu_encoder_wait_for_event(struct drm_encoder *drm_enc,
case MSM_ENC_TX_COMPLETE:
fn_wait = phys->ops.wait_for_tx_complete;
break;
- case MSM_ENC_VBLANK:
- fn_wait = phys->ops.wait_for_vblank;
- break;
default:
DPU_ERROR_ENC(dpu_enc, "unknown wait event %d\n",
event);
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h
index 99997707b0ee9..57a3598f2a303 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h
@@ -106,7 +106,6 @@ struct dpu_encoder_phys_ops {
int (*control_vblank_irq)(struct dpu_encoder_phys *enc, bool enable);
int (*wait_for_commit_done)(struct dpu_encoder_phys *phys_enc);
int (*wait_for_tx_complete)(struct dpu_encoder_phys *phys_enc);
- int (*wait_for_vblank)(struct dpu_encoder_phys *phys_enc);
void (*prepare_for_kickoff)(struct dpu_encoder_phys *phys_enc);
void (*handle_post_kickoff)(struct dpu_encoder_phys *phys_enc);
void (*trigger_start)(struct dpu_encoder_phys *phys_enc);
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c
index 548be5cf07be8..83a804ebf8d7e 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c
@@ -681,33 +681,6 @@ static int dpu_encoder_phys_cmd_wait_for_commit_done(
return _dpu_encoder_phys_cmd_wait_for_ctl_start(phys_enc);
}
-static int dpu_encoder_phys_cmd_wait_for_vblank(
- struct dpu_encoder_phys *phys_enc)
-{
- int rc = 0;
- struct dpu_encoder_phys_cmd *cmd_enc;
- struct dpu_encoder_wait_info wait_info;
-
- cmd_enc = to_dpu_encoder_phys_cmd(phys_enc);
-
- /* only required for master controller */
- if (!dpu_encoder_phys_cmd_is_master(phys_enc))
- return rc;
-
- wait_info.wq = &cmd_enc->pending_vblank_wq;
- wait_info.atomic_cnt = &cmd_enc->pending_vblank_cnt;
- wait_info.timeout_ms = KICKOFF_TIMEOUT_MS;
-
- atomic_inc(&cmd_enc->pending_vblank_cnt);
-
- rc = dpu_encoder_helper_wait_for_irq(phys_enc,
- phys_enc->irq[INTR_IDX_RDPTR],
- dpu_encoder_phys_cmd_te_rd_ptr_irq,
- &wait_info);
-
- return rc;
-}
-
static void dpu_encoder_phys_cmd_handle_post_kickoff(
struct dpu_encoder_phys *phys_enc)
{
@@ -735,7 +708,6 @@ static void dpu_encoder_phys_cmd_init_ops(
ops->wait_for_commit_done = dpu_encoder_phys_cmd_wait_for_commit_done;
ops->prepare_for_kickoff = dpu_encoder_phys_cmd_prepare_for_kickoff;
ops->wait_for_tx_complete = dpu_encoder_phys_cmd_wait_for_tx_complete;
- ops->wait_for_vblank = dpu_encoder_phys_cmd_wait_for_vblank;
ops->trigger_start = dpu_encoder_phys_cmd_trigger_start;
ops->needs_single_flush = dpu_encoder_phys_cmd_needs_single_flush;
ops->irq_control = dpu_encoder_phys_cmd_irq_control;
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
index ab26e21871235..daaf0e6047538 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
@@ -443,7 +443,7 @@ static void dpu_encoder_phys_vid_enable(struct dpu_encoder_phys *phys_enc)
phys_enc->enable_state = DPU_ENC_ENABLING;
}
-static int dpu_encoder_phys_vid_wait_for_vblank(
+static int dpu_encoder_phys_vid_wait_for_tx_complete(
struct dpu_encoder_phys *phys_enc)
{
struct dpu_encoder_wait_info wait_info;
@@ -557,7 +557,7 @@ static void dpu_encoder_phys_vid_disable(struct dpu_encoder_phys *phys_enc)
* scanout buffer) don't latch properly..
*/
if (dpu_encoder_phys_vid_is_master(phys_enc)) {
- ret = dpu_encoder_phys_vid_wait_for_vblank(phys_enc);
+ ret = dpu_encoder_phys_vid_wait_for_tx_complete(phys_enc);
if (ret) {
atomic_set(&phys_enc->pending_kickoff_cnt, 0);
DRM_ERROR("wait disable failed: id:%u intf:%d ret:%d\n",
@@ -577,7 +577,7 @@ static void dpu_encoder_phys_vid_disable(struct dpu_encoder_phys *phys_enc)
spin_lock_irqsave(phys_enc->enc_spinlock, lock_flags);
dpu_encoder_phys_inc_pending(phys_enc);
spin_unlock_irqrestore(phys_enc->enc_spinlock, lock_flags);
- ret = dpu_encoder_phys_vid_wait_for_vblank(phys_enc);
+ ret = dpu_encoder_phys_vid_wait_for_tx_complete(phys_enc);
if (ret) {
atomic_set(&phys_enc->pending_kickoff_cnt, 0);
DRM_ERROR("wait disable failed: id:%u intf:%d ret:%d\n",
@@ -682,8 +682,7 @@ static void dpu_encoder_phys_vid_init_ops(struct dpu_encoder_phys_ops *ops)
ops->disable = dpu_encoder_phys_vid_disable;
ops->control_vblank_irq = dpu_encoder_phys_vid_control_vblank_irq;
ops->wait_for_commit_done = dpu_encoder_phys_vid_wait_for_commit_done;
- ops->wait_for_vblank = dpu_encoder_phys_vid_wait_for_vblank;
- ops->wait_for_tx_complete = dpu_encoder_phys_vid_wait_for_vblank;
+ ops->wait_for_tx_complete = dpu_encoder_phys_vid_wait_for_tx_complete;
ops->irq_control = dpu_encoder_phys_vid_irq_control;
ops->prepare_for_kickoff = dpu_encoder_phys_vid_prepare_for_kickoff;
ops->handle_post_kickoff = dpu_encoder_phys_vid_handle_post_kickoff;
diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h
index 02fd6c7d0bb7b..182543c92770c 100644
--- a/drivers/gpu/drm/msm/msm_drv.h
+++ b/drivers/gpu/drm/msm/msm_drv.h
@@ -78,12 +78,10 @@ enum msm_dsi_controller {
* enum msm_event_wait - type of HW events to wait for
* @MSM_ENC_COMMIT_DONE - wait for the driver to flush the registers to HW
* @MSM_ENC_TX_COMPLETE - wait for the HW to transfer the frame to panel
- * @MSM_ENC_VBLANK - wait for the HW VBLANK event (for driver-internal waiters)
*/
enum msm_event_wait {
MSM_ENC_COMMIT_DONE = 0,
MSM_ENC_TX_COMPLETE,
- MSM_ENC_VBLANK,
};
/**
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 281/341] drm/msm/dpu: split dpu_encoder_wait_for_event into two functions
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 280/341] drm/msm/dpu: drop MSM_ENC_VBLANK support Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 282/341] drm/msm/dpu: capture snapshot on the first commit_done timeout Greg Kroah-Hartman
` (72 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abhinav Kumar, Dmitry Baryshkov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit d72a3d35b7ef5a3c0260462f130fa3dd7576aa2f ]
Stop multiplexing several events via the dpu_encoder_wait_for_event()
function. Split it into two distinct functions two allow separate
handling of those events.
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/579848/
Link: https://lore.kernel.org/r/20240226-fd-dpu-debug-timeout-v4-2-51eec83dde23@linaro.org
Stable-dep-of: aedf02e46eb5 ("drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 70 +++++++++++++++------
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h | 22 +------
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 +-
drivers/gpu/drm/msm/msm_drv.h | 10 ---
4 files changed, 55 insertions(+), 49 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
index 57001543dc220..ba60997350890 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
@@ -1265,7 +1265,7 @@ static void dpu_encoder_virt_atomic_disable(struct drm_encoder *drm_enc,
trace_dpu_enc_disable(DRMID(drm_enc));
/* wait for idle */
- dpu_encoder_wait_for_event(drm_enc, MSM_ENC_TX_COMPLETE);
+ dpu_encoder_wait_for_tx_complete(drm_enc);
dpu_encoder_resource_control(drm_enc, DPU_ENC_RC_EVENT_PRE_STOP);
@@ -2417,10 +2417,18 @@ struct drm_encoder *dpu_encoder_init(struct drm_device *dev,
return ERR_PTR(ret);
}
-int dpu_encoder_wait_for_event(struct drm_encoder *drm_enc,
- enum msm_event_wait event)
+/**
+ * dpu_encoder_wait_for_commit_done() - Wait for encoder to flush pending state
+ * @drm_enc: encoder pointer
+ *
+ * Wait for hardware to have flushed the current pending changes to hardware at
+ * a vblank or CTL_START. Physical encoders will map this differently depending
+ * on the type: vid mode -> vsync_irq, cmd mode -> CTL_START.
+ *
+ * Return: 0 on success, -EWOULDBLOCK if already signaled, error otherwise
+ */
+int dpu_encoder_wait_for_commit_done(struct drm_encoder *drm_enc)
{
- int (*fn_wait)(struct dpu_encoder_phys *phys_enc) = NULL;
struct dpu_encoder_virt *dpu_enc = NULL;
int i, ret = 0;
@@ -2434,23 +2442,47 @@ int dpu_encoder_wait_for_event(struct drm_encoder *drm_enc,
for (i = 0; i < dpu_enc->num_phys_encs; i++) {
struct dpu_encoder_phys *phys = dpu_enc->phys_encs[i];
- switch (event) {
- case MSM_ENC_COMMIT_DONE:
- fn_wait = phys->ops.wait_for_commit_done;
- break;
- case MSM_ENC_TX_COMPLETE:
- fn_wait = phys->ops.wait_for_tx_complete;
- break;
- default:
- DPU_ERROR_ENC(dpu_enc, "unknown wait event %d\n",
- event);
- return -EINVAL;
+ if (phys->ops.wait_for_commit_done) {
+ DPU_ATRACE_BEGIN("wait_for_commit_done");
+ ret = phys->ops.wait_for_commit_done(phys);
+ DPU_ATRACE_END("wait_for_commit_done");
+ if (ret)
+ return ret;
}
+ }
+
+ return ret;
+}
+
+/**
+ * dpu_encoder_wait_for_tx_complete() - Wait for encoder to transfer pixels to panel
+ * @drm_enc: encoder pointer
+ *
+ * Wait for the hardware to transfer all the pixels to the panel. Physical
+ * encoders will map this differently depending on the type: vid mode -> vsync_irq,
+ * cmd mode -> pp_done.
+ *
+ * Return: 0 on success, -EWOULDBLOCK if already signaled, error otherwise
+ */
+int dpu_encoder_wait_for_tx_complete(struct drm_encoder *drm_enc)
+{
+ struct dpu_encoder_virt *dpu_enc = NULL;
+ int i, ret = 0;
+
+ if (!drm_enc) {
+ DPU_ERROR("invalid encoder\n");
+ return -EINVAL;
+ }
+ dpu_enc = to_dpu_encoder_virt(drm_enc);
+ DPU_DEBUG_ENC(dpu_enc, "\n");
+
+ for (i = 0; i < dpu_enc->num_phys_encs; i++) {
+ struct dpu_encoder_phys *phys = dpu_enc->phys_encs[i];
- if (fn_wait) {
- DPU_ATRACE_BEGIN("wait_for_completion_event");
- ret = fn_wait(phys);
- DPU_ATRACE_END("wait_for_completion_event");
+ if (phys->ops.wait_for_tx_complete) {
+ DPU_ATRACE_BEGIN("wait_for_tx_complete");
+ ret = phys->ops.wait_for_tx_complete(phys);
+ DPU_ATRACE_END("wait_for_tx_complete");
if (ret)
return ret;
}
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h
index fe6b1d312a742..0c928d1876e4a 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h
@@ -93,25 +93,9 @@ void dpu_encoder_kickoff(struct drm_encoder *encoder);
*/
int dpu_encoder_vsync_time(struct drm_encoder *drm_enc, ktime_t *wakeup_time);
-/**
- * dpu_encoder_wait_for_event - Waits for encoder events
- * @encoder: encoder pointer
- * @event: event to wait for
- * MSM_ENC_COMMIT_DONE - Wait for hardware to have flushed the current pending
- * frames to hardware at a vblank or ctl_start
- * Encoders will map this differently depending on the
- * panel type.
- * vid mode -> vsync_irq
- * cmd mode -> ctl_start
- * MSM_ENC_TX_COMPLETE - Wait for the hardware to transfer all the pixels to
- * the panel. Encoders will map this differently
- * depending on the panel type.
- * vid mode -> vsync_irq
- * cmd mode -> pp_done
- * Returns: 0 on success, -EWOULDBLOCK if already signaled, error otherwise
- */
-int dpu_encoder_wait_for_event(struct drm_encoder *drm_encoder,
- enum msm_event_wait event);
+int dpu_encoder_wait_for_commit_done(struct drm_encoder *drm_encoder);
+
+int dpu_encoder_wait_for_tx_complete(struct drm_encoder *drm_encoder);
/*
* dpu_encoder_get_intf_mode - get interface mode of the given encoder
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
index aa6ba2cf4b840..6ba289e04b3b2 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
@@ -490,7 +490,7 @@ static void dpu_kms_wait_for_commit_done(struct msm_kms *kms,
* mode panels. This may be a no-op for command mode panels.
*/
trace_dpu_kms_wait_for_commit_done(DRMID(crtc));
- ret = dpu_encoder_wait_for_event(encoder, MSM_ENC_COMMIT_DONE);
+ ret = dpu_encoder_wait_for_commit_done(encoder);
if (ret && ret != -EWOULDBLOCK) {
DPU_ERROR("wait for commit done returned %d\n", ret);
break;
diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h
index 182543c92770c..48e1a8c6942c9 100644
--- a/drivers/gpu/drm/msm/msm_drv.h
+++ b/drivers/gpu/drm/msm/msm_drv.h
@@ -74,16 +74,6 @@ enum msm_dsi_controller {
#define MSM_GPU_MAX_RINGS 4
#define MAX_H_TILES_PER_DISPLAY 2
-/**
- * enum msm_event_wait - type of HW events to wait for
- * @MSM_ENC_COMMIT_DONE - wait for the driver to flush the registers to HW
- * @MSM_ENC_TX_COMPLETE - wait for the HW to transfer the frame to panel
- */
-enum msm_event_wait {
- MSM_ENC_COMMIT_DONE = 0,
- MSM_ENC_TX_COMPLETE,
-};
-
/**
* struct msm_display_topology - defines a display topology pipeline
* @num_lm: number of layer mixers used
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 282/341] drm/msm/dpu: capture snapshot on the first commit_done timeout
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 281/341] drm/msm/dpu: split dpu_encoder_wait_for_event into two functions Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 283/341] drm/msm/dpu: move dpu_encoders connector assignment to atomic_enable() Greg Kroah-Hartman
` (71 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abhinav Kumar, Dmitry Baryshkov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit 4be445f5b6b6810baf397b2d159bd07c3573fd75 ]
In order to debug commit_done timeouts, capture the devcoredump state
when the first timeout occurs after the encoder has been enabled.
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/579850/
Link: https://lore.kernel.org/r/20240226-fd-dpu-debug-timeout-v4-3-51eec83dde23@linaro.org
Stable-dep-of: aedf02e46eb5 ("drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
index ba60997350890..0c57588044641 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
@@ -124,6 +124,8 @@ enum dpu_enc_rc_states {
* @base: drm_encoder base class for registration with DRM
* @enc_spinlock: Virtual-Encoder-Wide Spin Lock for IRQ purposes
* @enabled: True if the encoder is active, protected by enc_lock
+ * @commit_done_timedout: True if there has been a timeout on commit after
+ * enabling the encoder.
* @num_phys_encs: Actual number of physical encoders contained.
* @phys_encs: Container of physical encoders managed.
* @cur_master: Pointer to the current master in this mode. Optimization
@@ -172,6 +174,7 @@ struct dpu_encoder_virt {
spinlock_t enc_spinlock;
bool enabled;
+ bool commit_done_timedout;
unsigned int num_phys_encs;
struct dpu_encoder_phys *phys_encs[MAX_PHYS_ENCODERS_PER_VIRTUAL];
@@ -1210,6 +1213,9 @@ static void dpu_encoder_virt_atomic_enable(struct drm_encoder *drm_enc,
dpu_enc->dsc = dpu_encoder_get_dsc_config(drm_enc);
mutex_lock(&dpu_enc->enc_lock);
+
+ dpu_enc->commit_done_timedout = false;
+
cur_mode = &dpu_enc->base.crtc->state->adjusted_mode;
trace_dpu_enc_enable(DRMID(drm_enc), cur_mode->hdisplay,
@@ -2446,6 +2452,10 @@ int dpu_encoder_wait_for_commit_done(struct drm_encoder *drm_enc)
DPU_ATRACE_BEGIN("wait_for_commit_done");
ret = phys->ops.wait_for_commit_done(phys);
DPU_ATRACE_END("wait_for_commit_done");
+ if (ret == -ETIMEDOUT && !dpu_enc->commit_done_timedout) {
+ dpu_enc->commit_done_timedout = true;
+ msm_disp_snapshot_state(drm_enc->dev);
+ }
if (ret)
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 283/341] drm/msm/dpu: move dpu_encoders connector assignment to atomic_enable()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 282/341] drm/msm/dpu: capture snapshot on the first commit_done timeout Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 284/341] drm/msm/dp: reset the link phy params before link training Greg Kroah-Hartman
` (70 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Abhinav Kumar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhinav Kumar <quic_abhinavk@quicinc.com>
[ Upstream commit aedf02e46eb549dac8db4821a6b9f0c6bf6e3990 ]
For cases where the crtc's connectors_changed was set without enable/active
getting toggled , there is an atomic_enable() call followed by an
atomic_disable() but without an atomic_mode_set().
This results in a NULL ptr access for the dpu_encoder_get_drm_fmt() call in
the atomic_enable() as the dpu_encoder's connector was cleared in the
atomic_disable() but not re-assigned as there was no atomic_mode_set() call.
Fix the NULL ptr access by moving the assignment for atomic_enable() and also
use drm_atomic_get_new_connector_for_encoder() to get the connector from
the atomic_state.
Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
Reported-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/59
Suggested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Tested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> # SM8350-HDK
Patchwork: https://patchwork.freedesktop.org/patch/606729/
Link: https://lore.kernel.org/r/20240731191723.3050932-1-quic_abhinavk@quicinc.com
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
index 0c57588044641..6262ec5e40204 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
@@ -1119,8 +1119,6 @@ static void dpu_encoder_virt_atomic_mode_set(struct drm_encoder *drm_enc,
cstate->num_mixers = num_lm;
- dpu_enc->connector = conn_state->connector;
-
for (i = 0; i < dpu_enc->num_phys_encs; i++) {
struct dpu_encoder_phys *phys = dpu_enc->phys_encs[i];
@@ -1216,6 +1214,8 @@ static void dpu_encoder_virt_atomic_enable(struct drm_encoder *drm_enc,
dpu_enc->commit_done_timedout = false;
+ dpu_enc->connector = drm_atomic_get_new_connector_for_encoder(state, drm_enc);
+
cur_mode = &dpu_enc->base.crtc->state->adjusted_mode;
trace_dpu_enc_enable(DRMID(drm_enc), cur_mode->hdisplay,
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 284/341] drm/msm/dp: reset the link phy params before link training
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 283/341] drm/msm/dpu: move dpu_encoders connector assignment to atomic_enable() Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 285/341] drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails Greg Kroah-Hartman
` (69 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Stephen Boyd,
Abhinav Kumar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhinav Kumar <quic_abhinavk@quicinc.com>
[ Upstream commit 319aca883bfa1b85ee08411541b51b9a934ac858 ]
Before re-starting link training reset the link phy params namely
the pre-emphasis and voltage swing levels otherwise the next
link training begins at the previously cached levels which can result
in link training failures.
Fixes: 8ede2ecc3e5e ("drm/msm/dp: Add DP compliance tests on Snapdragon Chipsets")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Tested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> # SM8350-HDK
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Patchwork: https://patchwork.freedesktop.org/patch/605946/
Link: https://lore.kernel.org/r/20240725220450.131245-1-quic_abhinavk@quicinc.com
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c
index 780e9747be1fb..7472dfd631b83 100644
--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c
+++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c
@@ -1253,6 +1253,8 @@ static int dp_ctrl_link_train(struct dp_ctrl_private *ctrl,
link_info.rate = ctrl->link->link_params.rate;
link_info.capabilities = DP_LINK_CAP_ENHANCED_FRAMING;
+ dp_link_reset_phy_params_vx_px(ctrl->link);
+
dp_aux_link_configure(ctrl->aux, &link_info);
if (drm_dp_max_downspread(dpcd))
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 285/341] drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 284/341] drm/msm/dp: reset the link phy params before link training Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 286/341] drm/msm/dpu: try multirect based on mdp clock limits Greg Kroah-Hartman
` (68 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Abhinav Kumar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit bfa1a6283be390947d3649c482e5167186a37016 ]
If the dpu_format_populate_layout() fails, then FB is prepared, but not
cleaned up. This ends up leaking the pin_count on the GEM object and
causes a splat during DRM file closure:
msm_obj->pin_count
WARNING: CPU: 2 PID: 569 at drivers/gpu/drm/msm/msm_gem.c:121 update_lru_locked+0xc4/0xcc
[...]
Call trace:
update_lru_locked+0xc4/0xcc
put_pages+0xac/0x100
msm_gem_free_object+0x138/0x180
drm_gem_object_free+0x1c/0x30
drm_gem_object_handle_put_unlocked+0x108/0x10c
drm_gem_object_release_handle+0x58/0x70
idr_for_each+0x68/0xec
drm_gem_release+0x28/0x40
drm_file_free+0x174/0x234
drm_release+0xb0/0x160
__fput+0xc0/0x2c8
__fput_sync+0x50/0x5c
__arm64_sys_close+0x38/0x7c
invoke_syscall+0x48/0x118
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x4c/0x120
el0t_64_sync_handler+0x100/0x12c
el0t_64_sync+0x190/0x194
irq event stamp: 129818
hardirqs last enabled at (129817): [<ffffa5f6d953fcc0>] console_unlock+0x118/0x124
hardirqs last disabled at (129818): [<ffffa5f6da7dcf04>] el1_dbg+0x24/0x8c
softirqs last enabled at (129808): [<ffffa5f6d94afc18>] handle_softirqs+0x4c8/0x4e8
softirqs last disabled at (129785): [<ffffa5f6d94105e4>] __do_softirq+0x14/0x20
Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Patchwork: https://patchwork.freedesktop.org/patch/600714/
Link: https://lore.kernel.org/r/20240625-dpu-mode-config-width-v5-1-501d984d634f@linaro.org
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
index 0be195f9149c5..5ffbf131e1e80 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
@@ -679,6 +679,9 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
new_state->fb, &layout);
if (ret) {
DPU_ERROR_PLANE(pdpu, "failed to get format layout, %d\n", ret);
+ if (pstate->aspace)
+ msm_framebuffer_cleanup(new_state->fb, pstate->aspace,
+ pstate->needs_dirtyfb);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 286/341] drm/msm/dpu: try multirect based on mdp clock limits
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 285/341] drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 287/341] drm/msm/dpu: take plane rotation into account for wide planes Greg Kroah-Hartman
` (67 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abhinav Kumar, Dmitry Baryshkov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhinav Kumar <quic_abhinavk@quicinc.com>
[ Upstream commit e6c0de5f445091d250b75dabc4c60dd2643b8c98 ]
It's certainly possible that for large resolutions a single DPU SSPP
cannot process the image without exceeding the MDP clock limits but
it can still process it in multirect mode because the source rectangles
will get divided and can fall within the MDP clock limits.
If the SSPP cannot process the image even in multirect mode, then it
will be rejected in dpu_plane_atomic_check_pipe().
Hence try using multirect for resolutions which cannot be processed
by a single SSPP without exceeding the MDP clock limits.
changes in v2:
- use crtc_state's adjusted_mode instead of mode
- fix the UBWC condition to check maxlinewidth
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Tested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/556817/
Link: https://lore.kernel.org/r/20230911221627.9569-2-quic_abhinavk@quicinc.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Stable-dep-of: d3a785e4f983 ("drm/msm/dpu: take plane rotation into account for wide planes")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
index 5ffbf131e1e80..3c2a8c0ddaf76 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
@@ -795,6 +795,8 @@ static int dpu_plane_atomic_check(struct drm_plane *plane,
plane);
int ret = 0, min_scale;
struct dpu_plane *pdpu = to_dpu_plane(plane);
+ struct dpu_kms *kms = _dpu_plane_get_kms(&pdpu->base);
+ u64 max_mdp_clk_rate = kms->perf.max_core_clk_rate;
struct dpu_plane_state *pstate = to_dpu_plane_state(new_plane_state);
struct dpu_sw_pipe *pipe = &pstate->pipe;
struct dpu_sw_pipe *r_pipe = &pstate->r_pipe;
@@ -863,14 +865,16 @@ static int dpu_plane_atomic_check(struct drm_plane *plane,
max_linewidth = pdpu->catalog->caps->max_linewidth;
- if (drm_rect_width(&pipe_cfg->src_rect) > max_linewidth) {
+ if ((drm_rect_width(&pipe_cfg->src_rect) > max_linewidth) ||
+ _dpu_plane_calc_clk(&crtc_state->adjusted_mode, pipe_cfg) > max_mdp_clk_rate) {
/*
* In parallel multirect case only the half of the usual width
* is supported for tiled formats. If we are here, we know that
* full width is more than max_linewidth, thus each rect is
* wider than allowed.
*/
- if (DPU_FORMAT_IS_UBWC(fmt)) {
+ if (DPU_FORMAT_IS_UBWC(fmt) &&
+ drm_rect_width(&pipe_cfg->src_rect) > max_linewidth) {
DPU_DEBUG_PLANE(pdpu, "invalid src " DRM_RECT_FMT " line:%u, tiled format\n",
DRM_RECT_ARG(&pipe_cfg->src_rect), max_linewidth);
return -E2BIG;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 287/341] drm/msm/dpu: take plane rotation into account for wide planes
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 286/341] drm/msm/dpu: try multirect based on mdp clock limits Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 288/341] drm/msm/mdss: switch mdss to use devm_of_icc_get() Greg Kroah-Hartman
` (66 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abhinav Kumar, Dmitry Baryshkov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit d3a785e4f983f523380e023d8a05fb6d04402957 ]
Take into account the plane rotation and flipping when calculating src
positions for the wide plane parts.
This is not an issue yet, because rotation is only supported for the
UBWC planes and wide UBWC planes are rejected anyway because in parallel
multirect case only the half of the usual width is supported for tiled
formats. However it's better to fix this now rather than stumbling upon
it later.
Fixes: 80e8ae3b38ab ("drm/msm/dpu: add support for wide planes")
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/601059/
Link: https://lore.kernel.org/r/20240627-dpu-virtual-wide-v5-3-5efb90cbb8be@linaro.org
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
index 3c2a8c0ddaf76..637f50a8d42e6 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
@@ -865,6 +865,10 @@ static int dpu_plane_atomic_check(struct drm_plane *plane,
max_linewidth = pdpu->catalog->caps->max_linewidth;
+ drm_rect_rotate(&pipe_cfg->src_rect,
+ new_plane_state->fb->width, new_plane_state->fb->height,
+ new_plane_state->rotation);
+
if ((drm_rect_width(&pipe_cfg->src_rect) > max_linewidth) ||
_dpu_plane_calc_clk(&crtc_state->adjusted_mode, pipe_cfg) > max_mdp_clk_rate) {
/*
@@ -914,6 +918,14 @@ static int dpu_plane_atomic_check(struct drm_plane *plane,
r_pipe_cfg->dst_rect.x1 = pipe_cfg->dst_rect.x2;
}
+ drm_rect_rotate_inv(&pipe_cfg->src_rect,
+ new_plane_state->fb->width, new_plane_state->fb->height,
+ new_plane_state->rotation);
+ if (r_pipe->sspp)
+ drm_rect_rotate_inv(&r_pipe_cfg->src_rect,
+ new_plane_state->fb->width, new_plane_state->fb->height,
+ new_plane_state->rotation);
+
ret = dpu_plane_atomic_check_pipe(pdpu, pipe, pipe_cfg, fmt, &crtc_state->adjusted_mode);
if (ret)
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 288/341] drm/msm/mdss: switch mdss to use devm_of_icc_get()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 287/341] drm/msm/dpu: take plane rotation into account for wide planes Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 289/341] drm/msm/mdss: Rename path references to mdp_path Greg Kroah-Hartman
` (65 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Abhinav Kumar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit ded61d7dc5a0f8cfe7390aba33187c862d09b177 ]
Stop using hand-written reset function for ICC release, use
devm_of_icc_get() instead.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Patchwork: https://patchwork.freedesktop.org/patch/570161/
Link: https://lore.kernel.org/r/20231202224247.1282567-2-dmitry.baryshkov@linaro.org
Stable-dep-of: 3e30296b374a ("drm/msm: fix the highest_bank_bit for sc7180")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_mdss.c | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_mdss.c b/drivers/gpu/drm/msm/msm_mdss.c
index 348c66b146834..67f225de57d74 100644
--- a/drivers/gpu/drm/msm/msm_mdss.c
+++ b/drivers/gpu/drm/msm/msm_mdss.c
@@ -50,14 +50,14 @@ static int msm_mdss_parse_data_bus_icc_path(struct device *dev,
struct icc_path *path0;
struct icc_path *path1;
- path0 = of_icc_get(dev, "mdp0-mem");
+ path0 = devm_of_icc_get(dev, "mdp0-mem");
if (IS_ERR_OR_NULL(path0))
return PTR_ERR_OR_ZERO(path0);
msm_mdss->path[0] = path0;
msm_mdss->num_paths = 1;
- path1 = of_icc_get(dev, "mdp1-mem");
+ path1 = devm_of_icc_get(dev, "mdp1-mem");
if (!IS_ERR_OR_NULL(path1)) {
msm_mdss->path[1] = path1;
msm_mdss->num_paths++;
@@ -66,15 +66,6 @@ static int msm_mdss_parse_data_bus_icc_path(struct device *dev,
return 0;
}
-static void msm_mdss_put_icc_path(void *data)
-{
- struct msm_mdss *msm_mdss = data;
- int i;
-
- for (i = 0; i < msm_mdss->num_paths; i++)
- icc_put(msm_mdss->path[i]);
-}
-
static void msm_mdss_icc_request_bw(struct msm_mdss *msm_mdss, unsigned long bw)
{
int i;
@@ -391,9 +382,6 @@ static struct msm_mdss *msm_mdss_init(struct platform_device *pdev, bool is_mdp5
dev_dbg(&pdev->dev, "mapped mdss address space @%pK\n", msm_mdss->mmio);
ret = msm_mdss_parse_data_bus_icc_path(&pdev->dev, msm_mdss);
- if (ret)
- return ERR_PTR(ret);
- ret = devm_add_action_or_reset(&pdev->dev, msm_mdss_put_icc_path, msm_mdss);
if (ret)
return ERR_PTR(ret);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 289/341] drm/msm/mdss: Rename path references to mdp_path
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 288/341] drm/msm/mdss: switch mdss to use devm_of_icc_get() Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 290/341] drm/msm/mdss: Handle the reg bus ICC path Greg Kroah-Hartman
` (64 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Abhinav Kumar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@linaro.org>
[ Upstream commit fabaf176322d687b91a4acf1630c0d0a7d097faa ]
The DPU1 driver needs to handle all MDPn<->DDR paths, as well as
CPU<->SLAVE_DISPLAY_CFG. The former ones share how their values are
calculated, but the latter one has static predefines spanning all SoCs.
In preparation for supporting the CPU<->SLAVE_DISPLAY_CFG path, rename
the path-related struct members to include "mdp_".
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Patchwork: https://patchwork.freedesktop.org/patch/570163/
Link: https://lore.kernel.org/r/20231202224247.1282567-3-dmitry.baryshkov@linaro.org
Stable-dep-of: 3e30296b374a ("drm/msm: fix the highest_bank_bit for sc7180")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_mdss.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_mdss.c b/drivers/gpu/drm/msm/msm_mdss.c
index 67f225de57d74..cce3eb505bf46 100644
--- a/drivers/gpu/drm/msm/msm_mdss.c
+++ b/drivers/gpu/drm/msm/msm_mdss.c
@@ -40,8 +40,8 @@ struct msm_mdss {
struct irq_domain *domain;
} irq_controller;
const struct msm_mdss_data *mdss_data;
- struct icc_path *path[2];
- u32 num_paths;
+ struct icc_path *mdp_path[2];
+ u32 num_mdp_paths;
};
static int msm_mdss_parse_data_bus_icc_path(struct device *dev,
@@ -54,13 +54,13 @@ static int msm_mdss_parse_data_bus_icc_path(struct device *dev,
if (IS_ERR_OR_NULL(path0))
return PTR_ERR_OR_ZERO(path0);
- msm_mdss->path[0] = path0;
- msm_mdss->num_paths = 1;
+ msm_mdss->mdp_path[0] = path0;
+ msm_mdss->num_mdp_paths = 1;
path1 = devm_of_icc_get(dev, "mdp1-mem");
if (!IS_ERR_OR_NULL(path1)) {
- msm_mdss->path[1] = path1;
- msm_mdss->num_paths++;
+ msm_mdss->mdp_path[1] = path1;
+ msm_mdss->num_mdp_paths++;
}
return 0;
@@ -70,8 +70,8 @@ static void msm_mdss_icc_request_bw(struct msm_mdss *msm_mdss, unsigned long bw)
{
int i;
- for (i = 0; i < msm_mdss->num_paths; i++)
- icc_set_bw(msm_mdss->path[i], 0, Bps_to_icc(bw));
+ for (i = 0; i < msm_mdss->num_mdp_paths; i++)
+ icc_set_bw(msm_mdss->mdp_path[i], 0, Bps_to_icc(bw));
}
static void msm_mdss_irq(struct irq_desc *desc)
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 290/341] drm/msm/mdss: Handle the reg bus ICC path
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 289/341] drm/msm/mdss: Rename path references to mdp_path Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 291/341] drm/msm: fix the highest_bank_bit for sc7180 Greg Kroah-Hartman
` (63 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Abhinav Kumar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit a55c8ff252d374acb6f78b979cadc38073ce95e8 ]
Apart from the already handled data bus (MAS_MDP_Pn<->DDR), there's
another path that needs to be handled to ensure MDSS functions properly,
namely the "reg bus", a.k.a the CPU-MDSS interconnect.
Gating that path may have a variety of effects, from none to otherwise
inexplicable DSI timeouts.
Provide a way for MDSS driver to vote on this bus.
A note regarding vote values. Newer platforms have corresponding
bandwidth values in the vendor DT files. For the older platforms there
was a static vote in the mdss_mdp and rotator drivers. I choose to be
conservative here and choose this value as a default.
Co-developed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Patchwork: https://patchwork.freedesktop.org/patch/570164/
Link: https://lore.kernel.org/r/20231202224247.1282567-5-dmitry.baryshkov@linaro.org
Stable-dep-of: 3e30296b374a ("drm/msm: fix the highest_bank_bit for sc7180")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_mdss.c | 49 +++++++++++++++++++++++++++++++---
drivers/gpu/drm/msm/msm_mdss.h | 1 +
2 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_mdss.c b/drivers/gpu/drm/msm/msm_mdss.c
index cce3eb505bf46..222b72dc52269 100644
--- a/drivers/gpu/drm/msm/msm_mdss.c
+++ b/drivers/gpu/drm/msm/msm_mdss.c
@@ -28,6 +28,8 @@
#define MIN_IB_BW 400000000UL /* Min ib vote 400MB */
+#define DEFAULT_REG_BW 153600 /* Used in mdss fbdev driver */
+
struct msm_mdss {
struct device *dev;
@@ -42,6 +44,7 @@ struct msm_mdss {
const struct msm_mdss_data *mdss_data;
struct icc_path *mdp_path[2];
u32 num_mdp_paths;
+ struct icc_path *reg_bus_path;
};
static int msm_mdss_parse_data_bus_icc_path(struct device *dev,
@@ -49,6 +52,7 @@ static int msm_mdss_parse_data_bus_icc_path(struct device *dev,
{
struct icc_path *path0;
struct icc_path *path1;
+ struct icc_path *reg_bus_path;
path0 = devm_of_icc_get(dev, "mdp0-mem");
if (IS_ERR_OR_NULL(path0))
@@ -63,6 +67,10 @@ static int msm_mdss_parse_data_bus_icc_path(struct device *dev,
msm_mdss->num_mdp_paths++;
}
+ reg_bus_path = of_icc_get(dev, "cpu-cfg");
+ if (!IS_ERR_OR_NULL(reg_bus_path))
+ msm_mdss->reg_bus_path = reg_bus_path;
+
return 0;
}
@@ -236,6 +244,13 @@ static int msm_mdss_enable(struct msm_mdss *msm_mdss)
*/
msm_mdss_icc_request_bw(msm_mdss, MIN_IB_BW);
+ if (msm_mdss->mdss_data && msm_mdss->mdss_data->reg_bus_bw)
+ icc_set_bw(msm_mdss->reg_bus_path, 0,
+ msm_mdss->mdss_data->reg_bus_bw);
+ else
+ icc_set_bw(msm_mdss->reg_bus_path, 0,
+ DEFAULT_REG_BW);
+
ret = clk_bulk_prepare_enable(msm_mdss->num_clocks, msm_mdss->clocks);
if (ret) {
dev_err(msm_mdss->dev, "clock enable failed, ret:%d\n", ret);
@@ -289,6 +304,9 @@ static int msm_mdss_disable(struct msm_mdss *msm_mdss)
clk_bulk_disable_unprepare(msm_mdss->num_clocks, msm_mdss->clocks);
msm_mdss_icc_request_bw(msm_mdss, 0);
+ if (msm_mdss->reg_bus_path)
+ icc_set_bw(msm_mdss->reg_bus_path, 0, 0);
+
return 0;
}
@@ -375,6 +393,8 @@ static struct msm_mdss *msm_mdss_init(struct platform_device *pdev, bool is_mdp5
if (!msm_mdss)
return ERR_PTR(-ENOMEM);
+ msm_mdss->mdss_data = of_device_get_match_data(&pdev->dev);
+
msm_mdss->mmio = devm_platform_ioremap_resource_byname(pdev, is_mdp5 ? "mdss_phys" : "mdss");
if (IS_ERR(msm_mdss->mmio))
return ERR_CAST(msm_mdss->mmio);
@@ -465,8 +485,6 @@ static int mdss_probe(struct platform_device *pdev)
if (IS_ERR(mdss))
return PTR_ERR(mdss);
- mdss->mdss_data = of_device_get_match_data(&pdev->dev);
-
platform_set_drvdata(pdev, mdss);
/*
@@ -500,11 +518,13 @@ static const struct msm_mdss_data msm8998_data = {
.ubwc_enc_version = UBWC_1_0,
.ubwc_dec_version = UBWC_1_0,
.highest_bank_bit = 2,
+ .reg_bus_bw = 76800,
};
static const struct msm_mdss_data qcm2290_data = {
/* no UBWC */
.highest_bank_bit = 0x2,
+ .reg_bus_bw = 76800,
};
static const struct msm_mdss_data sc7180_data = {
@@ -512,6 +532,7 @@ static const struct msm_mdss_data sc7180_data = {
.ubwc_dec_version = UBWC_2_0,
.ubwc_static = 0x1e,
.highest_bank_bit = 0x3,
+ .reg_bus_bw = 76800,
};
static const struct msm_mdss_data sc7280_data = {
@@ -521,6 +542,7 @@ static const struct msm_mdss_data sc7280_data = {
.ubwc_static = 1,
.highest_bank_bit = 1,
.macrotile_mode = 1,
+ .reg_bus_bw = 74000,
};
static const struct msm_mdss_data sc8180x_data = {
@@ -528,6 +550,7 @@ static const struct msm_mdss_data sc8180x_data = {
.ubwc_dec_version = UBWC_3_0,
.highest_bank_bit = 3,
.macrotile_mode = 1,
+ .reg_bus_bw = 76800,
};
static const struct msm_mdss_data sc8280xp_data = {
@@ -537,12 +560,14 @@ static const struct msm_mdss_data sc8280xp_data = {
.ubwc_static = 1,
.highest_bank_bit = 2,
.macrotile_mode = 1,
+ .reg_bus_bw = 76800,
};
static const struct msm_mdss_data sdm845_data = {
.ubwc_enc_version = UBWC_2_0,
.ubwc_dec_version = UBWC_2_0,
.highest_bank_bit = 2,
+ .reg_bus_bw = 76800,
};
static const struct msm_mdss_data sm6350_data = {
@@ -551,12 +576,14 @@ static const struct msm_mdss_data sm6350_data = {
.ubwc_swizzle = 6,
.ubwc_static = 0x1e,
.highest_bank_bit = 1,
+ .reg_bus_bw = 76800,
};
static const struct msm_mdss_data sm8150_data = {
.ubwc_enc_version = UBWC_3_0,
.ubwc_dec_version = UBWC_3_0,
.highest_bank_bit = 2,
+ .reg_bus_bw = 76800,
};
static const struct msm_mdss_data sm6115_data = {
@@ -565,6 +592,7 @@ static const struct msm_mdss_data sm6115_data = {
.ubwc_swizzle = 7,
.ubwc_static = 0x11f,
.highest_bank_bit = 0x1,
+ .reg_bus_bw = 76800,
};
static const struct msm_mdss_data sm6125_data = {
@@ -582,6 +610,18 @@ static const struct msm_mdss_data sm8250_data = {
/* TODO: highest_bank_bit = 2 for LP_DDR4 */
.highest_bank_bit = 3,
.macrotile_mode = 1,
+ .reg_bus_bw = 76800,
+};
+
+static const struct msm_mdss_data sm8350_data = {
+ .ubwc_enc_version = UBWC_4_0,
+ .ubwc_dec_version = UBWC_4_0,
+ .ubwc_swizzle = 6,
+ .ubwc_static = 1,
+ /* TODO: highest_bank_bit = 2 for LP_DDR4 */
+ .highest_bank_bit = 3,
+ .macrotile_mode = 1,
+ .reg_bus_bw = 74000,
};
static const struct msm_mdss_data sm8550_data = {
@@ -592,6 +632,7 @@ static const struct msm_mdss_data sm8550_data = {
/* TODO: highest_bank_bit = 2 for LP_DDR4 */
.highest_bank_bit = 3,
.macrotile_mode = 1,
+ .reg_bus_bw = 57000,
};
static const struct of_device_id mdss_dt_match[] = {
{ .compatible = "qcom,mdss" },
@@ -608,8 +649,8 @@ static const struct of_device_id mdss_dt_match[] = {
{ .compatible = "qcom,sm6375-mdss", .data = &sm6350_data },
{ .compatible = "qcom,sm8150-mdss", .data = &sm8150_data },
{ .compatible = "qcom,sm8250-mdss", .data = &sm8250_data },
- { .compatible = "qcom,sm8350-mdss", .data = &sm8250_data },
- { .compatible = "qcom,sm8450-mdss", .data = &sm8250_data },
+ { .compatible = "qcom,sm8350-mdss", .data = &sm8350_data },
+ { .compatible = "qcom,sm8450-mdss", .data = &sm8350_data },
{ .compatible = "qcom,sm8550-mdss", .data = &sm8550_data },
{}
};
diff --git a/drivers/gpu/drm/msm/msm_mdss.h b/drivers/gpu/drm/msm/msm_mdss.h
index 02bbab42adbc0..3afef4b1786d2 100644
--- a/drivers/gpu/drm/msm/msm_mdss.h
+++ b/drivers/gpu/drm/msm/msm_mdss.h
@@ -14,6 +14,7 @@ struct msm_mdss_data {
u32 ubwc_static;
u32 highest_bank_bit;
u32 macrotile_mode;
+ u32 reg_bus_bw;
};
#define UBWC_1_0 0x10000000
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 291/341] drm/msm: fix the highest_bank_bit for sc7180
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 290/341] drm/msm/mdss: Handle the reg bus ICC path Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 292/341] mmc: mmc_test: Fix NULL dereference on allocation failure Greg Kroah-Hartman
` (62 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Clark, Abhinav Kumar,
Sasha Levin, Stephen Boyd
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhinav Kumar <quic_abhinavk@quicinc.com>
[ Upstream commit 3e30296b374af33cb4c12ff93df0b1e5b2d0f80b ]
sc7180 programs the ubwc settings as 0x1e as that would mean a
highest bank bit of 14 which matches what the GPU sets as well.
However, the highest_bank_bit field of the msm_mdss_data which is
being used to program the SSPP's fetch configuration is programmed
to a highest bank bit of 16 as 0x3 translates to 16 and not 14.
Fix the highest bank bit field used for the SSPP to match the mdss
and gpu settings.
Fixes: 6f410b246209 ("drm/msm/mdss: populate missing data")
Reviewed-by: Rob Clark <robdclark@gmail.com>
Tested-by: Stephen Boyd <swboyd@chromium.org> # Trogdor.Lazor
Patchwork: https://patchwork.freedesktop.org/patch/607625/
Link: https://lore.kernel.org/r/20240808235227.2701479-1-quic_abhinavk@quicinc.com
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_mdss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/msm_mdss.c b/drivers/gpu/drm/msm/msm_mdss.c
index 222b72dc52269..69d10acd8ca74 100644
--- a/drivers/gpu/drm/msm/msm_mdss.c
+++ b/drivers/gpu/drm/msm/msm_mdss.c
@@ -531,7 +531,7 @@ static const struct msm_mdss_data sc7180_data = {
.ubwc_enc_version = UBWC_2_0,
.ubwc_dec_version = UBWC_2_0,
.ubwc_static = 0x1e,
- .highest_bank_bit = 0x3,
+ .highest_bank_bit = 0x1,
.reg_bus_bw = 76800,
};
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 292/341] mmc: mmc_test: Fix NULL dereference on allocation failure
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 291/341] drm/msm: fix the highest_bank_bit for sc7180 Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 293/341] smb: client: ignore unhandled reparse tags Greg Kroah-Hartman
` (61 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Ulf Hansson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit a1e627af32ed60713941cbfc8075d44cad07f6dd ]
If the "test->highmem = alloc_pages()" allocation fails then calling
__free_pages(test->highmem) will result in a NULL dereference. Also
change the error code to -ENOMEM instead of returning success.
Fixes: 2661081f5ab9 ("mmc_test: highmem tests")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/8c90be28-67b4-4b0d-a105-034dc72a0b31@stanley.mountain
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/core/mmc_test.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/mmc/core/mmc_test.c b/drivers/mmc/core/mmc_test.c
index 0f6a563103fd2..d780880ddd14b 100644
--- a/drivers/mmc/core/mmc_test.c
+++ b/drivers/mmc/core/mmc_test.c
@@ -3104,13 +3104,13 @@ static ssize_t mtf_test_write(struct file *file, const char __user *buf,
test->buffer = kzalloc(BUFFER_SIZE, GFP_KERNEL);
#ifdef CONFIG_HIGHMEM
test->highmem = alloc_pages(GFP_KERNEL | __GFP_HIGHMEM, BUFFER_ORDER);
+ if (!test->highmem) {
+ count = -ENOMEM;
+ goto free_test_buffer;
+ }
#endif
-#ifdef CONFIG_HIGHMEM
- if (test->buffer && test->highmem) {
-#else
if (test->buffer) {
-#endif
mutex_lock(&mmc_test_lock);
mmc_test_run(test, testcase);
mutex_unlock(&mmc_test_lock);
@@ -3118,6 +3118,7 @@ static ssize_t mtf_test_write(struct file *file, const char __user *buf,
#ifdef CONFIG_HIGHMEM
__free_pages(test->highmem, BUFFER_ORDER);
+free_test_buffer:
#endif
kfree(test->buffer);
kfree(test);
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 293/341] smb: client: ignore unhandled reparse tags
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 292/341] mmc: mmc_test: Fix NULL dereference on allocation failure Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 294/341] Bluetooth: MGMT: Add error handling to pair_device() Greg Kroah-Hartman
` (60 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc, Anthony Nandaa (Microsoft),
Paulo Alcantara (Red Hat), Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit ec686804117a0421cf31d54427768aaf93aa0069 ]
Just ignore reparse points that the client can't parse rather than
bailing out and not opening the file or directory.
Reported-by: Marc <1marc1@gmail.com>
Closes: https://lore.kernel.org/r/CAMHwNVv-B+Q6wa0FEXrAuzdchzcJRsPKDDRrNaYZJd6X-+iJzw@mail.gmail.com
Fixes: 539aad7f14da ("smb: client: introduce ->parse_reparse_point()")
Tested-by: Anthony Nandaa (Microsoft) <profnandaa@gmail.com>
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/reparse.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index 689d8a506d459..48c27581ec511 100644
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -378,6 +378,8 @@ int parse_reparse_point(struct reparse_data_buffer *buf,
u32 plen, struct cifs_sb_info *cifs_sb,
bool unicode, struct cifs_open_info_data *data)
{
+ struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+
data->reparse.buf = buf;
/* See MS-FSCC 2.1.2 */
@@ -394,12 +396,13 @@ int parse_reparse_point(struct reparse_data_buffer *buf,
case IO_REPARSE_TAG_LX_FIFO:
case IO_REPARSE_TAG_LX_CHR:
case IO_REPARSE_TAG_LX_BLK:
- return 0;
+ break;
default:
- cifs_dbg(VFS, "%s: unhandled reparse tag: 0x%08x\n",
- __func__, le32_to_cpu(buf->ReparseTag));
- return -EOPNOTSUPP;
+ cifs_tcon_dbg(VFS | ONCE, "unhandled reparse tag: 0x%08x\n",
+ le32_to_cpu(buf->ReparseTag));
+ break;
}
+ return 0;
}
int smb2_parse_reparse_point(struct cifs_sb_info *cifs_sb,
--
2.43.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 294/341] Bluetooth: MGMT: Add error handling to pair_device()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 293/341] smb: client: ignore unhandled reparse tags Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 295/341] scsi: core: Fix the return value of scsi_logical_block_count() Greg Kroah-Hartman
` (59 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Griffin Kroah-Hartman,
Yiwei Zhang, Luiz Augusto von Dentz
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Griffin Kroah-Hartman <griffin@kroah.com>
commit 538fd3921afac97158d4177139a0ad39f056dbb2 upstream.
hci_conn_params_add() never checks for a NULL value and could lead to a NULL
pointer dereference causing a crash.
Fixed by adding error handling in the function.
Cc: Stable <stable@kernel.org>
Fixes: 5157b8a503fa ("Bluetooth: Fix initializing conn_params in scan phase")
Signed-off-by: Griffin Kroah-Hartman <griffin@kroah.com>
Reported-by: Yiwei Zhang <zhan4630@purdue.edu>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/mgmt.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -3449,6 +3449,10 @@ static int pair_device(struct sock *sk,
* will be kept and this function does nothing.
*/
p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
+ if (!p) {
+ err = -EIO;
+ goto unlock;
+ }
if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
p->auto_connect = HCI_AUTO_CONN_DISABLED;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 295/341] scsi: core: Fix the return value of scsi_logical_block_count()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 294/341] Bluetooth: MGMT: Add error handling to pair_device() Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 296/341] ksmbd: the buffer of smb2 query dir response has at least 1 byte Greg Kroah-Hartman
` (58 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chaotian Jing, Bart Van Assche,
Martin K. Petersen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chaotian Jing <chaotian.jing@mediatek.com>
commit f03e94f23b04c2b71c0044c1534921b3975ef10c upstream.
scsi_logical_block_count() should return the block count of a given SCSI
command. The original implementation ended up shifting twice, leading to an
incorrect count being returned. Fix the conversion between bytes and
logical blocks.
Cc: stable@vger.kernel.org
Fixes: 6a20e21ae1e2 ("scsi: core: Add helper to return number of logical blocks in a request")
Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
Link: https://lore.kernel.org/r/20240813053534.7720-1-chaotian.jing@mediatek.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/scsi/scsi_cmnd.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/scsi/scsi_cmnd.h
+++ b/include/scsi/scsi_cmnd.h
@@ -234,7 +234,7 @@ static inline sector_t scsi_get_lba(stru
static inline unsigned int scsi_logical_block_count(struct scsi_cmnd *scmd)
{
- unsigned int shift = ilog2(scmd->device->sector_size) - SECTOR_SHIFT;
+ unsigned int shift = ilog2(scmd->device->sector_size);
return blk_rq_bytes(scsi_cmd_to_rq(scmd)) >> shift;
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 296/341] ksmbd: the buffer of smb2 query dir response has at least 1 byte
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 295/341] scsi: core: Fix the return value of scsi_logical_block_count() Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 297/341] drm/amdgpu: Validate TA binary size Greg Kroah-Hartman
` (57 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit ce61b605a00502c59311d0a4b1f58d62b48272d0 upstream.
When STATUS_NO_MORE_FILES status is set to smb2 query dir response,
->StructureSize is set to 9, which mean buffer has 1 byte.
This issue occurs because ->Buffer[1] in smb2_query_directory_rsp to
flex-array.
Fixes: eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
Cc: stable@vger.kernel.org # v6.1+
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4406,7 +4406,8 @@ int smb2_query_dir(struct ksmbd_work *wo
rsp->OutputBufferLength = cpu_to_le32(0);
rsp->Buffer[0] = 0;
rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
- sizeof(struct smb2_query_directory_rsp));
+ offsetof(struct smb2_query_directory_rsp, Buffer)
+ + 1);
if (rc)
goto err_out;
} else {
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 297/341] drm/amdgpu: Validate TA binary size
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 296/341] ksmbd: the buffer of smb2 query dir response has at least 1 byte Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 298/341] net: dsa: microchip: fix PTP config failure when using multiple ports Greg Kroah-Hartman
` (56 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Candice Li, Hawking Zhang,
Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Candice Li <candice.li@amd.com>
commit c99769bceab4ecb6a067b9af11f9db281eea3e2a upstream.
Add TA binary size validation to avoid OOB write.
Signed-off-by: Candice Li <candice.li@amd.com>
Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit c0a04e3570d72aaf090962156ad085e37c62e442)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c
@@ -166,6 +166,9 @@ static ssize_t ta_if_load_debugfs_write(
if (ret)
return -EFAULT;
+ if (ta_bin_len > PSP_1_MEG)
+ return -EINVAL;
+
copy_pos += sizeof(uint32_t);
ta_bin = kzalloc(ta_bin_len, GFP_KERNEL);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 298/341] net: dsa: microchip: fix PTP config failure when using multiple ports
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 297/341] drm/amdgpu: Validate TA binary size Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 299/341] MIPS: Loongson64: Set timer mode in cpu-probe Greg Kroah-Hartman
` (55 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Whitaker, Andrew Lunn,
Arun Ramadoss, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Whitaker <foss@martin-whitaker.me.uk>
commit 6efea5135417ae8194485d1d05ea79a21cf1a11c upstream.
When performing the port_hwtstamp_set operation, ptp_schedule_worker()
will be called if hardware timestamoing is enabled on any of the ports.
When using multiple ports for PTP, port_hwtstamp_set is executed for
each port. When called for the first time ptp_schedule_worker() returns
0. On subsequent calls it returns 1, indicating the worker is already
scheduled. Currently the ksz driver treats 1 as an error and fails to
complete the port_hwtstamp_set operation, thus leaving the timestamping
configuration for those ports unchanged.
This patch fixes this by ignoring the ptp_schedule_worker() return
value.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/7aae307a-35ca-4209-a850-7b2749d40f90@martin-whitaker.me.uk
Fixes: bb01ad30570b0 ("net: dsa: microchip: ptp: manipulating absolute time using ptp hw clock")
Signed-off-by: Martin Whitaker <foss@martin-whitaker.me.uk>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Acked-by: Arun Ramadoss <arun.ramadoss@microchip.com>
Link: https://patch.msgid.link/20240817094141.3332-1-foss@martin-whitaker.me.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/microchip/ksz_ptp.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/net/dsa/microchip/ksz_ptp.c
+++ b/drivers/net/dsa/microchip/ksz_ptp.c
@@ -266,7 +266,6 @@ static int ksz_ptp_enable_mode(struct ks
struct ksz_port *prt;
struct dsa_port *dp;
bool tag_en = false;
- int ret;
dsa_switch_for_each_user_port(dp, dev->ds) {
prt = &dev->ports[dp->index];
@@ -277,9 +276,7 @@ static int ksz_ptp_enable_mode(struct ks
}
if (tag_en) {
- ret = ptp_schedule_worker(ptp_data->clock, 0);
- if (ret)
- return ret;
+ ptp_schedule_worker(ptp_data->clock, 0);
} else {
ptp_cancel_worker_sync(ptp_data->clock);
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 299/341] MIPS: Loongson64: Set timer mode in cpu-probe
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 298/341] net: dsa: microchip: fix PTP config failure when using multiple ports Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 300/341] HID: wacom: Defer calculation of resolution until resolution_code is known Greg Kroah-Hartman
` (54 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiaxun Yang, Thomas Bogendoerfer
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiaxun Yang <jiaxun.yang@flygoat.com>
commit 1cb6ab446424649f03c82334634360c2e3043684 upstream.
Loongson64 C and G processors have EXTIMER feature which
is conflicting with CP0 counter.
Although the processor resets in EXTIMER disabled & INTIMER
enabled mode, which is compatible with MIPS CP0 compare, firmware
may attempt to enable EXTIMER and interfere CP0 compare.
Set timer mode back to MIPS compatible mode to fix booting on
systems with such firmware before we have an actual driver for
EXTIMER.
Cc: stable@vger.kernel.org
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/kernel/cpu-probe.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/mips/kernel/cpu-probe.c
+++ b/arch/mips/kernel/cpu-probe.c
@@ -1725,12 +1725,16 @@ static inline void cpu_probe_loongson(st
c->ases |= (MIPS_ASE_LOONGSON_MMI | MIPS_ASE_LOONGSON_CAM |
MIPS_ASE_LOONGSON_EXT | MIPS_ASE_LOONGSON_EXT2);
c->ases &= ~MIPS_ASE_VZ; /* VZ of Loongson-3A2000/3000 is incomplete */
+ change_c0_config6(LOONGSON_CONF6_EXTIMER | LOONGSON_CONF6_INTIMER,
+ LOONGSON_CONF6_INTIMER);
break;
case PRID_IMP_LOONGSON_64G:
__cpu_name[cpu] = "ICT Loongson-3";
set_elf_platform(cpu, "loongson3a");
set_isa(c, MIPS_CPU_ISA_M64R2);
decode_cpucfg(c);
+ change_c0_config6(LOONGSON_CONF6_EXTIMER | LOONGSON_CONF6_INTIMER,
+ LOONGSON_CONF6_INTIMER);
break;
default:
panic("Unknown Loongson Processor ID!");
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 300/341] HID: wacom: Defer calculation of resolution until resolution_code is known
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 299/341] MIPS: Loongson64: Set timer mode in cpu-probe Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 301/341] Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 Greg Kroah-Hartman
` (53 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gerecke, Jiri Kosina
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gerecke <jason.gerecke@wacom.com>
commit 1b8f9c1fb464968a5b18d3acc1da8c00bad24fad upstream.
The Wacom driver maps the HID_DG_TWIST usage to ABS_Z (rather than ABS_RZ)
for historic reasons. When the code to support twist was introduced in
commit 50066a042da5 ("HID: wacom: generic: Add support for height, tilt,
and twist usages"), we were careful to write it in such a way that it had
HID calculate the resolution of the twist axis assuming ABS_RZ instead
(so that we would get correct angular behavior). This was broken with
the introduction of commit 08a46b4190d3 ("HID: wacom: Set a default
resolution for older tablets"), which moved the resolution calculation
to occur *before* the adjustment from ABS_Z to ABS_RZ occurred.
This commit moves the calculation of resolution after the point that
we are finished setting things up for its proper use.
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Fixes: 08a46b4190d3 ("HID: wacom: Set a default resolution for older tablets")
Cc: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/wacom_wac.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -1924,12 +1924,14 @@ static void wacom_map_usage(struct input
int fmax = field->logical_maximum;
unsigned int equivalent_usage = wacom_equivalent_usage(usage->hid);
int resolution_code = code;
- int resolution = hidinput_calc_abs_res(field, resolution_code);
+ int resolution;
if (equivalent_usage == HID_DG_TWIST) {
resolution_code = ABS_RZ;
}
+ resolution = hidinput_calc_abs_res(field, resolution_code);
+
if (equivalent_usage == HID_GD_X) {
fmin += features->offset_left;
fmax -= features->offset_right;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 301/341] Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 300/341] HID: wacom: Defer calculation of resolution until resolution_code is known Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 302/341] Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination Greg Kroah-Hartman
` (52 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Werner Sembach, Hans de Goede,
Dmitry Torokhov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Werner Sembach <wse@tuxedocomputers.com>
commit 3d765ae2daccc570b3f4fbcb57eb321b12cdded2 upstream.
On s3 resume the i8042 driver tries to restore the controller to a known
state by reinitializing things, however this can confuse the controller
with different effects. Mostly occasionally unresponsive keyboards after
resume.
These issues do not rise on s0ix resume as here the controller is assumed
to preserved its state from before suspend.
This patch adds a quirk for devices where the reinitialization on s3 resume
is not needed and might be harmful as described above. It does this by
using the s0ix resume code path at selected locations.
This new quirk goes beyond what the preexisting reset=never quirk does,
which only skips some reinitialization steps.
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Cc: stable@vger.kernel.org
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20240104183118.779778-2-wse@tuxedocomputers.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/i8042-acpipnpio.h | 10 +++++++---
drivers/input/serio/i8042.c | 10 +++++++---
2 files changed, 14 insertions(+), 6 deletions(-)
--- a/drivers/input/serio/i8042-acpipnpio.h
+++ b/drivers/input/serio/i8042-acpipnpio.h
@@ -83,6 +83,7 @@ static inline void i8042_write_command(i
#define SERIO_QUIRK_KBDRESET BIT(12)
#define SERIO_QUIRK_DRITEK BIT(13)
#define SERIO_QUIRK_NOPNP BIT(14)
+#define SERIO_QUIRK_FORCENORESTORE BIT(15)
/* Quirk table for different mainboards. Options similar or identical to i8042
* module parameters.
@@ -1685,6 +1686,8 @@ static void __init i8042_check_quirks(vo
if (quirks & SERIO_QUIRK_NOPNP)
i8042_nopnp = true;
#endif
+ if (quirks & SERIO_QUIRK_FORCENORESTORE)
+ i8042_forcenorestore = true;
}
#else
static inline void i8042_check_quirks(void) {}
@@ -1718,7 +1721,7 @@ static int __init i8042_platform_init(vo
i8042_check_quirks();
- pr_debug("Active quirks (empty means none):%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
+ pr_debug("Active quirks (empty means none):%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
i8042_nokbd ? " nokbd" : "",
i8042_noaux ? " noaux" : "",
i8042_nomux ? " nomux" : "",
@@ -1738,10 +1741,11 @@ static int __init i8042_platform_init(vo
"",
#endif
#ifdef CONFIG_PNP
- i8042_nopnp ? " nopnp" : "");
+ i8042_nopnp ? " nopnp" : "",
#else
- "");
+ "",
#endif
+ i8042_forcenorestore ? " forcenorestore" : "");
retval = i8042_pnp_init();
if (retval)
--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -115,6 +115,10 @@ module_param_named(nopnp, i8042_nopnp, b
MODULE_PARM_DESC(nopnp, "Do not use PNP to detect controller settings");
#endif
+static bool i8042_forcenorestore;
+module_param_named(forcenorestore, i8042_forcenorestore, bool, 0);
+MODULE_PARM_DESC(forcenorestore, "Force no restore on s3 resume, copying s2idle behaviour");
+
#define DEBUG
#ifdef DEBUG
static bool i8042_debug;
@@ -1232,7 +1236,7 @@ static int i8042_pm_suspend(struct devic
{
int i;
- if (pm_suspend_via_firmware())
+ if (!i8042_forcenorestore && pm_suspend_via_firmware())
i8042_controller_reset(true);
/* Set up serio interrupts for system wakeup. */
@@ -1248,7 +1252,7 @@ static int i8042_pm_suspend(struct devic
static int i8042_pm_resume_noirq(struct device *dev)
{
- if (!pm_resume_via_firmware())
+ if (i8042_forcenorestore || !pm_resume_via_firmware())
i8042_interrupt(0, NULL);
return 0;
@@ -1271,7 +1275,7 @@ static int i8042_pm_resume(struct device
* not restore the controller state to whatever it had been at boot
* time, so we do not need to do anything.
*/
- if (!pm_suspend_via_firmware())
+ if (i8042_forcenorestore || !pm_suspend_via_firmware())
return 0;
/*
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 302/341] Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 301/341] Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 303/341] cxgb4: add forgotten u64 ivlan cast before shift Greg Kroah-Hartman
` (51 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Werner Sembach, Hans de Goede,
Dmitry Torokhov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Werner Sembach <wse@tuxedocomputers.com>
commit aaa4ca873d3da768896ffc909795359a01e853ef upstream.
The old quirk combination sometimes cause a laggy keyboard after boot. With
the new quirk the initial issue of an unresponsive keyboard after s3 resume
is also fixed, but it doesn't have the negative side effect of the
sometimes laggy keyboard.
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Cc: stable@vger.kernel.org
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20240104183118.779778-3-wse@tuxedocomputers.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/i8042-acpipnpio.h | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
--- a/drivers/input/serio/i8042-acpipnpio.h
+++ b/drivers/input/serio/i8042-acpipnpio.h
@@ -1150,18 +1150,10 @@ static const struct dmi_system_id i8042_
SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
},
{
- /*
- * Setting SERIO_QUIRK_NOMUX or SERIO_QUIRK_RESET_ALWAYS makes
- * the keyboard very laggy for ~5 seconds after boot and
- * sometimes also after resume.
- * However both are required for the keyboard to not fail
- * completely sometimes after boot or resume.
- */
.matches = {
DMI_MATCH(DMI_BOARD_NAME, "N150CU"),
},
- .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
- SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
+ .driver_data = (void *)(SERIO_QUIRK_FORCENORESTORE)
},
{
.matches = {
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 303/341] cxgb4: add forgotten u64 ivlan cast before shift
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 302/341] Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 304/341] KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 Greg Kroah-Hartman
` (50 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikolay Kuratov, Simon Horman,
Jacob Keller, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Kuratov <kniv@yandex-team.ru>
commit 80a1e7b83bb1834b5568a3872e64c05795d88f31 upstream.
It is done everywhere in cxgb4 code, e.g. in is_filter_exact_match()
There is no reason it should not be done here
Found by Linux Verification Center (linuxtesting.org) with SVACE
Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
Cc: stable@vger.kernel.org
Fixes: 12b276fbf6e0 ("cxgb4: add support to create hash filters")
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20240819075408.92378-1-kniv@yandex-team.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
@@ -1244,7 +1244,8 @@ static u64 hash_filter_ntuple(struct ch_
* in the Compressed Filter Tuple.
*/
if (tp->vlan_shift >= 0 && fs->mask.ivlan)
- ntuple |= (FT_VLAN_VLD_F | fs->val.ivlan) << tp->vlan_shift;
+ ntuple |= (u64)(FT_VLAN_VLD_F |
+ fs->val.ivlan) << tp->vlan_shift;
if (tp->port_shift >= 0 && fs->mask.iport)
ntuple |= (u64)fs->val.iport << tp->port_shift;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 304/341] KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 303/341] cxgb4: add forgotten u64 ivlan cast before shift Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 305/341] mmc: mtk-sd: receive cmd8 data when hs400 tuning fail Greg Kroah-Hartman
` (49 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko, Marc Zyngier,
Oliver Upton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit 3e6245ebe7ef341639e9a7e402b3ade8ad45a19f upstream.
On a system with a GICv3, if a guest hasn't been configured with
GICv3 and that the host is not capable of GICv2 emulation,
a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2.
We therefore try to emulate the SGI access, only to hit a NULL
pointer as no private interrupt is allocated (no GIC, remember?).
The obvious fix is to give the guest what it deserves, in the
shape of a UNDEF exception.
Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240820100349.3544850-2-maz@kernel.org
Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/sys_regs.c | 6 ++++++
arch/arm64/kvm/vgic/vgic.h | 7 +++++++
2 files changed, 13 insertions(+)
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -32,6 +32,7 @@
#include <trace/events/kvm.h>
#include "sys_regs.h"
+#include "vgic/vgic.h"
#include "trace.h"
@@ -301,6 +302,11 @@ static bool access_gic_sgi(struct kvm_vc
{
bool g1;
+ if (!kvm_has_gicv3(vcpu->kvm)) {
+ kvm_inject_undefined(vcpu);
+ return false;
+ }
+
if (!p->is_write)
return read_from_write_only(vcpu, p, r);
--- a/arch/arm64/kvm/vgic/vgic.h
+++ b/arch/arm64/kvm/vgic/vgic.h
@@ -343,4 +343,11 @@ void vgic_v4_configure_vsgis(struct kvm
void vgic_v4_get_vlpi_state(struct vgic_irq *irq, bool *val);
int vgic_v4_request_vpe_irq(struct kvm_vcpu *vcpu, int irq);
+static inline bool kvm_has_gicv3(struct kvm *kvm)
+{
+ return (static_branch_unlikely(&kvm_vgic_global_state.gicv3_cpuif) &&
+ irqchip_in_kernel(kvm) &&
+ kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3);
+}
+
#endif
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 305/341] mmc: mtk-sd: receive cmd8 data when hs400 tuning fail
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 304/341] KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 306/341] mmc: dw_mmc: allow biu and ciu clocks to defer Greg Kroah-Hartman
` (48 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mengqi Zhang, stable, Ulf Hansson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mengqi Zhang <mengqi.zhang@mediatek.com>
commit 9374ae912dbb1eed8139ed75fd2c0f1b30ca454d upstream.
When we use cmd8 as the tuning command in hs400 mode, the command
response sent back by some eMMC devices cannot be correctly sampled
by MTK eMMC controller at some weak sample timing. In this case,
command timeout error may occur. So we must receive the following
data to make sure the next cmd8 send correctly.
Signed-off-by: Mengqi Zhang <mengqi.zhang@mediatek.com>
Fixes: c4ac38c6539b ("mmc: mtk-sd: Add HS400 online tuning support")
Cc: stable@vger.stable.com
Link: https://lore.kernel.org/r/20240716013704.10578-1-mengqi.zhang@mediatek.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/mtk-sd.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/mmc/host/mtk-sd.c
+++ b/drivers/mmc/host/mtk-sd.c
@@ -1222,7 +1222,7 @@ static bool msdc_cmd_done(struct msdc_ho
}
if (!sbc_error && !(events & MSDC_INT_CMDRDY)) {
- if (events & MSDC_INT_CMDTMO ||
+ if ((events & MSDC_INT_CMDTMO && !host->hs400_tuning) ||
(!mmc_op_tuning(cmd->opcode) && !host->hs400_tuning))
/*
* should not clear fifo/interrupt as the tune data
@@ -1315,9 +1315,9 @@ static void msdc_start_command(struct ms
static void msdc_cmd_next(struct msdc_host *host,
struct mmc_request *mrq, struct mmc_command *cmd)
{
- if ((cmd->error &&
- !(cmd->error == -EILSEQ &&
- (mmc_op_tuning(cmd->opcode) || host->hs400_tuning))) ||
+ if ((cmd->error && !host->hs400_tuning &&
+ !(cmd->error == -EILSEQ &&
+ mmc_op_tuning(cmd->opcode))) ||
(mrq->sbc && mrq->sbc->error))
msdc_request_done(host, mrq);
else if (cmd == mrq->sbc)
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 306/341] mmc: dw_mmc: allow biu and ciu clocks to defer
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 305/341] mmc: mtk-sd: receive cmd8 data when hs400 tuning fail Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 307/341] pmdomain: imx: scu-pd: Remove duplicated clocks Greg Kroah-Hartman
` (47 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ben Whitten, Ulf Hansson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Whitten <ben.whitten@gmail.com>
commit 6275c7bc8dd07644ea8142a1773d826800f0f3f7 upstream.
Fix a race condition if the clock provider comes up after mmc is probed,
this causes mmc to fail without retrying.
When given the DEFER error from the clk source, pass it on up the chain.
Fixes: f90a0612f0e1 ("mmc: dw_mmc: lookup for optional biu and ciu clocks")
Signed-off-by: Ben Whitten <ben.whitten@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240811212212.123255-1-ben.whitten@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/dw_mmc.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/mmc/host/dw_mmc.c
+++ b/drivers/mmc/host/dw_mmc.c
@@ -3294,6 +3294,10 @@ int dw_mci_probe(struct dw_mci *host)
host->biu_clk = devm_clk_get(host->dev, "biu");
if (IS_ERR(host->biu_clk)) {
dev_dbg(host->dev, "biu clock not available\n");
+ ret = PTR_ERR(host->biu_clk);
+ if (ret == -EPROBE_DEFER)
+ return ret;
+
} else {
ret = clk_prepare_enable(host->biu_clk);
if (ret) {
@@ -3305,6 +3309,10 @@ int dw_mci_probe(struct dw_mci *host)
host->ciu_clk = devm_clk_get(host->dev, "ciu");
if (IS_ERR(host->ciu_clk)) {
dev_dbg(host->dev, "ciu clock not available\n");
+ ret = PTR_ERR(host->ciu_clk);
+ if (ret == -EPROBE_DEFER)
+ goto err_clk_biu;
+
host->bus_hz = host->pdata->bus_hz;
} else {
ret = clk_prepare_enable(host->ciu_clk);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 307/341] pmdomain: imx: scu-pd: Remove duplicated clocks
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 306/341] mmc: dw_mmc: allow biu and ciu clocks to defer Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 308/341] pmdomain: imx: wait SSAR when i.MX93 power domain on Greg Kroah-Hartman
` (46 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Stein, Ulf Hansson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@ew.tq-group.com>
commit 50359c9c3cb3e55e840e3485f5ee37da5b2b16b6 upstream.
These clocks are already added to the list. Remove the duplicates ones.
Fixes: a67d780720ff ("genpd: imx: scu-pd: add more PDs")
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240717080334.2210988-1-alexander.stein@ew.tq-group.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pmdomain/imx/scu-pd.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/drivers/pmdomain/imx/scu-pd.c b/drivers/pmdomain/imx/scu-pd.c
index 05841b0bf7f3..01d465d88f60 100644
--- a/drivers/pmdomain/imx/scu-pd.c
+++ b/drivers/pmdomain/imx/scu-pd.c
@@ -223,11 +223,6 @@ static const struct imx_sc_pd_range imx8qxp_scu_pd_ranges[] = {
{ "lvds1-pwm", IMX_SC_R_LVDS_1_PWM_0, 1, false, 0 },
{ "lvds1-lpi2c", IMX_SC_R_LVDS_1_I2C_0, 2, true, 0 },
- { "mipi1", IMX_SC_R_MIPI_1, 1, 0 },
- { "mipi1-pwm0", IMX_SC_R_MIPI_1_PWM_0, 1, 0 },
- { "mipi1-i2c", IMX_SC_R_MIPI_1_I2C_0, 2, 1 },
- { "lvds1", IMX_SC_R_LVDS_1, 1, 0 },
-
/* DC SS */
{ "dc0", IMX_SC_R_DC_0, 1, false, 0 },
{ "dc0-pll", IMX_SC_R_DC_0_PLL_0, 2, true, 0 },
--
2.46.0
^ permalink raw reply related [flat|nested] 367+ messages in thread
* [PATCH 6.6 308/341] pmdomain: imx: wait SSAR when i.MX93 power domain on
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 307/341] pmdomain: imx: scu-pd: Remove duplicated clocks Greg Kroah-Hartman
@ 2024-08-27 14:38 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 309/341] nouveau/firmware: use dma non-coherent allocator Greg Kroah-Hartman
` (45 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jacky Bai, Peng Fan, Ulf Hansson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
commit 52dd070c62e4ae2b5e7411b920e3f7a64235ecfb upstream.
With "quiet" set in bootargs, there is power domain failure:
"imx93_power_domain 44462400.power-domain: pd_off timeout: name:
44462400.power-domain, stat: 4"
The current power on opertation takes ISO state as power on finished
flag, but it is wrong. Before powering on operation really finishes,
powering off comes and powering off will never finish because the last
powering on still not finishes, so the following powering off actually
not trigger hardware state machine to run. SSAR is the last step when
powering on a domain, so need to wait SSAR done when powering on.
Since EdgeLock Enclave(ELE) handshake is involved in the flow, enlarge
the waiting time to 10ms for both on and off to avoid timeout.
Cc: stable@vger.kernel.org
Fixes: 0a0f7cc25d4a ("soc: imx: add i.MX93 SRC power domain driver")
Reviewed-by: Jacky Bai <ping.bai@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://lore.kernel.org/r/20240814124740.2778952-1-peng.fan@oss.nxp.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pmdomain/imx/imx93-pd.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/pmdomain/imx/imx93-pd.c
+++ b/drivers/pmdomain/imx/imx93-pd.c
@@ -20,6 +20,7 @@
#define FUNC_STAT_PSW_STAT_MASK BIT(0)
#define FUNC_STAT_RST_STAT_MASK BIT(2)
#define FUNC_STAT_ISO_STAT_MASK BIT(4)
+#define FUNC_STAT_SSAR_STAT_MASK BIT(8)
struct imx93_power_domain {
struct generic_pm_domain genpd;
@@ -50,7 +51,7 @@ static int imx93_pd_on(struct generic_pm
writel(val, addr + MIX_SLICE_SW_CTRL_OFF);
ret = readl_poll_timeout(addr + MIX_FUNC_STAT_OFF, val,
- !(val & FUNC_STAT_ISO_STAT_MASK), 1, 10000);
+ !(val & FUNC_STAT_SSAR_STAT_MASK), 1, 10000);
if (ret) {
dev_err(domain->dev, "pd_on timeout: name: %s, stat: %x\n", genpd->name, val);
return ret;
@@ -72,7 +73,7 @@ static int imx93_pd_off(struct generic_p
writel(val, addr + MIX_SLICE_SW_CTRL_OFF);
ret = readl_poll_timeout(addr + MIX_FUNC_STAT_OFF, val,
- val & FUNC_STAT_PSW_STAT_MASK, 1, 1000);
+ val & FUNC_STAT_PSW_STAT_MASK, 1, 10000);
if (ret) {
dev_err(domain->dev, "pd_off timeout: name: %s, stat: %x\n", genpd->name, val);
return ret;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 309/341] nouveau/firmware: use dma non-coherent allocator
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2024-08-27 14:38 ` [PATCH 6.6 308/341] pmdomain: imx: wait SSAR when i.MX93 power domain on Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 310/341] mptcp: pm: re-using ID of unused removed ADD_ADDR Greg Kroah-Hartman
` (44 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Airlie, Danilo Krummrich
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Airlie <airlied@redhat.com>
commit 9b340aeb26d50e9a9ec99599e2a39b035fac978e upstream.
Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit a
BUG() on startup, when the iommu is enabled:
kernel BUG at include/linux/scatterlist.h:187!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30
Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019
RIP: 0010:sg_init_one+0x85/0xa0
Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54
24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b
0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00
RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000
RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508
R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018
FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0
Call Trace:
<TASK>
? die+0x36/0x90
? do_trap+0xdd/0x100
? sg_init_one+0x85/0xa0
? do_error_trap+0x65/0x80
? sg_init_one+0x85/0xa0
? exc_invalid_op+0x50/0x70
? sg_init_one+0x85/0xa0
? asm_exc_invalid_op+0x1a/0x20
? sg_init_one+0x85/0xa0
nvkm_firmware_ctor+0x14a/0x250 [nouveau]
nvkm_falcon_fw_ctor+0x42/0x70 [nouveau]
ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau]
r535_gsp_oneinit+0xb3/0x15f0 [nouveau]
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? nvkm_udevice_new+0x95/0x140 [nouveau]
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? ktime_get+0x47/0xb0
Fix this by using the non-coherent allocator instead, I think there
might be a better answer to this, but it involve ripping up some of
APIs using sg lists.
Cc: stable@vger.kernel.org
Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs")
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240815201923.632803-1-airlied@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nvkm/core/firmware.c | 9 ++++++---
drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 6 ++++++
2 files changed, 12 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/nouveau/nvkm/core/firmware.c
+++ b/drivers/gpu/drm/nouveau/nvkm/core/firmware.c
@@ -187,7 +187,8 @@ nvkm_firmware_dtor(struct nvkm_firmware
break;
case NVKM_FIRMWARE_IMG_DMA:
nvkm_memory_unref(&memory);
- dma_free_coherent(fw->device->dev, sg_dma_len(&fw->mem.sgl), fw->img, fw->phys);
+ dma_free_noncoherent(fw->device->dev, sg_dma_len(&fw->mem.sgl),
+ fw->img, fw->phys, DMA_TO_DEVICE);
break;
default:
WARN_ON(1);
@@ -212,10 +213,12 @@ nvkm_firmware_ctor(const struct nvkm_fir
break;
case NVKM_FIRMWARE_IMG_DMA: {
dma_addr_t addr;
-
len = ALIGN(fw->len, PAGE_SIZE);
- fw->img = dma_alloc_coherent(fw->device->dev, len, &addr, GFP_KERNEL);
+ fw->img = dma_alloc_noncoherent(fw->device->dev,
+ len, &addr,
+ DMA_TO_DEVICE,
+ GFP_KERNEL);
if (fw->img) {
memcpy(fw->img, src, fw->len);
fw->phys = addr;
--- a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
+++ b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
@@ -89,6 +89,12 @@ nvkm_falcon_fw_boot(struct nvkm_falcon_f
nvkm_falcon_fw_dtor_sigs(fw);
}
+ /* after last write to the img, sync dma mappings */
+ dma_sync_single_for_device(fw->fw.device->dev,
+ fw->fw.phys,
+ sg_dma_len(&fw->fw.mem.sgl),
+ DMA_TO_DEVICE);
+
FLCNFW_DBG(fw, "resetting");
fw->func->reset(fw);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 310/341] mptcp: pm: re-using ID of unused removed ADD_ADDR
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 309/341] nouveau/firmware: use dma non-coherent allocator Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 311/341] mptcp: pm: re-using ID of unused removed subflows Greg Kroah-Hartman
` (43 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit e255683c06df572ead96db5efb5d21be30c0efaa upstream.
If no subflow is attached to the 'signal' endpoint that is being
removed, the addr ID will not be marked as available again.
Mark the linked ID as available when removing the address entry from the
list to cover this case.
Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-1-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1462,7 +1462,10 @@ static bool mptcp_pm_remove_anno_addr(st
ret = remove_anno_list_by_saddr(msk, addr);
if (ret || force) {
spin_lock_bh(&msk->pm.lock);
- msk->pm.add_addr_signaled -= ret;
+ if (ret) {
+ __set_bit(addr->id, msk->pm.id_avail_bitmap);
+ msk->pm.add_addr_signaled--;
+ }
mptcp_pm_remove_addr(msk, &list);
spin_unlock_bh(&msk->pm.lock);
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 311/341] mptcp: pm: re-using ID of unused removed subflows
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 310/341] mptcp: pm: re-using ID of unused removed ADD_ADDR Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 312/341] mptcp: pm: re-using ID of unused flushed subflows Greg Kroah-Hartman
` (42 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit edd8b5d868a4d459f3065493001e293901af758d upstream.
If no subflow is attached to the 'subflow' endpoint that is being
removed, the addr ID will not be marked as available again.
Mark the linked ID as available when removing the 'subflow' endpoint if
no subflow is attached to it.
While at it, the local_addr_used counter is decremented if the ID was
marked as being used to reflect the reality, but also to allow adding
new endpoints after that.
Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-3-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1500,8 +1500,17 @@ static int mptcp_nl_remove_subflow_and_s
remove_subflow = lookup_subflow_by_saddr(&msk->conn_list, addr);
mptcp_pm_remove_anno_addr(msk, addr, remove_subflow &&
!(entry->flags & MPTCP_PM_ADDR_FLAG_IMPLICIT));
- if (remove_subflow)
+
+ if (remove_subflow) {
mptcp_pm_remove_subflow(msk, &list);
+ } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) {
+ /* If the subflow has been used, but now closed */
+ spin_lock_bh(&msk->pm.lock);
+ if (!__test_and_set_bit(entry->addr.id, msk->pm.id_avail_bitmap))
+ msk->pm.local_addr_used--;
+ spin_unlock_bh(&msk->pm.lock);
+ }
+
release_sock(sk);
next:
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 312/341] mptcp: pm: re-using ID of unused flushed subflows
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 311/341] mptcp: pm: re-using ID of unused removed subflows Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 313/341] mptcp: pm: remove mptcp_pm_remove_subflow() Greg Kroah-Hartman
` (41 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit ef34a6ea0cab1800f4b3c9c3c2cefd5091e03379 upstream.
If no subflows are attached to the 'subflow' endpoints that are being
flushed, the corresponding addr IDs will not be marked as available
again.
Mark all ID as being available when flushing all the 'subflow'
endpoints, and reset local_addr_used counter to cover these cases.
Note that mptcp_pm_remove_addrs_and_subflows() helper is only called for
flushing operations, not to remove a specific set of addresses and
subflows.
Fixes: 06faa2271034 ("mptcp: remove multi addresses and subflows in PM")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-5-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1654,8 +1654,15 @@ void mptcp_pm_remove_addrs_and_subflows(
mptcp_pm_remove_addr(msk, &alist);
spin_unlock_bh(&msk->pm.lock);
}
+
if (slist.nr)
mptcp_pm_remove_subflow(msk, &slist);
+
+ /* Reset counters: maybe some subflows have been removed before */
+ spin_lock_bh(&msk->pm.lock);
+ bitmap_fill(msk->pm.id_avail_bitmap, MPTCP_PM_MAX_ADDR_ID + 1);
+ msk->pm.local_addr_used = 0;
+ spin_unlock_bh(&msk->pm.lock);
}
static void mptcp_nl_remove_addrs_list(struct net *net,
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 313/341] mptcp: pm: remove mptcp_pm_remove_subflow()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 312/341] mptcp: pm: re-using ID of unused flushed subflows Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 314/341] mptcp: pm: only mark subflow endp as available Greg Kroah-Hartman
` (40 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit f448451aa62d54be16acb0034223c17e0d12bc69 upstream.
This helper is confusing. It is in pm.c, but it is specific to the
in-kernel PM and it cannot be used by the userspace one. Also, it simply
calls one in-kernel specific function with the PM lock, while the
similar mptcp_pm_remove_addr() helper requires the PM lock.
What's left is the pr_debug(), which is not that useful, because a
similar one is present in the only function called by this helper:
mptcp_pm_nl_rm_subflow_received()
After these modifications, this helper can be marked as 'static', and
the lock can be taken only once in mptcp_pm_flush_addrs_and_subflows().
Note that it is not a bug fix, but it will help backporting the
following commits.
Fixes: 0ee4261a3681 ("mptcp: implement mptcp_pm_remove_subflow")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-7-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm.c | 10 ----------
net/mptcp/pm_netlink.c | 16 +++++++---------
net/mptcp/protocol.h | 3 ---
3 files changed, 7 insertions(+), 22 deletions(-)
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -61,16 +61,6 @@ int mptcp_pm_remove_addr(struct mptcp_so
return 0;
}
-int mptcp_pm_remove_subflow(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list)
-{
- pr_debug("msk=%p, rm_list_nr=%d", msk, rm_list->nr);
-
- spin_lock_bh(&msk->pm.lock);
- mptcp_pm_nl_rm_subflow_received(msk, rm_list);
- spin_unlock_bh(&msk->pm.lock);
- return 0;
-}
-
/* path manager event handlers */
void mptcp_pm_new_connection(struct mptcp_sock *msk, const struct sock *ssk, int server_side)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -865,8 +865,8 @@ static void mptcp_pm_nl_rm_addr_received
mptcp_pm_nl_rm_addr_or_subflow(msk, &msk->pm.rm_list_rx, MPTCP_MIB_RMADDR);
}
-void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk,
- const struct mptcp_rm_list *rm_list)
+static void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk,
+ const struct mptcp_rm_list *rm_list)
{
mptcp_pm_nl_rm_addr_or_subflow(msk, rm_list, MPTCP_MIB_RMSUBFLOW);
}
@@ -1502,7 +1502,9 @@ static int mptcp_nl_remove_subflow_and_s
!(entry->flags & MPTCP_PM_ADDR_FLAG_IMPLICIT));
if (remove_subflow) {
- mptcp_pm_remove_subflow(msk, &list);
+ spin_lock_bh(&msk->pm.lock);
+ mptcp_pm_nl_rm_subflow_received(msk, &list);
+ spin_unlock_bh(&msk->pm.lock);
} else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) {
/* If the subflow has been used, but now closed */
spin_lock_bh(&msk->pm.lock);
@@ -1648,18 +1650,14 @@ void mptcp_pm_remove_addrs_and_subflows(
alist.ids[alist.nr++] = entry->addr.id;
}
+ spin_lock_bh(&msk->pm.lock);
if (alist.nr) {
- spin_lock_bh(&msk->pm.lock);
msk->pm.add_addr_signaled -= alist.nr;
mptcp_pm_remove_addr(msk, &alist);
- spin_unlock_bh(&msk->pm.lock);
}
-
if (slist.nr)
- mptcp_pm_remove_subflow(msk, &slist);
-
+ mptcp_pm_nl_rm_subflow_received(msk, &slist);
/* Reset counters: maybe some subflows have been removed before */
- spin_lock_bh(&msk->pm.lock);
bitmap_fill(msk->pm.id_avail_bitmap, MPTCP_PM_MAX_ADDR_ID + 1);
msk->pm.local_addr_used = 0;
spin_unlock_bh(&msk->pm.lock);
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -945,7 +945,6 @@ int mptcp_pm_announce_addr(struct mptcp_
const struct mptcp_addr_info *addr,
bool echo);
int mptcp_pm_remove_addr(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list);
-int mptcp_pm_remove_subflow(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list);
void mptcp_pm_remove_addrs(struct mptcp_sock *msk, struct list_head *rm_list);
void mptcp_pm_remove_addrs_and_subflows(struct mptcp_sock *msk,
struct list_head *rm_list);
@@ -1047,8 +1046,6 @@ static inline u8 subflow_get_local_id(co
void __init mptcp_pm_nl_init(void);
void mptcp_pm_nl_work(struct mptcp_sock *msk);
-void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk,
- const struct mptcp_rm_list *rm_list);
unsigned int mptcp_pm_get_add_addr_signal_max(const struct mptcp_sock *msk);
unsigned int mptcp_pm_get_add_addr_accept_max(const struct mptcp_sock *msk);
unsigned int mptcp_pm_get_subflows_max(const struct mptcp_sock *msk);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 314/341] mptcp: pm: only mark subflow endp as available
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 313/341] mptcp: pm: remove mptcp_pm_remove_subflow() Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 315/341] mptcp: pm: only decrement add_addr_accepted for MPJ req Greg Kroah-Hartman
` (39 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 322ea3778965da72862cca2a0c50253aacf65fe6 upstream.
Adding the following warning ...
WARN_ON_ONCE(msk->pm.local_addr_used == 0)
... before decrementing the local_addr_used counter helped to find a bug
when running the "remove single address" subtest from the mptcp_join.sh
selftests.
Removing a 'signal' endpoint will trigger the removal of all subflows
linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with
rm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used
counter, which is wrong in this case because this counter is linked to
'subflow' endpoints, and here it is a 'signal' endpoint that is being
removed.
Now, the counter is decremented, only if the ID is being used outside
of mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and
if the ID is not 0 -- local_addr_used is not taking into account these
ones. This marking of the ID as being available, and the decrement is
done no matter if a subflow using this ID is currently available,
because the subflow could have been closed before.
Fixes: 06faa2271034 ("mptcp: remove multi addresses and subflows in PM")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-8-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -841,10 +841,10 @@ static void mptcp_pm_nl_rm_addr_or_subfl
if (rm_type == MPTCP_MIB_RMSUBFLOW)
__MPTCP_INC_STATS(sock_net(sk), rm_type);
}
- if (rm_type == MPTCP_MIB_RMSUBFLOW)
- __set_bit(rm_id ? rm_id : msk->mpc_endpoint_id, msk->pm.id_avail_bitmap);
- else if (rm_type == MPTCP_MIB_RMADDR)
+
+ if (rm_type == MPTCP_MIB_RMADDR)
__MPTCP_INC_STATS(sock_net(sk), rm_type);
+
if (!removed)
continue;
@@ -854,8 +854,6 @@ static void mptcp_pm_nl_rm_addr_or_subfl
if (rm_type == MPTCP_MIB_RMADDR) {
msk->pm.add_addr_accepted--;
WRITE_ONCE(msk->pm.accept_addr, true);
- } else if (rm_type == MPTCP_MIB_RMSUBFLOW) {
- msk->pm.local_addr_used--;
}
}
}
@@ -1472,6 +1470,14 @@ static bool mptcp_pm_remove_anno_addr(st
return ret;
}
+static void __mark_subflow_endp_available(struct mptcp_sock *msk, u8 id)
+{
+ /* If it was marked as used, and not ID 0, decrement local_addr_used */
+ if (!__test_and_set_bit(id ? : msk->mpc_endpoint_id, msk->pm.id_avail_bitmap) &&
+ id && !WARN_ON_ONCE(msk->pm.local_addr_used == 0))
+ msk->pm.local_addr_used--;
+}
+
static int mptcp_nl_remove_subflow_and_signal_addr(struct net *net,
const struct mptcp_pm_addr_entry *entry)
{
@@ -1505,11 +1511,11 @@ static int mptcp_nl_remove_subflow_and_s
spin_lock_bh(&msk->pm.lock);
mptcp_pm_nl_rm_subflow_received(msk, &list);
spin_unlock_bh(&msk->pm.lock);
- } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) {
- /* If the subflow has been used, but now closed */
+ }
+
+ if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) {
spin_lock_bh(&msk->pm.lock);
- if (!__test_and_set_bit(entry->addr.id, msk->pm.id_avail_bitmap))
- msk->pm.local_addr_used--;
+ __mark_subflow_endp_available(msk, list.ids[0]);
spin_unlock_bh(&msk->pm.lock);
}
@@ -1547,6 +1553,7 @@ static int mptcp_nl_remove_id_zero_addre
spin_lock_bh(&msk->pm.lock);
mptcp_pm_remove_addr(msk, &list);
mptcp_pm_nl_rm_subflow_received(msk, &list);
+ __mark_subflow_endp_available(msk, 0);
spin_unlock_bh(&msk->pm.lock);
release_sock(sk);
@@ -1939,6 +1946,7 @@ static void mptcp_pm_nl_fullmesh(struct
spin_lock_bh(&msk->pm.lock);
mptcp_pm_nl_rm_subflow_received(msk, &list);
+ __mark_subflow_endp_available(msk, list.ids[0]);
mptcp_pm_create_subflow_or_signal_addr(msk);
spin_unlock_bh(&msk->pm.lock);
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 315/341] mptcp: pm: only decrement add_addr_accepted for MPJ req
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 314/341] mptcp: pm: only mark subflow endp as available Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 316/341] mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR Greg Kroah-Hartman
` (38 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 1c1f721375989579e46741f59523e39ec9b2a9bd upstream.
Adding the following warning ...
WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)
... before decrementing the add_addr_accepted counter helped to find a
bug when running the "remove single subflow" subtest from the
mptcp_join.sh selftest.
Removing a 'subflow' endpoint will first trigger a RM_ADDR, then the
subflow closure. Before this patch, and upon the reception of the
RM_ADDR, the other peer will then try to decrement this
add_addr_accepted. That's not correct because the attached subflows have
not been created upon the reception of an ADD_ADDR.
A way to solve that is to decrement the counter only if the attached
subflow was an MP_JOIN to a remote id that was not 0, and initiated by
the host receiving the RM_ADDR.
Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-9-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -837,7 +837,7 @@ static void mptcp_pm_nl_rm_addr_or_subfl
mptcp_close_ssk(sk, ssk, subflow);
spin_lock_bh(&msk->pm.lock);
- removed = true;
+ removed |= subflow->request_join;
if (rm_type == MPTCP_MIB_RMSUBFLOW)
__MPTCP_INC_STATS(sock_net(sk), rm_type);
}
@@ -851,7 +851,11 @@ static void mptcp_pm_nl_rm_addr_or_subfl
if (!mptcp_pm_is_kernel(msk))
continue;
- if (rm_type == MPTCP_MIB_RMADDR) {
+ if (rm_type == MPTCP_MIB_RMADDR && rm_id &&
+ !WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)) {
+ /* Note: if the subflow has been closed before, this
+ * add_addr_accepted counter will not be decremented.
+ */
msk->pm.add_addr_accepted--;
WRITE_ONCE(msk->pm.accept_addr, true);
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 316/341] mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 315/341] mptcp: pm: only decrement add_addr_accepted for MPJ req Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 317/341] mptcp: pm: only in-kernel cannot have entries with ID 0 Greg Kroah-Hartman
` (37 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 0137a3c7c2ea3f9df8ebfc65d78b4ba712a187bb upstream.
The limits might have changed in between, it is best to check them
before accepting new ADD_ADDR.
Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-10-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -856,8 +856,8 @@ static void mptcp_pm_nl_rm_addr_or_subfl
/* Note: if the subflow has been closed before, this
* add_addr_accepted counter will not be decremented.
*/
- msk->pm.add_addr_accepted--;
- WRITE_ONCE(msk->pm.accept_addr, true);
+ if (--msk->pm.add_addr_accepted < mptcp_pm_get_add_addr_accept_max(msk))
+ WRITE_ONCE(msk->pm.accept_addr, true);
}
}
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 317/341] mptcp: pm: only in-kernel cannot have entries with ID 0
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 316/341] mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 318/341] mptcp: pm: fullmesh: select the right ID later Greg Kroah-Hartman
` (36 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit ca6e55a703ca2894611bb5c5bca8bfd2290fd91e upstream.
The ID 0 is specific per MPTCP connections. The per netns entries cannot
have this special ID 0 then.
But that's different for the userspace PM where the entries are per
connection, they can then use this special ID 0.
Fixes: f40be0db0b76 ("mptcp: unify pm get_flags_and_ifindex_by_id")
Cc: stable@vger.kernel.org
Acked-by: Geliang Tang <geliang@kernel.org>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-11-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm.c | 3 ---
net/mptcp/pm_netlink.c | 4 ++++
2 files changed, 4 insertions(+), 3 deletions(-)
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -435,9 +435,6 @@ int mptcp_pm_get_flags_and_ifindex_by_id
*flags = 0;
*ifindex = 0;
- if (!id)
- return 0;
-
if (mptcp_pm_is_userspace(msk))
return mptcp_userspace_pm_get_flags_and_ifindex_by_id(msk, id, flags, ifindex);
return mptcp_pm_nl_get_flags_and_ifindex_by_id(msk, id, flags, ifindex);
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1426,6 +1426,10 @@ int mptcp_pm_nl_get_flags_and_ifindex_by
struct sock *sk = (struct sock *)msk;
struct net *net = sock_net(sk);
+ /* No entries with ID 0 */
+ if (id == 0)
+ return 0;
+
rcu_read_lock();
entry = __lookup_addr_by_id(pm_nl_get_pernet(net), id);
if (entry) {
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 318/341] mptcp: pm: fullmesh: select the right ID later
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 317/341] mptcp: pm: only in-kernel cannot have entries with ID 0 Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 319/341] mptcp: pm: avoid possible UaF when selecting endp Greg Kroah-Hartman
` (35 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 09355f7abb9fbfc1a240be029837921ea417bf4f upstream.
When reacting upon the reception of an ADD_ADDR, the in-kernel PM first
looks for fullmesh endpoints. If there are some, it will pick them,
using their entry ID.
It should set the ID 0 when using the endpoint corresponding to the
initial subflow, it is a special case imposed by the MPTCP specs.
Note that msk->mpc_endpoint_id might not be set when receiving the first
ADD_ADDR from the server. So better to compare the addresses.
Fixes: 1a0d6136c5f0 ("mptcp: local addresses fullmesh")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-12-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -644,6 +644,7 @@ static unsigned int fill_local_addresses
{
struct sock *sk = (struct sock *)msk;
struct mptcp_pm_addr_entry *entry;
+ struct mptcp_addr_info mpc_addr;
struct pm_nl_pernet *pernet;
unsigned int subflows_max;
int i = 0;
@@ -651,6 +652,8 @@ static unsigned int fill_local_addresses
pernet = pm_nl_get_pernet_from_msk(msk);
subflows_max = mptcp_pm_get_subflows_max(msk);
+ mptcp_local_address((struct sock_common *)msk, &mpc_addr);
+
rcu_read_lock();
list_for_each_entry_rcu(entry, &pernet->local_addr_list, list) {
if (!(entry->flags & MPTCP_PM_ADDR_FLAG_FULLMESH))
@@ -661,7 +664,13 @@ static unsigned int fill_local_addresses
if (msk->pm.subflows < subflows_max) {
msk->pm.subflows++;
- addrs[i++] = entry->addr;
+ addrs[i] = entry->addr;
+
+ /* Special case for ID0: set the correct ID */
+ if (mptcp_addresses_equal(&entry->addr, &mpc_addr, entry->addr.port))
+ addrs[i].id = 0;
+
+ i++;
}
}
rcu_read_unlock();
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 319/341] mptcp: pm: avoid possible UaF when selecting endp
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 318/341] mptcp: pm: fullmesh: select the right ID later Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 320/341] selftests: mptcp: join: validate fullmesh endp on 1st sf Greg Kroah-Hartman
` (34 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d upstream.
select_local_address() and select_signal_address() both select an
endpoint entry from the list inside an RCU protected section, but return
a reference to it, to be read later on. If the entry is dereferenced
after the RCU unlock, reading info could cause a Use-after-Free.
A simple solution is to copy the required info while inside the RCU
protected section to avoid any risk of UaF later. The address ID might
need to be modified later to handle the ID0 case later, so a copy seems
OK to deal with.
Reported-by: Paolo Abeni <pabeni@redhat.com>
Closes: https://lore.kernel.org/45cd30d3-7710-491c-ae4d-a1368c00beb1@redhat.com
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-14-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 64 ++++++++++++++++++++++++++-----------------------
1 file changed, 34 insertions(+), 30 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -148,11 +148,13 @@ static bool lookup_subflow_by_daddr(cons
return false;
}
-static struct mptcp_pm_addr_entry *
+static bool
select_local_address(const struct pm_nl_pernet *pernet,
- const struct mptcp_sock *msk)
+ const struct mptcp_sock *msk,
+ struct mptcp_pm_addr_entry *new_entry)
{
- struct mptcp_pm_addr_entry *entry, *ret = NULL;
+ struct mptcp_pm_addr_entry *entry;
+ bool found = false;
msk_owned_by_me(msk);
@@ -164,17 +166,21 @@ select_local_address(const struct pm_nl_
if (!test_bit(entry->addr.id, msk->pm.id_avail_bitmap))
continue;
- ret = entry;
+ *new_entry = *entry;
+ found = true;
break;
}
rcu_read_unlock();
- return ret;
+
+ return found;
}
-static struct mptcp_pm_addr_entry *
-select_signal_address(struct pm_nl_pernet *pernet, const struct mptcp_sock *msk)
+static bool
+select_signal_address(struct pm_nl_pernet *pernet, const struct mptcp_sock *msk,
+ struct mptcp_pm_addr_entry *new_entry)
{
- struct mptcp_pm_addr_entry *entry, *ret = NULL;
+ struct mptcp_pm_addr_entry *entry;
+ bool found = false;
rcu_read_lock();
/* do not keep any additional per socket state, just signal
@@ -189,11 +195,13 @@ select_signal_address(struct pm_nl_perne
if (!(entry->flags & MPTCP_PM_ADDR_FLAG_SIGNAL))
continue;
- ret = entry;
+ *new_entry = *entry;
+ found = true;
break;
}
rcu_read_unlock();
- return ret;
+
+ return found;
}
unsigned int mptcp_pm_get_add_addr_signal_max(const struct mptcp_sock *msk)
@@ -520,9 +528,10 @@ __lookup_addr(struct pm_nl_pernet *perne
static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk)
{
- struct mptcp_pm_addr_entry *local, *signal_and_subflow = NULL;
struct sock *sk = (struct sock *)msk;
+ struct mptcp_pm_addr_entry local;
unsigned int add_addr_signal_max;
+ bool signal_and_subflow = false;
unsigned int local_addr_max;
struct pm_nl_pernet *pernet;
unsigned int subflows_max;
@@ -573,23 +582,22 @@ static void mptcp_pm_create_subflow_or_s
if (msk->pm.addr_signal & BIT(MPTCP_ADD_ADDR_SIGNAL))
return;
- local = select_signal_address(pernet, msk);
- if (!local)
+ if (!select_signal_address(pernet, msk, &local))
goto subflow;
/* If the alloc fails, we are on memory pressure, not worth
* continuing, and trying to create subflows.
*/
- if (!mptcp_pm_alloc_anno_list(msk, &local->addr))
+ if (!mptcp_pm_alloc_anno_list(msk, &local.addr))
return;
- __clear_bit(local->addr.id, msk->pm.id_avail_bitmap);
+ __clear_bit(local.addr.id, msk->pm.id_avail_bitmap);
msk->pm.add_addr_signaled++;
- mptcp_pm_announce_addr(msk, &local->addr, false);
+ mptcp_pm_announce_addr(msk, &local.addr, false);
mptcp_pm_nl_addr_send_ack(msk);
- if (local->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW)
- signal_and_subflow = local;
+ if (local.flags & MPTCP_PM_ADDR_FLAG_SUBFLOW)
+ signal_and_subflow = true;
}
subflow:
@@ -600,26 +608,22 @@ subflow:
bool fullmesh;
int i, nr;
- if (signal_and_subflow) {
- local = signal_and_subflow;
- signal_and_subflow = NULL;
- } else {
- local = select_local_address(pernet, msk);
- if (!local)
- break;
- }
+ if (signal_and_subflow)
+ signal_and_subflow = false;
+ else if (!select_local_address(pernet, msk, &local))
+ break;
- fullmesh = !!(local->flags & MPTCP_PM_ADDR_FLAG_FULLMESH);
+ fullmesh = !!(local.flags & MPTCP_PM_ADDR_FLAG_FULLMESH);
msk->pm.local_addr_used++;
- __clear_bit(local->addr.id, msk->pm.id_avail_bitmap);
- nr = fill_remote_addresses_vec(msk, &local->addr, fullmesh, addrs);
+ __clear_bit(local.addr.id, msk->pm.id_avail_bitmap);
+ nr = fill_remote_addresses_vec(msk, &local.addr, fullmesh, addrs);
if (nr == 0)
continue;
spin_unlock_bh(&msk->pm.lock);
for (i = 0; i < nr; i++)
- __mptcp_subflow_connect(sk, &local->addr, &addrs[i]);
+ __mptcp_subflow_connect(sk, &local.addr, &addrs[i]);
spin_lock_bh(&msk->pm.lock);
}
mptcp_pm_nl_check_work_pending(msk);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 320/341] selftests: mptcp: join: validate fullmesh endp on 1st sf
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 319/341] mptcp: pm: avoid possible UaF when selecting endp Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 321/341] selftests: mptcp: join: check re-using ID of closed subflow Greg Kroah-Hartman
` (33 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 4878f9f8421f4587bee7b232c1c8a9d3a7d4d782 upstream.
This case was not covered, and the wrong ID was set before the previous
commit.
The rest is not modified, it is just that it will increase the code
coverage.
The right address ID can be verified by looking at the packet traces. We
could automate that using Netfilter with some cBPF code for example, but
that's always a bit cryptic. Packetdrill seems better fitted for that.
Fixes: 4f49d63352da ("selftests: mptcp: add fullmesh testcases")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-13-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 1 +
1 file changed, 1 insertion(+)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -3220,6 +3220,7 @@ fullmesh_tests()
pm_nl_set_limits $ns1 1 3
pm_nl_set_limits $ns2 1 3
pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
+ pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,fullmesh
fullmesh=1 speed=slow \
run_tests $ns1 $ns2 10.0.1.1
chk_join_nr 3 3 3
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 321/341] selftests: mptcp: join: check re-using ID of closed subflow
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 320/341] selftests: mptcp: join: validate fullmesh endp on 1st sf Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 322/341] Revert "usb: gadget: uvc: cleanup request when not in correct state" Greg Kroah-Hartman
` (32 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 65fb58afa341ad68e71e5c4d816b407e6a683a66 upstream.
This test extends "delete and re-add" to validate the previous commit. A
new 'subflow' endpoint is added, but the subflow request will be
rejected. The result is that no subflow will be established from this
address.
Later, the endpoint is removed and re-added after having cleared the
firewall rule. Before the previous commit, the client would not have
been able to create this new subflow.
While at it, extra checks have been added to validate the expected
numbers of MPJ and RM_ADDR.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-4-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 27 +++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -481,9 +481,10 @@ reset_with_tcp_filter()
local ns="${!1}"
local src="${2}"
local target="${3}"
+ local chain="${4:-INPUT}"
if ! ip netns exec "${ns}" ${iptables} \
- -A INPUT \
+ -A "${chain}" \
-s "${src}" \
-p tcp \
-j "${target}"; then
@@ -3575,10 +3576,10 @@ endpoint_tests()
mptcp_lib_kill_wait $tests_pid
fi
- if reset "delete and re-add" &&
+ if reset_with_tcp_filter "delete and re-add" ns2 10.0.3.2 REJECT OUTPUT &&
mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
- pm_nl_set_limits $ns1 1 1
- pm_nl_set_limits $ns2 1 1
+ pm_nl_set_limits $ns1 0 2
+ pm_nl_set_limits $ns2 0 2
pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow
test_linkfail=4 speed=20 \
run_tests $ns1 $ns2 10.0.1.1 &
@@ -3595,11 +3596,27 @@ endpoint_tests()
chk_subflow_nr "after delete" 1
chk_mptcp_info subflows 0 subflows 0
- pm_nl_add_endpoint $ns2 10.0.2.2 dev ns2eth2 flags subflow
+ pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow
wait_mpj $ns2
chk_subflow_nr "after re-add" 2
chk_mptcp_info subflows 1 subflows 1
+
+ pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow
+ wait_attempt_fail $ns2
+ chk_subflow_nr "after new reject" 2
+ chk_mptcp_info subflows 1 subflows 1
+
+ ip netns exec "${ns2}" ${iptables} -D OUTPUT -s "10.0.3.2" -p tcp -j REJECT
+ pm_nl_del_endpoint $ns2 3 10.0.3.2
+ pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow
+ wait_mpj $ns2
+ chk_subflow_nr "after no reject" 3
+ chk_mptcp_info subflows 2 subflows 2
+
mptcp_lib_kill_wait $tests_pid
+
+ chk_join_nr 3 3 3
+ chk_rm_nr 1 1
fi
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 322/341] Revert "usb: gadget: uvc: cleanup request when not in correct state"
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 321/341] selftests: mptcp: join: check re-using ID of closed subflow Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 323/341] Revert "drm/amd/display: Validate hw_points_num before using it" Greg Kroah-Hartman
` (31 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Michael Grzeschik
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dddc00f255415b826190cfbaa5d6dbc87cd9ded1 upstream.
This reverts commit 52a39f2cf62bb5430ad1f54cd522dbfdab1d71ba.
Based on review comments, it was applied too soon and needs more work.
Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/20231005081716.GA13853@pendragon.ideasonboard.com
Cc: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/uvc_video.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -259,12 +259,6 @@ uvc_video_complete(struct usb_ep *ep, st
struct uvc_device *uvc = video->uvc;
unsigned long flags;
- if (uvc->state == UVC_STATE_CONNECTED) {
- usb_ep_free_request(video->ep, ureq->req);
- ureq->req = NULL;
- return;
- }
-
switch (req->status) {
case 0:
break;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 323/341] Revert "drm/amd/display: Validate hw_points_num before using it"
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 322/341] Revert "usb: gadget: uvc: cleanup request when not in correct state" Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 324/341] platform/x86/intel/ifs: Call release_firmware() when handling errors Greg Kroah-Hartman
` (30 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland,
Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
commit 8f4bdbc8e99db6ec9cb0520748e49a2f2d7d1727 upstream.
This reverts commit 58c3b3341cea4f75dc8c003b89f8a6dd8ec55e50.
[WHY & HOW]
The writeback series cause a regression in thunderbolt display.
Signed-off-by: Alex Hung <alex.hung@amd.com>
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c | 3 ---
1 file changed, 3 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c
@@ -243,9 +243,6 @@ static bool dwb3_program_ogam_lut(
return false;
}
- if (params->hw_points_num == 0)
- return false;
-
REG_SET(DWB_OGAM_CONTROL, 0, DWB_OGAM_MODE, 2);
current_mode = dwb3_get_ogam_current(dwbc30);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 324/341] platform/x86/intel/ifs: Call release_firmware() when handling errors.
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 323/341] Revert "drm/amd/display: Validate hw_points_num before using it" Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 325/341] tcp: do not export tcp_twsk_purge() Greg Kroah-Hartman
` (29 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengfei Xu, Jithu Joseph, Ashok Raj,
Tony Luck, Ilpo Järvinen, Hans de Goede
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jithu Joseph <jithu.joseph@intel.com>
commit 8c898ec07a2fc1d4694e81097a48e94a3816308d upstream.
Missing release_firmware() due to error handling blocked any future image
loading.
Fix the return code and release_fiwmare() to release the bad image.
Fixes: 25a76dbb36dd ("platform/x86/intel/ifs: Validate image size")
Reported-by: Pengfei Xu <pengfei.xu@intel.com>
Signed-off-by: Jithu Joseph <jithu.joseph@intel.com>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20240125082254.424859-2-ashok.raj@intel.com
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/intel/ifs/load.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/platform/x86/intel/ifs/load.c
+++ b/drivers/platform/x86/intel/ifs/load.c
@@ -279,7 +279,8 @@ int ifs_load_firmware(struct device *dev
if (fw->size != expected_size) {
dev_err(dev, "File size mismatch (expected %u, actual %zu). Corrupted IFS image.\n",
expected_size, fw->size);
- return -EINVAL;
+ ret = -EINVAL;
+ goto release;
}
ret = image_sanity_check(dev, (struct microcode_header_intel *)fw->data);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 325/341] tcp: do not export tcp_twsk_purge()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 324/341] platform/x86/intel/ifs: Call release_firmware() when handling errors Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 326/341] hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt() Greg Kroah-Hartman
` (28 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
David S. Miller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit c51db4ac10d57c366f9a92121e3889bfc6c324cd upstream.
After commit 1eeb50435739 ("tcp/dccp: do not care about
families in inet_twsk_purge()") tcp_twsk_purge() is
no longer potentially called from a module.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_minisocks.c | 1 -
1 file changed, 1 deletion(-)
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -378,7 +378,6 @@ void tcp_twsk_purge(struct list_head *ne
}
}
}
-EXPORT_SYMBOL_GPL(tcp_twsk_purge);
/* Warning : This function is called without sk_listener being locked.
* Be sure to read socket fields once, as their value could change under us.
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 326/341] hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 325/341] tcp: do not export tcp_twsk_purge() Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 327/341] drm/msm/mdss: specify cfg bandwidth for SDM670 Greg Kroah-Hartman
` (27 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Javier Carrasco, Guenter Roeck
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
commit a94ff8e50c20bde6d50864849a98b106e45d30c6 upstream.
A new error path was added to the fwnode_for_each_available_node() loop
in ltc2992_parse_dt(), which leads to an early return that requires a
call to fwnode_handle_put() to avoid a memory leak in that case.
Add the missing fwnode_handle_put() in the error path from a zero value
shunt resistor.
Cc: stable@vger.kernel.org
Fixes: 10b029020487 ("hwmon: (ltc2992) Avoid division by zero")
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Link: https://lore.kernel.org/r/20240523-fwnode_for_each_available_child_node_scoped-v2-1-701f3a03f2fb@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/ltc2992.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/hwmon/ltc2992.c
+++ b/drivers/hwmon/ltc2992.c
@@ -876,9 +876,11 @@ static int ltc2992_parse_dt(struct ltc29
ret = fwnode_property_read_u32(child, "shunt-resistor-micro-ohms", &val);
if (!ret) {
- if (!val)
+ if (!val) {
+ fwnode_handle_put(child);
return dev_err_probe(&st->client->dev, -EINVAL,
"shunt resistor value cannot be zero\n");
+ }
st->r_sense_uohm[addr] = val;
}
}
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 327/341] drm/msm/mdss: specify cfg bandwidth for SDM670
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 326/341] hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt() Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 328/341] drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels Greg Kroah-Hartman
` (26 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Abhinav Kumar,
Richard Acayan
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
commit 8d35217149daa33358c284aca6a56d5ab92cfc6c upstream.
Lower the requested CFG bus bandwidth for the SDM670 platform. The
default value is 153600 kBps, which is twice as big as required by the
platform according to the vendor kernel.
Fixes: a55c8ff252d3 ("drm/msm/mdss: Handle the reg bus ICC path")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Tested-by: Richard Acayan <mailingradian@gmail.com>
Patchwork: https://patchwork.freedesktop.org/patch/572182/
Link: https://lore.kernel.org/r/20231215013222.827975-1-dmitry.baryshkov@linaro.org
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/msm_mdss.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/msm/msm_mdss.c
+++ b/drivers/gpu/drm/msm/msm_mdss.c
@@ -600,6 +600,7 @@ static const struct msm_mdss_data sm6125
.ubwc_dec_version = UBWC_3_0,
.ubwc_swizzle = 1,
.highest_bank_bit = 1,
+ .reg_bus_bw = 76800,
};
static const struct msm_mdss_data sm8250_data = {
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 328/341] drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 327/341] drm/msm/mdss: specify cfg bandwidth for SDM670 Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 329/341] igc: Fix qbv tx latency by setting gtxoffset Greg Kroah-Hartman
` (25 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianhua Lu, Jessica Zhang,
Neil Armstrong
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianhua Lu <lujianhua000@gmail.com>
commit de8ac5696ebc3a2d89c88b70aa3996ee112e76ef upstream.
After commit e6c0de5f4450 ("drm/msm/dpu: try multirect based on mdp clock limits")
merged, 120Hz is working on xiaomi,elish panels, so feature it.
Signed-off-by: Jianhua Lu <lujianhua000@gmail.com>
Reviewed-by: Jessica Zhang <quic_jesszhan@quicinc.com>
Link: https://lore.kernel.org/r/20240112140047.18123-1-lujianhua000@gmail.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240112140047.18123-1-lujianhua000@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/panel/panel-novatek-nt36523.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/panel/panel-novatek-nt36523.c
+++ b/drivers/gpu/drm/panel/panel-novatek-nt36523.c
@@ -935,8 +935,7 @@ static int j606f_boe_init_sequence(struc
static const struct drm_display_mode elish_boe_modes[] = {
{
- /* There is only one 120 Hz timing, but it doesn't work perfectly, 104 Hz preferred */
- .clock = (1600 + 60 + 8 + 60) * (2560 + 26 + 4 + 168) * 104 / 1000,
+ .clock = (1600 + 60 + 8 + 60) * (2560 + 26 + 4 + 168) * 120 / 1000,
.hdisplay = 1600,
.hsync_start = 1600 + 60,
.hsync_end = 1600 + 60 + 8,
@@ -950,8 +949,7 @@ static const struct drm_display_mode eli
static const struct drm_display_mode elish_csot_modes[] = {
{
- /* There is only one 120 Hz timing, but it doesn't work perfectly, 104 Hz preferred */
- .clock = (1600 + 200 + 40 + 52) * (2560 + 26 + 4 + 168) * 104 / 1000,
+ .clock = (1600 + 200 + 40 + 52) * (2560 + 26 + 4 + 168) * 120 / 1000,
.hdisplay = 1600,
.hsync_start = 1600 + 200,
.hsync_end = 1600 + 200 + 40,
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 329/341] igc: Fix qbv tx latency by setting gtxoffset
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 328/341] drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 330/341] ALSA: timer: Relax start tick time check for slave timer elements Greg Kroah-Hartman
` (24 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Faizal Rahim, Simon Horman,
Vinicius Costa Gomes, Mor Bar-Gabay, Tony Nguyen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
commit 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 upstream.
A large tx latency issue was discovered during testing when only QBV was
enabled. The issue occurs because gtxoffset was not set when QBV is
active, it was only set when launch time is active.
The patch "igc: Correct the launchtime offset" only sets gtxoffset when
the launchtime_enable field is set by the user. Enabling launchtime_enable
ultimately sets the register IGC_TXQCTL_QUEUE_MODE_LAUNCHT (referred to as
LaunchT in the SW user manual).
Section 7.5.2.6 of the IGC i225/6 SW User Manual Rev 1.2.4 states:
"The latency between transmission scheduling (launch time) and the
time the packet is transmitted to the network is listed in Table 7-61."
However, the patch misinterprets the phrase "launch time" in that section
by assuming it specifically refers to the LaunchT register, whereas it
actually denotes the generic term for when a packet is released from the
internal buffer to the MAC transmit logic.
This launch time, as per that section, also implicitly refers to the QBV
gate open time, where a packet waits in the buffer for the QBV gate to
open. Therefore, latency applies whenever QBV is in use. TSN features such
as QBU and QAV reuse QBV, making the latency universal to TSN features.
Discussed with i226 HW owner (Shalev, Avi) and we were in agreement that
the term "launch time" used in Section 7.5.2.6 is not clear and can be
easily misinterpreted. Avi will update this section to:
"When TQAVCTRL.TRANSMIT_MODE = TSN, the latency between transmission
scheduling and the time the packet is transmitted to the network is listed
in Table 7-61."
Fix this issue by using igc_tsn_is_tx_mode_in_tsn() as a condition to
write to gtxoffset, aligning with the newly updated SW User Manual.
Tested:
1. Enrol taprio on talker board
base-time 0
cycle-time 1000000
flags 0x2
index 0 cmd S gatemask 0x1 interval1
index 0 cmd S gatemask 0x1 interval2
Note:
interval1 = interval for a 64 bytes packet to go through
interval2 = cycle-time - interval1
2. Take tcpdump on listener board
3. Use udp tai app on talker to send packets to listener
4. Check the timestamp on listener via wireshark
Test Result:
100 Mbps: 113 ~193 ns
1000 Mbps: 52 ~ 84 ns
2500 Mbps: 95 ~ 223 ns
Note that the test result is similar to the patch "igc: Correct the
launchtime offset".
Fixes: 790835fcc0cb ("igc: Correct the launchtime offset")
Signed-off-by: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/igc/igc_tsn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/igc/igc_tsn.c
+++ b/drivers/net/ethernet/intel/igc/igc_tsn.c
@@ -61,7 +61,7 @@ void igc_tsn_adjust_txtime_offset(struct
struct igc_hw *hw = &adapter->hw;
u16 txoffset;
- if (!is_any_launchtime(adapter))
+ if (!igc_tsn_is_tx_mode_in_tsn(adapter))
return;
switch (adapter->link_speed) {
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 330/341] ALSA: timer: Relax start tick time check for slave timer elements
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 329/341] igc: Fix qbv tx latency by setting gtxoffset Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 331/341] mm/numa: no task_numa_fault() call if PMD is changed Greg Kroah-Hartman
` (23 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit ccbfcac05866ebe6eb3bc6d07b51d4ed4fcde436 upstream.
The recent addition of a sanity check for a too low start tick time
seems breaking some applications that uses aloop with a certain slave
timer setup. They may have the initial resolution 0, hence it's
treated as if it were a too low value.
Relax and skip the check for the slave timer instance for addressing
the regression.
Fixes: 4a63bd179fa8 ("ALSA: timer: Set lower bound of start tick time")
Cc: <stable@vger.kernel.org>
Link: https://github.com/raspberrypi/linux/issues/6294
Link: https://patch.msgid.link/20240810084833.10939-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/timer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -556,7 +556,7 @@ static int snd_timer_start1(struct snd_t
/* check the actual time for the start tick;
* bail out as error if it's way too low (< 100us)
*/
- if (start) {
+ if (start && !(timer->hw.flags & SNDRV_TIMER_HW_SLAVE)) {
if ((u64)snd_timer_hw_resolution(timer) * ticks < 100000) {
result = -EINVAL;
goto unlock;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 331/341] mm/numa: no task_numa_fault() call if PMD is changed
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 330/341] ALSA: timer: Relax start tick time check for slave timer elements Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 332/341] mm/numa: no task_numa_fault() call if PTE " Greg Kroah-Hartman
` (22 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huang, Ying, Zi Yan,
David Hildenbrand, Baolin Wang, Kefeng Wang, Mel Gorman, Yang Shi,
Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zi Yan <ziy@nvidia.com>
commit fd8c35a92910f4829b7c99841f39b1b952c259d5 upstream.
When handling a numa page fault, task_numa_fault() should be called by a
process that restores the page table of the faulted folio to avoid
duplicated stats counting. Commit c5b5a3dd2c1f ("mm: thp: refactor NUMA
fault handling") restructured do_huge_pmd_numa_page() and did not avoid
task_numa_fault() call in the second page table check after a numa
migration failure. Fix it by making all !pmd_same() return immediately.
This issue can cause task_numa_fault() being called more than necessary
and lead to unexpected numa balancing results (It is hard to tell whether
the issue will cause positive or negative performance impact due to
duplicated numa fault counting).
Link: https://lkml.kernel.org/r/20240809145906.1513458-3-ziy@nvidia.com
Fixes: c5b5a3dd2c1f ("mm: thp: refactor NUMA fault handling")
Reported-by: "Huang, Ying" <ying.huang@intel.com>
Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.intel.com/
Signed-off-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: "Huang, Ying" <ying.huang@intel.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Yang Shi <shy828301@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/huge_memory.c | 30 +++++++++++++-----------------
1 file changed, 13 insertions(+), 17 deletions(-)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1504,7 +1504,7 @@ vm_fault_t do_huge_pmd_numa_page(struct
vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) {
spin_unlock(vmf->ptl);
- goto out;
+ return 0;
}
pmd = pmd_modify(oldpmd, vma->vm_page_prot);
@@ -1548,23 +1548,16 @@ vm_fault_t do_huge_pmd_numa_page(struct
if (migrated) {
flags |= TNF_MIGRATED;
page_nid = target_nid;
- } else {
- flags |= TNF_MIGRATE_FAIL;
- vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
- if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) {
- spin_unlock(vmf->ptl);
- goto out;
- }
- goto out_map;
+ task_numa_fault(last_cpupid, page_nid, HPAGE_PMD_NR, flags);
+ return 0;
}
-out:
- if (page_nid != NUMA_NO_NODE)
- task_numa_fault(last_cpupid, page_nid, HPAGE_PMD_NR,
- flags);
-
- return 0;
-
+ flags |= TNF_MIGRATE_FAIL;
+ vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
+ if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) {
+ spin_unlock(vmf->ptl);
+ return 0;
+ }
out_map:
/* Restore the PMD */
pmd = pmd_modify(oldpmd, vma->vm_page_prot);
@@ -1574,7 +1567,10 @@ out_map:
set_pmd_at(vma->vm_mm, haddr, vmf->pmd, pmd);
update_mmu_cache_pmd(vma, vmf->address, vmf->pmd);
spin_unlock(vmf->ptl);
- goto out;
+
+ if (page_nid != NUMA_NO_NODE)
+ task_numa_fault(last_cpupid, page_nid, HPAGE_PMD_NR, flags);
+ return 0;
}
/*
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 332/341] mm/numa: no task_numa_fault() call if PTE is changed
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 331/341] mm/numa: no task_numa_fault() call if PMD is changed Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 333/341] bpf: Fix a kernel verifier crash in stacksafe() Greg Kroah-Hartman
` (21 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zi Yan, Huang, Ying,
David Hildenbrand, Baolin Wang, Kefeng Wang, Mel Gorman, Yang Shi,
Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zi Yan <ziy@nvidia.com>
commit 40b760cfd44566bca791c80e0720d70d75382b84 upstream.
When handling a numa page fault, task_numa_fault() should be called by a
process that restores the page table of the faulted folio to avoid
duplicated stats counting. Commit b99a342d4f11 ("NUMA balancing: reduce
TLB flush via delaying mapping on hint page fault") restructured
do_numa_page() and did not avoid task_numa_fault() call in the second page
table check after a numa migration failure. Fix it by making all
!pte_same() return immediately.
This issue can cause task_numa_fault() being called more than necessary
and lead to unexpected numa balancing results (It is hard to tell whether
the issue will cause positive or negative performance impact due to
duplicated numa fault counting).
Link: https://lkml.kernel.org/r/20240809145906.1513458-2-ziy@nvidia.com
Fixes: b99a342d4f11 ("NUMA balancing: reduce TLB flush via delaying mapping on hint page fault")
Signed-off-by: Zi Yan <ziy@nvidia.com>
Reported-by: "Huang, Ying" <ying.huang@intel.com>
Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.intel.com/
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Yang Shi <shy828301@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory.c | 33 ++++++++++++++++-----------------
1 file changed, 16 insertions(+), 17 deletions(-)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -4775,7 +4775,7 @@ static vm_fault_t do_numa_page(struct vm
spin_lock(vmf->ptl);
if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) {
pte_unmap_unlock(vmf->pte, vmf->ptl);
- goto out;
+ return 0;
}
/* Get the normal PTE */
@@ -4840,23 +4840,19 @@ static vm_fault_t do_numa_page(struct vm
if (migrate_misplaced_page(page, vma, target_nid)) {
page_nid = target_nid;
flags |= TNF_MIGRATED;
- } else {
- flags |= TNF_MIGRATE_FAIL;
- vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd,
- vmf->address, &vmf->ptl);
- if (unlikely(!vmf->pte))
- goto out;
- if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) {
- pte_unmap_unlock(vmf->pte, vmf->ptl);
- goto out;
- }
- goto out_map;
+ task_numa_fault(last_cpupid, page_nid, 1, flags);
+ return 0;
}
-out:
- if (page_nid != NUMA_NO_NODE)
- task_numa_fault(last_cpupid, page_nid, 1, flags);
- return 0;
+ flags |= TNF_MIGRATE_FAIL;
+ vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd,
+ vmf->address, &vmf->ptl);
+ if (unlikely(!vmf->pte))
+ return 0;
+ if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) {
+ pte_unmap_unlock(vmf->pte, vmf->ptl);
+ return 0;
+ }
out_map:
/*
* Make it present again, depending on how arch implements
@@ -4870,7 +4866,10 @@ out_map:
ptep_modify_prot_commit(vma, vmf->address, vmf->pte, old_pte, pte);
update_mmu_cache_range(vmf, vma, vmf->address, vmf->pte, 1);
pte_unmap_unlock(vmf->pte, vmf->ptl);
- goto out;
+
+ if (page_nid != NUMA_NO_NODE)
+ task_numa_fault(last_cpupid, page_nid, 1, flags);
+ return 0;
}
static inline vm_fault_t create_huge_pmd(struct vm_fault *vmf)
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 333/341] bpf: Fix a kernel verifier crash in stacksafe()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 332/341] mm/numa: no task_numa_fault() call if PTE " Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 334/341] selftests/bpf: Add a test to verify previous stacksafe() fix Greg Kroah-Hartman
` (20 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eduard Zingerman, Daniel Hodges,
Yonghong Song, Alexei Starovoitov, Shung-Hsi Yu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonghong Song <yonghong.song@linux.dev>
commit bed2eb964c70b780fb55925892a74f26cb590b25 upstream.
Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
Further investigation shows that the crash is due to invalid memory access
in stacksafe(). More specifically, it is the following code:
if (exact != NOT_EXACT &&
old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
cur->stack[spi].slot_type[i % BPF_REG_SIZE])
return false;
The 'i' iterates old->allocated_stack.
If cur->allocated_stack < old->allocated_stack the out-of-bound
access will happen.
To fix the issue add 'i >= cur->allocated_stack' check such that if
the condition is true, stacksafe() should fail. Otherwise,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.
Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman <eddyz87@gmail.com>
Reported-by: Daniel Hodges <hodgesd@meta.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[ shung-hsi.yu: "exact" variable is bool instead enum because commit
4f81c16f50ba ("bpf: Recognize that two registers are safe when their
ranges match") is not present. ]
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16124,8 +16124,9 @@ static bool stacksafe(struct bpf_verifie
spi = i / BPF_REG_SIZE;
if (exact &&
- old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
- cur->stack[spi].slot_type[i % BPF_REG_SIZE])
+ (i >= cur->allocated_stack ||
+ old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
+ cur->stack[spi].slot_type[i % BPF_REG_SIZE]))
return false;
if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) && !exact) {
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 334/341] selftests/bpf: Add a test to verify previous stacksafe() fix
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 333/341] bpf: Fix a kernel verifier crash in stacksafe() Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 335/341] NFSD: simplify error paths in nfsd_svc() Greg Kroah-Hartman
` (19 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yonghong Song, Alexei Starovoitov,
Shung-Hsi Yu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonghong Song <yonghong.song@linux.dev>
commit 662c3e2db00f92e50c26e9dc4fe47c52223d9982 upstream.
A selftest is added such that without the previous patch,
a crash can happen. With the previous patch, the test can
run successfully. The new test is written in a way which
mimics original crash case:
main_prog
static_prog_1
static_prog_2
where static_prog_1 has different paths to static_prog_2
and some path has stack allocated and some other path
does not. A stacksafe() checking in static_prog_2()
triggered the crash.
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20240812214852.214037-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/bpf/progs/iters.c | 54 ++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
--- a/tools/testing/selftests/bpf/progs/iters.c
+++ b/tools/testing/selftests/bpf/progs/iters.c
@@ -1411,4 +1411,58 @@ __naked int checkpoint_states_deletion(v
);
}
+__u32 upper, select_n, result;
+__u64 global;
+
+static __noinline bool nest_2(char *str)
+{
+ /* some insns (including branch insns) to ensure stacksafe() is triggered
+ * in nest_2(). This way, stacksafe() can compare frame associated with nest_1().
+ */
+ if (str[0] == 't')
+ return true;
+ if (str[1] == 'e')
+ return true;
+ if (str[2] == 's')
+ return true;
+ if (str[3] == 't')
+ return true;
+ return false;
+}
+
+static __noinline bool nest_1(int n)
+{
+ /* case 0: allocate stack, case 1: no allocate stack */
+ switch (n) {
+ case 0: {
+ char comm[16];
+
+ if (bpf_get_current_comm(comm, 16))
+ return false;
+ return nest_2(comm);
+ }
+ case 1:
+ return nest_2((char *)&global);
+ default:
+ return false;
+ }
+}
+
+SEC("raw_tp")
+__success
+int iter_subprog_check_stacksafe(const void *ctx)
+{
+ long i;
+
+ bpf_for(i, 0, upper) {
+ if (!nest_1(select_n)) {
+ result = 1;
+ return 0;
+ }
+ }
+
+ result = 2;
+ return 0;
+}
+
char _license[] SEC("license") = "GPL";
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 335/341] NFSD: simplify error paths in nfsd_svc()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 334/341] selftests/bpf: Add a test to verify previous stacksafe() fix Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 336/341] drm/amdgpu/vcn: identify unified queue in sw init Greg Kroah-Hartman
` (18 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, NeilBrown, Jeff Layton, Chuck Lever,
Li Lingfeng
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neilb@suse.de>
commit bf32075256e9dd9c6b736859e2c5813981339908 upstream.
The error paths in nfsd_svc() are needlessly complex and can result in a
final call to svc_put() without nfsd_last_thread() being called. This
results in the listening sockets not being closed properly.
The per-netns setup provided by nfsd_startup_new() and removed by
nfsd_shutdown_net() is needed precisely when there are running threads.
So we don't need nfsd_up_before. We don't need to know if it *was* up.
We only need to know if any threads are left. If none are, then we must
call nfsd_shutdown_net(). But we don't need to do that explicitly as
nfsd_last_thread() does that for us.
So simply call nfsd_last_thread() before the last svc_put() if there are
no running threads. That will always do the right thing.
Also discard:
pr_info("nfsd: last server has exited, flushing export cache\n");
It may not be true if an attempt to start the first server failed, and
it isn't particularly helpful and it simply reports normal behaviour.
Signed-off-by: NeilBrown <neilb@suse.de>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reported-by: Li Lingfeng <lilingfeng3@huawei.com>
Suggested-by: Li Lingfeng <lilingfeng3@huawei.com>
Tested-by: Li Lingfeng <lilingfeng3@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfssvc.c | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -567,7 +567,6 @@ void nfsd_last_thread(struct net *net)
return;
nfsd_shutdown_net(net);
- pr_info("nfsd: last server has exited, flushing export cache\n");
nfsd_export_flush(net);
}
@@ -783,7 +782,6 @@ int
nfsd_svc(int nrservs, struct net *net, const struct cred *cred)
{
int error;
- bool nfsd_up_before;
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
struct svc_serv *serv;
@@ -803,8 +801,6 @@ nfsd_svc(int nrservs, struct net *net, c
error = nfsd_create_serv(net);
if (error)
goto out;
-
- nfsd_up_before = nn->nfsd_net_up;
serv = nn->nfsd_serv;
error = nfsd_startup_net(net, cred);
@@ -812,17 +808,15 @@ nfsd_svc(int nrservs, struct net *net, c
goto out_put;
error = svc_set_num_threads(serv, NULL, nrservs);
if (error)
- goto out_shutdown;
+ goto out_put;
error = serv->sv_nrthreads;
- if (error == 0)
- nfsd_last_thread(net);
-out_shutdown:
- if (error < 0 && !nfsd_up_before)
- nfsd_shutdown_net(net);
out_put:
/* Threads now hold service active */
if (xchg(&nn->keep_active, 0))
svc_put(serv);
+
+ if (serv->sv_nrthreads == 0)
+ nfsd_last_thread(net);
svc_put(serv);
out:
mutex_unlock(&nfsd_mutex);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 336/341] drm/amdgpu/vcn: identify unified queue in sw init
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 335/341] NFSD: simplify error paths in nfsd_svc() Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 337/341] drm/amdgpu/vcn: not pause dpg for unified queue Greg Kroah-Hartman
` (17 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boyuan Zhang, Alex Deucher,
Ruijing Dong, Mario Limonciello
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boyuan Zhang <boyuan.zhang@amd.com>
commit ecfa23c8df7ef3ea2a429dfe039341bf792e95b4 upstream.
Determine whether VCN using unified queue in sw_init, instead of calling
functions later on.
v2: fix coding style
Signed-off-by: Boyuan Zhang <boyuan.zhang@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 39 ++++++++++++--------------------
drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1
2 files changed, 16 insertions(+), 24 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c
@@ -135,6 +135,10 @@ int amdgpu_vcn_sw_init(struct amdgpu_dev
}
}
+ /* from vcn4 and above, only unified queue is used */
+ adev->vcn.using_unified_queue =
+ adev->ip_versions[UVD_HWIP][0] >= IP_VERSION(4, 0, 0);
+
hdr = (const struct common_firmware_header *)adev->vcn.fw->data;
adev->vcn.fw_version = le32_to_cpu(hdr->ucode_version);
@@ -259,18 +263,6 @@ int amdgpu_vcn_sw_fini(struct amdgpu_dev
return 0;
}
-/* from vcn4 and above, only unified queue is used */
-static bool amdgpu_vcn_using_unified_queue(struct amdgpu_ring *ring)
-{
- struct amdgpu_device *adev = ring->adev;
- bool ret = false;
-
- if (adev->ip_versions[UVD_HWIP][0] >= IP_VERSION(4, 0, 0))
- ret = true;
-
- return ret;
-}
-
bool amdgpu_vcn_is_disabled_vcn(struct amdgpu_device *adev, enum vcn_ring_type type, uint32_t vcn_instance)
{
bool ret = false;
@@ -707,12 +699,11 @@ static int amdgpu_vcn_dec_sw_send_msg(st
struct amdgpu_job *job;
struct amdgpu_ib *ib;
uint64_t addr = AMDGPU_GPU_PAGE_ALIGN(ib_msg->gpu_addr);
- bool sq = amdgpu_vcn_using_unified_queue(ring);
uint32_t *ib_checksum;
uint32_t ib_pack_in_dw;
int i, r;
- if (sq)
+ if (adev->vcn.using_unified_queue)
ib_size_dw += 8;
r = amdgpu_job_alloc_with_ib(ring->adev, NULL, NULL,
@@ -725,7 +716,7 @@ static int amdgpu_vcn_dec_sw_send_msg(st
ib->length_dw = 0;
/* single queue headers */
- if (sq) {
+ if (adev->vcn.using_unified_queue) {
ib_pack_in_dw = sizeof(struct amdgpu_vcn_decode_buffer) / sizeof(uint32_t)
+ 4 + 2; /* engine info + decoding ib in dw */
ib_checksum = amdgpu_vcn_unified_ring_ib_header(ib, ib_pack_in_dw, false);
@@ -744,7 +735,7 @@ static int amdgpu_vcn_dec_sw_send_msg(st
for (i = ib->length_dw; i < ib_size_dw; ++i)
ib->ptr[i] = 0x0;
- if (sq)
+ if (adev->vcn.using_unified_queue)
amdgpu_vcn_unified_ring_ib_checksum(&ib_checksum, ib_pack_in_dw);
r = amdgpu_job_submit_direct(job, ring, &f);
@@ -834,15 +825,15 @@ static int amdgpu_vcn_enc_get_create_msg
struct dma_fence **fence)
{
unsigned int ib_size_dw = 16;
+ struct amdgpu_device *adev = ring->adev;
struct amdgpu_job *job;
struct amdgpu_ib *ib;
struct dma_fence *f = NULL;
uint32_t *ib_checksum = NULL;
uint64_t addr;
- bool sq = amdgpu_vcn_using_unified_queue(ring);
int i, r;
- if (sq)
+ if (adev->vcn.using_unified_queue)
ib_size_dw += 8;
r = amdgpu_job_alloc_with_ib(ring->adev, NULL, NULL,
@@ -856,7 +847,7 @@ static int amdgpu_vcn_enc_get_create_msg
ib->length_dw = 0;
- if (sq)
+ if (adev->vcn.using_unified_queue)
ib_checksum = amdgpu_vcn_unified_ring_ib_header(ib, 0x11, true);
ib->ptr[ib->length_dw++] = 0x00000018;
@@ -878,7 +869,7 @@ static int amdgpu_vcn_enc_get_create_msg
for (i = ib->length_dw; i < ib_size_dw; ++i)
ib->ptr[i] = 0x0;
- if (sq)
+ if (adev->vcn.using_unified_queue)
amdgpu_vcn_unified_ring_ib_checksum(&ib_checksum, 0x11);
r = amdgpu_job_submit_direct(job, ring, &f);
@@ -901,15 +892,15 @@ static int amdgpu_vcn_enc_get_destroy_ms
struct dma_fence **fence)
{
unsigned int ib_size_dw = 16;
+ struct amdgpu_device *adev = ring->adev;
struct amdgpu_job *job;
struct amdgpu_ib *ib;
struct dma_fence *f = NULL;
uint32_t *ib_checksum = NULL;
uint64_t addr;
- bool sq = amdgpu_vcn_using_unified_queue(ring);
int i, r;
- if (sq)
+ if (adev->vcn.using_unified_queue)
ib_size_dw += 8;
r = amdgpu_job_alloc_with_ib(ring->adev, NULL, NULL,
@@ -923,7 +914,7 @@ static int amdgpu_vcn_enc_get_destroy_ms
ib->length_dw = 0;
- if (sq)
+ if (adev->vcn.using_unified_queue)
ib_checksum = amdgpu_vcn_unified_ring_ib_header(ib, 0x11, true);
ib->ptr[ib->length_dw++] = 0x00000018;
@@ -945,7 +936,7 @@ static int amdgpu_vcn_enc_get_destroy_ms
for (i = ib->length_dw; i < ib_size_dw; ++i)
ib->ptr[i] = 0x0;
- if (sq)
+ if (adev->vcn.using_unified_queue)
amdgpu_vcn_unified_ring_ib_checksum(&ib_checksum, 0x11);
r = amdgpu_job_submit_direct(job, ring, &f);
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h
@@ -284,6 +284,7 @@ struct amdgpu_vcn {
uint16_t inst_mask;
uint8_t num_inst_per_aid;
+ bool using_unified_queue;
};
struct amdgpu_fw_shared_rb_ptrs_struct {
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 337/341] drm/amdgpu/vcn: not pause dpg for unified queue
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 336/341] drm/amdgpu/vcn: identify unified queue in sw init Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 338/341] ksmbd: fix race condition between destroy_previous_session() and smb2 operations() Greg Kroah-Hartman
` (16 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boyuan Zhang, Alex Deucher,
Ruijing Dong, Mario Limonciello
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boyuan Zhang <boyuan.zhang@amd.com>
commit 7d75ef3736a025db441be652c8cc8e84044a215f upstream.
For unified queue, DPG pause for encoding is done inside VCN firmware,
so there is no need to pause dpg based on ring type in kernel.
For VCN3 and below, pausing DPG for encoding in kernel is still needed.
v2: add more comments
v3: update commit message
Signed-off-by: Boyuan Zhang <boyuan.zhang@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c
@@ -372,7 +372,9 @@ static void amdgpu_vcn_idle_work_handler
for (i = 0; i < adev->vcn.num_enc_rings; ++i)
fence[j] += amdgpu_fence_count_emitted(&adev->vcn.inst[j].ring_enc[i]);
- if (adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG) {
+ /* Only set DPG pause for VCN3 or below, VCN4 and above will be handled by FW */
+ if (adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG &&
+ !adev->vcn.using_unified_queue) {
struct dpg_pause_state new_state;
if (fence[j] ||
@@ -418,7 +420,9 @@ void amdgpu_vcn_ring_begin_use(struct am
amdgpu_device_ip_set_powergating_state(adev, AMD_IP_BLOCK_TYPE_VCN,
AMD_PG_STATE_UNGATE);
- if (adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG) {
+ /* Only set DPG pause for VCN3 or below, VCN4 and above will be handled by FW */
+ if (adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG &&
+ !adev->vcn.using_unified_queue) {
struct dpg_pause_state new_state;
if (ring->funcs->type == AMDGPU_RING_TYPE_VCN_ENC) {
@@ -444,8 +448,12 @@ void amdgpu_vcn_ring_begin_use(struct am
void amdgpu_vcn_ring_end_use(struct amdgpu_ring *ring)
{
+ struct amdgpu_device *adev = ring->adev;
+
+ /* Only set DPG pause for VCN3 or below, VCN4 and above will be handled by FW */
if (ring->adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG &&
- ring->funcs->type == AMDGPU_RING_TYPE_VCN_ENC)
+ ring->funcs->type == AMDGPU_RING_TYPE_VCN_ENC &&
+ !adev->vcn.using_unified_queue)
atomic_dec(&ring->adev->vcn.inst[ring->me].dpg_enc_submission_cnt);
atomic_dec(&ring->adev->vcn.total_submission_cnt);
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 338/341] ksmbd: fix race condition between destroy_previous_session() and smb2 operations()
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 337/341] drm/amdgpu/vcn: not pause dpg for unified queue Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 339/341] net: ngbe: Fix phy mode set to external phy Greg Kroah-Hartman
` (15 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
zdi-disclosures
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 76e98a158b207771a6c9a0de0a60522a446a3447 ]
If there is ->PreviousSessionId field in the session setup request,
The session of the previous connection should be destroyed.
During this, if the smb2 operation requests in the previous session are
being processed, a racy issue could happen with ksmbd_destroy_file_table().
This patch sets conn->status to KSMBD_SESS_NEED_RECONNECT to block
incoming operations and waits until on-going operations are complete
(i.e. idle) before desctorying the previous session.
Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
Cc: stable@vger.kernel.org # v6.6+
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-25040
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/connection.c | 34 +++++++++++++++++++++++++++++++++-
fs/smb/server/connection.h | 3 ++-
fs/smb/server/mgmt/user_session.c | 8 ++++++++
fs/smb/server/smb2pdu.c | 2 +-
4 files changed, 44 insertions(+), 3 deletions(-)
--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -165,11 +165,43 @@ void ksmbd_all_conn_set_status(u64 sess_
up_read(&conn_list_lock);
}
-void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id)
+void ksmbd_conn_wait_idle(struct ksmbd_conn *conn)
{
wait_event(conn->req_running_q, atomic_read(&conn->req_running) < 2);
}
+int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id)
+{
+ struct ksmbd_conn *conn;
+ int rc, retry_count = 0, max_timeout = 120;
+ int rcount = 1;
+
+retry_idle:
+ if (retry_count >= max_timeout)
+ return -EIO;
+
+ down_read(&conn_list_lock);
+ list_for_each_entry(conn, &conn_list, conns_list) {
+ if (conn->binding || xa_load(&conn->sessions, sess_id)) {
+ if (conn == curr_conn)
+ rcount = 2;
+ if (atomic_read(&conn->req_running) >= rcount) {
+ rc = wait_event_timeout(conn->req_running_q,
+ atomic_read(&conn->req_running) < rcount,
+ HZ);
+ if (!rc) {
+ up_read(&conn_list_lock);
+ retry_count++;
+ goto retry_idle;
+ }
+ }
+ }
+ }
+ up_read(&conn_list_lock);
+
+ return 0;
+}
+
int ksmbd_conn_write(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
--- a/fs/smb/server/connection.h
+++ b/fs/smb/server/connection.h
@@ -145,7 +145,8 @@ extern struct list_head conn_list;
extern struct rw_semaphore conn_list_lock;
bool ksmbd_conn_alive(struct ksmbd_conn *conn);
-void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id);
+void ksmbd_conn_wait_idle(struct ksmbd_conn *conn);
+int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id);
struct ksmbd_conn *ksmbd_conn_alloc(void);
void ksmbd_conn_free(struct ksmbd_conn *conn);
bool ksmbd_conn_lookup_dialect(struct ksmbd_conn *c);
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -310,6 +310,7 @@ void destroy_previous_session(struct ksm
{
struct ksmbd_session *prev_sess;
struct ksmbd_user *prev_user;
+ int err;
down_write(&sessions_table_lock);
down_write(&conn->session_lock);
@@ -324,8 +325,15 @@ void destroy_previous_session(struct ksm
memcmp(user->passkey, prev_user->passkey, user->passkey_sz))
goto out;
+ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT);
+ err = ksmbd_conn_wait_idle_sess_id(conn, id);
+ if (err) {
+ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);
+ goto out;
+ }
ksmbd_destroy_file_table(&prev_sess->file_table);
prev_sess->state = SMB2_SESSION_EXPIRED;
+ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);
out:
up_write(&conn->session_lock);
up_write(&sessions_table_lock);
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2210,7 +2210,7 @@ int smb2_session_logoff(struct ksmbd_wor
ksmbd_conn_unlock(conn);
ksmbd_close_session_fds(work);
- ksmbd_conn_wait_idle(conn, sess_id);
+ ksmbd_conn_wait_idle(conn);
/*
* Re-lookup session to validate if session is deleted
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 339/341] net: ngbe: Fix phy mode set to external phy
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 338/341] ksmbd: fix race condition between destroy_previous_session() and smb2 operations() Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 340/341] Revert "s390/dasd: Establish DMA alignment" Greg Kroah-Hartman
` (14 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mengyuan Lou, Jacob Keller,
Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mengyuan Lou <mengyuanlou@net-swift.com>
commit f2916c83d746eb99f50f42c15cf4c47c2ea5f3b3 upstream.
The MAC only has add the TX delay and it can not be modified.
MAC and PHY are both set the TX delay cause transmission problems.
So just disable TX delay in PHY, when use rgmii to attach to
external phy, set PHY_INTERFACE_MODE_RGMII_RXID to phy drivers.
And it is does not matter to internal phy.
Fixes: bc2426d74aa3 ("net: ngbe: convert phylib to phylink")
Signed-off-by: Mengyuan Lou <mengyuanlou@net-swift.com>
Cc: stable@vger.kernel.org # 6.3+
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/E6759CF1387CF84C+20240820030425.93003-1-mengyuanlou@net-swift.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: mengyuanlou <mengyuanlou@net-swift.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c
+++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c
@@ -215,10 +215,14 @@ int ngbe_phy_connect(struct wx *wx)
{
int ret;
+ /* The MAC only has add the Tx delay and it can not be modified.
+ * So just disable TX delay in PHY, and it is does not matter to
+ * internal phy.
+ */
ret = phy_connect_direct(wx->netdev,
wx->phydev,
ngbe_handle_link_change,
- PHY_INTERFACE_MODE_RGMII_ID);
+ PHY_INTERFACE_MODE_RGMII_RXID);
if (ret) {
wx_err(wx, "PHY connect failed.\n");
return ret;
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 340/341] Revert "s390/dasd: Establish DMA alignment"
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 339/341] net: ngbe: Fix phy mode set to external phy Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 341/341] Input: MT - limit max slots Greg Kroah-Hartman
` (13 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Höppner
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 4191 bytes --]
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Jan Höppner" <hoeppner@linux.ibm.com>
This reverts commit bc792884b76f ("s390/dasd: Establish DMA alignment").
Quoting the original commit:
linux-next commit bf8d08532bc1 ("iomap: add support for dma aligned
direct-io") changes the alignment requirement to come from the block
device rather than the block size, and the default alignment
requirement is 512-byte boundaries. Since DASD I/O has page
alignments for IDAW/TIDAW requests, let's override this value to
restore the expected behavior.
I mentioned TIDAW, but that was wrong. TIDAWs have no distinct alignment
requirement (per p. 15-70 of POPS SA22-7832-13):
Unless otherwise specified, TIDAWs may designate
a block of main storage on any boundary and length
up to 4K bytes, provided the specified block does not
cross a 4 K-byte boundary.
IDAWs do, but the original commit neglected that while ECKD DASD are
typically formatted in 4096-byte blocks, they don't HAVE to be. Formatting
an ECKD volume with smaller blocks is permitted (dasdfmt -b xxx), and the
problematic commit enforces alignment properties to such a device that
will result in errors, such as:
[test@host ~]# lsdasd -l a367 | grep blksz
blksz: 512
[test@host ~]# mkfs.xfs -f /dev/disk/by-path/ccw-0.0.a367-part1
meta-data=/dev/dasdc1 isize=512 agcount=4, agsize=230075 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=1
= reflink=1 bigtime=1 inobtcount=1 nrext64=1
data = bsize=4096 blocks=920299, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1
log =internal log bsize=4096 blocks=16384, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
error reading existing superblock: Invalid argument
mkfs.xfs: pwrite failed: Invalid argument
libxfs_bwrite: write failed on (unknown) bno 0x70565c/0x100, err=22
mkfs.xfs: Releasing dirty buffer to free list!
found dirty buffer (bulk) on free list!
mkfs.xfs: pwrite failed: Invalid argument
...snipped...
The original commit omitted the FBA discipline for just this reason,
but the formatted block size of the other disciplines was overlooked.
The solution to all of this is to revert to the original behavior,
such that the block size can be respected.
But what of the original problem? That was manifested with a direct-io
QEMU guest, where QEMU itself was changed a month or two later with
commit 25474d90aa ("block: use the request length for iov alignment")
such that the blamed kernel commit is unnecessary.
Note: This is an adapted version of the original upstream commit
2a07bb64d801 ("s390/dasd: Remove DMA alignment").
Cc: stable@vger.kernel.org # 6.0+
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_diag.c | 1 -
drivers/s390/block/dasd_eckd.c | 1 -
2 files changed, 2 deletions(-)
--- a/drivers/s390/block/dasd_diag.c
+++ b/drivers/s390/block/dasd_diag.c
@@ -639,7 +639,6 @@ static void dasd_diag_setup_blk_queue(st
/* With page sized segments each segment can be translated into one idaw/tidaw */
blk_queue_max_segment_size(q, PAGE_SIZE);
blk_queue_segment_boundary(q, PAGE_SIZE - 1);
- blk_queue_dma_alignment(q, PAGE_SIZE - 1);
}
static int dasd_diag_pe_handler(struct dasd_device *device,
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -6888,7 +6888,6 @@ static void dasd_eckd_setup_blk_queue(st
/* With page sized segments each segment can be translated into one idaw/tidaw */
blk_queue_max_segment_size(q, PAGE_SIZE);
blk_queue_segment_boundary(q, PAGE_SIZE - 1);
- blk_queue_dma_alignment(q, PAGE_SIZE - 1);
}
static struct ccw_driver dasd_eckd_driver = {
^ permalink raw reply [flat|nested] 367+ messages in thread
* [PATCH 6.6 341/341] Input: MT - limit max slots
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 340/341] Revert "s390/dasd: Establish DMA alignment" Greg Kroah-Hartman
@ 2024-08-27 14:39 ` Greg Kroah-Hartman
2024-08-27 15:39 ` [PATCH 6.6 000/341] 6.6.48-rc1 review Naresh Kamboju
` (12 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Dmitry Torokhov,
Tetsuo Handa, Linus Torvalds, George Kennedy
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit 99d3bf5f7377d42f8be60a6b9cb60fb0be34dceb upstream.
syzbot is reporting too large allocation at input_mt_init_slots(), for
num_slots is supplied from userspace using ioctl(UI_DEV_CREATE).
Since nobody knows possible max slots, this patch chose 1024.
Reported-by: syzbot <syzbot+0122fa359a69694395d5@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=0122fa359a69694395d5
Suggested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/input-mt.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/input/input-mt.c
+++ b/drivers/input/input-mt.c
@@ -46,6 +46,9 @@ int input_mt_init_slots(struct input_dev
return 0;
if (mt)
return mt->num_slots != num_slots ? -EINVAL : 0;
+ /* Arbitrary limit for avoiding too large memory allocation. */
+ if (num_slots > 1024)
+ return -EINVAL;
mt = kzalloc(struct_size(mt, slots, num_slots), GFP_KERNEL);
if (!mt)
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 110/341] usb: gadget: uvc: cleanup request when not in correct state
2024-08-27 14:35 ` [PATCH 6.6 110/341] usb: gadget: uvc: cleanup request when not in correct state Greg Kroah-Hartman
@ 2024-08-27 15:04 ` Michael Grzeschik
2024-08-27 16:06 ` Greg Kroah-Hartman
0 siblings, 1 reply; 367+ messages in thread
From: Michael Grzeschik @ 2024-08-27 15:04 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, patches, Sasha Levin
[-- Attachment #1: Type: text/plain, Size: 2239 bytes --]
On Tue, Aug 27, 2024 at 04:35:41PM +0200, Greg Kroah-Hartman wrote:
>6.6-stable review patch. If anyone has any objections, please let me know.
Since this change is not actually in Mainline anymore as you reverted it
immediatly afterwards, it probably make no sense to pick it up.
I saw this patch and its revert past me the last week while being
applied on some other stable trees.
>------------------
>
>From: Michael Grzeschik <m.grzeschik@pengutronix.de>
>
>[ Upstream commit 52a39f2cf62bb5430ad1f54cd522dbfdab1d71ba ]
>
>The uvc_video_enable function of the uvc-gadget driver is dequeing and
>immediately deallocs all requests on its disable codepath. This is not
>save since the dequeue function is async and does not ensure that the
>requests are left unlinked in the controller driver.
>
>By adding the ep_free_request into the completion path of the requests
>we ensure that the request will be properly deallocated.
>
>Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
>Link: https://lore.kernel.org/r/20230911140530.2995138-3-m.grzeschik@pengutronix.de
>Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>Signed-off-by: Sasha Levin <sashal@kernel.org>
>---
> drivers/usb/gadget/function/uvc_video.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
>index 281e75027b344..678ed30ada2b7 100644
>--- a/drivers/usb/gadget/function/uvc_video.c
>+++ b/drivers/usb/gadget/function/uvc_video.c
>@@ -259,6 +259,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
> struct uvc_device *uvc = video->uvc;
> unsigned long flags;
>
>+ if (uvc->state == UVC_STATE_CONNECTED) {
>+ usb_ep_free_request(video->ep, ureq->req);
>+ ureq->req = NULL;
>+ return;
>+ }
>+
> switch (req->status) {
> case 0:
> break;
>--
>2.43.0
>
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2024-08-27 14:39 ` [PATCH 6.6 341/341] Input: MT - limit max slots Greg Kroah-Hartman
@ 2024-08-27 15:39 ` Naresh Kamboju
2024-08-27 17:47 ` Florian Fainelli
` (11 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Naresh Kamboju @ 2024-08-27 15:39 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie, rcu,
Paul E. McKenney, Zhen Lei
On Tue, 27 Aug 2024 at 20:12, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
The tinyconfig builds failed due to following build warnings / errors on the
stable-rc linux.6.6.y.
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Build error:
-------
kernel/rcu/update.c:49:
kernel/rcu/rcu.h: In function 'debug_rcu_head_callback':
/kernel/rcu/rcu.h:255:17: error: implicit declaration of function
'kmem_dump_obj'; did you mean 'mem_dump_obj'?
[-Werror=implicit-function-declaration]
255 | kmem_dump_obj(rhp);
| ^~~~~~~~~~~~~
| mem_dump_obj
cc1: some warnings being treated as errors
Build log links,
------
- https://storage.tuxsuite.com/public/linaro/lkft/builds/2lFMi7HOL2XF8hQWViw6CjE3NAF/
metadata:
----
git describe: v6.6.47-342-g0ec2cf1e20ad
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git sha: 0ec2cf1e20adc2c8dcc5f58f3ebd40111c280944
kernel config:
https://storage.tuxsuite.com/public/linaro/lkft/builds/2lFMi7HOL2XF8hQWViw6CjE3NAF/config
build url: https://storage.tuxsuite.com/public/linaro/lkft/builds/2lFMi7HOL2XF8hQWViw6CjE3NAF/
toolchain: clang-18 and gcc-13
config: tinyconfig
steps to reproduce:
------
# tuxmake --runtime podman --target-arch arm64 --toolchain gcc-13
--kconfig tinyconfig
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 110/341] usb: gadget: uvc: cleanup request when not in correct state
2024-08-27 15:04 ` Michael Grzeschik
@ 2024-08-27 16:06 ` Greg Kroah-Hartman
0 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-27 16:06 UTC (permalink / raw)
To: Michael Grzeschik; +Cc: stable, patches, Sasha Levin
On Tue, Aug 27, 2024 at 05:04:12PM +0200, Michael Grzeschik wrote:
> On Tue, Aug 27, 2024 at 04:35:41PM +0200, Greg Kroah-Hartman wrote:
> > 6.6-stable review patch. If anyone has any objections, please let me know.
>
> Since this change is not actually in Mainline anymore as you reverted it
> immediatly afterwards, it probably make no sense to pick it up.
>
> I saw this patch and its revert past me the last week while being
> applied on some other stable trees.
I took the revert as well. That way our scripts don't try to pick it up
again in the future as they would go "hey, here's a patch you missed!"
thanks,
greg k-h
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2024-08-27 15:39 ` [PATCH 6.6 000/341] 6.6.48-rc1 review Naresh Kamboju
@ 2024-08-27 17:47 ` Florian Fainelli
2024-08-29 14:23 ` Greg Kroah-Hartman
2024-08-28 1:00 ` SeongJae Park
` (10 subsequent siblings)
353 siblings, 1 reply; 367+ messages in thread
From: Florian Fainelli @ 2024-08-27 17:47 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, allen.lkml, broonie
On 8/27/24 07:33, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Same problem as with the 6.1-rc, perf fails to build with:
In file included from ./util/header.h:10,
from pmu-events/pmu-events.c:9:
../include/linux/bitmap.h: In function 'bitmap_zero':
../include/linux/bitmap.h:28:34: warning: implicit declaration of
function 'ALIGN' [-Wimplicit-function-declaration]
28 | #define bitmap_size(nbits) (ALIGN(nbits, BITS_PER_LONG) /
BITS_PER_BYTE)
| ^~~~~
../include/linux/bitmap.h:35:32: note: in expansion of macro 'bitmap_size'
35 | memset(dst, 0, bitmap_size(nbits));
| ^~~~~~~~~~~
LD
/local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/pmu-events/pmu-events-in.o
LINK
/local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/perf
/local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld:
/local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/perf-in.o:
in function `record__mmap_read_evlist':
builtin-record.c:(.text+0x13578): undefined reference to `ALIGN'
/local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld:
/local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/perf-in.o:
in function `record__init_thread_masks_spec.constprop.0':
builtin-record.c:(.text+0x13b10): undefined reference to `ALIGN'
/local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld:
builtin-record.c:(.text+0x13b68): undefined reference to `ALIGN'
/local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld:
builtin-record.c:(.text+0x13b9c): undefined reference to `ALIGN'
/local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld:
builtin-record.c:(.text+0x13bd8): undefined reference to `ALIGN'
/local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld:
/local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/perf-in.o:builtin-record.c:(.text+0x13c14):
more undefined references to `ALIGN' follow
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile.perf:672:
/local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/perf]
Error 1
make[3]: *** [Makefile.perf:242: sub-make] Error 2
make[2]: *** [Makefile:70: all] Error 2
make[1]: *** [package/pkg-generic.mk:294:
/local/users/fainelli/buildroot/output/arm/build/linux-tools/.stamp_built]
Error 2
make: *** [Makefile:29: _all] Error 2
--
Florian
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2024-08-27 17:47 ` Florian Fainelli
@ 2024-08-28 1:00 ` SeongJae Park
2024-08-28 3:57 ` Peter Schneider
` (9 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: SeongJae Park @ 2024-08-28 1:00 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: SeongJae Park, stable, patches, linux-kernel, torvalds, akpm,
linux, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie, damon
Hello,
On Tue, 27 Aug 2024 16:33:51 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
This rc kernel passes DAMON functionality test[1] on my test machine.
Attaching the test results summary below. Please note that I retrieved the
kernel from linux-stable-rc tree[2].
Tested-by: SeongJae Park <sj@kernel.org>
[1] https://github.com/awslabs/damon-tests/tree/next/corr
[2] 0ec2cf1e20ad ("Linux 6.6.48-rc1")
Thanks,
SJ
[...]
---
ok 1 selftests: damon: debugfs_attrs.sh
ok 2 selftests: damon: debugfs_schemes.sh
ok 3 selftests: damon: debugfs_target_ids.sh
ok 4 selftests: damon: debugfs_empty_targets.sh
ok 5 selftests: damon: debugfs_huge_count_read_write.sh
ok 6 selftests: damon: debugfs_duplicate_context_creation.sh
ok 7 selftests: damon: debugfs_rm_non_contexts.sh
ok 8 selftests: damon: sysfs.sh
ok 9 selftests: damon: sysfs_update_removed_scheme_dir.sh
ok 10 selftests: damon: reclaim.sh
ok 11 selftests: damon: lru_sort.sh
ok 1 selftests: damon-tests: kunit.sh
ok 2 selftests: damon-tests: huge_count_read_write.sh
ok 3 selftests: damon-tests: buffer_overflow.sh
ok 4 selftests: damon-tests: rm_contexts.sh
ok 5 selftests: damon-tests: record_null_deref.sh
ok 6 selftests: damon-tests: dbgfs_target_ids_read_before_terminate_race.sh
ok 7 selftests: damon-tests: dbgfs_target_ids_pid_leak.sh
ok 8 selftests: damon-tests: damo_tests.sh
ok 9 selftests: damon-tests: masim-record.sh
ok 10 selftests: damon-tests: build_i386.sh
ok 11 selftests: damon-tests: build_arm64.sh
ok 12 selftests: damon-tests: build_m68k.sh
ok 13 selftests: damon-tests: build_i386_idle_flag.sh
ok 14 selftests: damon-tests: build_i386_highpte.sh
ok 15 selftests: damon-tests: build_nomemcg.sh
[33m
[92mPASS [39m
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2024-08-28 1:00 ` SeongJae Park
@ 2024-08-28 3:57 ` Peter Schneider
2024-08-28 11:41 ` Mark Brown
` (8 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Peter Schneider @ 2024-08-28 3:57 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie
Am 27.08.2024 um 16:33 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg
oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2024-08-28 3:57 ` Peter Schneider
@ 2024-08-28 11:41 ` Mark Brown
2024-08-28 11:53 ` Takeshi Ogasawara
` (7 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Mark Brown @ 2024-08-28 11:41 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml
[-- Attachment #1: Type: text/plain, Size: 1299 bytes --]
On Tue, Aug 27, 2024 at 04:33:51PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
As others have reported the ALGIN macro is still broken, it affects the
KVM selftests on at least arm64 too:
In file included from lib/memstress.c:8:
/build/stage/linux/tools/testing/selftests/../../../tools/include/linux/bitmap.h
: In function ‘bitmap_zero’:
/build/stage/linux/tools/testing/selftests/../../../tools/include/linux/bitmap.h:28:34: warning: implicit declaration of function ‘ALIGN’ [-Wimplicit-function-declaration]
28 | #define bitmap_size(nbits) (ALIGN(nbits, BITS_PER_LONG) / BITS_PER_BYTE)
| ^~~~~
/build/stage/linux/tools/testing/selftests/../../../tools/include/linux/bitmap.h:35:32: note: in expansion of macro ‘bitmap_size’
35 | memset(dst, 0, bitmap_size(nbits));
| ^~~~~~~~~~~
At top level:
cc1: note: unrecognized command-line option ‘-Wno-gnu-variable-sized-type-not-at-end’ may have been intended to silence earlier diagnostics
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2024-08-28 11:41 ` Mark Brown
@ 2024-08-28 11:53 ` Takeshi Ogasawara
2024-08-28 14:30 ` Naresh Kamboju
` (6 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Takeshi Ogasawara @ 2024-08-28 11:53 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
Hi Greg
On Tue, Aug 27, 2024 at 11:42 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
6.6.48-rc1 tested.
Build successfully completed.
Boot successfully completed.
No dmesg regressions.
Video output normal.
Sound output normal.
Lenovo ThinkPad X1 Carbon Gen10(Intel i7-1260P(x86_64) arch linux)
[ 0.000000] Linux version 6.6.48-rc1rv
(takeshi@ThinkPadX1Gen10J0764) (gcc (GCC) 14.2.1 20240805, GNU ld (GNU
Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Wed Aug 28 20:10:31 JST 2024
Thanks
Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2024-08-28 11:53 ` Takeshi Ogasawara
@ 2024-08-28 14:30 ` Naresh Kamboju
2024-08-28 17:29 ` Naresh Kamboju
2024-08-28 14:35 ` Wang Yugui
` (5 subsequent siblings)
353 siblings, 1 reply; 367+ messages in thread
From: Naresh Kamboju @ 2024-08-28 14:30 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
On Tue, 27 Aug 2024 at 20:12, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
The tinyconfig builds failed for all architectures on 6.6.48-rc1.
Builds
- clang-18-tinyconfig
- clang-nightly-tinyconfig
- gcc-13-tinyconfig
- gcc-8-tinyconfig
lore links:
- https://lore.kernel.org/stable/CA+G9fYuibSowhidTVByMzSRdqudz1Eg_aYBs9rVS3bYEBesiUA@mail.gmail.com/
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build
* kernel: 6.6.48-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: 0ec2cf1e20adc2c8dcc5f58f3ebd40111c280944
* git describe: v6.6.47-342-g0ec2cf1e20ad
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.6.y/build/v6.6.47-342-g0ec2cf1e20ad
## Test Regressions (compared to v6.6.46-68-gf44ed2948b39)
* arm64, build
* arm, build
* i386, build
* x86_64, build
- clang-18-tinyconfig
- clang-nightly-tinyconfig
- gcc-13-tinyconfig
- gcc-8-tinyconfig
## Metric Regressions (compared to v6.6.46-68-gf44ed2948b39)
## Test Fixes (compared to v6.6.46-68-gf44ed2948b39)
## Metric Fixes (compared to v6.6.46-68-gf44ed2948b39)
## Test result summary
total: 175487, pass: 153815, fail: 1637, skip: 19813, xfail: 222
## Build Summary
* arc: 5 total, 4 passed, 1 failed
* arm: 129 total, 125 passed, 4 failed
* arm64: 41 total, 37 passed, 4 failed
* i386: 28 total, 23 passed, 5 failed
* mips: 26 total, 21 passed, 5 failed
* parisc: 4 total, 3 passed, 1 failed
* powerpc: 36 total, 31 passed, 5 failed
* riscv: 19 total, 16 passed, 3 failed
* s390: 14 total, 4 passed, 10 failed
* sh: 10 total, 8 passed, 2 failed
* sparc: 7 total, 5 passed, 2 failed
* x86_64: 33 total, 29 passed, 4 failed
## Test suites summary
* boot
* commands
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-efivarfs
* kselftest-exec
* kselftest-filesystems
* kselftest-filesystems-binderfs
* kselftest-filesystems-epoll
* kselftest-firmware
* kselftest-fpu
* kselftest-ftrace
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-kcmp
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-mincore
* kselftest-mqueue
* kselftest-net
* kselftest-net-mptcp
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-tc-testing
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-x86
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* perf
* rcutorture
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2024-08-28 14:30 ` Naresh Kamboju
@ 2024-08-28 14:35 ` Wang Yugui
2024-08-28 14:45 ` Alexander Lobakin
2024-08-28 16:02 ` Miguel Ojeda
` (4 subsequent siblings)
353 siblings, 1 reply; 367+ messages in thread
From: Wang Yugui @ 2024-08-28 14:35 UTC (permalink / raw)
To: Greg Kroah-Hartman, Alexander Lobakin
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
Hi,
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
We need a patch
upsteam: 0a04ff09bcc39e0044190ffe9f00f998f13647c
From: Alexander Lobakin <aleksander.lobakin@intel.com>
Subject: tools: move alignment-related macros to new <linux/align.h>
to fix the new build error.
tools/include/linux/bitmap.h: In function 'bitmap_zero':
tools/include/linux/bitmap.h:28:29: warning: implicit declaration of
function 'ALIGN' [-Wimplicit-function-declaration]
#define bitmap_size(nbits) (ALIGN(nbits, BITS_PER_LONG) / BITS_PER_BYTE)
Best Regards
Wang Yugui (wangyugui@e16-tech.com)
2024/08/28
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-28 14:35 ` Wang Yugui
@ 2024-08-28 14:45 ` Alexander Lobakin
2024-08-29 14:20 ` Greg Kroah-Hartman
0 siblings, 1 reply; 367+ messages in thread
From: Alexander Lobakin @ 2024-08-28 14:45 UTC (permalink / raw)
To: Wang Yugui, Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
From: Wang Yugui <wangyugui@e16-tech.com>
Date: Wed, 28 Aug 2024 22:35:27 +0800
> Hi,
>
>> This is the start of the stable review cycle for the 6.6.48 release.
>> There are 341 patches in this series, all will be posted as a response
>> to this one. If anyone has any issues with these being applied, please
>> let me know.
>>
>> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
>> Anything received after that time might be too late.
>>
>> The whole patch series can be found in one patch at:
>> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
>> or in the git tree and branch at:
>> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
>> and the diffstat can be found below.
>
> We need a patch
> upsteam: 0a04ff09bcc39e0044190ffe9f00f998f13647c
> From: Alexander Lobakin <aleksander.lobakin@intel.com>
> Subject: tools: move alignment-related macros to new <linux/align.h>
> to fix the new build error.
> tools/include/linux/bitmap.h: In function 'bitmap_zero':
> tools/include/linux/bitmap.h:28:29: warning: implicit declaration of
> function 'ALIGN' [-Wimplicit-function-declaration]
> #define bitmap_size(nbits) (ALIGN(nbits, BITS_PER_LONG) / BITS_PER_BYTE)
Patch 29/341 and its dependencies 26-28 is an improvement, not a fix. Do
we need it in the LTS kernels? I'm fine with that, just asking as
usually LTSes only receive critical fixes :>
>
> Best Regards
> Wang Yugui (wangyugui@e16-tech.com)
> 2024/08/28
Thanks,
Olek
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2024-08-28 14:35 ` Wang Yugui
@ 2024-08-28 16:02 ` Miguel Ojeda
2024-08-28 18:16 ` Ron Economos
` (3 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Miguel Ojeda @ 2024-08-28 16:02 UTC (permalink / raw)
To: gregkh
Cc: akpm, allen.lkml, broonie, conor, f.fainelli, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, srw, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Tue, 27 Aug 2024 16:33:51 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
Boot-tested under QEMU for Rust x86_64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-28 14:30 ` Naresh Kamboju
@ 2024-08-28 17:29 ` Naresh Kamboju
2024-08-29 14:16 ` Greg Kroah-Hartman
0 siblings, 1 reply; 367+ messages in thread
From: Naresh Kamboju @ 2024-08-28 17:29 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie,
Zhen Lei
On Wed, 28 Aug 2024 at 20:00, Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
>
> On Tue, 27 Aug 2024 at 20:12, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > This is the start of the stable review cycle for the 6.6.48 release.
> > There are 341 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> The tinyconfig builds failed for all architectures on 6.6.48-rc1.
>
> Builds
> - clang-18-tinyconfig
> - clang-nightly-tinyconfig
> - gcc-13-tinyconfig
> - gcc-8-tinyconfig
The bisection pointed to the following is the first bad commit,
bc2002c9d531dd4ad0241268c946abf074d2145d is the first bad commit
rcu: Dump memory object info if callback function is invalid
[ Upstream commit 2cbc482d325ee58001472c4359b311958c4efdd1 ]
- Naresh
>
> lore links:
> - https://lore.kernel.org/stable/CA+G9fYuibSowhidTVByMzSRdqudz1Eg_aYBs9rVS3bYEBesiUA@mail.gmail.com/
>
> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
>
> ## Build
> * kernel: 6.6.48-rc1
> * git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
> * git commit: 0ec2cf1e20adc2c8dcc5f58f3ebd40111c280944
> * git describe: v6.6.47-342-g0ec2cf1e20ad
> * test details:
> https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.6.y/build/v6.6.47-342-g0ec2cf1e20ad
>
> ## Test Regressions (compared to v6.6.46-68-gf44ed2948b39)
> * arm64, build
> * arm, build
> * i386, build
> * x86_64, build
> - clang-18-tinyconfig
> - clang-nightly-tinyconfig
> - gcc-13-tinyconfig
> - gcc-8-tinyconfig
>
> ## Metric Regressions (compared to v6.6.46-68-gf44ed2948b39)
>
> ## Test Fixes (compared to v6.6.46-68-gf44ed2948b39)
>
> ## Metric Fixes (compared to v6.6.46-68-gf44ed2948b39)
>
> ## Test result summary
> total: 175487, pass: 153815, fail: 1637, skip: 19813, xfail: 222
>
> ## Build Summary
> * arc: 5 total, 4 passed, 1 failed
> * arm: 129 total, 125 passed, 4 failed
> * arm64: 41 total, 37 passed, 4 failed
> * i386: 28 total, 23 passed, 5 failed
> * mips: 26 total, 21 passed, 5 failed
> * parisc: 4 total, 3 passed, 1 failed
> * powerpc: 36 total, 31 passed, 5 failed
> * riscv: 19 total, 16 passed, 3 failed
> * s390: 14 total, 4 passed, 10 failed
> * sh: 10 total, 8 passed, 2 failed
> * sparc: 7 total, 5 passed, 2 failed
> * x86_64: 33 total, 29 passed, 4 failed
>
> ## Test suites summary
> * boot
> * commands
> * kselftest-arm64
> * kselftest-breakpoints
> * kselftest-capabilities
> * kselftest-cgroup
> * kselftest-clone3
> * kselftest-core
> * kselftest-cpu-hotplug
> * kselftest-cpufreq
> * kselftest-efivarfs
> * kselftest-exec
> * kselftest-filesystems
> * kselftest-filesystems-binderfs
> * kselftest-filesystems-epoll
> * kselftest-firmware
> * kselftest-fpu
> * kselftest-ftrace
> * kselftest-futex
> * kselftest-gpio
> * kselftest-intel_pstate
> * kselftest-ipc
> * kselftest-kcmp
> * kselftest-livepatch
> * kselftest-membarrier
> * kselftest-memfd
> * kselftest-mincore
> * kselftest-mqueue
> * kselftest-net
> * kselftest-net-mptcp
> * kselftest-openat2
> * kselftest-ptrace
> * kselftest-rseq
> * kselftest-rtc
> * kselftest-seccomp
> * kselftest-sigaltstack
> * kselftest-size
> * kselftest-tc-testing
> * kselftest-timers
> * kselftest-tmpfs
> * kselftest-tpm2
> * kselftest-user_events
> * kselftest-vDSO
> * kselftest-x86
> * kunit
> * kvm-unit-tests
> * libgpiod
> * libhugetlbfs
> * log-parser-boot
> * log-parser-test
> * ltp-commands
> * ltp-containers
> * ltp-controllers
> * ltp-cpuhotplug
> * ltp-crypto
> * ltp-cve
> * ltp-dio
> * ltp-fcntl-locktests
> * ltp-fs
> * ltp-fs_bind
> * ltp-fs_perms_simple
> * ltp-hugetlb
> * ltp-ipc
> * ltp-math
> * ltp-mm
> * ltp-nptl
> * ltp-pty
> * ltp-sched
> * ltp-smoke
> * ltp-syscalls
> * ltp-tracing
> * perf
> * rcutorture
>
> --
> Linaro LKFT
> https://lkft.linaro.org
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2024-08-28 16:02 ` Miguel Ojeda
@ 2024-08-28 18:16 ` Ron Economos
2024-08-29 10:24 ` Jon Hunter
` (2 subsequent siblings)
353 siblings, 0 replies; 367+ messages in thread
From: Ron Economos @ 2024-08-28 18:16 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie
On 8/27/24 7:33 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2024-08-28 18:16 ` Ron Economos
@ 2024-08-29 10:24 ` Jon Hunter
2024-08-29 11:14 ` Shreeya Patel
2024-08-31 21:26 ` Guenter Roeck
353 siblings, 0 replies; 367+ messages in thread
From: Jon Hunter @ 2024-08-29 10:24 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie,
linux-tegra, stable
On Tue, 27 Aug 2024 16:33:51 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.6:
10 builds: 10 pass, 0 fail
26 boots: 26 pass, 0 fail
116 tests: 116 pass, 0 fail
Linux version: 6.6.48-rc1-g0ec2cf1e20ad
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra194-p3509-0000+p3668-0000,
tegra20-ventana, tegra210-p2371-2180,
tegra210-p3450-0000, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2024-08-29 10:24 ` Jon Hunter
@ 2024-08-29 11:14 ` Shreeya Patel
2024-08-31 21:26 ` Guenter Roeck
353 siblings, 0 replies; 367+ messages in thread
From: Shreeya Patel @ 2024-08-29 11:14 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie,
Kernel CI - Regressions, Gustavo Padovan, Jeny Sheth
---- On Tue, 27 Aug 2024 20:03:51 +0530 Greg Kroah-Hartman wrote ---
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
Hi,
Please find the KernelCI report below :-
OVERVIEW
Builds: 30 passed, 2 failed
Boot tests: 436 passed, 20 failed
CI systems: broonie, maestro
REVISION
Commit
name: v6.6.47-330-gfd01fbcb4e1b
hash: fd01fbcb4e1b208d063aedf49e3af43655837eb2
Checked out from
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
BUILDS
Failures
-i386 (tinyconfig)
Build detail: https://kcidb.kernelci.org/d/build/build?orgId=1&var-id=maestro:66cdd5a3fb8042744d0e8d2b
Build error: kernel/rcu/rcu.h:255:17: error: implicit declaration of function ‘kmem_dump_obj’; did you mean ‘mem_dump_obj’? [-Werror=implicit-function-declaration]
-x86_64 (tinyconfig)
Build detail: https://kcidb.kernelci.org/d/build/build?orgId=1&var-id=maestro:66cdd5a5fb8042744d0e8d36
Build error: kernel/rcu/rcu.h:255:17: error: implicit declaration of function ‘kmem_dump_obj’; did you mean ‘kmemdup_nul’? [-Werror=implicit-function-declaration]
CI system: maestro
BOOT TESTS
Failures
arm:(multi_v7_defconfig)
-bcm2836-rpi-2-b
CI system: maestro
x86_64: (x86_64_defconfig)
-lenovo-TPad-C13-Yoga-zork
-hp-x360-14a-cb0001xx-zork
-hp-14b-na0052xx-zork
-asus-CM1400CXA-dalboz
-acer-cbv514-1h-34uz-brya
-minnowboard-turbot-E3826
CI system: maestro
See complete and up-to-date report at:
https://kcidb.kernelci.org/d/revision/revision?orgId=1&var-git_commit_hash=fd01fbcb4e1b208d063aedf49e3af43655837eb2&var-patchset_hash=
Tested-by: kernelci.org bot <bot@kernelci.org>
Thanks,
KernelCI team
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-28 17:29 ` Naresh Kamboju
@ 2024-08-29 14:16 ` Greg Kroah-Hartman
0 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-29 14:16 UTC (permalink / raw)
To: Naresh Kamboju
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie,
Zhen Lei
On Wed, Aug 28, 2024 at 10:59:41PM +0530, Naresh Kamboju wrote:
> On Wed, 28 Aug 2024 at 20:00, Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
> >
> > On Tue, 27 Aug 2024 at 20:12, Greg Kroah-Hartman
> > <gregkh@linuxfoundation.org> wrote:
> > >
> > > This is the start of the stable review cycle for the 6.6.48 release.
> > > There are 341 patches in this series, all will be posted as a response
> > > to this one. If anyone has any issues with these being applied, please
> > > let me know.
> > >
> > > Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> > > Anything received after that time might be too late.
> > >
> > > The whole patch series can be found in one patch at:
> > > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> > > or in the git tree and branch at:
> > > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> > > and the diffstat can be found below.
> > >
> > > thanks,
> > >
> > > greg k-h
> >
> > The tinyconfig builds failed for all architectures on 6.6.48-rc1.
> >
> > Builds
> > - clang-18-tinyconfig
> > - clang-nightly-tinyconfig
> > - gcc-13-tinyconfig
> > - gcc-8-tinyconfig
>
> The bisection pointed to the following is the first bad commit,
>
> bc2002c9d531dd4ad0241268c946abf074d2145d is the first bad commit
> rcu: Dump memory object info if callback function is invalid
>
> [ Upstream commit 2cbc482d325ee58001472c4359b311958c4efdd1 ]
Thanks for tracking this down, I've fixed it up by adding a patch before
this one.
greg k-h
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-28 14:45 ` Alexander Lobakin
@ 2024-08-29 14:20 ` Greg Kroah-Hartman
0 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-29 14:20 UTC (permalink / raw)
To: Alexander Lobakin
Cc: Wang Yugui, stable, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
On Wed, Aug 28, 2024 at 04:45:12PM +0200, Alexander Lobakin wrote:
> From: Wang Yugui <wangyugui@e16-tech.com>
> Date: Wed, 28 Aug 2024 22:35:27 +0800
>
> > Hi,
> >
> >> This is the start of the stable review cycle for the 6.6.48 release.
> >> There are 341 patches in this series, all will be posted as a response
> >> to this one. If anyone has any issues with these being applied, please
> >> let me know.
> >>
> >> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> >> Anything received after that time might be too late.
> >>
> >> The whole patch series can be found in one patch at:
> >> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> >> or in the git tree and branch at:
> >> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> >> and the diffstat can be found below.
> >
> > We need a patch
> > upsteam: 0a04ff09bcc39e0044190ffe9f00f998f13647c
> > From: Alexander Lobakin <aleksander.lobakin@intel.com>
> > Subject: tools: move alignment-related macros to new <linux/align.h>
> > to fix the new build error.
> > tools/include/linux/bitmap.h: In function 'bitmap_zero':
> > tools/include/linux/bitmap.h:28:29: warning: implicit declaration of
> > function 'ALIGN' [-Wimplicit-function-declaration]
> > #define bitmap_size(nbits) (ALIGN(nbits, BITS_PER_LONG) / BITS_PER_BYTE)
>
> Patch 29/341 and its dependencies 26-28 is an improvement, not a fix. Do
> we need it in the LTS kernels? I'm fine with that, just asking as
> usually LTSes only receive critical fixes :>
It's to fix a build issue due to other commits wanting to use ALIGN in
tools/
I've queued it up now, thanks!
greg k-h
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 17:47 ` Florian Fainelli
@ 2024-08-29 14:23 ` Greg Kroah-Hartman
0 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-29 14:23 UTC (permalink / raw)
To: Florian Fainelli
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie
On Tue, Aug 27, 2024 at 10:47:53AM -0700, Florian Fainelli wrote:
> On 8/27/24 07:33, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 6.6.48 release.
> > There are 341 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Same problem as with the 6.1-rc, perf fails to build with:
>
> In file included from ./util/header.h:10,
> from pmu-events/pmu-events.c:9:
> ../include/linux/bitmap.h: In function 'bitmap_zero':
> ../include/linux/bitmap.h:28:34: warning: implicit declaration of function
> 'ALIGN' [-Wimplicit-function-declaration]
> 28 | #define bitmap_size(nbits) (ALIGN(nbits, BITS_PER_LONG) /
> BITS_PER_BYTE)
> | ^~~~~
> ../include/linux/bitmap.h:35:32: note: in expansion of macro 'bitmap_size'
> 35 | memset(dst, 0, bitmap_size(nbits));
> | ^~~~~~~~~~~
> LD /local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/pmu-events/pmu-events-in.o
> LINK
> /local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/perf
> /local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld: /local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/perf-in.o:
> in function `record__mmap_read_evlist':
> builtin-record.c:(.text+0x13578): undefined reference to `ALIGN'
> /local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld: /local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/perf-in.o:
> in function `record__init_thread_masks_spec.constprop.0':
> builtin-record.c:(.text+0x13b10): undefined reference to `ALIGN'
> /local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld:
> builtin-record.c:(.text+0x13b68): undefined reference to `ALIGN'
> /local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld:
> builtin-record.c:(.text+0x13b9c): undefined reference to `ALIGN'
> /local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld:
> builtin-record.c:(.text+0x13bd8): undefined reference to `ALIGN'
> /local/stbopt_p/toolchains_303/stbgcc-12.3-1.0/bin/../lib/gcc/arm-unknown-linux-gnueabihf/12.3.0/../../../../arm-unknown-linux-gnueabihf/bin/ld: /local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/perf-in.o:builtin-record.c:(.text+0x13c14):
> more undefined references to `ALIGN' follow
> collect2: error: ld returned 1 exit status
> make[4]: *** [Makefile.perf:672: /local/users/fainelli/buildroot/output/arm/build/linux-custom/tools/perf/perf]
> Error 1
> make[3]: *** [Makefile.perf:242: sub-make] Error 2
> make[2]: *** [Makefile:70: all] Error 2
> make[1]: *** [package/pkg-generic.mk:294:
> /local/users/fainelli/buildroot/output/arm/build/linux-tools/.stamp_built]
> Error 2
> make: *** [Makefile:29: _all] Error 2
I think I've fixed this up now, but wow, I can't build perf at all for
6.6.y or 6.1.y. So this might have been broken for a while? Hopefully
people are just using perf from the latest kernel release anyway...
thanks,
greg k-h
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 230/341] change alloc_pages name in dma_map_ops to avoid name conflicts
2024-08-27 14:37 ` [PATCH 6.6 230/341] change alloc_pages name in dma_map_ops to avoid name conflicts Greg Kroah-Hartman
@ 2024-08-30 22:12 ` Nathan Chancellor
2024-08-30 22:35 ` Suren Baghdasaryan
0 siblings, 1 reply; 367+ messages in thread
From: Nathan Chancellor @ 2024-08-30 22:12 UTC (permalink / raw)
To: Greg Kroah-Hartman, Sasha Levin
Cc: stable, patches, Suren Baghdasaryan, Kees Cook, Alexander Viro,
Alex Gaynor, Alice Ryhl, Andreas Hindborg, Benno Lossin,
Björn Roy Baron, Boqun Feng, Christoph Lameter, Dennis Zhou,
Gary Guo, Kent Overstreet, Miguel Ojeda, Pasha Tatashin,
Peter Zijlstra, Tejun Heo, Vlastimil Babka, Wedson Almeida Filho,
Andrew Morton
Hi Greg and Sasha,
On Tue, Aug 27, 2024 at 04:37:41PM +0200, Greg Kroah-Hartman wrote:
> 6.6-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Suren Baghdasaryan <surenb@google.com>
>
> [ Upstream commit 8a2f11878771da65b8ac135c73b47dae13afbd62 ]
>
> After redefining alloc_pages, all uses of that name are being replaced.
> Change the conflicting names to prevent preprocessor from replacing them
> when it's not intended.
>
> Link: https://lkml.kernel.org/r/20240321163705.3067592-18-surenb@google.com
> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> Tested-by: Kees Cook <keescook@chromium.org>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Alex Gaynor <alex.gaynor@gmail.com>
> Cc: Alice Ryhl <aliceryhl@google.com>
> Cc: Andreas Hindborg <a.hindborg@samsung.com>
> Cc: Benno Lossin <benno.lossin@proton.me>
> Cc: "Björn Roy Baron" <bjorn3_gh@protonmail.com>
> Cc: Boqun Feng <boqun.feng@gmail.com>
> Cc: Christoph Lameter <cl@linux.com>
> Cc: Dennis Zhou <dennis@kernel.org>
> Cc: Gary Guo <gary@garyguo.net>
> Cc: Kent Overstreet <kent.overstreet@linux.dev>
> Cc: Miguel Ojeda <ojeda@kernel.org>
> Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Cc: Wedson Almeida Filho <wedsonaf@gmail.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Stable-dep-of: 61ebe5a747da ("mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0")
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> arch/alpha/kernel/pci_iommu.c | 2 +-
> arch/mips/jazz/jazzdma.c | 2 +-
> arch/powerpc/kernel/dma-iommu.c | 2 +-
> arch/powerpc/platforms/ps3/system-bus.c | 4 ++--
> arch/powerpc/platforms/pseries/vio.c | 2 +-
> arch/x86/kernel/amd_gart_64.c | 2 +-
> drivers/iommu/dma-iommu.c | 2 +-
> drivers/parisc/ccio-dma.c | 2 +-
> drivers/parisc/sba_iommu.c | 2 +-
> drivers/xen/grant-dma-ops.c | 2 +-
> drivers/xen/swiotlb-xen.c | 2 +-
> include/linux/dma-map-ops.h | 2 +-
> kernel/dma/mapping.c | 4 ++--
> 13 files changed, 15 insertions(+), 15 deletions(-)
This patch breaks the build for s390:
arch/s390/pci/pci_dma.c:724:10: error: 'const struct dma_map_ops' has no member named 'alloc_pages'; did you mean 'alloc_pages_op'?
724 | .alloc_pages = dma_common_alloc_pages,
| ^~~~~~~~~~~
| alloc_pages_op
https://storage.tuxsuite.com/public/clangbuiltlinux/continuous-integration2/builds/2lNUl0tacZpSlu9Edrlk3QoSElM/build.log
This change happened after commit c76c067e488c ("s390/pci: Use dma-iommu
layer") in mainline, which explains how it was missed for stable.
The fix seems simple:
diff --git a/arch/s390/pci/pci_dma.c b/arch/s390/pci/pci_dma.c
index 99209085c75b..ce0f2990cb04 100644
--- a/arch/s390/pci/pci_dma.c
+++ b/arch/s390/pci/pci_dma.c
@@ -721,7 +721,7 @@ const struct dma_map_ops s390_pci_dma_ops = {
.unmap_page = s390_dma_unmap_pages,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages = dma_common_alloc_pages,
+ .alloc_pages_op = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
/* dma_supported is unconditionally true without a callback */
};
but I think the better question is why this patch is even needed in the
first place? It claims that it is a stable dependency of 61ebe5a747da
but this patch does not even touch mm/vmalloc.c and 61ebe5a747da does
not mention or touch anything with alloc_pages_op, so it seems like this
change should just be reverted from 6.6?
Cheers,
Nathan
^ permalink raw reply related [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 230/341] change alloc_pages name in dma_map_ops to avoid name conflicts
2024-08-30 22:12 ` Nathan Chancellor
@ 2024-08-30 22:35 ` Suren Baghdasaryan
2024-08-30 22:48 ` Suren Baghdasaryan
0 siblings, 1 reply; 367+ messages in thread
From: Suren Baghdasaryan @ 2024-08-30 22:35 UTC (permalink / raw)
To: Nathan Chancellor
Cc: Greg Kroah-Hartman, Sasha Levin, stable, patches, Kees Cook,
Alexander Viro, Alex Gaynor, Alice Ryhl, Andreas Hindborg,
Benno Lossin, Björn Roy Baron, Boqun Feng, Christoph Lameter,
Dennis Zhou, Gary Guo, Kent Overstreet, Miguel Ojeda,
Pasha Tatashin, Peter Zijlstra, Tejun Heo, Vlastimil Babka,
Wedson Almeida Filho, Andrew Morton
On Fri, Aug 30, 2024 at 3:12 PM Nathan Chancellor <nathan@kernel.org> wrote:
>
> Hi Greg and Sasha,
>
> On Tue, Aug 27, 2024 at 04:37:41PM +0200, Greg Kroah-Hartman wrote:
> > 6.6-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Suren Baghdasaryan <surenb@google.com>
> >
> > [ Upstream commit 8a2f11878771da65b8ac135c73b47dae13afbd62 ]
> >
> > After redefining alloc_pages, all uses of that name are being replaced.
> > Change the conflicting names to prevent preprocessor from replacing them
> > when it's not intended.
> >
> > Link: https://lkml.kernel.org/r/20240321163705.3067592-18-surenb@google.com
> > Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> > Tested-by: Kees Cook <keescook@chromium.org>
> > Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> > Cc: Alex Gaynor <alex.gaynor@gmail.com>
> > Cc: Alice Ryhl <aliceryhl@google.com>
> > Cc: Andreas Hindborg <a.hindborg@samsung.com>
> > Cc: Benno Lossin <benno.lossin@proton.me>
> > Cc: "Björn Roy Baron" <bjorn3_gh@protonmail.com>
> > Cc: Boqun Feng <boqun.feng@gmail.com>
> > Cc: Christoph Lameter <cl@linux.com>
> > Cc: Dennis Zhou <dennis@kernel.org>
> > Cc: Gary Guo <gary@garyguo.net>
> > Cc: Kent Overstreet <kent.overstreet@linux.dev>
> > Cc: Miguel Ojeda <ojeda@kernel.org>
> > Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
> > Cc: Peter Zijlstra <peterz@infradead.org>
> > Cc: Tejun Heo <tj@kernel.org>
> > Cc: Vlastimil Babka <vbabka@suse.cz>
> > Cc: Wedson Almeida Filho <wedsonaf@gmail.com>
> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > Stable-dep-of: 61ebe5a747da ("mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0")
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > ---
> > arch/alpha/kernel/pci_iommu.c | 2 +-
> > arch/mips/jazz/jazzdma.c | 2 +-
> > arch/powerpc/kernel/dma-iommu.c | 2 +-
> > arch/powerpc/platforms/ps3/system-bus.c | 4 ++--
> > arch/powerpc/platforms/pseries/vio.c | 2 +-
> > arch/x86/kernel/amd_gart_64.c | 2 +-
> > drivers/iommu/dma-iommu.c | 2 +-
> > drivers/parisc/ccio-dma.c | 2 +-
> > drivers/parisc/sba_iommu.c | 2 +-
> > drivers/xen/grant-dma-ops.c | 2 +-
> > drivers/xen/swiotlb-xen.c | 2 +-
> > include/linux/dma-map-ops.h | 2 +-
> > kernel/dma/mapping.c | 4 ++--
> > 13 files changed, 15 insertions(+), 15 deletions(-)
>
> This patch breaks the build for s390:
>
> arch/s390/pci/pci_dma.c:724:10: error: 'const struct dma_map_ops' has no member named 'alloc_pages'; did you mean 'alloc_pages_op'?
> 724 | .alloc_pages = dma_common_alloc_pages,
> | ^~~~~~~~~~~
> | alloc_pages_op
>
> https://storage.tuxsuite.com/public/clangbuiltlinux/continuous-integration2/builds/2lNUl0tacZpSlu9Edrlk3QoSElM/build.log
>
> This change happened after commit c76c067e488c ("s390/pci: Use dma-iommu
> layer") in mainline, which explains how it was missed for stable.
>
> The fix seems simple:
>
> diff --git a/arch/s390/pci/pci_dma.c b/arch/s390/pci/pci_dma.c
> index 99209085c75b..ce0f2990cb04 100644
> --- a/arch/s390/pci/pci_dma.c
> +++ b/arch/s390/pci/pci_dma.c
> @@ -721,7 +721,7 @@ const struct dma_map_ops s390_pci_dma_ops = {
> .unmap_page = s390_dma_unmap_pages,
> .mmap = dma_common_mmap,
> .get_sgtable = dma_common_get_sgtable,
> - .alloc_pages = dma_common_alloc_pages,
> + .alloc_pages_op = dma_common_alloc_pages,
> .free_pages = dma_common_free_pages,
> /* dma_supported is unconditionally true without a callback */
> };
>
> but I think the better question is why this patch is even needed in the
> first place? It claims that it is a stable dependency of 61ebe5a747da
> but this patch does not even touch mm/vmalloc.c and 61ebe5a747da does
> not mention or touch anything with alloc_pages_op, so it seems like this
> change should just be reverted from 6.6?
Hmm, Nathan is right. I don't see any dependency between this patch
and 61ebe5a747da. Maybe some other patch that uses .alloc_pages_op got
backported and that caused a dependency but then that other patch
should be changed to use .alloc_pages. I'm syncing stable 6.6 to
check. Thanks for pointing this out Nathan!
>
> Cheers,
> Nathan
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 230/341] change alloc_pages name in dma_map_ops to avoid name conflicts
2024-08-30 22:35 ` Suren Baghdasaryan
@ 2024-08-30 22:48 ` Suren Baghdasaryan
2024-08-31 5:32 ` Greg Kroah-Hartman
0 siblings, 1 reply; 367+ messages in thread
From: Suren Baghdasaryan @ 2024-08-30 22:48 UTC (permalink / raw)
To: Nathan Chancellor
Cc: Greg Kroah-Hartman, Sasha Levin, stable, patches, Kees Cook,
Alexander Viro, Alex Gaynor, Alice Ryhl, Andreas Hindborg,
Benno Lossin, Björn Roy Baron, Boqun Feng, Christoph Lameter,
Dennis Zhou, Gary Guo, Kent Overstreet, Miguel Ojeda,
Pasha Tatashin, Peter Zijlstra, Tejun Heo, Vlastimil Babka,
Wedson Almeida Filho, Andrew Morton
On Fri, Aug 30, 2024 at 3:35 PM Suren Baghdasaryan <surenb@google.com> wrote:
>
> On Fri, Aug 30, 2024 at 3:12 PM Nathan Chancellor <nathan@kernel.org> wrote:
> >
> > Hi Greg and Sasha,
> >
> > On Tue, Aug 27, 2024 at 04:37:41PM +0200, Greg Kroah-Hartman wrote:
> > > 6.6-stable review patch. If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Suren Baghdasaryan <surenb@google.com>
> > >
> > > [ Upstream commit 8a2f11878771da65b8ac135c73b47dae13afbd62 ]
> > >
> > > After redefining alloc_pages, all uses of that name are being replaced.
> > > Change the conflicting names to prevent preprocessor from replacing them
> > > when it's not intended.
> > >
> > > Link: https://lkml.kernel.org/r/20240321163705.3067592-18-surenb@google.com
> > > Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> > > Tested-by: Kees Cook <keescook@chromium.org>
> > > Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> > > Cc: Alex Gaynor <alex.gaynor@gmail.com>
> > > Cc: Alice Ryhl <aliceryhl@google.com>
> > > Cc: Andreas Hindborg <a.hindborg@samsung.com>
> > > Cc: Benno Lossin <benno.lossin@proton.me>
> > > Cc: "Björn Roy Baron" <bjorn3_gh@protonmail.com>
> > > Cc: Boqun Feng <boqun.feng@gmail.com>
> > > Cc: Christoph Lameter <cl@linux.com>
> > > Cc: Dennis Zhou <dennis@kernel.org>
> > > Cc: Gary Guo <gary@garyguo.net>
> > > Cc: Kent Overstreet <kent.overstreet@linux.dev>
> > > Cc: Miguel Ojeda <ojeda@kernel.org>
> > > Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
> > > Cc: Peter Zijlstra <peterz@infradead.org>
> > > Cc: Tejun Heo <tj@kernel.org>
> > > Cc: Vlastimil Babka <vbabka@suse.cz>
> > > Cc: Wedson Almeida Filho <wedsonaf@gmail.com>
> > > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > > Stable-dep-of: 61ebe5a747da ("mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0")
> > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > > ---
> > > arch/alpha/kernel/pci_iommu.c | 2 +-
> > > arch/mips/jazz/jazzdma.c | 2 +-
> > > arch/powerpc/kernel/dma-iommu.c | 2 +-
> > > arch/powerpc/platforms/ps3/system-bus.c | 4 ++--
> > > arch/powerpc/platforms/pseries/vio.c | 2 +-
> > > arch/x86/kernel/amd_gart_64.c | 2 +-
> > > drivers/iommu/dma-iommu.c | 2 +-
> > > drivers/parisc/ccio-dma.c | 2 +-
> > > drivers/parisc/sba_iommu.c | 2 +-
> > > drivers/xen/grant-dma-ops.c | 2 +-
> > > drivers/xen/swiotlb-xen.c | 2 +-
> > > include/linux/dma-map-ops.h | 2 +-
> > > kernel/dma/mapping.c | 4 ++--
> > > 13 files changed, 15 insertions(+), 15 deletions(-)
> >
> > This patch breaks the build for s390:
> >
> > arch/s390/pci/pci_dma.c:724:10: error: 'const struct dma_map_ops' has no member named 'alloc_pages'; did you mean 'alloc_pages_op'?
> > 724 | .alloc_pages = dma_common_alloc_pages,
> > | ^~~~~~~~~~~
> > | alloc_pages_op
> >
> > https://storage.tuxsuite.com/public/clangbuiltlinux/continuous-integration2/builds/2lNUl0tacZpSlu9Edrlk3QoSElM/build.log
> >
> > This change happened after commit c76c067e488c ("s390/pci: Use dma-iommu
> > layer") in mainline, which explains how it was missed for stable.
> >
> > The fix seems simple:
> >
> > diff --git a/arch/s390/pci/pci_dma.c b/arch/s390/pci/pci_dma.c
> > index 99209085c75b..ce0f2990cb04 100644
> > --- a/arch/s390/pci/pci_dma.c
> > +++ b/arch/s390/pci/pci_dma.c
> > @@ -721,7 +721,7 @@ const struct dma_map_ops s390_pci_dma_ops = {
> > .unmap_page = s390_dma_unmap_pages,
> > .mmap = dma_common_mmap,
> > .get_sgtable = dma_common_get_sgtable,
> > - .alloc_pages = dma_common_alloc_pages,
> > + .alloc_pages_op = dma_common_alloc_pages,
> > .free_pages = dma_common_free_pages,
> > /* dma_supported is unconditionally true without a callback */
> > };
> >
> > but I think the better question is why this patch is even needed in the
> > first place? It claims that it is a stable dependency of 61ebe5a747da
> > but this patch does not even touch mm/vmalloc.c and 61ebe5a747da does
> > not mention or touch anything with alloc_pages_op, so it seems like this
> > change should just be reverted from 6.6?
>
> Hmm, Nathan is right. I don't see any dependency between this patch
> and 61ebe5a747da. Maybe some other patch that uses .alloc_pages_op got
> backported and that caused a dependency but then that other patch
> should be changed to use .alloc_pages. I'm syncing stable 6.6 to
> check. Thanks for pointing this out Nathan!
I reverted this patch in stable 6.6 and there is no code using
alloc_pages_op. We should just drop this patch
(983e6b2636f0099dbac1874c9e885bbe1cf2df05) from stable 6.6. Sorry for
not noticing this in the first place.
Thanks,
Suren.
>
>
> >
> > Cheers,
> > Nathan
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 230/341] change alloc_pages name in dma_map_ops to avoid name conflicts
2024-08-30 22:48 ` Suren Baghdasaryan
@ 2024-08-31 5:32 ` Greg Kroah-Hartman
0 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-08-31 5:32 UTC (permalink / raw)
To: Suren Baghdasaryan
Cc: Nathan Chancellor, Sasha Levin, stable, patches, Kees Cook,
Alexander Viro, Alex Gaynor, Alice Ryhl, Andreas Hindborg,
Benno Lossin, Björn Roy Baron, Boqun Feng, Christoph Lameter,
Dennis Zhou, Gary Guo, Kent Overstreet, Miguel Ojeda,
Pasha Tatashin, Peter Zijlstra, Tejun Heo, Vlastimil Babka,
Wedson Almeida Filho, Andrew Morton
On Fri, Aug 30, 2024 at 03:48:40PM -0700, Suren Baghdasaryan wrote:
> On Fri, Aug 30, 2024 at 3:35 PM Suren Baghdasaryan <surenb@google.com> wrote:
> >
> > On Fri, Aug 30, 2024 at 3:12 PM Nathan Chancellor <nathan@kernel.org> wrote:
> > >
> > > Hi Greg and Sasha,
> > >
> > > On Tue, Aug 27, 2024 at 04:37:41PM +0200, Greg Kroah-Hartman wrote:
> > > > 6.6-stable review patch. If anyone has any objections, please let me know.
> > > >
> > > > ------------------
> > > >
> > > > From: Suren Baghdasaryan <surenb@google.com>
> > > >
> > > > [ Upstream commit 8a2f11878771da65b8ac135c73b47dae13afbd62 ]
> > > >
> > > > After redefining alloc_pages, all uses of that name are being replaced.
> > > > Change the conflicting names to prevent preprocessor from replacing them
> > > > when it's not intended.
> > > >
> > > > Link: https://lkml.kernel.org/r/20240321163705.3067592-18-surenb@google.com
> > > > Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> > > > Tested-by: Kees Cook <keescook@chromium.org>
> > > > Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> > > > Cc: Alex Gaynor <alex.gaynor@gmail.com>
> > > > Cc: Alice Ryhl <aliceryhl@google.com>
> > > > Cc: Andreas Hindborg <a.hindborg@samsung.com>
> > > > Cc: Benno Lossin <benno.lossin@proton.me>
> > > > Cc: "Björn Roy Baron" <bjorn3_gh@protonmail.com>
> > > > Cc: Boqun Feng <boqun.feng@gmail.com>
> > > > Cc: Christoph Lameter <cl@linux.com>
> > > > Cc: Dennis Zhou <dennis@kernel.org>
> > > > Cc: Gary Guo <gary@garyguo.net>
> > > > Cc: Kent Overstreet <kent.overstreet@linux.dev>
> > > > Cc: Miguel Ojeda <ojeda@kernel.org>
> > > > Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
> > > > Cc: Peter Zijlstra <peterz@infradead.org>
> > > > Cc: Tejun Heo <tj@kernel.org>
> > > > Cc: Vlastimil Babka <vbabka@suse.cz>
> > > > Cc: Wedson Almeida Filho <wedsonaf@gmail.com>
> > > > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > > > Stable-dep-of: 61ebe5a747da ("mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0")
> > > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > > > ---
> > > > arch/alpha/kernel/pci_iommu.c | 2 +-
> > > > arch/mips/jazz/jazzdma.c | 2 +-
> > > > arch/powerpc/kernel/dma-iommu.c | 2 +-
> > > > arch/powerpc/platforms/ps3/system-bus.c | 4 ++--
> > > > arch/powerpc/platforms/pseries/vio.c | 2 +-
> > > > arch/x86/kernel/amd_gart_64.c | 2 +-
> > > > drivers/iommu/dma-iommu.c | 2 +-
> > > > drivers/parisc/ccio-dma.c | 2 +-
> > > > drivers/parisc/sba_iommu.c | 2 +-
> > > > drivers/xen/grant-dma-ops.c | 2 +-
> > > > drivers/xen/swiotlb-xen.c | 2 +-
> > > > include/linux/dma-map-ops.h | 2 +-
> > > > kernel/dma/mapping.c | 4 ++--
> > > > 13 files changed, 15 insertions(+), 15 deletions(-)
> > >
> > > This patch breaks the build for s390:
> > >
> > > arch/s390/pci/pci_dma.c:724:10: error: 'const struct dma_map_ops' has no member named 'alloc_pages'; did you mean 'alloc_pages_op'?
> > > 724 | .alloc_pages = dma_common_alloc_pages,
> > > | ^~~~~~~~~~~
> > > | alloc_pages_op
> > >
> > > https://storage.tuxsuite.com/public/clangbuiltlinux/continuous-integration2/builds/2lNUl0tacZpSlu9Edrlk3QoSElM/build.log
> > >
> > > This change happened after commit c76c067e488c ("s390/pci: Use dma-iommu
> > > layer") in mainline, which explains how it was missed for stable.
> > >
> > > The fix seems simple:
> > >
> > > diff --git a/arch/s390/pci/pci_dma.c b/arch/s390/pci/pci_dma.c
> > > index 99209085c75b..ce0f2990cb04 100644
> > > --- a/arch/s390/pci/pci_dma.c
> > > +++ b/arch/s390/pci/pci_dma.c
> > > @@ -721,7 +721,7 @@ const struct dma_map_ops s390_pci_dma_ops = {
> > > .unmap_page = s390_dma_unmap_pages,
> > > .mmap = dma_common_mmap,
> > > .get_sgtable = dma_common_get_sgtable,
> > > - .alloc_pages = dma_common_alloc_pages,
> > > + .alloc_pages_op = dma_common_alloc_pages,
> > > .free_pages = dma_common_free_pages,
> > > /* dma_supported is unconditionally true without a callback */
> > > };
> > >
> > > but I think the better question is why this patch is even needed in the
> > > first place? It claims that it is a stable dependency of 61ebe5a747da
> > > but this patch does not even touch mm/vmalloc.c and 61ebe5a747da does
> > > not mention or touch anything with alloc_pages_op, so it seems like this
> > > change should just be reverted from 6.6?
> >
> > Hmm, Nathan is right. I don't see any dependency between this patch
> > and 61ebe5a747da. Maybe some other patch that uses .alloc_pages_op got
> > backported and that caused a dependency but then that other patch
> > should be changed to use .alloc_pages. I'm syncing stable 6.6 to
> > check. Thanks for pointing this out Nathan!
>
> I reverted this patch in stable 6.6 and there is no code using
> alloc_pages_op. We should just drop this patch
> (983e6b2636f0099dbac1874c9e885bbe1cf2df05) from stable 6.6. Sorry for
> not noticing this in the first place.
Now reverted, thanks!
greg k-h
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2024-08-29 11:14 ` Shreeya Patel
@ 2024-08-31 21:26 ` Guenter Roeck
2024-09-01 9:43 ` Greg Kroah-Hartman
353 siblings, 1 reply; 367+ messages in thread
From: Guenter Roeck @ 2024-08-31 21:26 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie
On 8/27/24 07:33, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.48 release.
> There are 341 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> Anything received after that time might be too late.
>
[ ... ]
> Suren Baghdasaryan <surenb@google.com>
> change alloc_pages name in dma_map_ops to avoid name conflicts
>
This patch triggers:
Building s390:defconfig ... failed
--------------
Error log:
arch/s390/pci/pci_dma.c:724:10: error: 'const struct dma_map_ops' has no member named 'alloc_pages'; did you mean 'alloc_pages_op'?
724 | .alloc_pages = dma_common_alloc_pages,
for pretty much all s390 builds.
Source code analysis suggests that the problem also affects
arch/ia64/hp/common/sba_iommu.c.
Guenter
^ permalink raw reply [flat|nested] 367+ messages in thread
* Re: [PATCH 6.6 000/341] 6.6.48-rc1 review
2024-08-31 21:26 ` Guenter Roeck
@ 2024-09-01 9:43 ` Greg Kroah-Hartman
0 siblings, 0 replies; 367+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 9:43 UTC (permalink / raw)
To: Guenter Roeck
Cc: stable, patches, linux-kernel, torvalds, akpm, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie
On Sat, Aug 31, 2024 at 02:26:28PM -0700, Guenter Roeck wrote:
> On 8/27/24 07:33, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 6.6.48 release.
> > There are 341 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000.
> > Anything received after that time might be too late.
> >
> [ ... ]
>
> > Suren Baghdasaryan <surenb@google.com>
> > change alloc_pages name in dma_map_ops to avoid name conflicts
> >
>
> This patch triggers:
>
> Building s390:defconfig ... failed
> --------------
> Error log:
> arch/s390/pci/pci_dma.c:724:10: error: 'const struct dma_map_ops' has no member named 'alloc_pages'; did you mean 'alloc_pages_op'?
> 724 | .alloc_pages = dma_common_alloc_pages,
>
> for pretty much all s390 builds.
>
> Source code analysis suggests that the problem also affects
> arch/ia64/hp/common/sba_iommu.c.a
Thanks, already handled.
greg k-h
^ permalink raw reply [flat|nested] 367+ messages in thread
end of thread, other threads:[~2024-09-01 9:43 UTC | newest]
Thread overview: 367+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-08-27 14:33 [PATCH 6.6 000/341] 6.6.48-rc1 review Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 001/341] tty: serial: fsl_lpuart: mark last busy before uart_add_one_port Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 002/341] tty: atmel_serial: use the correct RTS flag Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 003/341] Revert "ACPI: EC: Evaluate orphan _REG under EC device" Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 004/341] Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD" Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 005/341] Revert "usb: typec: tcpm: clear pd_event queue in PORT_RESET" Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 006/341] selinux: revert our use of vma_is_initial_heap() Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 007/341] fuse: Initialize beyond-EOF page contents before setting uptodate Greg Kroah-Hartman
2024-08-27 14:33 ` [PATCH 6.6 008/341] char: xillybus: Dont destroy workqueue from work item running on it Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 009/341] char: xillybus: Refine workqueue handling Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 010/341] char: xillybus: Check USB endpoints when probing device Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 011/341] ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 012/341] ALSA: usb-audio: Support Yamaha P-125 quirk entry Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 013/341] xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 014/341] thunderbolt: Mark XDomain as unplugged when router is removed Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 015/341] ALSA: hda/tas2781: fix wrong calibrated data order Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 016/341] s390/dasd: fix error recovery leading to data corruption on ESE devices Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 017/341] KVM: s390: fix validity interception issue when gisa is switched off Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 018/341] riscv: change XIPs kernel_map.size to be size of the entire kernel Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 019/341] i2c: tegra: Do not mark ACPI devices as irq safe Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 020/341] ACPICA: Add a depth argument to acpi_execute_reg_methods() Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 021/341] ACPI: EC: Evaluate _REG outside the EC scope more carefully Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 022/341] arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 023/341] dm resume: dont return EINVAL when signalled Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 024/341] dm persistent data: fix memory allocation failure Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 025/341] vfs: Dont evict inode under the inode lru traversing context Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 026/341] fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 027/341] s390/cio: rename bitmap_size() -> idset_bitmap_size() Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 028/341] btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 029/341] bitmap: introduce generic optimized bitmap_size() Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 030/341] fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 031/341] i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 032/341] rtla/osnoise: Prevent NULL dereference in error handling Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 033/341] net: mana: Fix RX buf alloc_size alignment and atomic op panic Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 034/341] net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 035/341] wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 036/341] fs/netfs/fscache_cookie: add missing "n_accesses" check Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 037/341] selinux: fix potential counting error in avc_add_xperms_decision() Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 038/341] selinux: add the processing of the failure of avc_add_xperms_decision() Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 039/341] mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 040/341] btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 041/341] btrfs: zoned: properly take lock to read/update block groups zoned variables Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 042/341] btrfs: tree-checker: add dev extent item checks Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 043/341] drm/amdgpu: Actually check flags for all context ops Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 044/341] memcg_write_event_control(): fix a user-triggerable oops Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 045/341] drm/amdgpu/jpeg2: properly set atomics vmid field Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 046/341] drm/amdgpu/jpeg4: " Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 047/341] s390/uv: Panic for set and remove shared access UVC errors Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 048/341] bpf: Fix updating attached freplace prog in prog_array map Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 049/341] igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 050/341] igc: Fix qbv_config_change_errors logics Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 051/341] igc: Fix reset adapter logics when tx mode change Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 052/341] net/mlx5e: Take state lock during tx timeout reporter Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 053/341] net/mlx5e: Correctly report errors for ethtool rx flows Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 054/341] atm: idt77252: prevent use after free in dequeue_rx() Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 055/341] net: axienet: Fix register defines comment description Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 056/341] net: dsa: vsc73xx: pass value in phy_write operation Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 057/341] net: dsa: vsc73xx: use read_poll_timeout instead delay loop Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 058/341] net: dsa: vsc73xx: check busy flag in MDIO operations Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 059/341] net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 060/341] mlxbf_gige: disable RX filters until RX path initialized Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 061/341] mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 062/341] tcp: Update window clamping condition Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 063/341] netfilter: allow ipv6 fragments to arrive on different devices Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 064/341] netfilter: flowtable: initialise extack before use Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 065/341] netfilter: nf_queue: drop packets with cloned unconfirmed conntracks Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 066/341] netfilter: nf_tables: Audit log dump reset after the fact Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 067/341] netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj Greg Kroah-Hartman
2024-08-27 14:34 ` [PATCH 6.6 068/341] netfilter: nf_tables: Unconditionally allocate nft_obj_filter Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 069/341] netfilter: nf_tables: A better name for nft_obj_filter Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 070/341] netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 071/341] netfilter: nf_tables: nft_obj_filter fits into cb->ctx Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 072/341] netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 073/341] netfilter: nf_tables: Introduce nf_tables_getobj_single Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 074/341] netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 075/341] vsock: fix recursive ->recvmsg calls Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 076/341] selftests: net: lib: ignore possible errors Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 077/341] selftests: net: lib: kill PIDs before del netns Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 078/341] net: hns3: fix wrong use of semaphore up Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 079/341] net: hns3: use the users cfg after reset Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 080/341] net: hns3: fix a deadlock problem when config TC during resetting Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 081/341] gpio: mlxbf3: Support shutdown() function Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 082/341] ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 083/341] drm/amd/pm: fix error flow in sensor fetching Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 084/341] drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible values can be stored Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 085/341] drm/amdgpu: access RLC_SPM_MC_CNTL through MMIO in SRIOV runtime Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 086/341] ssb: Fix division by zero issue in ssb_calc_clock_rate Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 087/341] ASoC: cs35l45: Checks index of cs35l45_irqs[] Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 088/341] wifi: mac80211: lock wiphy in IP address notifier Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 089/341] wifi: cfg80211: check wiphy mutex is held for wdev mutex Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 090/341] wifi: mac80211: fix BA session teardown race Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 091/341] wifi: iwlwifi: mvm: fix recovery flow in CSA Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 092/341] rcu: Dump memory object info if callback function is invalid Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 093/341] rcu: Eliminate rcu_gp_slow_unregister() false positive Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 094/341] net: ethernet: mtk_wed: check update_wo_rx_stats in mtk_wed_update_rx_stats() Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 095/341] sched/topology: Handle NUMA_NO_NODE in sched_numa_find_nth_cpu() Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 096/341] wifi: cw1200: Avoid processing an invalid TIM IE Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 097/341] cgroup: Avoid extra dereference in css_populate_dir() Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 098/341] i2c: riic: avoid potential division by zero Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 099/341] RDMA/rtrs: Fix the problem of variable not initialized fully Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 100/341] s390/smp,mcck: fix early IPI handling Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 101/341] drm/bridge: tc358768: Attempt to fix DSI horizontal timings Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 102/341] wifi: ath12k: fix WARN_ON during ath12k_mac_update_vif_chan Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 103/341] i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 104/341] i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 105/341] drm/amdkfd: Move dma unmapping after TLB flush Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 106/341] media: radio-isa: use dev_name to fill in bus_info Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 107/341] wifi: ath11k: fix ath11k_mac_op_remain_on_channel() stack usage Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 108/341] staging: iio: resolver: ad2s1210: fix use before initialization Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 109/341] wifi: mt76: fix race condition related to checking tx queue fill status Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 110/341] usb: gadget: uvc: cleanup request when not in correct state Greg Kroah-Hartman
2024-08-27 15:04 ` Michael Grzeschik
2024-08-27 16:06 ` Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 111/341] drm/amd/display: Validate hw_points_num before using it Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 112/341] staging: ks7010: disable bh on tx_dev_lock Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 113/341] platform/x86/intel/ifs: Validate image size Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 114/341] media: s5p-mfc: Fix potential deadlock on condlock Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 115/341] accel/habanalabs/gaudi2: unsecure tpc count registers Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 116/341] accel/habanalabs: export dma-buf only if size/offset multiples of PAGE_SIZE Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 117/341] accel/habanalabs: fix bug in timestamp interrupt handling Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 118/341] md/raid5-cache: use READ_ONCE/WRITE_ONCE for conf->log Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 119/341] binfmt_misc: cleanup on filesystem umount Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 120/341] drm/tegra: Zero-initialize iosys_map Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 121/341] media: qcom: venus: fix incorrect return value Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 122/341] iommu/arm-smmu-qcom: Add SDM670 MDSS compatible Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 123/341] ASoC: SOF: Intel: hda-dsp: Make sure that no irq handler is pending before suspend Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 124/341] scsi: spi: Fix sshdr use Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 125/341] wifi: mac80211: flush STA queues on unauthorization Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 126/341] gfs2: setattr_chown: Add missing initialization Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 127/341] wifi: iwlwifi: abort scan when rfkill on but device enabled Greg Kroah-Hartman
2024-08-27 14:35 ` [PATCH 6.6 128/341] wifi: iwlwifi: fw: Fix debugfs command sending Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 129/341] wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware() Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 130/341] clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 131/341] IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 132/341] hwmon: (ltc2992) Avoid division by zero Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 133/341] rust: work around `bindgen` 0.69.0 issue Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 134/341] rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 135/341] rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 136/341] cpu/SMT: Enable SMT only if a core is online Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 137/341] powerpc/topology: Check " Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 138/341] arm64: Fix KASAN random tag seed initialization Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 139/341] block: Fix lockdep warning in blk_mq_mark_tag_wait Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 140/341] drm/msm: Reduce fallout of fence signaling vs reclaim hangs Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 141/341] memory: tegra: Skip SID programming if SID registers arent set Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 142/341] powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 143/341] ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 144/341] hwmon: (pc87360) Bounds check data->innr usage Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 145/341] powerpc/pseries/papr-sysparm: Validate buffer object lengths Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 146/341] ionic: prevent pci disable of already disabled device Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 147/341] ionic: no fw read when PCI reset failed Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 148/341] drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 149/341] evm: dont copy up security.evm xattr Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 150/341] Bluetooth: hci_conn: Check non NULL function before calling for HFP offload Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 151/341] gfs2: Refcounting fix in gfs2_thaw_super Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 152/341] EDAC/skx_common: Filter out the invalid address Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 153/341] nvmet-trace: avoid dereferencing pointer too early Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 154/341] ext4: do not trim the group with corrupted block bitmap Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 155/341] btrfs: zlib: fix and simplify the inline extent decompression Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 156/341] afs: fix __afs_break_callback() / afs_drop_open_mmap() race Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 157/341] fuse: fix UAF in rcu pathwalks Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 158/341] wifi: ath12k: Add missing qmi_txn_cancel() calls Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 159/341] quota: Remove BUG_ON from dqget() Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 160/341] riscv: blacklist assembly symbols for kprobe Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 161/341] kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 162/341] media: pci: cx23885: check cx23885_vdev_init() return Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 163/341] fs: binfmt_elf_efpic: dont use missing interpreters properties Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 164/341] scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 165/341] media: drivers/media/dvb-core: copy user arrays safely Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 166/341] wifi: iwlwifi: mvm: avoid garbage iPN Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 167/341] net/sun3_82586: Avoid reading past buffer in debug output Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 168/341] drm/lima: set gp bus_stop bit before hard reset Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 169/341] gpio: sysfs: extend the critical section for unregistering sysfs devices Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 170/341] hrtimer: Select housekeeping CPU during migration Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 171/341] virtiofs: forbid newlines in tags Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 172/341] accel/habanalabs: fix debugfs files permissions Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 173/341] clocksource/drivers/arm_global_timer: Guard against division by zero Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 174/341] tick: Move got_idle_tick away from common flags Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 175/341] netlink: hold nlk->cb_mutex longer in __netlink_dump_start() Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 176/341] md: clean up invalid BUG_ON in md_ioctl Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 177/341] x86: Increase brk randomness entropy for 64-bit systems Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 178/341] memory: stm32-fmc2-ebi: check regmap_read return value Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 179/341] parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 180/341] rxrpc: Dont pick values out of the wire header when setting up security Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 181/341] f2fs: stop checkpoint when get a out-of-bounds segment Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 182/341] powerpc/boot: Handle allocation failure in simple_realloc() Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 183/341] powerpc/boot: Only free if realloc() succeeds Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 184/341] btrfs: delayed-inode: drop pointless BUG_ON in __btrfs_remove_delayed_item() Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 185/341] btrfs: defrag: change BUG_ON to assertion in btrfs_defrag_leaves() Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 186/341] btrfs: change BUG_ON to assertion when checking for delayed_node root Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 187/341] btrfs: tests: allocate dummy fs_info and root in test_find_delalloc() Greg Kroah-Hartman
2024-08-27 14:36 ` [PATCH 6.6 188/341] btrfs: push errors up from add_async_extent() Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 189/341] btrfs: handle invalid root reference found in may_destroy_subvol() Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 190/341] btrfs: send: handle unexpected data in header buffer in begin_cmd() Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 191/341] btrfs: send: handle unexpected inode in header process_recorded_refs() Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 192/341] btrfs: change BUG_ON to assertion in tree_move_down() Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 193/341] btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 194/341] f2fs: fix to do sanity check in update_sit_entry Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 195/341] usb: gadget: fsl: Increase size of name buffer for endpoints Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 196/341] nvme: clear caller pointer on identify failure Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 197/341] Bluetooth: bnep: Fix out-of-bound access Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 198/341] firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 199/341] rtc: nct3018y: fix possible NULL dereference Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 200/341] net: hns3: add checking for vf id of mailbox Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 201/341] nvmet-tcp: do not continue for invalid icreq Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 202/341] NFS: avoid infinite loop in pnfs_update_layout Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 203/341] openrisc: Call setup_memory() earlier in the init sequence Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 204/341] s390/iucv: fix receive buffer virtual vs physical address confusion Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 205/341] irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 206/341] clocksource: Make watchdog and suspend-timing multiplication overflow safe Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 207/341] platform/x86: lg-laptop: fix %s null argument warning Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 208/341] usb: dwc3: core: Skip setting event buffers for host only controllers Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 209/341] irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 210/341] ext4: set the type of max_zeroout to unsigned int to avoid overflow Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 211/341] nvmet-rdma: fix possible bad dereference when freeing rsps Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 212/341] selftests/bpf: Fix a few tests for GCC related warnings Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 213/341] Revert "bpf, sockmap: Prevent lock inversion deadlock in map delete elem" Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 214/341] nvme: use srcu for iterating namespace list Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 215/341] drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 216/341] hrtimer: Prevent queuing of hrtimer without a function callback Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 217/341] ionic: use pci_is_enabled not open code Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 218/341] ionic: check cmd_regs before copying in or out Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 219/341] EDAC/skx_common: Allow decoding of SGX addresses Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 220/341] nvme: fix namespace removal list Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 221/341] gtp: pull network headers in gtp_dev_xmit() Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 222/341] jfs: define xtree root and page independently Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 223/341] i2c: stm32f7: Add atomic_xfer method to driver Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 224/341] riscv: entry: always initialize regs->a0 to -ENOSYS Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 225/341] dm suspend: return -ERESTARTSYS instead of -EINTR Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 226/341] mm: fix endless reclaim on machines with unaccepted memory Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 227/341] tools/testing/selftests/mm/run_vmtests.sh: lower the ptrace permissions Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 228/341] selftests/mm: log run_vmtests.sh results in TAP format Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 229/341] selftests: memfd_secret: dont build memfd_secret test on unsupported arches Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 230/341] change alloc_pages name in dma_map_ops to avoid name conflicts Greg Kroah-Hartman
2024-08-30 22:12 ` Nathan Chancellor
2024-08-30 22:35 ` Suren Baghdasaryan
2024-08-30 22:48 ` Suren Baghdasaryan
2024-08-31 5:32 ` Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 231/341] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 232/341] btrfs: replace sb::s_blocksize by fs_info::sectorsize Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 233/341] btrfs: send: allow cloning non-aligned extent if it ends at i_size Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 234/341] drm/amd/display: Adjust cursor position Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 235/341] drm/amd/display: Enable otg synchronization logic for DCN321 Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 236/341] drm/amd/display: fix cursor offset on rotation 180 Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 237/341] drm/amd/amdgpu: command submission parser for JPEG Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 238/341] platform/surface: aggregator: Fix warning when controller is destroyed in probe Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 239/341] ALSA: hda/tas2781: Use correct endian conversion Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 240/341] drm/amdkfd: reserve the BO before validating it Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 241/341] Bluetooth: hci_core: Fix LE quote calculation Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 242/341] Bluetooth: SMP: Fix assumption of Central always being Initiator Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 243/341] net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 244/341] net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q" Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 245/341] net: mscc: ocelot: serialize access to the injection/extraction groups Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 246/341] tc-testing: dont access non-existent variable on exception Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 247/341] selftests: udpgro: report error when receive failed Greg Kroah-Hartman
2024-08-27 14:37 ` [PATCH 6.6 248/341] tcp/dccp: bypass empty buckets in inet_twsk_purge() Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 249/341] tcp/dccp: do not care about families " Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 250/341] tcp: prevent concurrent execution of tcp_sk_exit_batch Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 251/341] net: mctp: test: Use correct skb for route input check Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 252/341] kcm: Serialise kcm_sendmsg() for the same socket Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 253/341] netfilter: nft_counter: Disable BH in nft_counter_offload_stats() Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 254/341] netfilter: nft_counter: Synchronize nft_counter_reset() against reader Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 255/341] ip6_tunnel: Fix broken GRO Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 256/341] bonding: fix bond_ipsec_offload_ok return type Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 257/341] bonding: fix null pointer deref in bond_ipsec_offload_ok Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 258/341] bonding: fix xfrm real_dev null pointer dereference Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 259/341] bonding: fix xfrm state handling when clearing active slave Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 260/341] ice: fix page reuse when PAGE_SIZE is over 8k Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 261/341] ice: fix ICE_LAST_OFFSET formula Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 262/341] ice: fix truesize operations for PAGE_SIZE >= 8192 Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 263/341] dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp() Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 264/341] igb: cope with large MAX_SKB_FRAGS Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 265/341] net: dsa: mv88e6xxx: Fix out-of-bound access Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 266/341] netem: fix return value if duplicate enqueue fails Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 267/341] udp: fix receiving fraglist GSO packets Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 268/341] ipv6: prevent UAF in ip6_send_skb() Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 269/341] ipv6: fix possible UAF in ip6_finish_output2() Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 270/341] ipv6: prevent possible UAF in ip6_xmit() Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 271/341] bnxt_en: Fix double DMA unmapping for XDP_REDIRECT Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 272/341] netfilter: flowtable: validate vlan header Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 273/341] octeontx2-af: Fix CPT AF register offset calculation Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 274/341] net: xilinx: axienet: Always disable promiscuous mode Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 275/341] net: xilinx: axienet: Fix dangling multicast addresses Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 276/341] net: ovs: fix ovs_drop_reasons error Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 277/341] drm/msm/dpu: dont play tricks with debug macros Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 278/341] drm/msm/dp: fix the max supported bpp logic Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 279/341] drm/msm/dpu: use drmm-managed allocation for dpu_encoder_phys Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 280/341] drm/msm/dpu: drop MSM_ENC_VBLANK support Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 281/341] drm/msm/dpu: split dpu_encoder_wait_for_event into two functions Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 282/341] drm/msm/dpu: capture snapshot on the first commit_done timeout Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 283/341] drm/msm/dpu: move dpu_encoders connector assignment to atomic_enable() Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 284/341] drm/msm/dp: reset the link phy params before link training Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 285/341] drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 286/341] drm/msm/dpu: try multirect based on mdp clock limits Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 287/341] drm/msm/dpu: take plane rotation into account for wide planes Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 288/341] drm/msm/mdss: switch mdss to use devm_of_icc_get() Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 289/341] drm/msm/mdss: Rename path references to mdp_path Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 290/341] drm/msm/mdss: Handle the reg bus ICC path Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 291/341] drm/msm: fix the highest_bank_bit for sc7180 Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 292/341] mmc: mmc_test: Fix NULL dereference on allocation failure Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 293/341] smb: client: ignore unhandled reparse tags Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 294/341] Bluetooth: MGMT: Add error handling to pair_device() Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 295/341] scsi: core: Fix the return value of scsi_logical_block_count() Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 296/341] ksmbd: the buffer of smb2 query dir response has at least 1 byte Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 297/341] drm/amdgpu: Validate TA binary size Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 298/341] net: dsa: microchip: fix PTP config failure when using multiple ports Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 299/341] MIPS: Loongson64: Set timer mode in cpu-probe Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 300/341] HID: wacom: Defer calculation of resolution until resolution_code is known Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 301/341] Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 302/341] Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 303/341] cxgb4: add forgotten u64 ivlan cast before shift Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 304/341] KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 305/341] mmc: mtk-sd: receive cmd8 data when hs400 tuning fail Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 306/341] mmc: dw_mmc: allow biu and ciu clocks to defer Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 307/341] pmdomain: imx: scu-pd: Remove duplicated clocks Greg Kroah-Hartman
2024-08-27 14:38 ` [PATCH 6.6 308/341] pmdomain: imx: wait SSAR when i.MX93 power domain on Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 309/341] nouveau/firmware: use dma non-coherent allocator Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 310/341] mptcp: pm: re-using ID of unused removed ADD_ADDR Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 311/341] mptcp: pm: re-using ID of unused removed subflows Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 312/341] mptcp: pm: re-using ID of unused flushed subflows Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 313/341] mptcp: pm: remove mptcp_pm_remove_subflow() Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 314/341] mptcp: pm: only mark subflow endp as available Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 315/341] mptcp: pm: only decrement add_addr_accepted for MPJ req Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 316/341] mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 317/341] mptcp: pm: only in-kernel cannot have entries with ID 0 Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 318/341] mptcp: pm: fullmesh: select the right ID later Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 319/341] mptcp: pm: avoid possible UaF when selecting endp Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 320/341] selftests: mptcp: join: validate fullmesh endp on 1st sf Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 321/341] selftests: mptcp: join: check re-using ID of closed subflow Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 322/341] Revert "usb: gadget: uvc: cleanup request when not in correct state" Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 323/341] Revert "drm/amd/display: Validate hw_points_num before using it" Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 324/341] platform/x86/intel/ifs: Call release_firmware() when handling errors Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 325/341] tcp: do not export tcp_twsk_purge() Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 326/341] hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt() Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 327/341] drm/msm/mdss: specify cfg bandwidth for SDM670 Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 328/341] drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 329/341] igc: Fix qbv tx latency by setting gtxoffset Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 330/341] ALSA: timer: Relax start tick time check for slave timer elements Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 331/341] mm/numa: no task_numa_fault() call if PMD is changed Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 332/341] mm/numa: no task_numa_fault() call if PTE " Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 333/341] bpf: Fix a kernel verifier crash in stacksafe() Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 334/341] selftests/bpf: Add a test to verify previous stacksafe() fix Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 335/341] NFSD: simplify error paths in nfsd_svc() Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 336/341] drm/amdgpu/vcn: identify unified queue in sw init Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 337/341] drm/amdgpu/vcn: not pause dpg for unified queue Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 338/341] ksmbd: fix race condition between destroy_previous_session() and smb2 operations() Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 339/341] net: ngbe: Fix phy mode set to external phy Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 340/341] Revert "s390/dasd: Establish DMA alignment" Greg Kroah-Hartman
2024-08-27 14:39 ` [PATCH 6.6 341/341] Input: MT - limit max slots Greg Kroah-Hartman
2024-08-27 15:39 ` [PATCH 6.6 000/341] 6.6.48-rc1 review Naresh Kamboju
2024-08-27 17:47 ` Florian Fainelli
2024-08-29 14:23 ` Greg Kroah-Hartman
2024-08-28 1:00 ` SeongJae Park
2024-08-28 3:57 ` Peter Schneider
2024-08-28 11:41 ` Mark Brown
2024-08-28 11:53 ` Takeshi Ogasawara
2024-08-28 14:30 ` Naresh Kamboju
2024-08-28 17:29 ` Naresh Kamboju
2024-08-29 14:16 ` Greg Kroah-Hartman
2024-08-28 14:35 ` Wang Yugui
2024-08-28 14:45 ` Alexander Lobakin
2024-08-29 14:20 ` Greg Kroah-Hartman
2024-08-28 16:02 ` Miguel Ojeda
2024-08-28 18:16 ` Ron Economos
2024-08-29 10:24 ` Jon Hunter
2024-08-29 11:14 ` Shreeya Patel
2024-08-31 21:26 ` Guenter Roeck
2024-09-01 9:43 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox